Merge branch 'master' into v-smandalika-5494946-B3
commit
2f80e5ee45
@ -1,5 +1,60 @@
|
||||
{
|
||||
"redirections": [
|
||||
{
|
||||
"source_path": "windows/configuration/wcd/wcd-embeddedlockdownprofiles.md",
|
||||
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configuration/mobile-devices/configure-mobile.md",
|
||||
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configuration/mobile-devices/lockdown-xml.md",
|
||||
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configuration/mobile-devices/mobile-lockdown-designer.md",
|
||||
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md",
|
||||
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configuration/mobile-devices/provisioning-configure-mobile.md",
|
||||
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configuration/mobile-devices/provisioning-nfc.md",
|
||||
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configuration/mobile-devices/provisioning-package-splitter.md",
|
||||
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configuration/mobile-devices/settings-that-can-be-locked-down.md",
|
||||
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md",
|
||||
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configuration/mobile-devices/start-layout-xml-mobile.md",
|
||||
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/whats-new/windows-11.md",
|
||||
"redirect_url": "/windows/whats-new/windows-11-whats-new",
|
||||
@ -6637,22 +6692,22 @@
|
||||
},
|
||||
{
|
||||
"source_path": "windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md",
|
||||
"redirect_url": "/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition",
|
||||
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/manage/lockdown-xml.md",
|
||||
"redirect_url": "/windows/configuration/mobile-devices/lockdown-xml",
|
||||
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/manage/settings-that-can-be-locked-down.md",
|
||||
"redirect_url": "/windows/configuration/mobile-devices/settings-that-can-be-locked-down",
|
||||
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/manage/product-ids-in-windows-10-mobile.md",
|
||||
"redirect_url": "/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile",
|
||||
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
@ -6682,7 +6737,7 @@
|
||||
},
|
||||
{
|
||||
"source_path": "windows/manage/start-layout-xml-mobile.md",
|
||||
"redirect_url": "/windows/configuration/mobile-devices/start-layout-xml-mobile",
|
||||
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
@ -6847,7 +6902,7 @@
|
||||
},
|
||||
{
|
||||
"source_path": "windows/deploy/provisioning-nfc.md",
|
||||
"redirect_url": "/windows/configuration/provisioning-packages/provisioning-nfc",
|
||||
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
@ -7602,7 +7657,7 @@
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configure/configure-mobile.md",
|
||||
"redirect_url": "/windows/configuration/mobile-devices/configure-mobile",
|
||||
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
@ -7767,7 +7822,7 @@
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configure/lockdown-xml.md",
|
||||
"redirect_url": "/windows/configuration/mobile-devices/lockdown-xml",
|
||||
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
@ -7787,12 +7842,12 @@
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configure/mobile-lockdown-designer.md",
|
||||
"redirect_url": "/windows/configuration/mobile-devices/mobile-lockdown-designer",
|
||||
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configure/product-ids-in-windows-10-mobile.md",
|
||||
"redirect_url": "/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile",
|
||||
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
@ -7822,7 +7877,7 @@
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configure/provisioning-configure-mobile.md",
|
||||
"redirect_url": "/windows/configuration/mobile-devices/provisioning-configure-mobile",
|
||||
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
@ -7847,12 +7902,12 @@
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configure/provisioning-nfc.md",
|
||||
"redirect_url": "/windows/configuration/mobile-devices/provisioning-nfc",
|
||||
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configure/provisioning-package-splitter.md",
|
||||
"redirect_url": "/windows/configuration/mobile-devices/provisioning-package-splitter",
|
||||
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
@ -7892,7 +7947,7 @@
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md",
|
||||
"redirect_url": "/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition",
|
||||
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
@ -7902,7 +7957,7 @@
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configure/settings-that-can-be-locked-down.md",
|
||||
"redirect_url": "/windows/configuration/mobile-devices/settings-that-can-be-locked-down",
|
||||
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
@ -7912,7 +7967,7 @@
|
||||
},
|
||||
{
|
||||
"source_path": "windows/configure/start-layout-xml-mobile.md",
|
||||
"redirect_url": "/windows/configuration/mobile-devices/start-layout-xml-mobile",
|
||||
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
|
@ -6,7 +6,7 @@ summary: Microsoft Edge Legacy works with Group Policy and Microsoft Intune to h
|
||||
metadata:
|
||||
title: Microsoft Edge Legacy # Required; page title displayed in search results. Include the brand. < 60 chars.
|
||||
description: Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. # Required; article description that is displayed in search results. < 160 chars.
|
||||
keywords: Microsoft Edge Legacy, Windows 10, Windows 10 Mobile
|
||||
keywords: Microsoft Edge Legacy, Windows 10
|
||||
ms.localizationpriority: medium
|
||||
ms.prod: edge
|
||||
author: shortpatti
|
||||
|
@ -15,7 +15,7 @@ metadata:
|
||||
|
||||
title: Frequently Asked Questions (FAQ) for IT Pros
|
||||
summary: |
|
||||
Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile
|
||||
Applies to: Microsoft Edge on Windows 10
|
||||
|
||||
> [!NOTE]
|
||||
> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/).
|
||||
@ -40,7 +40,7 @@ sections:
|
||||
|
||||
- question: How do I customize Microsoft Edge and related settings for my organization?
|
||||
answer: |
|
||||
You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](./group-policies/index.yml) for a list of policies currently available for Microsoft Edge and configuration information. Note that the preview release of Chromium-based Microsoft Edge might not include management policies or other enterprise functionality; our focus during the preview is modern browser fundamentals.
|
||||
You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](./group-policies/index.yml) for a list of policies currently available for Microsoft Edge and configuration information. The preview release of Chromium-based Microsoft Edge might not include management policies or other enterprise functionality; our focus during the preview is modern browser fundamentals.
|
||||
|
||||
- question: Is Adobe Flash supported in Microsoft Edge?
|
||||
answer: |
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
ms.localizationpriority: medium
|
||||
title: Change history for Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros)
|
||||
description: This topic lists new and updated topics in the Internet Explorer 11 Deployment Guide documentation for Windows 10 and Windows 10 Mobile.
|
||||
description: This topic lists new and updated topics in the Internet Explorer 11 Deployment Guide documentation for Windows 10.
|
||||
ms.mktglfcycl: deploy
|
||||
ms.prod: ie11
|
||||
ms.sitesec: library
|
||||
@ -18,7 +18,7 @@ ms.author: dansimp
|
||||
|
||||
[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
|
||||
|
||||
This topic lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile.
|
||||
This topic lists new and updated topics in the Internet Explorer 11 documentation for Windows 10.
|
||||
|
||||
## April 2017
|
||||
|New or changed topic | Description |
|
||||
|
@ -33,7 +33,7 @@ Because this content isn't intended to be a step-by-step guide, not all of the s
|
||||
## In this guide
|
||||
|Topic |Description |
|
||||
|------|------------|
|
||||
|[Change history for Internet Explorer 11](change-history-for-internet-explorer-11.md) |Lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile. |
|
||||
|[Change history for Internet Explorer 11](change-history-for-internet-explorer-11.md) |Lists new and updated topics in the Internet Explorer 11 documentation for Windows 10. |
|
||||
|[System requirements and language support for Internet Explorer 11 (IE11)](system-requirements-and-language-support-for-ie11.md) |IE11 is available for a number of systems and languages. This topic provides info about the minimum system requirements and language support. |
|
||||
|[List of updated features and tools - Internet Explorer 11 (IE11)](updated-features-and-tools-with-ie11.md) |IE11 includes several new features and tools. This topic includes high-level info about the each of them. |
|
||||
|[Install and Deploy Internet Explorer 11 (IE11)](install-and-deploy-ie11.md) |Use the topics in this section to learn how to customize your Internet Explorer installation package, how to choose the right method for installation, and how to deploy IE into your environment. You can also find more info about your virtualization options for legacy apps. |
|
||||
@ -42,7 +42,7 @@ Because this content isn't intended to be a step-by-step guide, not all of the s
|
||||
|[Group Policy and Internet Explorer 11 (IE11)](group-policy-and-ie11.md) |Use the topics in this section to learn about Group Policy and how to use it to manage IE. |
|
||||
|[Manage Internet Explorer 11](manage-ie11-overview.md) |Use the topics in this section to learn about how to auto detect your settings, auto configure your configuration settings, and auto configure your proxy configuration settings for IE. |
|
||||
|[Troubleshoot Internet Explorer 11 (IE11)](troubleshoot-ie11.md) |Use the topics in this section to learn how to troubleshoot several of the more common problems experienced with IE. |
|
||||
|[Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md) |ActiveX controls are small apps that let websites provide content, like videos, games, and let you interact with content like toolbars. Unfortunately, because many ActiveX controls aren’t automatically updated, they can become outdated as new versions are released. It’s very important that you keep your ActiveX controls up-to-date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, IE includes a new security feature, called <em>out-of-date ActiveX control blocking</em>. |
|
||||
|[Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md) |ActiveX controls are small apps that let websites provide content, like videos, games, and let you interact with content like toolbars. Unfortunately, because many ActiveX controls aren’t automatically updated, they can become outdated as new versions are released. It’s important that you keep your ActiveX controls up-to-date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, IE includes a new security feature, called <em>out-of-date ActiveX control blocking</em>. |
|
||||
|[Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md) |Internet Explorer 8 introduced document modes as a way to move from the proprietary coding of web features to a more standardized type of coding that could run on multiple browsers and devices. Starting with Windows 10, we’re deprecating document modes.<p>This means that while IE11 will continue to support document modes, Microsoft Edge won’t. And because of that, it also means that if you want to use Microsoft Edge, you’re going to have to update your legacy webpages and apps to support modern features, browsers, and devices.<p><b>Note</b><br>For specific details about the technologies and APIs that are no longer supported in Microsoft Edge, see [A break from the past, part 2: Saying goodbye to ActiveX, VBScript, attachEvent](https://go.microsoft.com/fwlink/p/?LinkId=615953). |
|
||||
|[What is the Internet Explorer 11 Blocker Toolkit?](what-is-the-internet-explorer-11-blocker-toolkit.md) |The IE11 Blocker Toolkit lets you turn off the automatic delivery of IE11 through the <b>Automatic Updates</b> feature of Windows Update. |
|
||||
|[Missing Internet Explorer Maintenance (IEM) settings for Internet Explorer 11](missing-internet-explorer-maintenance-settings-for-ie11.md) |The Internet Explorer Maintenance (IEM) settings have been deprecated in favor of Group Policy preferences, Administrative Templates (.admx), and the Internet Explorer Administration Kit 11 (IEAK 11).<p>Because of this change, your IEM-configured settings will no longer work on computers running Internet Explorer 10 or newer. To fix this, you need to update the affected settings using Group Policy preferences, Administrative Templates (.admx), or the IEAK 11.<p>Because Group Policy Preferences and IEAK 11 run using asynchronous processes, you should choose to use only one of the tools within each group of settings. For example, using only IEAK 11 in the <b>Security</b> settings or Group Policy Preferences within the <b>Internet Zone</b> settings. Also, it's important to remember that policy is enforced and can't be changed by the user, while preferences are configured, but can be changed by the user. |
|
||||
|
@ -39,7 +39,7 @@ Using Enterprise Mode means that you can continue to use Microsoft Edge as your
|
||||
> [!TIP]
|
||||
> If you are running an earlier version of Internet Explorer, we recommend upgrading to IE11, so that any legacy apps continue to work correctly.
|
||||
|
||||
For Windows 10 and Windows 10 Mobile, Microsoft Edge is the default browser experience. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List.
|
||||
For Windows 10, Microsoft Edge is the default browser experience. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List.
|
||||
|
||||
|
||||
## What is Enterprise Mode?
|
||||
@ -68,12 +68,12 @@ Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microso
|
||||
|
||||
[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
|
||||
XML file
|
||||
The Enterprise Mode Site List is an XML document that specifies a list of sites, their compat mode, and their intended browser. Using [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853), you can automatically start a webpage using a specific browser. In the case of IE11, the webpage can also be launched in a specific compat mode, so it always renders correctly. Your employees can easily view this site list by typing _about:compat_ in either Microsoft Edge or IE11.
|
||||
The Enterprise Mode Site List is an XML document that specifies a list of sites, their compatibility mode, and their intended browser. Using [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853), you can automatically start a webpage using a specific browser. In IE11, the webpage can also be launched in a specific compatibility mode, so it always renders correctly. Your employees can easily view this site list by typing `about:compat` in either Microsoft Edge or IE11.
|
||||
|
||||
Starting with Windows 10, version 1511 (also known as the Anniversary Update), you can also [restrict IE11 to only the legacy web apps that need it](https://blogs.windows.com/msedgedev/2016/05/19/edge14-ie11-better-together/), automatically sending sites not included in the Enterprise Mode Site List to Microsoft Edge.
|
||||
|
||||
### Site list xml file
|
||||
This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](turn-on-enterprise-mode-and-use-a-site-list.md). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location.
|
||||
This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](turn-on-enterprise-mode-and-use-a-site-list.md). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compatibility mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location.
|
||||
|
||||
```xml
|
||||
<site-list version="205">
|
||||
@ -123,7 +123,7 @@ You can build and manage your Enterprise Mode Site List is by using any generic
|
||||
### Enterprise Mode Site List Manager
|
||||
This tool helps you create error-free XML documents with simple n+1 versioning and URL verification. We recommend using this tool if your site list is relatively small. For more info about this tool, see the Use the [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics.
|
||||
|
||||
There are 2 versions of this tool, both supported on Windows 7, Windows 8.1, and Windows 10:
|
||||
There are two versions of this tool, both supported on Windows 7, Windows 8.1, and Windows 10:
|
||||
|
||||
- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501). This is an older version of the schema that you must use if you want to create and update your Enterprise Mode Site List for devices running the v.1 version of the schema.
|
||||
|
||||
|
@ -20,11 +20,11 @@ manager: dansimp
|
||||
- Windows 10
|
||||
|
||||
|
||||
This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Endpoint Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment as well as the automated tools and built-in features of the operating system.
|
||||
This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Endpoint Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment and the automated tools and built-in features of the operating system.
|
||||
|
||||
## Prepare for district deployment
|
||||
|
||||
Proper preparation is essential for a successful district deployment. To avoid common mistakes, your first step is to plan a typical district configuration. Just as with building a house, you need a blueprint for what your district and individual schools should look like when it’s finished. The second step in preparation is to learn how you will manage the users, apps, and devices in your district. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your district.
|
||||
Proper preparation is essential for a successful district deployment. To avoid common mistakes, your first step is to plan a typical district configuration. As with building a house, you need a blueprint for what your district and individual schools should look like when it’s finished. The second step in preparation is to learn how you will manage the users, apps, and devices in your district. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your district.
|
||||
|
||||
> [!NOTE]
|
||||
> This guide focuses on Windows 10 deployment and management in a district. For management of other devices and operating systems in education environments, see [Manage BYOD and corporate-owned devices with MDM solutions](https://www.microsoft.com/cloud-platform/mobile-device-management).
|
||||
@ -126,7 +126,7 @@ Office 365 Education allows:
|
||||
|
||||
* Students and faculty to use Yammer to collaborate through private social networking.
|
||||
|
||||
* Students and faculty to access classroom resources from anywhere on any device (including Windows 10 Mobile, iOS, and Android devices).
|
||||
* Students and faculty to access classroom resources from anywhere on any device (including iOS and Android devices).
|
||||
|
||||
For more information about Office 365 Education features and an FAQ, go to [Office 365 Education plans and pricing](https://products.office.com/en-us/academic).
|
||||
|
||||
@ -1577,7 +1577,7 @@ For more information about Intune, see [Microsoft Intune Documentation](/intune/
|
||||
|
||||
If you selected to deploy and manage apps by using Microsoft Endpoint Manager and Intune in a hybrid configuration, then skip this section and continue to the [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager) section.
|
||||
|
||||
You can use Intune to deploy Microsoft Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you to deploy apps to companion devices (such as Windows 10 Mobile, iOS, or Android devices). Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that are not enrolled in Intune or that another solution manages.
|
||||
You can use Intune to deploy Microsoft Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you to deploy apps to companion devices (such as iOS or Android devices). Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that are not enrolled in Intune or that another solution manages.
|
||||
|
||||
For more information about how to configure Intune to manage your apps, see the following resources:
|
||||
|
||||
@ -1589,9 +1589,9 @@ For more information about how to configure Intune to manage your apps, see the
|
||||
|
||||
### Deploy and manage apps by using Microsoft Endpoint Configuration Manager
|
||||
|
||||
You can use Microsoft Endpoint Manager to deploy Microsoft Store and Windows desktop apps. Configuration Manager allows you to create a Configuration Manager application that you can use to deploy apps to different devices (such as Windows 10 desktop, Windows 10 Mobile, iOS, or Android devices) by using *deployment types*. You can think of a Configuration Manager application as a box. You can think of deployment types as one or more sets of installation files and installation instructions within that box.
|
||||
You can use Microsoft Endpoint Manager to deploy Microsoft Store and Windows desktop apps. Configuration Manager allows you to create a Configuration Manager application that you can use to deploy apps to different devices (such as Windows 10 desktop, iOS, or Android devices) by using *deployment types*. You can think of a Configuration Manager application as a box. You can think of deployment types as one or more sets of installation files and installation instructions within that box.
|
||||
|
||||
For example, you could create a Skype application that contains a deployment type for Windows 10 desktop, Windows 10 Mobile, iOS, and Android. You can deploy the one application to multiple device types.
|
||||
For example, you could create a Skype application that contains a deployment type for Windows 10 desktop, iOS, and Android. You can deploy the one application to multiple device types.
|
||||
|
||||
> [!NOTE]
|
||||
> When you configure Configuration Manager and Intune in a hybrid model, you deploy apps by using Configuration Manager as described in this section.
|
||||
@ -1607,7 +1607,7 @@ If you selected to manage updates by using Configuration Manager and Intune in a
|
||||
To help ensure that your users have the most current features and security protection, keep Windows 10 and your apps current with updates. To configure Windows 10 and app updates, use the **Updates** workspace in Intune.
|
||||
|
||||
> [!NOTE]
|
||||
> You can only manage updates (including antivirus and antimalware updates) for Windows 10 desktop operating systems (not Windows 10 Mobile, iOS, or Android).
|
||||
> You can only manage updates (including antivirus and antimalware updates) for Windows 10 desktop operating systems (not iOS or Android).
|
||||
|
||||
For more information about how to configure Intune to manage updates and malware protection, see the following resources:
|
||||
|
||||
@ -1631,7 +1631,7 @@ In this section, you prepared your institution for device management. You identi
|
||||
|
||||
## Deploy Windows 10 to devices
|
||||
|
||||
You’re ready to deploy Windows 10 to faculty and student devices. You must complete the steps in this section for each student device in the classrooms as well as for any new student devices you add in the future. You can also perform these actions for any device that’s eligible for a Windows 10 upgrade. This section discusses deploying Windows 10 to new devices, refreshing Windows 10 on existing devices, and upgrading existing devices that are running eligible versions of Windows 8.1 or Windows 7 to Windows 10.
|
||||
You’re ready to deploy Windows 10 to faculty and student devices. You must complete the steps in this section for each student device in the classrooms and for any new student devices you add in the future. You can also perform these actions for any device that’s eligible for a Windows 10 upgrade. This section discusses deploying Windows 10 to new devices, refreshing Windows 10 on existing devices, and upgrading existing devices that are running eligible versions of Windows 8.1 or Windows 7 to Windows 10.
|
||||
|
||||
### Prepare for deployment
|
||||
|
||||
|
@ -18,29 +18,63 @@ ms.date: 10/13/2017
|
||||
|
||||
##  Learn
|
||||
|
||||
<p><b><a href="windows-editions-for-education-customers.md" data-raw-source="[Windows 10 editions for education customers](windows-editions-for-education-customers.md)">Windows 10 editions for education customers</a></b><br />Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.</p>
|
||||
<p><b><a href="https://www.microsoft.com/WindowsForBusiness/Compare" data-raw-source="[Compare each Windows edition](https://www.microsoft.com/WindowsForBusiness/Compare)">Compare each Windows edition</a></b><br />Find out more about the features and functionality we support in each edition of Windows.</p>
|
||||
<p><b><a href="https://www.microsoft.com/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools" data-raw-source="[Get Windows 10 Education or Windows 10 Pro Education](https://www.microsoft.com/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools)">Get Windows 10 Education or Windows 10 Pro Education</a></b><br />When you've made your decision, find out how to buy Windows for your school.</p>
|
||||
**[Windows 10 editions for education customers](windows-editions-for-education-customers.md)**
|
||||
|
||||
Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.
|
||||
|
||||
**[Compare each Windows edition](https://www.microsoft.com/WindowsForBusiness/Compare)**
|
||||
|
||||
Find out more about the features and functionality we support in each edition of Windows.
|
||||
|
||||
**[Get Windows 10 Education or Windows 10 Pro Education](https://www.microsoft.com/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools)**
|
||||
|
||||
When you've made your decision, find out how to buy Windows for your school.
|
||||
|
||||
##  Plan
|
||||
|
||||
<p><b><a href="configure-windows-for-education.md" data-raw-source="[Windows 10 configuration recommendations for education customers](configure-windows-for-education.md)">Windows 10 configuration recommendations for education customers</a></b><br />Provides guidance on ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school.</p>
|
||||
<p><b><a href="edu-deployment-recommendations.md" data-raw-source="[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)">Deployment recommendations for school IT administrators</a></b><br />Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.</p>
|
||||
<b><a href="get-minecraft-for-education.md" data-raw-source="[Get Minecraft Education Edition](get-minecraft-for-education.md)">Get Minecraft Education Edition</a></b><br />Minecraft Education Edition is built for learning. Learn how to get early access and add it to your Microsoft Store for Business for distribution.</p></div>
|
||||
<div class="side-by-side-content-right"><p><b><a href="take-tests-in-windows-10.md" data-raw-source="[Take tests in Windows 10](take-tests-in-windows-10.md)">Take tests in Windows 10</a></b><br />Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up.</p>
|
||||
<p><b><a href="chromebook-migration-guide.md" data-raw-source="[Chromebook migration guide](chromebook-migration-guide.md)">Chromebook migration guide</a></b><br />Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment.</p>
|
||||
**[Windows 10 configuration recommendations for education customers](configure-windows-for-education.md)**
|
||||
|
||||
Provides guidance on ways to customize the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, so that Windows is ready for your school.
|
||||
|
||||
**[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)**
|
||||
|
||||
Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.
|
||||
|
||||
**[Get Minecraft Education Edition](get-minecraft-for-education.md)**
|
||||
|
||||
Minecraft Education Edition is built for learning. Learn how to get early access and add it to your Microsoft Store for Business for distribution.
|
||||
|
||||
**[Take tests in Windows 10](take-tests-in-windows-10.md)**
|
||||
|
||||
Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up.
|
||||
|
||||
**[Chromebook migration guide](chromebook-migration-guide.md)**
|
||||
|
||||
Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment.
|
||||
|
||||
##  Deploy
|
||||
|
||||
<p><b><a href="set-up-windows-10.md" data-raw-source="[Set up Windows devices for education](set-up-windows-10.md)">Set up Windows devices for education</a></b><br />Depending on your school's device management needs, you can use the Set up School PCs app or the Windows Configuration Designer tool to quickly set up student PCs.</p>
|
||||
<p><b><a href="deploy-windows-10-in-a-school.md" data-raw-source="[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)">Deploy Windows 10 in a school</a></b><br />Get step-by-step guidance to help you deploy Windows 10 in a school environment.</p>
|
||||
<p><b><a href="deploy-windows-10-in-a-school-district.md" data-raw-source="[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)">Deploy Windows 10 in a school district</a></b><br />Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.</p>
|
||||
<p><b><a href="test-windows10s-for-edu.md" data-raw-source="[Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md)">Test Windows 10 S on existing Windows 10 education devices</a></b><br />Test Windows 10 S on a variety of Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us.</p>
|
||||
**[Set up Windows devices for education](set-up-windows-10.md)**
|
||||
|
||||
Depending on your school's device management needs, you can use the Set up School PCs app or the Windows Configuration Designer tool to quickly set up student PCs.
|
||||
|
||||
**[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)**
|
||||
|
||||
Get step-by-step guidance to help you deploy Windows 10 in a school environment.
|
||||
|
||||
**[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)**
|
||||
|
||||
Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.
|
||||
|
||||
**[Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md)**
|
||||
|
||||
Test Windows 10 S on various Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us.
|
||||
|
||||
##  Switch
|
||||
|
||||
<p><b><a href="change-to-pro-education.md" data-raw-source="[Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md)">Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S</a></b><br />If you have an education tenant and use Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education.</p>
|
||||
**[Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md)**
|
||||
|
||||
If you have an education tenant and use Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education.
|
||||
|
||||
## Windows 8.1
|
||||
|
||||
@ -54,9 +88,11 @@ Follow these links to find step-by-step guidance on how to deploy Windows 8.1 in
|
||||
<p><b><a href="/previous-versions/windows/it-pro/windows-8.1-and-8/dn645532(v=ws.11)" target="_blank">Microsoft Store apps</a></b><br />Explore Microsoft Store app deployment strategies and considerations for educational institutions running Windows 8.1.</p>
|
||||
<p><b><a href="/previous-versions/windows/it-pro/windows-8.1-and-8/dn645486(v=ws.11)" target="_blank">Windows To Go</a></b><br />Learn about the benefits, limitations, and processes involved in deploying Windows To Go.</p>
|
||||
|
||||
## Related topics
|
||||
## Related articles
|
||||
|
||||
- [Microsoft Education documentation and resources](/education)
|
||||
- [Windows 10 and Windows 10 Mobile](/windows/windows-10/)
|
||||
- [Windows for business](https://www.microsoft.com/windows/business)
|
||||
- [Microsoft 365 for business](https://www.microsoft.com/microsoft-365/business)
|
||||
|
||||
<!--
|
||||
<p><b><a href="/education/" target="_blank">Try it out: Windows 10 deployment (for education)</a></b><br />Learn how to upgrade devices running the Windows 7 operating system to Windows 10 Anniversary Update, and how to manage devices, apps, and users in Windows 10 Anniversary Update.<br /><br />For the best experience, use this guide in tandem with the <a href="https://vlabs.holsystems.com/vlabs/technet?eng=VLabs&auth=none&src=vlabs&altadd=true&labid=20949&lod=true" target="_blank">TechNet Virtual Lab: IT Pro Try-It-Out</a>.</p>
|
||||
|
@ -27,7 +27,7 @@ ms.topic: conceptual
|
||||
Are you ready to move your business to the cloud or wondering what it takes to make this happen with Microsoft cloud services and tools?
|
||||
|
||||
In this walkthrough, we'll show you how to deploy and manage a full cloud IT solution for your small to medium business using Microsoft 365 Business Standard, Microsoft Azure AD, Intune, Microsoft Store for Business, and Windows 10. We'll show you the basics on how to:
|
||||
- Acquire an Microsoft 365 for business domain
|
||||
- Acquire a Microsoft 365 for business domain
|
||||
- Add Microsoft Intune and Azure Active Directory (AD) Premium licenses to your business tenant
|
||||
- Set up Microsoft Store for Business and manage app deployment and sync with Intune
|
||||
- Add users and groups in Azure AD and Intune
|
||||
@ -37,27 +37,29 @@ In this walkthrough, we'll show you how to deploy and manage a full cloud IT sol
|
||||
Go to the <a href="https://business.microsoft.com" target="_blank">Microsoft Business site</a> and select **Products** to learn more about pricing and purchasing options for your business.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
Here's a few things to keep in mind before you get started:
|
||||
|
||||
- You'll need a registered domain to successfully go through the walkthrough.
|
||||
- If you already own a domain, you can add this during the Office 365 setup.
|
||||
- If you don't already own a domain, you'll have the option to purchase a domain from the Microsoft 365 admin center. We'll show how to do this as part of the walkthrough.
|
||||
- If you don't already own a domain, you can purchase a domain from the Microsoft 365 admin center. This walkthrough includes the steps.
|
||||
- You'll need an email address to create your Office 365 tenant.
|
||||
- We recommend that you use Internet Explorer for the entire walkthrough. Right click on Internet Explorer and then choose **Start InPrivate Browsing**.
|
||||
- We recommend that you use Internet Explorer for the entire walkthrough. Right select on Internet Explorer > **Start InPrivate Browsing**.
|
||||
|
||||
## 1. Set up your cloud infrastructure
|
||||
To set up a cloud infrastructure for your organization, follow the steps in this section.
|
||||
|
||||
### 1.1 Set up Office 365 for business
|
||||
See <a href="https://support.office.com/en-us/article/Set-up-Office-365-for-business-6a3a29a0-e616-4713-99d1-15eda62d04fa" target="_blank">Set up Office 365 for business</a> to learn more about the setup steps for businesses and nonprofits who have Office 365. You can watch video and learn how to:
|
||||
See <a href="https://support.office.com/article/Set-up-Office-365-for-business-6a3a29a0-e616-4713-99d1-15eda62d04fa" target="_blank">Set up Office 365 for business</a> to learn more about the setup steps for businesses and nonprofits who have Office 365. You can watch video and learn how to:
|
||||
- Plan your setup
|
||||
- Create Office 365 accounts and how to add your domain.
|
||||
- Install Office
|
||||
|
||||
To set up your Microsoft 365 for business tenant, see <a href="https://support.office.com/en-us/article/Get-started-with-Office-365-for-Business-d6466f0d-5d13-464a-adcb-00906ae87029" target="_blank">Get Started with Microsoft 365 for business</a>.
|
||||
To set up your Microsoft 365 for business tenant, see <a href="https://support.office.com/article/Get-started-with-Office-365-for-Business-d6466f0d-5d13-464a-adcb-00906ae87029" target="_blank">Get Started with Microsoft 365 for business</a>.
|
||||
|
||||
If this is the first time you're setting this up, and you'd like to see how it's done, you can follow these steps to get started:
|
||||
If you're new at setting up Office 365, and you'd like to see how it's done, you can follow these steps to get started:
|
||||
|
||||
1. Go to the <a href="https://products.office.com/en-us/business/office-365-affiliate-program-buy-business-premium" target="_blank">Office 365</a> page in the <a href="https://business.microsoft.com" target="_blank">Microsoft Business site</a>. Select **Try now** to use the Microsoft 365 Business Standard Trial or select **Buy now** to sign up for Microsoft 365 Business Standard. In this walkthrough, we'll select **Try now**.
|
||||
1. Go to the <a href="https://products.office.com/business/office-365-affiliate-program-buy-business-premium" target="_blank">Office 365</a> page in the <a href="https://business.microsoft.com" target="_blank">Microsoft Business site</a>. Select **Try now** to use the Microsoft 365 Business Standard Trial or select **Buy now** to sign up for Microsoft 365 Business Standard. In this walkthrough, we'll select **Try now**.
|
||||
|
||||
**Figure 1** - Try or buy Office 365
|
||||
|
||||
@ -76,17 +78,17 @@ If this is the first time you're setting this up, and you'd like to see how it's
|
||||
|
||||
**Figure 2** - Microsoft 365 admin center
|
||||
|
||||

|
||||

|
||||
|
||||
|
||||
6. Select the **Admin** tile to go to the admin center.
|
||||
7. In the admin center, click **Next** to see the highlights and welcome info for the admin center. When you're done, click **Go to setup** to complete the Office 365 setup.
|
||||
|
||||
This may take up to a half hour to complete.
|
||||
This step can take up to a half hour to complete.
|
||||
|
||||
**Figure 3** - Admin center
|
||||
|
||||

|
||||

|
||||
|
||||
|
||||
8. Go back to the <a href="https://portal.office.com/adminportal/home#/homepage" target="_blank">admin center</a> to add or buy a domain.
|
||||
@ -97,7 +99,7 @@ If this is the first time you're setting this up, and you'd like to see how it's
|
||||

|
||||
|
||||
|
||||
2. In the **Home > Domains** page, you will see the Microsoft-provided domain, such as *fabrikamdesign.onmicrosoft.com*.
|
||||
2. In the **Home > Domains** page, you will see the Microsoft-provided domain, such as `fabrikamdesign.onmicrosoft.com`.
|
||||
|
||||
**Figure 5** - Microsoft-provided domain
|
||||
|
||||
@ -128,7 +130,7 @@ When adding users, you can also assign admin privileges to certain users in your
|
||||
2. In the **Home > Active users** page, add users individually or in bulk.
|
||||
- To add users one at a time, select **+ Add a user**.
|
||||
|
||||
If you select this option, you'll see the **New user** screen and you can add details about the new user including their name, user name, role, and so on. You also have the opportunity to assign **Product licenses**. For detailed step-by-step info on adding a user account, see *Add a user account in the admin center* in <a href="https://support.office.com/en-us/article/Add-users-individually-or-in-bulk-to-Office-365-Admin-Help-1970f7d6-03b5-442f-b385-5880b9c256ec" target="_blank">Add users individually or in bulk to Office 365 - Admin Help</a>.
|
||||
If you select this option, you'll see the **New user** screen and you can add details about the new user including their name, user name, role, and so on. You also have the opportunity to assign **Product licenses**. For detailed step-by-step info on adding a user account, see *Add a user account in the admin center* in <a href="https://support.office.com/article/Add-users-individually-or-in-bulk-to-Office-365-Admin-Help-1970f7d6-03b5-442f-b385-5880b9c256ec" target="_blank">Add users individually or in bulk to Office 365 - Admin Help</a>.
|
||||
|
||||
**Figure 8** - Add an individual user
|
||||
|
||||
@ -136,7 +138,7 @@ When adding users, you can also assign admin privileges to certain users in your
|
||||
|
||||
- To add multiple users at once, select **More** and then choose **+ Import multiple users**. If you select this option, you'll need to create and upload a CSV file containing the list of users.
|
||||
|
||||
The **Import multiple users** screen includes a link where you can learn more about importing multiple users and also links for downloading a sample CSV file (one with headers only and another with headers and sample user information). For detailed step-by-step info on adding multiple users to Office 365, see <a href="https://support.office.com/en-us/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88" target="_blank">Add several users at the same time to Office 365 - Admin Help</a>. Once you've added all the users, don't forget to assign **Product licenses** to the new users.
|
||||
The **Import multiple users** screen includes a link where you can learn more about importing multiple users and also links for downloading a sample CSV file (one with headers only and another with headers and sample user information). For detailed step-by-step info on adding multiple users to Office 365, see <a href="https://support.office.com/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88" target="_blank">Add several users at the same time to Office 365 - Admin Help</a>. Once you've added all the users, don't forget to assign **Product licenses** to the new users.
|
||||
|
||||
**Figure 9** - Import multiple users
|
||||
|
||||
@ -163,7 +165,7 @@ Microsoft Intune provides mobile device management, app management, and PC manag
|
||||

|
||||
|
||||
5. In the admin center, confirm that **Intune** shows up in the list under **Admin centers**. If it doesn't, sign out and then sign back in and then check again.
|
||||
6. Select **Intune**. This will take you to the Intune management portal.
|
||||
6. Select **Intune**. This step opens the Endpoint Manager admin center.
|
||||
|
||||
**Figure 12** - Microsoft Intune management portal
|
||||
|
||||
@ -187,8 +189,8 @@ Microsoft Azure is an open and flexible cloud platform that enables you to quick
|
||||
|
||||

|
||||
|
||||
3. From the error message, select the country/region for your business. This should match with the location you specified when you signed up for Office 365.
|
||||
4. Click **Azure subscription**. This will take you to a free trial sign up screen.
|
||||
3. From the error message, select the country/region for your business. The region should match with the location you specified when you signed up for Office 365.
|
||||
4. Select **Azure subscription**. This step will take you to a free trial sign up screen.
|
||||
|
||||
**Figure 14** - Sign up for Microsoft Azure
|
||||
|
||||
@ -201,7 +203,7 @@ Microsoft Azure is an open and flexible cloud platform that enables you to quick
|
||||
|
||||

|
||||
|
||||
This will take you to the <a href="https://portal.azure.com" target="_blank">Microsoft Azure portal</a>.
|
||||
This step will take you to the <a href="https://portal.azure.com" target="_blank">Microsoft Azure portal</a>.
|
||||
|
||||
### 1.5 Add groups in Azure AD
|
||||
This section is the walkthrough is optional. However, we recommend that you create groups in Azure AD to manage access to corporate resources, such as apps, policies and settings, and so on. For more information, see <a href="/azure/active-directory/active-directory-manage-groups" target="_blank">Managing access to resources with Azure Active Directory groups</a>.
|
||||
@ -257,7 +259,7 @@ You can read <a href="https://blogs.technet.microsoft.com/enterprisemobility/201
|
||||
|
||||
**To enable automatic MDM enrollment**
|
||||
|
||||
1. In to the <a href="https://manage.windowsazure.com/" target="_blank">classic Azure portal</a>, click on your company's Azure Active Directory to go back to the main window. Select **Applications** from the list of directory menu options.
|
||||
1. In the <a href="https://manage.windowsazure.com/" target="_blank">classic Azure portal</a>, click on your company's Azure Active Directory to go back to the main window. Select **Applications** from the list of directory menu options.
|
||||
|
||||
The list of applications for your company will appear. **Microsoft Intune** will be one of the applications on the list.
|
||||
|
||||
@ -294,7 +296,7 @@ You can read <a href="https://blogs.technet.microsoft.com/enterprisemobility/201
|
||||
### 1.7 Configure Microsoft Store for Business for app distribution
|
||||
Next, you'll need to configure Microsoft Store for Business to distribute apps with a management tool such as Intune.
|
||||
|
||||
In this part of the walkthrough, we'll be working on the <a href="https://manage.microsoft.com/" target="_blank">Microsoft Intune management portal</a> and <a href="https://businessstore.microsoft.com/en-us/Store/Apps" target="_blank">Microsoft Store for Business</a>.
|
||||
In this part of the walkthrough, we'll be working on the <a href="https://manage.microsoft.com/" target="_blank">Microsoft Intune management portal</a> and <a href="https://businessstore.microsoft.com/Store/Apps" target="_blank">Microsoft Store for Business</a>.
|
||||
|
||||
**To associate your Store account with Intune and configure synchronization**
|
||||
|
||||
@ -305,7 +307,7 @@ In this part of the walkthrough, we'll be working on the <a href="https://manage
|
||||
|
||||

|
||||
|
||||
3. Sign into <a href="https://businessstore.microsoft.com/en-us/Store/Apps" target="_blank">Microsoft Store for Business</a> using the same tenant account that you used to sign into Intune.
|
||||
3. Sign into <a href="https://businessstore.microsoft.com/Store/Apps" target="_blank">Microsoft Store for Business</a> using the same tenant account that you used to sign into Intune.
|
||||
4. Accept the EULA.
|
||||
5. In the Store portal, select **Settings > Management tools** to go to the management tools page.
|
||||
6. In the **Management tools** page, find **Microsoft Intune** on the list and click **Activate** to get Intune ready to use with Microsoft Store for Business.
|
||||
@ -331,7 +333,7 @@ In this part of the walkthrough, we'll be working on the <a href="https://manage
|
||||
|
||||
**To buy apps from the Store**
|
||||
|
||||
In your <a href="https://businessstore.microsoft.com/en-us/Store/Apps" target="_blank">Microsoft Store for Business</a> portal, you can see the list of apps that you own by going to **Manage > Inventory**. You should see the following apps in your inventory:
|
||||
In your <a href="https://businessstore.microsoft.com/Store/Apps" target="_blank">Microsoft Store for Business</a> portal, you can see the list of apps that you own by going to **Manage > Inventory**. You should see the following apps in your inventory:
|
||||
- Sway
|
||||
- OneNote
|
||||
- PowerPoint Mobile
|
||||
@ -344,7 +346,7 @@ In the following example, we'll show you how to buy apps through the Microsoft S
|
||||
|
||||
**Example 1 - Add other apps like Reader and InstaNote**
|
||||
|
||||
1. In the <a href="https://businessstore.microsoft.com/en-us/Store/Apps" target="_blank">Microsoft Store for Business</a> portal, click **Shop**, scroll down to the **Made by Microsoft** category, and click **Show all** to see all the Microsoft apps in the list.
|
||||
1. In the <a href="https://businessstore.microsoft.com/Store/Apps" target="_blank">Microsoft Store for Business</a> portal, click **Shop**, scroll down to the **Made by Microsoft** category, and click **Show all** to see all the Microsoft apps in the list.
|
||||
|
||||
**Figure 28** - Shop for Store apps
|
||||
|
||||
@ -405,7 +407,7 @@ To set up new Windows devices, go through the Windows initial device setup or fi
|
||||
|
||||

|
||||
|
||||
4. In the **Let's get you signed in** screen, sign in using one of the user accounts you added in section [1.2 Add users and assign product licenses](#12-add-users-and-assign-product-licenses). We suggest signing in as one of the global administrators. Later, sign in on another device using one of the non-admin accounts.
|
||||
4. In the **Let's get you signed in** screen, sign in using a user account you added in section [1.2 Add users and assign product licenses](#12-add-users-and-assign-product-licenses). We suggest signing in as one of the global administrators. Later, sign in on another device using one of the non-admin accounts.
|
||||
|
||||
**Figure 33** - Sign in using one of the accounts you added
|
||||
|
||||
@ -419,14 +421,14 @@ To set up new Windows devices, go through the Windows initial device setup or fi
|
||||
Verify that the device is set up correctly and boots without any issues.
|
||||
|
||||
**To verify that the device was set up correctly**
|
||||
1. Click on the **Start** menu and select some of the options to make sure everything launches properly.
|
||||
1. Click on the **Start** menu and select some of the options to make sure everything opens properly.
|
||||
2. Confirm that the Store and built-in apps are working.
|
||||
|
||||
### 2.3 Verify the device is Azure AD joined
|
||||
In the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, verify that the device is joined to Azure AD and shows up as being managed in Microsoft Intune.
|
||||
|
||||
**To verify if the device is joined to Azure AD**
|
||||
1. Check the device name on your PC. To do this, on your Windows PC, select **Settings > System > About** and then check **PC name**.
|
||||
1. Check the device name on your PC. On your Windows PC, select **Settings > System > About** and then check **PC name**.
|
||||
|
||||
**Figure 34** - Check the PC name on your device
|
||||
|
||||
@ -456,7 +458,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the
|
||||
2. Select the app, right-click, then select **Manage Deployment...**.
|
||||
3. Select the group(s) whose apps will be managed, and then click **Add** to add the group.
|
||||
4. Click **Next** at the bottom of the app deployment settings window or select **Deployment Action** on the left column to check the deployment settings for the app.
|
||||
5. For each group that you selected, set **Approval** to **Required Install**. This automatically sets **Deadline** to **As soon as possible**. If **Deadline** is not automatically set, set it to **As soon as possible**.
|
||||
5. For each group that you selected, set **Approval** to **Required Install**. This step automatically sets **Deadline** to **As soon as possible**. If **Deadline** is not automatically set, set it to **As soon as possible**.
|
||||
|
||||
**Figure 36** - Reconfigure an app's deployment setting in Intune
|
||||
|
||||
@ -464,7 +466,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the
|
||||
|
||||
6. Click **Finish**.
|
||||
7. Repeat steps 2-6 for other apps that you want to deploy to the device(s) as soon as possible.
|
||||
8. Verify that the app shows up on the device. To do this:
|
||||
8. Verify that the app shows up on the device using the following steps:
|
||||
- Make sure you're logged in to the Windows device.
|
||||
- Click the **Start** button and check the apps that appear in the **Recently added** section. If you don't see the apps that you deployed in Intune, give it a few minutes. Only apps that aren't already deployed on the device will appear in the **Recently added** section.
|
||||
|
||||
@ -563,23 +565,25 @@ For other devices, such as those personally-owned by employees who need to conne
|
||||
### 4.2 Add a new user
|
||||
You can add new users to your tenant simply by adding them to the Microsoft 365 groups. Adding new users to Microsoft 365 groups automatically adds them to the corresponding groups in Microsoft Intune.
|
||||
|
||||
See [Add users to Office 365](https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc?ui=en-US&rs=en-US&ad=US&fromAR=1) to learn more. Once you're done adding new users, go to the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a> and verify that the same users were added to the Intune groups as well.
|
||||
See [Add users to Office 365](/microsoft-365/admin/add-users/add-users) to learn more. Once you're done adding new users, go to the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a> and verify that the same users were added to the Intune groups as well.
|
||||
|
||||
## Get more info
|
||||
|
||||
### For IT admins
|
||||
To learn more about the services and tools mentioned in this walkthrough, and learn what other tasks you can do, follow these links:
|
||||
- <a href="https://support.office.com/en-us/article/Set-up-Office-365-for-business-6a3a29a0-e616-4713-99d1-15eda62d04fa" target="_blank">Set up Office 365 for business</a>
|
||||
- Common admin tasks in Office 365 including email and OneDrive in <a href="https://support.office.com/en-us/article/Common-management-tasks-for-Office-365-46c667f7-5073-47b9-a75f-05a60cf77d91" target="_blank">Manage Office 365</a>
|
||||
- <a href="https://support.office.com/article/Set-up-Office-365-for-business-6a3a29a0-e616-4713-99d1-15eda62d04fa" target="_blank">Set up Office 365 for business</a>
|
||||
- Common admin tasks in Office 365 including email and OneDrive in <a href="https://support.office.com/article/Common-management-tasks-for-Office-365-46c667f7-5073-47b9-a75f-05a60cf77d91" target="_blank">Manage Office 365</a>
|
||||
- More info about managing devices, apps, data, troubleshooting, and more in <a href="/intune/" target="_blank">Intune documentation</a>
|
||||
- Learn more about Windows 10 in <a href="/windows/windows-10/" target="_blank">Windows 10 guide for IT pros</a>
|
||||
- Learn more about Windows client in the [Windows client documentation for IT Pros](/windows/resources/).
|
||||
- Info about distributing apps to your employees, managing apps, managing settings, and more in <a href="/microsoft-store/" target="_blank">Microsoft Store for Business</a>
|
||||
|
||||
### For information workers
|
||||
Whether it's in the classroom, getting the most out of your devices, or learning some of the cool things you can do, we've got teachers covered. Follow these links for more info:
|
||||
- <a href="https://support.office.com/" target="_blank">Office help and training</a>
|
||||
- <a href="https://support.microsoft.com/products/windows?os=windows-10" target="_blank">Windows 10 help</a>
|
||||
|
||||
- [Office Help & Training](https://support.microsoft.com/office)
|
||||
- [Windows help & learning](https://support.microsoft.com/windows)
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Windows 10 and Windows 10 Mobile](/windows/windows-10/)
|
||||
- [Windows for business](https://www.microsoft.com/windows/business)
|
||||
- [Microsoft 365 for business](https://www.microsoft.com/microsoft-365/business)
|
||||
|
35
smb/index.md
35
smb/index.md
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Windows 10 for small to midsize businesses
|
||||
title: Windows 10/11 for small to midsize businesses
|
||||
description: Microsoft products and devices to transform and grow your businessLearn how to use Windows 10 for your small to midsize business.
|
||||
keywords: Windows 10, SMB, small business, midsize business, business
|
||||
keywords: Windows 10, Windows 11, SMB, small business, midsize business, business
|
||||
ms.prod: w10
|
||||
ms.technology:
|
||||
ms.topic: article
|
||||
@ -15,22 +15,39 @@ manager: dansimp
|
||||
audience: itpro
|
||||
---
|
||||
|
||||
# Windows 10 for SMB
|
||||
# Windows 10/11 for Small and Medium Business (SMB)
|
||||
|
||||

|
||||
|
||||
##  Learn
|
||||
|
||||
<p><b><a href="https://business.microsoft.com/en-us/products/windows" target="_blank">Windows 10 for business</a></b><br />Learn how Windows 10 and Windows devices can help your business.</p>
|
||||
<p><b><a href="https://blogs.business.microsoft.com/" target="_blank">SMB blog</a></b><br />Read about the latest stories, technology insights, and business strategies for SMBs.</p>
|
||||
<p><b><a href="https://business.microsoft.com/en-us/products" target="_blank">How to buy</a></b><br />Go here when you're ready to buy or want to learn more about Microsoft products you can use to help transform your business.</p>
|
||||
**[Windows for business](https://www.microsoft.com/windows/business)**
|
||||
|
||||
Learn how Windows can help your business be more productive, collaborate better, and be more secure.
|
||||
|
||||
**[Bing Pages](https://www.microsoft.com/bing/bing-pages-overview)**
|
||||
|
||||
Use Bing to grow your business and enhance your brand online.
|
||||
|
||||
**[Customer stories](https://customers.microsoft.com/)**
|
||||
|
||||
Read about the latest stories and technology insights.
|
||||
|
||||
**[SMB Blog](https://techcommunity.microsoft.com/t5/small-and-medium-business-blog/bg-p/Microsoft365BusinessBlog)**
|
||||
|
||||
Read about business strategies and collaborations with SMBs.
|
||||
|
||||
**[Business Solutions and Technology](https://www.microsoft.com/store/b/business)**
|
||||
|
||||
Learn more about Microsoft products, or when you're ready to buy products and services to help transform your business.
|
||||
|
||||
##  Deploy
|
||||
|
||||
<p><b><a href="cloud-mode-business-setup.md" data-raw-source="[Get started: Deploy and manage a full cloud IT solution for your business](cloud-mode-business-setup.md)">Get started: Deploy and manage a full cloud IT solution for your business</a></b><br />Find out how easy it is to deploy and manage a full cloud IT solution for your small to midsize business using Microsoft cloud services and tools.</p>
|
||||
**[Get started: Deploy and manage a full cloud IT solution for your business](cloud-mode-business-setup.md)**
|
||||
|
||||
Using Microsoft cloud services and tools, it can be easy to deploy and manage a full cloud IT solution for your small to midsize business.
|
||||
|
||||
## Related topics
|
||||
## Related articles
|
||||
|
||||
- [Windows 10 and Windows 10 Mobile](/windows/windows-10/)
|
||||
- [Windows for business](https://www.microsoft.com/windows/business)
|
||||
- [Microsoft 365 for business](https://www.microsoft.com/microsoft-365/business)
|
||||
|
@ -24,7 +24,7 @@ ms.date: 07/21/2021
|
||||
> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021.
|
||||
>
|
||||
> Following are the major changes we are making to the service:
|
||||
> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/.
|
||||
> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download at [https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/](https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/).
|
||||
> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it).
|
||||
> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files.
|
||||
>
|
||||
@ -41,7 +41,6 @@ ms.date: 07/21/2021
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device. Then, create the catalog files for your unsigned app, sign the catalog files, and then merge the default policy that includes your signing certificate with existing code integrity policies.
|
||||
|
||||
|
@ -19,7 +19,6 @@ ms.date: 07/21/2021
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
|
||||
@ -64,12 +63,12 @@ Each app in the Store for Business has an online, or an offline license. For mor
|
||||
|
||||
| Action | Online-licensed app | Offline-licensed app |
|
||||
| ------ | ------------------- | -------------------- |
|
||||
| Assign to employees | X | |
|
||||
| Add to private store | X | |
|
||||
| Remove from private store | X | |
|
||||
| View license details | X | |
|
||||
| View product details | X | X |
|
||||
| Download for offline use | | X |
|
||||
| Assign to employees | ✔️ | |
|
||||
| Add to private store | ✔️ | |
|
||||
| Remove from private store | ✔️ | |
|
||||
| View license details | ✔️ | |
|
||||
| View product details | ✔️ | ✔️ |
|
||||
| Download for offline use | | ✔️ |
|
||||
|
||||
The actions in the table are how you distribute apps, and manage app licenses. We'll cover those in the next sections. Working with offline-licensed apps has different steps. For more information on distributing offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md).
|
||||
|
||||
|
@ -21,7 +21,6 @@ ms.date: 07/21/2021
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
|
||||
|
@ -21,7 +21,6 @@ ms.date: 07/21/2021
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
|
||||
|
@ -18,8 +18,8 @@ ms.date: 07/21/2021
|
||||
# Configure an MDM provider
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
|
||||
|
@ -20,7 +20,6 @@ ms.date: 07/21/2021
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
|
||||
@ -133,7 +132,7 @@ Device Guard is a feature set that consists of both hardware and software system
|
||||
**JobDescription** - string, optional - A short (< 100 chars), human-readable description of this submission. If the script is being called as part of an automated build rocess the agent may wish to pass a version number or changeset number for this field. This information will be provided as part of the results of the Get-SigningHistory command.
|
||||
|
||||
**Submit-SigningV1MigrationPolicy** Submits a file to the service for signing and timestamping. The only valid file type for policy
|
||||
signing is binary policy files with the extension (.bin) that have been created via the [ConvertFromCiPolicy](/powershell/module/configci/convertfrom-cipolicy?view=windowsserver2019-ps&viewFallbackFrom=win10-ps) cmdlet. Otherwise, binary policy file may not be deployed properly. Note: Only use for V1 migration.
|
||||
signing is binary policy files with the extension (.bin) that have been created via the [ConvertFromCiPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet. Otherwise, binary policy file may not be deployed properly. Note: Only use for V1 migration.
|
||||
|
||||
- Usage:
|
||||
|
||||
|
@ -20,7 +20,6 @@ ms.date: 07/21/2021
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
|
||||
|
@ -21,7 +21,6 @@ ms.date: 07/21/2021
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
|
||||
|
@ -21,7 +21,6 @@ ms.date: 07/21/2021
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
|
||||
|
@ -21,7 +21,6 @@ ms.date: 07/21/2021
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
|
||||
|
@ -21,7 +21,6 @@ ms.date: 07/21/2021
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
|
||||
|
@ -19,7 +19,6 @@ ms.date: 07/21/2021
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
|
||||
|
@ -20,7 +20,6 @@ ms.date: 07/21/2021
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
|
||||
@ -40,9 +39,9 @@ Organizations can use either an MDM policy, or Group Policy to show only their p
|
||||
Organizations using an MDM to manage apps can use a policy to show only the private store. When your MDM supports Microsoft Store for Business, the MDM can use the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). More specifically, the [ApplicationManagement/RequirePrivateStoreOnly](/windows/client-management/mdm/policy-configuration-service-provider#ApplicationManagement_RequirePrivateStoreOnly) policy.
|
||||
|
||||
**ApplicationManagement/RequirePrivateStoreOnly** policy is supported on the following Windows 10 editions:
|
||||
|
||||
- Enterprise
|
||||
- Education
|
||||
- Mobile
|
||||
|
||||
For more information on configuring an MDM provider, see [Configure an MDM provider](./configure-mdm-provider-microsoft-store-for-business.md).
|
||||
|
||||
@ -51,6 +50,7 @@ For more information on configuring an MDM provider, see [Configure an MDM provi
|
||||
If you're using Microsoft Store and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Microsoft Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store.
|
||||
|
||||
**Only display the private store within Microsoft Store app** group policy is supported on the following Windows 10 editions:
|
||||
|
||||
- Enterprise
|
||||
- Education
|
||||
|
||||
|
@ -20,7 +20,6 @@ ms.date: 07/21/2021
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
|
||||
|
@ -20,7 +20,6 @@ ms.localizationpriority: medium
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
|
||||
|
@ -20,7 +20,6 @@ ms.date: 07/21/2021
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
|
||||
|
@ -21,7 +21,6 @@ ms.date: 07/21/2021
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
|
||||
|
@ -4,7 +4,7 @@ description: With Microsoft Store for Business and Microsoft Store for Education
|
||||
ms.assetid: 9DA71F6B-654D-4121-9A40-D473CC654A1C
|
||||
ms.reviewer:
|
||||
ms.prod: w10
|
||||
ms.pagetype: store, mobile
|
||||
ms.pagetype: store
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
ms.author: cmcatee
|
||||
@ -20,7 +20,6 @@ ms.date: 07/21/2021
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
|
||||
@ -92,10 +91,10 @@ After your admin signs up for the Store for Business and Education, they can ass
|
||||
|
||||
| Permission | Account settings | Acquire apps | Distribute apps | Device Guard signing |
|
||||
| ---------- | ---------------- | ------------ | --------------- | -------------------- |
|
||||
| Admin | X | X | X | |
|
||||
| Purchaser | | X | X | |
|
||||
| Device Guard signer | | | | X |
|
||||
| Basic purchaser | | X | X | |
|
||||
| Admin | ✔️ | ✔️ | ✔️ | |
|
||||
| Purchaser | | ✔️ | ✔️ | |
|
||||
| Device Guard signer | | | | ✔️ |
|
||||
| Basic purchaser | | ✔️ | ✔️ | |
|
||||
|
||||
> [!NOTE]
|
||||
> Currently, the Basic purchaser role is only available for schools using Microsoft Store for Education. For more information, see [Microsoft Store for Education permissions](/education/windows/education-scenarios-store-for-business?toc=%2fmicrosoft-store%2feducation%2ftoc.json#manage-domain-settings).
|
||||
|
@ -22,7 +22,6 @@ ms.date: 07/21/2021
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
|
||||
|
@ -20,7 +20,6 @@ ms.date: 07/21/2021
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
|
||||
|
@ -21,7 +21,6 @@ ms.date: 07/21/2021
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
|
||||
@ -37,13 +36,13 @@ Microsoft Store for Business and Education has a set of roles that help admins a
|
||||
|
||||
This table lists the global user accounts and the permissions they have in Microsoft Store.
|
||||
|
||||
| | **Global Administrator** | **Billing Administrator** |
|
||||
|| Global Administrator | Billing Administrator |
|
||||
| ------------------------------ | --------------------- | --------------------- |
|
||||
| **Sign up for Microsoft Store for Business and Education** | X | X |
|
||||
| **Modify company profile settings** | X | X |
|
||||
| **Purchase apps** | X | X |
|
||||
| **Distribute apps** | X | X |
|
||||
| **Purchase subscription-based software** | X | X |
|
||||
| **Sign up for Microsoft Store for Business and Education** | ✔️ | ✔️ |
|
||||
| **Modify company profile settings** | ✔️ | ✔️ |
|
||||
| **Purchase apps** | ✔️ | ✔️ |
|
||||
| **Distribute apps** | ✔️ | ✔️ |
|
||||
| **Purchase subscription-based software** | ✔️ | ✔️ |
|
||||
|
||||
- **Global Administrator** and **Billing Administrator** - IT Pros with these accounts have full access to Microsoft Store. They can do everything allowed in the Microsoft Store Admin role, plus they can sign up for Microsoft Store.
|
||||
|
||||
@ -53,14 +52,14 @@ Microsoft Store for Business has a set of roles that help IT admins and employee
|
||||
|
||||
This table lists the roles and their permissions.
|
||||
|
||||
| | **Admin** | **Purchaser** | **Device Guard signer** |
|
||||
|| Admin | Purchaser | Device Guard signer |
|
||||
| ------------------------------ | ------ | -------- | ------------------- |
|
||||
| **Assign roles** | X | | |
|
||||
| **Manage Microsoft Store for Business and Education settings** | X | | |
|
||||
| **Acquire apps** | X | X | |
|
||||
| **Distribute apps** | X | X | |
|
||||
| **Sign policies and catalogs** | X | | |
|
||||
| **Sign Device Guard changes** | X | | X |
|
||||
| **Assign roles** | ✔️ | | |
|
||||
| **Manage Microsoft Store for Business and Education settings** | ✔️ | | |
|
||||
| **Acquire apps** | ✔️ | ✔️ | |
|
||||
| **Distribute apps** | ✔️ | ✔️ | |
|
||||
| **Sign policies and catalogs** | ✔️ | | |
|
||||
| **Sign Device Guard changes** | ✔️ | | ✔️ |
|
||||
|
||||
These permissions allow people to:
|
||||
|
||||
|
@ -42,7 +42,6 @@ ms.date: 07/21/2021
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
Signing code integrity policies prevents policies from being tampered with after they're deployed. You can sign code integrity policies with the Device Guard signing portal.
|
||||
|
||||
|
@ -20,7 +20,6 @@ ms.date: 07/21/2021
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
|
||||
|
@ -20,7 +20,6 @@ ms.date: 07/21/2021
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
|
||||
@ -29,6 +28,7 @@ Troubleshooting topics for Microsoft Store for Business.
|
||||
|
||||
## Can't find apps in private store
|
||||
The private store for your organization is a page in Microsoft Store app that contains apps that are private to your organization. After your organization acquires an app, your Store for Business admin can add it to your organization's private store. Your private store usually has a name that is close to the name of your organization or company. If you can't see your private store, there are a couple of things to check:
|
||||
|
||||
- **No apps in the private store** - The private store page is only available in Microsoft Store on Windows 10 if there are apps added to your private store. You won't see your private store page with no apps listed on it. If your Microsoft Store for Business admin has added an app to the private store, and the private store page is still not available, they can check the private store status for the app on **Product & services - Apps**. If the status under **Private store** is **Add in progress**, wait and check back.
|
||||
- **Signed in with the wrong account** - If you have multiple accounts that you use in your organization, you might be signed in with the wrong account. Or, you might not be signed in. Use this procedure to sign in with your organization account.
|
||||
|
||||
@ -64,5 +64,5 @@ If you are still having trouble using Microsoft Store or installing an app, Admi
|
||||
|
||||
**To view Support page**
|
||||
|
||||
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com)
|
||||
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com).
|
||||
2.Choose **Manage**> **Support**.
|
||||
|
@ -20,7 +20,6 @@ ms.date: 07/21/2021
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
|
||||
|
@ -289,6 +289,10 @@ To collect Event Viewer logs:
|
||||
- [Filter Using Security Groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc752992(v=ws.11))
|
||||
- [Enforce a Group Policy Object Link](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753909(v=ws.11))
|
||||
- [Group Policy Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra)
|
||||
- [Getting started with Cloud Native Windows Endpoints](https://docs.microsoft.com/mem/cloud-native-windows-endpoints)
|
||||
- [A Framework for Windows endpoint management transformation](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/a-framework-for-windows-endpoint-management-transformation/ba-p/2460684)
|
||||
- [Success with remote Windows Autopilot and Hybrid Azure Active Director join](https://techcommunity.microsoft.com/t5/intune-customer-success/success-with-remote-windows-autopilot-and-hybrid-azure-active/ba-p/2749353)
|
||||
|
||||
|
||||
### Useful Links
|
||||
- [Windows 10 Administrative Templates for Windows 10 May 2021 Update 21H1](https://www.microsoft.com/download/details.aspx?id=103124)
|
||||
|
@ -19,8 +19,7 @@ The EnterpriseAssignedAccess configuration service provider allows IT administra
|
||||
|
||||
> **Note** The EnterpriseAssignedAccess CSP is only supported in Windows 10 Mobile.
|
||||
|
||||
|
||||
To use an app to create a lockdown XML see [Use the Lockdown Designer app to create a Lockdown XML file](/windows/configuration/mobile-devices/mobile-lockdown-designer). For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](/uwp/api/Windows.Embedded.DeviceLockdown.DeviceLockdownProfile).
|
||||
For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](/uwp/api/Windows.Embedded.DeviceLockdown.DeviceLockdownProfile).
|
||||
|
||||
The following shows the EnterpriseAssignedAccess configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
|
||||
```
|
||||
|
@ -176,8 +176,6 @@
|
||||
|
||||
- name: Reference
|
||||
items:
|
||||
- name: Configure Windows 10 Mobile devices
|
||||
href: mobile-devices/configure-mobile.md
|
||||
- name: Windows Configuration Designer reference
|
||||
items:
|
||||
- name: Windows Configuration Designer provisioning settings (reference)
|
||||
@ -229,9 +227,7 @@
|
||||
- name: DMClient
|
||||
href: wcd/wcd-dmclient.md
|
||||
- name: EditionUpgrade
|
||||
href: wcd/wcd-editionupgrade.md
|
||||
- name: EmbeddedLockdownProfiles
|
||||
href: wcd/wcd-embeddedlockdownprofiles.md
|
||||
href: wcd/wcd-editionupgrade.md
|
||||
- name: FirewallConfiguration
|
||||
href: wcd/wcd-firewallconfiguration.md
|
||||
- name: FirstExperience
|
||||
@ -389,23 +385,3 @@
|
||||
href: ue-v/uev-application-template-schema-reference.md
|
||||
- name: Security Considerations for UE-V
|
||||
href: ue-v/uev-security-considerations.md
|
||||
|
||||
|
||||
- name: Use Windows Configuration Designer for Windows 10 Mobile devices
|
||||
items:
|
||||
- name: Use Windows Configuration Designer to configure Windows 10 Mobile devices
|
||||
href: mobile-devices/provisioning-configure-mobile.md
|
||||
- name: NFC-based device provisioning
|
||||
href: mobile-devices/provisioning-nfc.md
|
||||
- name: Barcode provisioning and the package splitter tool
|
||||
href: mobile-devices/provisioning-package-splitter.md
|
||||
- name: Use the Lockdown Designer app to create a Lockdown XML file
|
||||
href: mobile-devices/mobile-lockdown-designer.md
|
||||
- name: Configure Windows 10 Mobile using Lockdown XML
|
||||
href: mobile-devices/lockdown-xml.md
|
||||
- name: Settings and quick actions that can be locked down in Windows 10 Mobile
|
||||
href: mobile-devices/settings-that-can-be-locked-down.md
|
||||
- name: Product IDs in Windows 10 Mobile
|
||||
href: mobile-devices/product-ids-in-windows-10-mobile.md
|
||||
- name: Start layout XML for mobile editions of Windows 10 (reference)
|
||||
href: mobile-devices/start-layout-xml-mobile.md
|
@ -12,15 +12,14 @@ ms.sitesec: library
|
||||
ms.pagetype: mobile
|
||||
author: greg-lindsay
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 05/02/2018
|
||||
ms.topic: article
|
||||
---
|
||||
|
||||
# Manage Wi-Fi Sense in your company
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
**Applies to**
|
||||
|
||||
- Windows 10 version 1709 and older
|
||||
|
||||
>[!IMPORTANT]
|
||||
>Beginning with Windows 10, version 1803, Wifi-Sense is no longer available. The following information only applies to Windows 10, version 1709 and prior. Please see [Connecting to open Wi-Fi hotspots in Windows 10](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) for more details.
|
||||
|
@ -1,33 +0,0 @@
|
||||
---
|
||||
title: Configure Windows 10 Mobile devices
|
||||
description:
|
||||
keywords: Windows 10, MDM, WSUS, Windows update
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: greg-lindsay
|
||||
ms.author: greglin
|
||||
ms.topic: article
|
||||
ms.date: 07/27/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
---
|
||||
|
||||
# Configure Windows 10 Mobile devices
|
||||
|
||||
Windows 10 Mobile enables administrators to define what users can see and do on a device, which you might think of as "configuring" or "customizing" or "device lockdown". Your device configuration can provide a standard Start screen with pre-installed apps, or restrict various settings and features, or even limit the device to run only a single app (kiosk).
|
||||
|
||||
## In this section
|
||||
|
||||
| Topic | Description |
|
||||
| --- | --- |
|
||||
| [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) | You can configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise as a kiosk device, so that users can only interact with a single application that you select. |
|
||||
| [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md) | Use Windows Configuration Designer to create provisioning packages. Using provisioning packages, you can easily specify desired configuration and settings required to enroll the devices into management and then apply that configuration to target devices in a matter of minutes. |
|
||||
| [Use the Lockdown Designer app to configure Windows 10 Mobile devices](mobile-lockdown-designer.md) | The Lockdown Designer app provides a guided wizard-like process to generate a Lockdown XML file that you can apply to devices running Windows 10 Mobile. |
|
||||
| [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) | Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. |
|
||||
| [Start layout XML for mobile editions of Windows 10 (reference)](start-layout-xml-mobile.md) | On Windows 10 Mobile, you can use the XML-based layout to modify the Start screen and provide the most robust and complete Start customization experience. This reference topic describes the supported elements and attributes for the LayoutModification.xml file. |
|
||||
| [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) | This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile. |
|
||||
| [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) | You can use the product ID and Application User Model (AUMID) in Lockdown.xml to specify apps that will be available to the user. |
|
||||
|
Binary file not shown.
@ -1,868 +0,0 @@
|
||||
---
|
||||
title: Configure Windows 10 Mobile using Lockdown XML (Windows 10)
|
||||
description: Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device.
|
||||
ms.assetid: 22C8F654-2EC3-4E6D-8666-1EA9FCF90F5F
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security, mobile
|
||||
author: greg-lindsay
|
||||
ms.author: greglin
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 07/27/2017
|
||||
---
|
||||
|
||||
# Configure Windows 10 Mobile using Lockdown XML
|
||||
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10 Mobile
|
||||
|
||||
Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available.
|
||||
|
||||
This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile. When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file.
|
||||
|
||||
In this topic, you'll learn how to create an XML file that contains all lockdown entries available in the AssignedAccessXml area of the [EnterpriseAssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/enterpriseassignedaccess-csp). This topic provides example XML that you can use in your own lockdown XML file that can be included in a provisioning package or when using a mobile device management (MDM) solution to push lockdown settings to enrolled devices. You can also use the [Lockdown Designer app](mobile-lockdown-designer.md) to configure and export your lockdown XML file.
|
||||
|
||||
> [!NOTE]
|
||||
> On Windows 10 desktop editions, *assigned access* is a feature that lets you configure the device to run a single app above the lockscreen ([kiosk mode](../kiosk-methods.md)). On a Windows 10 Mobile device, assigned access refers to the lockdown settings in AssignedAccessXml in the [EnterpriseAssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/enterpriseassignedaccess-csp).
|
||||
|
||||
If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](../provisioning-packages/how-it-pros-can-use-configuration-service-providers.md) first.
|
||||
|
||||
## Overview of the lockdown XML file
|
||||
|
||||
Let's start by looking at the basic structure of the lockdown XML file. You can start your file by pasting the following XML (or any other examples in this topic) into a text or XML editor, and saving the file as *filename*.xml.
|
||||
|
||||
```xml
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<HandheldLockdown version="1.0" >
|
||||
<Default>
|
||||
<ActionCenter/>
|
||||
<Apps/>
|
||||
<Buttons/>
|
||||
<CSPRunner/>
|
||||
<MenuItems/>
|
||||
<Settings/>
|
||||
<Tiles/>
|
||||
<StartScreenSize/>
|
||||
</Default>
|
||||
</HandheldLockdown>
|
||||
```
|
||||
|
||||
**Default** and the entries beneath it establish the default device settings that are applied for every user. The device will always boot to this Default role. You can create additional roles on the device, each with its own settings, in the same XML file. [Learn how to add roles.](#configure-additional-roles)
|
||||
|
||||
The settings for the Default role and other roles must be listed in your XML file in the order presented in this topic. All of the entries are optional. If you don't include a setting, that aspect of the device will operate as it would for an nonconfigured device.
|
||||
|
||||
>[!TIP]
|
||||
>Keep your XML file easy to work with and to understand by using proper indentation and adding comments for each setting you configure.
|
||||
|
||||
## Action Center
|
||||
|
||||

|
||||
|
||||
The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both.
|
||||
|
||||
In the following example, the Action Center is enabled and both policies are disabled.
|
||||
|
||||
```xml
|
||||
<ActionCenter enabled="true" aboveLockToastEnabled="0" actionCenterNotificationEnabled="0"/>
|
||||
```
|
||||
|
||||
In the following example, Action Center and the toast policy are enabled, and the notifications policy is disabled.
|
||||
|
||||
```xml
|
||||
<ActionCenter enabled="true" aboveLockToastEnabled="1" actionCenterNotificationEnabled="0"/>
|
||||
```
|
||||
|
||||
The following example is a complete lockdown XML file that disables Action Center, notifications, and toasts.
|
||||
|
||||
```xml
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<HandheldLockdown version="1.0" >
|
||||
<Default>
|
||||
<!-- disable Action Center -->
|
||||
<ActionCenter enabled="false" />
|
||||
</Default>
|
||||
</HandheldLockdown>
|
||||
```
|
||||
|
||||
## Apps
|
||||
|
||||

|
||||
|
||||
The Apps setting serves as an allow list and specifies the applications that will be available in the All apps list. Apps that are not included in this setting are hidden from the user and blocked from running.
|
||||
|
||||
You provide the App User Model ID (AUMID) and product ID for each app in your file. The product ID identifies an app package, and an app package can contain multiple apps, so you also provide the ADUMID to differentiate the app. Optionally, you can set an app to run automatically. [Get product ID and AUMID for apps in Windows 10 Mobile.](product-ids-in-windows-10-mobile.md)
|
||||
|
||||
The following example makes Outlook Calendar available on the device.
|
||||
|
||||
```xml
|
||||
<Apps>
|
||||
<!-- Outlook Calendar -->
|
||||
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar">
|
||||
</Application>
|
||||
</Apps>
|
||||
```
|
||||
|
||||
When you list an app, you can also set the app to be pinned to the Start screen by specifying the tile size and location. Tip: draw a grid and mark your app tiles on it to make sure you get the result you want. The width (X axis) in the following example is the limit for Windows 10 Mobile, but the length (Y axis) is unlimited. The number of columns available to you depends on the value for [StartScreenSize](#start-screen-size).
|
||||
|
||||

|
||||
|
||||
Tile sizes are:
|
||||
* Small: 1x1
|
||||
* Medium: 2x2
|
||||
* Large: 2x4
|
||||
|
||||
Based on 6 columns, you can pin six small tiles or three medium tiles on a single row. A large tile can be combined with two small tiles or one medium tile on the same row. Obviously, you cannot set a medium tile for LocationX=5, or a large tile for LocationX=3, 4, or 5.
|
||||
|
||||
If the tile configuration in your file exceeds the available width, such as setting a large tile to start at position 3 on the X axis, that tile is appended to the bottom of the Start screen. Also, if the tile configuration in your file would result in tiles overlapping each other, the overlapping tiles are instead appended to the bottom of the Start screen.
|
||||
|
||||
In the following example, Outlook Calendar and Outlook Mail are pinned to the Start screen, and the Store app is allowed but is not pinned to Start.
|
||||
|
||||
```xml
|
||||
<Apps>
|
||||
<!-- Outlook Calendar -->
|
||||
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar">
|
||||
<PinToStart>
|
||||
<Size>Large</Size>
|
||||
<Location>
|
||||
<LocationX>0</LocationX>
|
||||
<LocationY>0</LocationY>
|
||||
</Location>
|
||||
</PinToStart>
|
||||
</Application>
|
||||
<!-- Outlook Mail-->
|
||||
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail">
|
||||
<PinToStart>
|
||||
<Size>Medium</Size>
|
||||
<Location>
|
||||
<LocationX>4</LocationX>
|
||||
<LocationY>0</LocationY>
|
||||
</Location>
|
||||
</PinToStart>
|
||||
</Application>
|
||||
<!-- Store -->
|
||||
<Application productId="7D47D89A-7900-47C5-93F2-46EB6D94C159" aumid="Microsoft.WindowsStore_8wekyb3d8bbwe!App" />
|
||||
</Apps>
|
||||
```
|
||||
|
||||
That layout would appear on a device like this:
|
||||
|
||||

|
||||
|
||||
You can create and pin folders to Start by using the Apps setting. Each folder requires a **folderId**, which must be a consecutive positive integer starting with `1`. You can also specify a **folderName** (optional) which will be displayed on Start.
|
||||
|
||||
```xml
|
||||
<Apps>
|
||||
<!-- Management folder -->
|
||||
<Application folderId="1" folderName="Management">
|
||||
<PinToStart>
|
||||
<Size>Medium</Size>
|
||||
<Location>
|
||||
<LocationX>4</LocationX>
|
||||
<LocationY>0</LocationY>
|
||||
</Location>
|
||||
</PinToStart>
|
||||
</Application>
|
||||
</Apps>
|
||||
```
|
||||
|
||||
To add apps to the folder, include **ParentFolderId** in the application XML, as shown in the following example:
|
||||
|
||||
```xml
|
||||
<Apps>
|
||||
<!-- Outlook Calendar -->
|
||||
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar">
|
||||
<PinToStart>
|
||||
<Size>Large</Size>
|
||||
<Location>
|
||||
<LocationX>0</LocationX>
|
||||
<LocationY>0</LocationY>
|
||||
</Location>
|
||||
<ParentFolderId>1</ParentFolderId>
|
||||
</PinToStart>
|
||||
</Application>
|
||||
<!-- Outlook Mail-->
|
||||
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail">
|
||||
<PinToStart>
|
||||
<Size>Medium</Size>
|
||||
<Location>
|
||||
<LocationX>4</LocationX>
|
||||
<LocationY>0</LocationY>
|
||||
</Location>
|
||||
<ParentFolderId>1</ParentFolderId>
|
||||
</PinToStart>
|
||||
</Application>
|
||||
</Apps>
|
||||
```
|
||||
When an app is contained in a folder, its **PinToStart** configuration (tile size and location) applies to its appearance when the folder is opened.
|
||||
|
||||
## Buttons
|
||||
|
||||

|
||||
|
||||
In the Buttons setting, you use ButtonLockdownList to disable hardware buttons and ButtonRemapList to change button events to open an app that you specify.
|
||||
|
||||
### ButtonLockdownList
|
||||
|
||||
When a user taps a button that is in the lockdown list, nothing will happen. The following table lists which events can be disabled for each button.
|
||||
|
||||
Button | Press | PressAndHold | All
|
||||
---|:---:|:---:|:--:|-
|
||||
Start |  |  | 
|
||||
Back |  |  | 
|
||||
Search |  |  | 
|
||||
Camera |  |  | 
|
||||
Custom 1, 2, and 3 |  |  | 
|
||||
|
||||
> [!NOTE]
|
||||
> Custom buttons are hardware buttons that can be added to devices by OEMs.
|
||||
|
||||
In the following example, press-and-hold is disabled for the Back button.
|
||||
|
||||
```xml
|
||||
<Buttons>
|
||||
<ButtonLockdownList>
|
||||
<Button name="Back">
|
||||
<ButtonEvent name="PressAndHold" />
|
||||
</Button>
|
||||
</ButtonLockdownList>
|
||||
</Buttons>
|
||||
```
|
||||
|
||||
If you don't specify a button event, all actions for the button are disabled. In the next example, all actions are disabled for the camera button.
|
||||
|
||||
```xml
|
||||
<Buttons>
|
||||
<ButtonLockdownList>
|
||||
<Button name="Camera">
|
||||
</Button>
|
||||
</ButtonLockdownList>
|
||||
</Buttons>
|
||||
```
|
||||
|
||||
### ButtonRemapList
|
||||
|
||||
ButtonRemapList lets you change the app that a button will run. You can remap the Search button and any custom buttons included by the OEM. You can't remap the Back, Start, or Camera buttons.
|
||||
|
||||
> [!WARNING]
|
||||
> Button remapping can enable a user to open an application that is not in the allow list for that user role. Use button lock down to prevent application access for a user role.
|
||||
|
||||
To remap a button, you specify the button, the event, and the product ID for the app that you want the event to open.
|
||||
In the following example, when a user presses the Search button, the phone dialer will open instead of the Search app.
|
||||
|
||||
```xml
|
||||
<Buttons>
|
||||
<ButtonRemapList>
|
||||
<Button name="Search">
|
||||
<ButtonEvent name="Press">
|
||||
<!-- Phone dialer -->
|
||||
<Application productID="{F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7 }" parameters="" />
|
||||
</ButtonEvent>
|
||||
</Button>
|
||||
</ButtonRemapList>
|
||||
</Buttons>
|
||||
```
|
||||
|
||||
## CSPRunner
|
||||
|
||||

|
||||
|
||||
You can use CSPRunner to include settings that are not defined in AssignedAccessXML. For example, you can include settings from other sections of EnterpriseAssignedAccess CSP, such as lockscreen, theme, and time zone. You can also include settings from other CSPs, such as [Wi-Fi CSP](/windows/client-management/mdm/wifi-csp) or [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
|
||||
|
||||
CSPRunner is helpful when you are configuring a device to support multiple roles. It lets you apply different policies according to the role that is signed on. For example, Wi-Fi could be enabled for a supervisor role and disabled for a stocking clerk role.
|
||||
|
||||
In CSPRunner, you specify the CSP and settings using SyncML, a standardized markup language for device management. A SyncML section can include multiple settings, or you can use multiple SyncML sections -- it's up to you how you want to organize settings in this section.
|
||||
|
||||
> [!NOTE]
|
||||
> This description of SyncML is just the information that you need to use SyncML in a lockdown XML file. To learn more about SyncML, see [Structure of OMA DM provisioning files](/windows/client-management/mdm/structure-of-oma-dm-provisioning-files).
|
||||
|
||||
Let's start with the structure of SyncML in the following example:
|
||||
|
||||
```xml
|
||||
SyncML>
|
||||
<SyncBody>
|
||||
<Add>|<Replace>
|
||||
<CmdID>#</CmdID>
|
||||
<Item>
|
||||
<Target>
|
||||
<LocURI>CSP Path</LocURI>
|
||||
</Target>
|
||||
<Meta>
|
||||
<Format xmlns="syncml:metinf">Data Type</Format>
|
||||
</Meta>
|
||||
<Data>Value</Data>
|
||||
</Item>
|
||||
</Add>|</Replace>
|
||||
<Final/>
|
||||
</SyncBody>
|
||||
</SyncML>
|
||||
```
|
||||
|
||||
This table explains the parts of the SyncML structure.
|
||||
|
||||
SyncML entry | Description
|
||||
---|---
|
||||
**Add** or **Replace** | Use **Add** to apply a setting or policy that is not already configured. Use **Replace** to change an existing setting or policy.
|
||||
**CmdID** | SyncBody can contain multiple commands. Each command in a lockdown XML file must have a different **CmdID** value.
|
||||
**Item** | **Item** is a wrapper for a single setting. You can include multiple items for the command if they all use the same **Add** or **Replace** operation.
|
||||
**Target > LocURI** | **LocURI** is the path to the CSP.
|
||||
**Meta > Format** | The data format required by the CSP.
|
||||
**Data** | The value for the setting.
|
||||
|
||||
|
||||
## Menu items
|
||||
|
||||

|
||||
|
||||
Use DisableMenuItems to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Apps list. You can include this entry in the default profile and in any additional user role profiles that you create.
|
||||
|
||||
```xml
|
||||
<MenuItems>
|
||||
<DisableMenuItems/>
|
||||
</MenuItems>
|
||||
```
|
||||
|
||||
## Settings
|
||||
|
||||

|
||||
|
||||
The **Settings** section contains an `allow` list of pages in the Settings app and quick actions. The following example allows all settings.
|
||||
|
||||
```xml
|
||||
<Settings>
|
||||
<!-- Allow all settings -->
|
||||
</Settings>
|
||||
```
|
||||
In earlier versions of Windows 10, you used the page name to define allowed settings. Starting in Windows 10, version 1703, you use the settings URI.
|
||||
|
||||
In the following example for Windows 10, version 1703, all system setting pages that have a settings URI are enabled.
|
||||
|
||||
```xml
|
||||
<Settings>
|
||||
<System name="ms-settings:screenrotation" />
|
||||
<System name="ms-settings:notifications" />
|
||||
<System name="ms-settings:phone" />
|
||||
<System name="ms-settings:messaging" />
|
||||
<System name="ms-settings:batterysaver" />
|
||||
<System name="ms-settings:batterysaver-usagedetails" />
|
||||
<System name="ms-settings:about" />
|
||||
<System name="ms-settings:deviceencryption" />
|
||||
<System name="ms-settings:maps" />
|
||||
</Settings>
|
||||
```
|
||||
|
||||
If you list a setting or quick action in **Settings**, all settings and quick actions that are not listed are blocked. To remove access to all of the settings in the system, do not include the settings application in [Apps](#apps).
|
||||
|
||||
For a list of the settings and quick actions that you can allow or block, see [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md).
|
||||
|
||||
|
||||
## Tiles
|
||||
|
||||

|
||||
|
||||
By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the user’s profile. If tile manipulation is enabled in the user’s profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> If a device is turned off then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in user’s profile.
|
||||
|
||||
```xml
|
||||
<Tiles>
|
||||
<EnableTileManipulation/>
|
||||
</Tiles>
|
||||
```
|
||||
|
||||
## Start screen size
|
||||
|
||||
Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions. Valid values:
|
||||
|
||||
- Small sets the width to 4 columns on devices with short axis (less than 400epx) or 6 columns on devices with short axis (greater than or equal to 400epx).
|
||||
- Large sets the width to 6 columns on devices with short axis (less than 400epx) or 8 columns on devices with short axis (greater than or equal to 400epx).
|
||||
|
||||
If you have existing lockdown xml, you must update start screen size if your device has >=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4.
|
||||
|
||||
[Learn about effective pixel width (epx) for different device size classes.](/windows/uwp/design/layout/screen-sizes-and-breakpoints-for-responsive-design)
|
||||
|
||||
|
||||
## Configure additional roles
|
||||
|
||||
You can add custom configurations by role. In addition to the role configuration, you must also install a login application on the device. The app displays a list of available roles on the device; the user taps a role, such as "Manager"; the configuration defined for the "Manager" role is applied.
|
||||
|
||||
[Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin) For reference, see the [Windows.Embedded.DeviceLockdown API](/uwp/api/Windows.Embedded.DeviceLockdown).
|
||||
|
||||
In the XML file, you define each role with a GUID and name, as shown in the following example:
|
||||
|
||||
```xml
|
||||
<Role guid="{7bb62e8c-81ba-463c-b691-74af68230b42}" name="Manager">
|
||||
```
|
||||
|
||||
You can create a GUID using a GUID generator -- free tools are available online. The GUID needs to be unique within this XML file.
|
||||
|
||||
You can configure the same settings for each role as you did for the default role, except Start screen size which can only be configured for the default role. If you use CSPRunner with roles, be aware that the last CSP setting applied will be retained across roles unless explicitly changed in each role configuration. CSP settings applied by CSPRunner may conflict with settings applied by MDM.
|
||||
|
||||
```xml
|
||||
<?xml version "1.0" encoding "utf-8"?>
|
||||
<HandheldLockdown version "1.0" >
|
||||
<Default>
|
||||
<ActionCenter/>
|
||||
<Apps/>
|
||||
<Buttons/>
|
||||
<CSPRunner/>
|
||||
<MenuItems/>
|
||||
<Settings/>
|
||||
<Tiles/>
|
||||
<StartScreenSize/>
|
||||
</Default>
|
||||
<RoleList>
|
||||
<Role>
|
||||
<ActionCenter/>
|
||||
<Apps/>
|
||||
<Buttons/>
|
||||
<CSPRunner/>
|
||||
<MenuItems/>
|
||||
<Settings/>
|
||||
<Tiles/>
|
||||
</Role>
|
||||
</RoleList>
|
||||
</HandheldLockdown>
|
||||
```
|
||||
|
||||
## Validate your XML
|
||||
|
||||
You can validate your lockdown XML file against the [EnterpriseAssignedAccess XSD](/windows/client-management/mdm/enterpriseassignedaccess-xsd).
|
||||
|
||||
## Add lockdown XML to a provisioning package
|
||||
|
||||
|
||||
Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](https://go.microsoft.com/fwlink/p/?LinkId=526740)
|
||||
|
||||
1. Follow the instructions at [Build and apply a provisioning package](../provisioning-packages/provisioning-create-package.md) to create a project, selecting **Common to all Windows mobile editions** for your project.
|
||||
|
||||
2. In **Available customizations**, go to **Runtime settings** > **EmbeddedLockdownProfiles** > **AssignedAccessXml**.
|
||||
|
||||
3. In the center pane, click **Browse** to locate and select the lockdown XML file that you created.
|
||||
|
||||

|
||||
|
||||
4. On the **File** menu, select **Save.**
|
||||
|
||||
5. On the **Export** menu, select **Provisioning package**.
|
||||
|
||||
6. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
|
||||
|
||||
7. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
|
||||
|
||||
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
|
||||
|
||||
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package.
|
||||
|
||||
8. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location.
|
||||
|
||||
Optionally, you can click **Browse** to change the default output location.
|
||||
|
||||
9. Click **Next**.
|
||||
|
||||
10. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
|
||||
|
||||
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
|
||||
|
||||
11. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
|
||||
|
||||
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
|
||||
|
||||
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
|
||||
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
|
||||
|
||||
After you build the provisioning package, follow the instructions for [applying a provisioning package at runtime to Windows 10 Mobile](../provisioning-packages/provisioning-create-package.md).
|
||||
|
||||
## Push lockdown XML using MDM
|
||||
|
||||
|
||||
After you deploy your devices, you can still configure lockdown settings through your MDM solution if it supports the [EnterpriseAssignedAccess CSP](/windows/client-management/mdm/enterpriseassignedaccess-csp).
|
||||
|
||||
To push lockdown settings to enrolled devices, use the AssignedAccessXML setting and use the lockdown XML as the value. The lockdown XML will be in a HandheldLockdown section that becomes XML embedded in XML, so the XML that you enter must use escaped characters (such as `<` in place of <). After the MDM provider pushes your lockdown settings to the device, the CSP processes the file and updates the device.
|
||||
|
||||
## Full Lockdown.xml example
|
||||
|
||||
```xml
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<HandheldLockdown version="1.0" >
|
||||
<Default>
|
||||
<ActionCenter enabled="true" />
|
||||
<Apps>
|
||||
<!-- Settings -->
|
||||
<Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
|
||||
<PinToStart>
|
||||
<Size>Large</Size>
|
||||
<Location>
|
||||
<LocationX>0</LocationX>
|
||||
<LocationY>0</LocationY>
|
||||
</Location>
|
||||
</PinToStart>
|
||||
</Application>
|
||||
<!-- Outlook Calendar -->
|
||||
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar">
|
||||
<PinToStart>
|
||||
<Size>Small</Size>
|
||||
<Location>
|
||||
<LocationX>0</LocationX>
|
||||
<LocationY>2</LocationY>
|
||||
</Location>
|
||||
</PinToStart>
|
||||
</Application>
|
||||
<!-- Photos -->
|
||||
<Application productId="{FCA55E1B-B9A4-4289-882F-084EF4145005}">
|
||||
<PinToStart>
|
||||
<Size>Medium</Size>
|
||||
<Location>
|
||||
<LocationX>2</LocationX>
|
||||
<LocationY>2</LocationY>
|
||||
</Location>
|
||||
</PinToStart>
|
||||
</Application>
|
||||
<!-- Edge -->
|
||||
<Application productId="{395589FB-5884-4709-B9DF-F7D558663FFD}" />
|
||||
<!-- Login App -->
|
||||
<Application productId="{C85DC60D-30D4-4C67-A4B4-58282F1D152C}" />
|
||||
</Apps>
|
||||
<Buttons>
|
||||
<ButtonLockdownList>
|
||||
<!-- Lockdown all buttons -->
|
||||
<Button name="Search">
|
||||
</Button>
|
||||
<Button name="Camera">
|
||||
</Button>
|
||||
<Button name="Custom1">
|
||||
</Button>
|
||||
<Button name="Custom2">
|
||||
</Button>
|
||||
<Button name="Custom3">
|
||||
</Button>
|
||||
</ButtonLockdownList>
|
||||
<ButtonRemapList>
|
||||
<Button name="Search">
|
||||
<ButtonEvent name="Press">
|
||||
<!-- Edge-->
|
||||
<Application productId="{395589FB-5884-4709-B9DF-F7D558663FFD}" parameters="" />
|
||||
</ButtonEvent>
|
||||
</Button>
|
||||
</ButtonRemapList>
|
||||
</Buttons>
|
||||
<CSPRunner>
|
||||
<SyncML xmlns="SYNCML:SYNCML1.2">
|
||||
<SyncBody>
|
||||
<Replace>
|
||||
<CmdID>1</CmdID>
|
||||
<Item>
|
||||
<Target>
|
||||
<LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID</LocURI>
|
||||
</Target>
|
||||
<Meta>
|
||||
<Format xmlns="syncml:metinf">int</Format>
|
||||
</Meta>
|
||||
<!-- zero based index of available theme colors -->
|
||||
<Data>7</Data>
|
||||
</Item>
|
||||
</Replace>
|
||||
<Final/>
|
||||
</SyncBody>
|
||||
</SyncML>
|
||||
<SyncML xmlns="SYNCML:SYNCML1.2">
|
||||
<SyncBody>
|
||||
<Replace>
|
||||
<CmdID>1</CmdID>
|
||||
<Item>
|
||||
<Target>
|
||||
<LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeBackground</LocURI>
|
||||
</Target>
|
||||
<Meta>
|
||||
<Format xmlns="syncml:metinf">int</Format>
|
||||
</Meta>
|
||||
<!-- 0 for "light", 1 for "dark" -->
|
||||
<Data>1</Data>
|
||||
</Item>
|
||||
</Replace>
|
||||
<Final/>
|
||||
</SyncBody>
|
||||
</SyncML>
|
||||
<SyncML xmlns="SYNCML:SYNCML1.2">
|
||||
<SyncBody>
|
||||
<Replace>
|
||||
<CmdID>2</CmdID>
|
||||
<Item>
|
||||
<Target>
|
||||
<LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName</LocURI>
|
||||
</Target>
|
||||
<Meta>
|
||||
<Format xmlns="syncml:metinf">chr</Format>
|
||||
<Type xmlns="syncml:metinf">text/plain</Type>
|
||||
</Meta>
|
||||
<Data>c:\windows\system32\lockscreen\480x800\Wallpaper_05.jpg</Data>
|
||||
</Item>
|
||||
</Replace>
|
||||
<Final/>
|
||||
</SyncBody>
|
||||
</SyncML>
|
||||
</CSPRunner>
|
||||
<MenuItems>
|
||||
<DisableMenuItems/>
|
||||
</MenuItems>
|
||||
<Settings>
|
||||
<!-- Quick actions: Brightness, Rotation -->
|
||||
<System name="SystemSettings_System_Display_QuickAction_Brightness"/>
|
||||
<System name="SystemSettings_System_Display_Internal_Rotation"/>
|
||||
<!-- Rotation, About -->
|
||||
<System name="ms-settings:screenrotation"/>
|
||||
<System name="ms-settings:about"/>
|
||||
<!-- Ringtones, sounds -->
|
||||
<System name="ms-settings:personalizationn"/>
|
||||
<System name="ms-settings:sounds"/>
|
||||
</Settings>
|
||||
<Tiles>
|
||||
<EnableTileManipulation/>
|
||||
</Tiles>
|
||||
<StartScreenSize>Small</StartScreenSize>
|
||||
</Default>
|
||||
<RoleList>
|
||||
<Role guid="{88501844-3b51-4c9f-9da7-7ca745e7da6b}" name="Associate">
|
||||
<ActionCenter enabled="0"/>
|
||||
<Apps>
|
||||
<!-- Settings -->
|
||||
<Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
|
||||
<PinToStart>
|
||||
<Size>Small</Size>
|
||||
<Location>
|
||||
<LocationX>0</LocationX>
|
||||
<LocationY>0</LocationY>
|
||||
</Location>
|
||||
</PinToStart>
|
||||
</Application>
|
||||
<!-- Outlook Calendar -->
|
||||
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar">
|
||||
<PinToStart>
|
||||
<Size>Large</Size>
|
||||
<Location>
|
||||
<LocationX>0</LocationX>
|
||||
<LocationY>2</LocationY>
|
||||
</Location>
|
||||
</PinToStart>
|
||||
</Application>
|
||||
<!-- Login App -->
|
||||
<Application productId="{C85DC60D-30D4-4C67-A4B4-58282F1D152C}" />
|
||||
</Apps>
|
||||
<Buttons />
|
||||
<CSPRunner>
|
||||
<SyncML xmlns="SYNCML:SYNCML1.2">
|
||||
<SyncBody>
|
||||
<Replace>
|
||||
<CmdID>1</CmdID>
|
||||
<Item>
|
||||
<Target>
|
||||
<LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID</LocURI>
|
||||
</Target>
|
||||
<Meta>
|
||||
<Format xmlns="syncml:metinf">int</Format>
|
||||
</Meta>
|
||||
<!-- zero based index of available theme colors -->
|
||||
<Data>10</Data>
|
||||
</Item>
|
||||
</Replace>
|
||||
<Final/>
|
||||
</SyncBody>
|
||||
</SyncML>
|
||||
<SyncML xmlns="SYNCML:SYNCML1.2">
|
||||
<SyncBody>
|
||||
<Replace>
|
||||
<CmdID>1</CmdID>
|
||||
<Item>
|
||||
<Target>
|
||||
<LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeBackground</LocURI>
|
||||
</Target>
|
||||
<Meta>
|
||||
<Format xmlns="syncml:metinf">int</Format>
|
||||
</Meta>
|
||||
<!-- 0 for "light", 1 for "dark" -->
|
||||
<Data>0</Data>
|
||||
</Item>
|
||||
</Replace>
|
||||
<Final/>
|
||||
</SyncBody>
|
||||
</SyncML>
|
||||
<SyncML xmlns="SYNCML:SYNCML1.2">
|
||||
<SyncBody>
|
||||
<Replace>
|
||||
<CmdID>2</CmdID>
|
||||
<Item>
|
||||
<Target>
|
||||
<LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName</LocURI>
|
||||
</Target>
|
||||
<Meta>
|
||||
<Format xmlns="syncml:metinf">chr</Format>
|
||||
<Type xmlns="syncml:metinf">text/plain</Type>
|
||||
</Meta>
|
||||
<Data>c:\windows\system32\lockscreen\480x800\Wallpaper_08.jpg</Data>
|
||||
</Item>
|
||||
</Replace>
|
||||
<Final/>
|
||||
</SyncBody>
|
||||
</SyncML>
|
||||
</CSPRunner>
|
||||
<MenuItems>
|
||||
<DisableMenuItems/>
|
||||
</MenuItems>
|
||||
<Settings>
|
||||
<!-- Rotation, Notifications, About -->
|
||||
<System name="ms-settings:screenrotation"/>
|
||||
<System name="ms-settings:notifications"/>
|
||||
<System name="ms-settings:about"/>
|
||||
<!-- Ringtones, sounds -->
|
||||
<System name="ms-settings:personalization"/>
|
||||
<System name="ms-settings:sounds"/>
|
||||
<!-- Workplace -->
|
||||
<System name="ms-settings:workplace"/>
|
||||
<System name="ms-settings:emailandaccounts"/>
|
||||
</Settings>
|
||||
</Role>
|
||||
<Role guid="{7bb62e8c-81ba-463c-b691-74af68230b42}" name="Manager">
|
||||
<ActionCenter enabled="true" />
|
||||
<Apps>
|
||||
<!-- Alarms and Clock -->
|
||||
<Application productId="{44F7D2B4-553D-4BEC-A8B7-634CE897ED5F}">
|
||||
<PinToStart>
|
||||
<Size>Small</Size>
|
||||
<Location>
|
||||
<LocationX>0</LocationX>
|
||||
<LocationY>0</LocationY>
|
||||
</Location>
|
||||
</PinToStart>
|
||||
</Application>
|
||||
<!-- Settings -->
|
||||
<Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
|
||||
<PinToStart>
|
||||
<Size>Small</Size>
|
||||
<Location>
|
||||
<LocationX>1</LocationX>
|
||||
<LocationY>0</LocationY>
|
||||
</Location>
|
||||
</PinToStart>
|
||||
</Application>
|
||||
<!-- Outlook Calendar -->
|
||||
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar">
|
||||
<PinToStart>
|
||||
<Size>Medium</Size>
|
||||
<Location>
|
||||
<LocationX>2</LocationX>
|
||||
<LocationY>0</LocationY>
|
||||
</Location>
|
||||
</PinToStart>
|
||||
</Application>
|
||||
<!-- Calculator -->
|
||||
<Application productId="{B58171C6-C70C-4266-A2E8-8F9C994F4456}" />
|
||||
<!-- Photos -->
|
||||
<Application productId="{FCA55E1B-B9A4-4289-882F-084EF4145005}">
|
||||
<PinToStart>
|
||||
<Size>Small</Size>
|
||||
<Location>
|
||||
<LocationX>0</LocationX>
|
||||
<LocationY>2</LocationY>
|
||||
</Location>
|
||||
</PinToStart>
|
||||
</Application>
|
||||
<!-- Store -->
|
||||
<Application productId="{7D47D89A-7900-47C5-93F2-46EB6D94C159}">
|
||||
<PinToStart>
|
||||
<Size>Medium</Size>
|
||||
<Location>
|
||||
<LocationX>2</LocationX>
|
||||
<LocationY>2</LocationY>
|
||||
</Location>
|
||||
</PinToStart>
|
||||
</Application>
|
||||
<!-- Login App -->
|
||||
<Application productId="{C85DC60D-30D4-4C67-A4B4-58282F1D152C}" />
|
||||
</Apps>
|
||||
<Buttons />
|
||||
<CSPRunner>
|
||||
<SyncML xmlns="SYNCML:SYNCML1.2">
|
||||
<SyncBody>
|
||||
<Replace>
|
||||
<CmdID>1</CmdID>
|
||||
<Item>
|
||||
<Target>
|
||||
<LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID</LocURI>
|
||||
</Target>
|
||||
<Meta>
|
||||
<Format xmlns="syncml:metinf">int</Format>
|
||||
</Meta>
|
||||
<!-- zero based index of available theme colors -->
|
||||
<Data>2</Data>
|
||||
</Item>
|
||||
</Replace>
|
||||
<Final/>
|
||||
</SyncBody>
|
||||
</SyncML>
|
||||
<SyncML xmlns="SYNCML:SYNCML1.2">
|
||||
<SyncBody>
|
||||
<Replace>
|
||||
<CmdID>1</CmdID>
|
||||
<Item>
|
||||
<Target>
|
||||
<LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeBackground</LocURI>
|
||||
</Target>
|
||||
<Meta>
|
||||
<Format xmlns="syncml:metinf">int</Format>
|
||||
</Meta>
|
||||
<!-- 0 for "light", 1 for "dark" -->
|
||||
<Data>1</Data>
|
||||
</Item>
|
||||
</Replace>
|
||||
<Final/>
|
||||
</SyncBody>
|
||||
</SyncML>
|
||||
<SyncML xmlns="SYNCML:SYNCML1.2">
|
||||
<SyncBody>
|
||||
<Replace>
|
||||
<CmdID>2</CmdID>
|
||||
<Item>
|
||||
<Target>
|
||||
<LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName</LocURI>
|
||||
</Target>
|
||||
<Meta>
|
||||
<Format xmlns="syncml:metinf">chr</Format>
|
||||
<Type xmlns="syncml:metinf">text/plain</Type>
|
||||
</Meta>
|
||||
<Data>c:\windows\system32\lockscreen\480x800\Wallpaper_015.jpg</Data>
|
||||
</Item>
|
||||
</Replace>
|
||||
<Final/>
|
||||
</SyncBody>
|
||||
</SyncML>
|
||||
</CSPRunner>
|
||||
<MenuItems>
|
||||
<DisableMenuItems/>
|
||||
</MenuItems>
|
||||
<Settings>
|
||||
<!-- Allow all settings -->
|
||||
</Settings>
|
||||
<Tiles>
|
||||
<EnableTileManipulation/>
|
||||
</Tiles>
|
||||
</Role>
|
||||
</RoleList>
|
||||
</HandheldLockdown>
|
||||
```
|
||||
|
||||
## Learn more
|
||||
|
||||
[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
[Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md)
|
||||
|
||||
[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md)
|
@ -1,172 +0,0 @@
|
||||
---
|
||||
title: Use the Lockdown Designer app to create a Lockdown XML file (Windows 10)
|
||||
description:
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: greg-lindsay
|
||||
ms.author: greglin
|
||||
ms.topic: article
|
||||
ms.date: 07/27/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
---
|
||||
|
||||
# Use the Lockdown Designer app to create a Lockdown XML file
|
||||
|
||||

|
||||
|
||||
Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile.
|
||||
|
||||
When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. You can deploy the lockdown XML file by [adding it to a provisioning package](lockdown-xml.md#add-lockdown-xml-to-a-provisioning-package) or [by using mobile device management (MDM)](lockdown-xml.md#push-lockdown-xml-using-mdm).
|
||||
|
||||
The Lockdown Designer app helps you configure and create a lockdown XML file that you can apply to devices running Windows 10 Mobile, version 1703, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Lockdown Designer also validates the XML. Using Lockdown Designer is easier than [manually creating a lockdown XML file](lockdown-xml.md).
|
||||
|
||||
|
||||
|
||||
## Overview
|
||||
|
||||
Lockdown Designer can be installed on a PC running Windows 10, version 1607 or later. After you install the app, you connect a mobile device running Windows 10 Mobile, version 1703, to the PC.
|
||||
|
||||
>[!NOTE]
|
||||
>Lockdown Designer will not make any changes to the connected device, but we recommend that you use a test device.
|
||||
|
||||
Lockdown Designer will populate the available settings and apps to configure from the connected device. Using the different pages in the app, you select the settings, apps, and layout to be included in the lockdown XML.
|
||||
|
||||
When you're done, you export the configuration to a lockdown XML file. This configuration can be applied to any device running Windows 10 Mobile, version 1703.
|
||||
|
||||
>[!NOTE]
|
||||
>You can also import an existing WEHLockdown.xml file to Lockdown Designer and modify it in the app.
|
||||
|
||||
## Prepare the test mobile device
|
||||
|
||||
Perform these steps on the device running Windows 10 Mobile that you will use to supply the settings, apps, and layout to Lockdown Designer.
|
||||
|
||||
1. Install all apps on the device that you want to include in the configuration, including line-of-business apps.
|
||||
|
||||
2. On the mobile device, go to **Settings** > **Update & security** > **For developers**, enable **Developer mode**.
|
||||
|
||||
3. Read the disclaimer, then click **Yes** to accept the change.
|
||||
|
||||
4. Enable **Device discovery**, and then turn on **Device Portal**.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>Check **Settings > Personalization > Start > Show more tiles** on the test mobile device. If **Show more tiles** is **On**, you must select **Large** on the [**Start screen** page](#start) in Lockdown Designer. If you want to apply a **Small** layout, set **Show more tiles** on the test mobile device to **Off**.
|
||||
>
|
||||
>
|
||||
|
||||
## Prepare the PC
|
||||
|
||||
[Install Lockdown Designer](https://www.microsoft.com/store/r/9nblggh40753) on the PC.
|
||||
|
||||
If the PC and the test mobile device are on the same Wi-Fi network, you can connect the devices using Wi-Fi.
|
||||
|
||||
If you want to connect the PC and the test mobile device using a USB cable, perform the following steps on the PC:
|
||||
|
||||
1. [Install the Windows 10 Software Development Kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-10-sdk). This enables the **Windows Phone IP over USB Transport (IpOverUsbSvc)** service.
|
||||
|
||||
2. Open a command prompt as an administrator and run `checknetisolation LoopbackExempt -a -n=microsoft.lockdowndesigner_8wekyb3d8bbwe`
|
||||
|
||||
>[!NOTE]
|
||||
>Loopback is permitted only for development purposes. To remove the loopback exemption when you're done using Lockdown Designer, run `checknetisolation LoopbackExempt -d -n=microsoft.lockdowndesigner_8wekyb3d8bbwe`
|
||||
|
||||
|
||||
|
||||
<span id="pair" />
|
||||
## Connect the mobile device to Lockdown Designer
|
||||
|
||||
**Using Wi-Fi**
|
||||
|
||||
1. Open Lockdown Designer.
|
||||
|
||||
2. Click **Create new project**.
|
||||
|
||||
3. On the test mobile device, go to **Settings** > **Update & security** > **For developers** > **Connect using:** and get the IP address listed for **Wi-Fi**.
|
||||
|
||||
2. On the **Project setting** > **General settings** page, in **Remote device IP address**, enter the IP address for the test mobile device, using `https://`.
|
||||
|
||||
3. Click **Pair**.
|
||||
|
||||

|
||||
|
||||
**Connect to remote device** appears.
|
||||
|
||||
4. On the mobile device, under **Device discovery**, tap **Pair**. A case-sensitive code is displayed.
|
||||
|
||||
5. On the PC, in **Connect to remote device**, enter the code from the mobile device.
|
||||
|
||||
6. Next, click **Sync** to pull information from the device in to Lockdown Designer.
|
||||
|
||||

|
||||
|
||||
7. Click the **Save** icon and enter a name for your project.
|
||||
|
||||
**Using a USB cable**
|
||||
|
||||
1. Open Lockdown Designer.
|
||||
|
||||
2. Click **Create new project**.
|
||||
|
||||
2. Connect a Windows 10 Mobile device to the PC by USB and unlock the device.
|
||||
|
||||
3. On the **Project setting** > **General settings** page, click **Pair**.
|
||||
|
||||

|
||||
|
||||
**Connect to remote device** appears.
|
||||
|
||||
4. On the mobile device, under **Device discovery**, tap **Pair**. A case-sensitive code is displayed.
|
||||
|
||||
5. On the PC, in **Connect to remote device**, enter the code from the mobile device.
|
||||
|
||||
6. Next, click **Sync** to pull information from the device in to Lockdown Designer.
|
||||
|
||||

|
||||
|
||||
7. Click the **Save** icon and enter a name for your project.
|
||||
|
||||
|
||||
## Configure your lockdown XML settings
|
||||
|
||||
The apps and settings available in the pages of Lockdown Designer should now be populated from the test mobile device. The following table describes what you can configure on each page.
|
||||
|
||||
| Page | Description |
|
||||
| --- | --- |
|
||||
|  | Each app from the test mobile device is listed. Select the apps that you want visible to users.</br></br>You can select an app to run automatically when a user signs in to the device. The **Select Auto-Run** menu is populated by the apps that you select to allow on the device. |
|
||||
|  | CSPRunner enables you to include settings and policies that are not defined in other sections of the app. To make use of CSPRunner, you must create the SyncML block that contains the settings, and then import the SyncML in Lockdown Designer. [Learn how to use CSPRunner and author SyncML.](lockdown-xml.md#csprunner) |
|
||||
|  | On this page, you select the settings that you want visible to users. See the [ms settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to see which Settings page maps to a URI. |
|
||||
|  | On this page, you select the settings that you want visible to users. |
|
||||
|  | Each hardware button on a mobile device has different actions that can be disabled. In addition, the behavior for **Search** button can be changed to open an app other than **Search**.</br></br>Some devices may have additional hardware buttons provided by the OEM. These are listed as Custom1, Custom2, and Custom3. If your device has custom hardware buttons, contact your equipment provider to identify how their custom buttons are defined. |
|
||||
|  | This page contains several settings that you can configure:</br></br>- The context menu is displayed when a user presses and holds an application in the All Apps list. You can enable or disable the context menu.</br></br>- Tile manipulation allows users to pin, unpin, move, and resize tiles on the Start screen. You can enable or disable tile manipulation.</br></br>- The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both. |
|
||||
| <span id="start" /> | On this page, you can start a remote simulation session with the test mobile device. Click **Start remote simulation**. You will see a **Start screen remote simulation in progress** message on the PC. (If the **Start remote simulation** button is not active, [pair the mobile device with the PC again](#pair).)</br></br>On the test mobile device, tiles for the apps that you allowed on the **Applications** page are displayed on the screen. You can move, resize, or unpin these tiles to achieve the desired layout.</br></br>When you are done changing the layout on the test mobile device, click **Accept** on the PC. |
|
||||
|
||||
|
||||
## Validate and export
|
||||
|
||||
On the **Validate and export** page, click **Validate** to make sure your lockdown XML is valid.
|
||||
|
||||
>[!WARNING]
|
||||
>Lockdown Designer cannot validate SyncML that you imported to CSPRunner.
|
||||
|
||||
Click **Export** to generate the XML file for your project. You can select the location to save the file.
|
||||
|
||||
## Create and configure multiple roles
|
||||
|
||||
You can create additional roles for the device and have unique configurations for each role. For example, you could have one configuration for a **Manager** role and a different configuration for a **Salesperson** role.
|
||||
|
||||
>[!NOTE]
|
||||
>Using multiple roles on a device requires a login application that displays the list of roles and allows users to sign in to Azure Active Directory. [Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin)
|
||||
|
||||
**For each role:**
|
||||
|
||||
1. On the **Project setting** page, click **Role management**.
|
||||
|
||||
2. Click **Add a role**.
|
||||
|
||||
3. Enter a name for the role, and then click **Save**.
|
||||
|
||||
4. Configure the settings for the role as above, but make sure on each page that you select the correct role.
|
||||
|
||||

|
@ -1,254 +0,0 @@
|
||||
---
|
||||
title: Product IDs in Windows 10 Mobile (Windows 10)
|
||||
description: You can use the product ID and Application User Model (AUMID) in Lockdown.xml to specify apps that will be available to the user.
|
||||
ms.assetid: 31116BED-C16A-495A-BD44-93218A087A1C
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
keywords: ["lockdown"]
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
ms.pagetype: mobile
|
||||
author: greg-lindsay
|
||||
ms.author: greglin
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 07/27/2017
|
||||
---
|
||||
|
||||
# Product IDs in Windows 10 Mobile
|
||||
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10 Mobile
|
||||
|
||||
You can use the product ID and Application User Model (AUMID) in Lockdown.xml to specify apps that will be available to the user.
|
||||
|
||||
## Apps included in Windows 10 Mobile
|
||||
|
||||
|
||||
The following table lists the product ID and AUMID for each app that is included in Windows 10 Mobile.
|
||||
|
||||
<table>
|
||||
|
||||
<thead>
|
||||
<tr class="header">
|
||||
<th align="left">App</th>
|
||||
<th align="left">Product ID</th>
|
||||
<th align="left">AUMID</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td align="left">Alarms and clock</td>
|
||||
<td align="left">44F7D2B4-553D-4BEC-A8B7-634CE897ED5F</td>
|
||||
<td align="left">Microsoft.WindowsAlarms_8wekyb3d8bbwe!App</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left">Calculator</td>
|
||||
<td align="left">B58171C6-C70C-4266-A2E8-8F9C994F4456</td>
|
||||
<td align="left">Microsoft.WindowsCalculator_8wekyb3d8bbwe!App</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left">Camera</td>
|
||||
<td align="left">F0D8FEFD-31CD-43A1-A45A-D0276DB069F1</td>
|
||||
<td align="left">Microsoft.WindowsCamera_8wekyb3d8bbwe!App</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left">Contact Support</td>
|
||||
<td align="left">0DB5FCFF-4544-458A-B320-E352DFD9CA2B</td>
|
||||
<td align="left">Windows.ContactSupport_cw5n1h2txyewy!App</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left">Cortana</td>
|
||||
<td align="left">FD68DCF4-166F-4C55-A4CA-348020F71B94</td>
|
||||
<td align="left">Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left">Excel</td>
|
||||
<td align="left">EAD3E7C0-FAE6-4603-8699-6A448138F4DC</td>
|
||||
<td align="left">Microsoft.Office.Excel_8wekyb3d8bbwe!microsoft.excel</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left">Facebook</td>
|
||||
<td align="left">82A23635-5BD9-DF11-A844-00237DE2DB9E</td>
|
||||
<td align="left">Microsoft.MSFacebook_8wekyb3d8bbwe!x82a236355bd9df11a84400237de2db9e</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left">File Explorer</td>
|
||||
<td align="left">C5E2524A-EA46-4F67-841F-6A9465D9D515</td>
|
||||
<td align="left">c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy!App</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left">FM Radio</td>
|
||||
<td align="left">F725010E-455D-4C09-AC48-BCDEF0D4B626</td>
|
||||
<td align="left">N/A</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left">Get Started</td>
|
||||
<td align="left">B3726308-3D74-4A14-A84C-867C8C735C3C</td>
|
||||
<td align="left">Microsoft.Getstarted_8wekyb3d8bbwe!App</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left">Groove Music</td>
|
||||
<td align="left">D2B6A184-DA39-4C9A-9E0A-8B589B03DEC0</td>
|
||||
<td align="left">Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left">Maps</td>
|
||||
<td align="left">ED27A07E-AF57-416B-BC0C-2596B622EF7D</td>
|
||||
<td align="left">Microsoft.WindowsMaps_8wekyb3d8bbwe!App</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left">Messaging</td>
|
||||
<td align="left">27E26F40-E031-48A6-B130-D1F20388991A</td>
|
||||
<td align="left">Microsoft.Messaging_8wekyb3d8bbwe!x27e26f40ye031y48a6yb130yd1f20388991ax</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left">Microsoft Edge</td>
|
||||
<td align="left">395589FB-5884-4709-B9DF-F7D558663FFD</td>
|
||||
<td align="left">Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left">Money</td>
|
||||
<td align="left">1E0440F1-7ABF-4B9A-863D-177970EEFB5E</td>
|
||||
<td align="left">Microsoft.BingFinance_8wekyb3d8bbwe!AppexFinance</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left">Movies and TV</td>
|
||||
<td align="left">6AFFE59E-0467-4701-851F-7AC026E21665</td>
|
||||
<td align="left">Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left">News</td>
|
||||
<td align="left">9C3E8CAD-6702-4842-8F61-B8B33CC9CAF1</td>
|
||||
<td align="left">Microsoft.BingNews_8wekyb3d8bbwe!AppexNews</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left">OneDrive</td>
|
||||
<td align="left">AD543082-80EC-45BB-AA02-FFE7F4182BA8</td>
|
||||
<td align="left">Microsoft.MicrosoftSkydrive_8wekyb3d8bbwe!App</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left">OneNote</td>
|
||||
<td align="left">CA05B3AB-F157-450C-8C49-A1F127F5E71D</td>
|
||||
<td align="left">Microsoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left">Outlook Calendar</td>
|
||||
<td align="left"><p>A558FEBA-85D7-4665-B5D8-A2FF9C19799B</p></td>
|
||||
<td align="left"><p>Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Calendar</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left">Outlook Mail</td>
|
||||
<td align="left"><p>A558FEBA-85D7-4665-B5D8-A2FF9C19799B</p></td>
|
||||
<td align="left"><p>Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Mail</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left">People</td>
|
||||
<td align="left">60BE1FB8-3291-4B21-BD39-2221AB166481</td>
|
||||
<td align="left">Microsoft.People_8wekyb3d8bbwe!xb94d6231y84ddy49a8yace3ybc955e769e85x</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left">Phone (dialer)</td>
|
||||
<td align="left">F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7</td>
|
||||
<td align="left">Microsoft.CommsPhone_8wekyb3d8bbwe!App</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left">Photos</td>
|
||||
<td align="left">FCA55E1B-B9A4-4289-882F-084EF4145005</td>
|
||||
<td align="left">Microsoft.Windows.Photos_8wekyb3d8bbwe!App</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left">Podcasts</td>
|
||||
<td align="left">C3215724-B279-4206-8C3E-61D1A9D63ED3</td>
|
||||
<td align="left">Microsoft.MSPodcast_8wekyb3d8bbwe!xc3215724yb279y4206y8c3ey61d1a9d63ed3x</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left">Powerpoint</td>
|
||||
<td align="left">B50483C4-8046-4E1B-81BA-590B24935798</td>
|
||||
<td align="left">Microsoft.Office.PowerPoint_8wekyb3d8bbwe!microsoft.pptim</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left">Settings</td>
|
||||
<td align="left">2A4E62D8-8809-4787-89F8-69D0F01654FB</td>
|
||||
<td align="left">2a4e62d8-8809-4787-89f8-69d0f01654fb_8wekyb3d8bbwe!App</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left">Skype</td>
|
||||
<td align="left">C3F8E570-68B3-4D6A-BDBB-C0A3F4360A51</td>
|
||||
<td align="left">Microsoft.SkypeApp_kzf8qxf38zg5c!Skype.AppId</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left">Skype Video</td>
|
||||
<td align="left">27E26F40-E031-48A6-B130-D1F20388991A</td>
|
||||
<td align="left">Microsoft.Messaging_8wekyb3d8bbwe!App</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left">Sports</td>
|
||||
<td align="left">0F4C8C7E-7114-4E1E-A84C-50664DB13B17</td>
|
||||
<td align="left">Microsoft.BingSports_8wekyb3d8bbwe!AppexSports</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left">Storage</td>
|
||||
<td align="left">5B04B775-356B-4AA0-AAF8-6491FFEA564D</td>
|
||||
<td align="left">N/A</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left">Store</td>
|
||||
<td align="left">7D47D89A-7900-47C5-93F2-46EB6D94C159</td>
|
||||
<td align="left">Microsoft.WindowsStore_8wekyb3d8bbwe!App</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left">Voice recorder</td>
|
||||
<td align="left">7311B9C5-A4E9-4C74-BC3C-55B06BA95AD0</td>
|
||||
<td align="left">Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe!App</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left">Wallet</td>
|
||||
<td align="left">587A4577-7868-4745-A29E-F996203F1462</td>
|
||||
<td align="left">Microsoft.MicrosoftWallet_8wekyb3d8bbwe!App</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left">Weather</td>
|
||||
<td align="left">63C2A117-8604-44E7-8CEF-DF10BE3A57C8</td>
|
||||
<td align="left">Microsoft.BingWeather_8wekyb3d8bbwe!App</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left">Windows Feedback</td>
|
||||
<td align="left">7604089D-D13F-4A2D-9998-33FC02B63CE3</td>
|
||||
<td align="left">Microsoft.WindowsFeedback_8wekyb3d8bbwe!App</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left">Word</td>
|
||||
<td align="left">258F115C-48F4-4ADB-9A68-1387E634459B</td>
|
||||
<td align="left">Microsoft.Office.Word_8wekyb3d8bbwe!microsoft.word</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left">Xbox</td>
|
||||
<td align="left">B806836F-EEBE-41C9-8669-19E243B81B83</td>
|
||||
<td align="left">Microsoft.XboxApp_8wekyb3d8bbwe!Microsoft.XboxApp</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)
|
||||
|
||||
[Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md)
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -1,91 +0,0 @@
|
||||
---
|
||||
title: Configure Windows 10 Mobile devices with Configuration Designer
|
||||
description: Use Windows Configuration Designer to configure Windows 10 Mobile devices
|
||||
keywords: phone, handheld, lockdown, customize
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: greg-lindsay
|
||||
ms.author: greglin
|
||||
ms.topic: article
|
||||
ms.date: 07/27/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
---
|
||||
|
||||
# Use Windows Configuration Designer to configure Windows 10 Mobile devices
|
||||
|
||||
Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using provisioning packages, you can easily specify desired configuration, settings, and information required to enroll the devices into management, and then apply that configuration to target devices in a matter of minutes.
|
||||
|
||||
A provisioning package (.ppkg) is a container for a collection of configuration settings. Using Windows Configuration Designer, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
|
||||
|
||||
Windows Configuration Designer can be installed from the [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). Windows Configuration Designer is also available as an app in the Microsoft Store. [Learn more about installing Windows Configuration Designer.](../provisioning-packages/provisioning-install-icd.md)
|
||||
|
||||
## Create a provisioning package using the wizard
|
||||
|
||||
The **Provision Windows mobile devices** wizard lets you configure common settings for devices running Windows 10 Mobile in a simple, graphical workflow.
|
||||
|
||||
### Start a new project
|
||||
|
||||
1. Open Windows Configuration Designer:
|
||||
- From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click the Windows Configuration Designer shortcut,
|
||||
|
||||
or
|
||||
|
||||
- If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**.
|
||||
|
||||
2. On the **Start** page, choose **Provision Windows mobile devices**.
|
||||
|
||||
3. Enter a name for your project, and then click **Next**.
|
||||
|
||||
|
||||
### Configure settings in the wizard
|
||||
|
||||
<table>
|
||||
<tr><td valign="top"><img src="../images/one.png" alt="step one"/><img src="../images/set-up-device-mobile.png" alt="set up device"/></br></br>Enter a device name.</br></br> Optionally, you can enter a product key to upgrade the device from Windows 10 Mobile to Windows 10 Mobile Enterprise. </td><td><img src="../images/set-up-device-details-mobile.png" alt="device name, upgrade license"/></td></tr>
|
||||
<tr><td valign="top"><img src="../images/two.png" alt="step two"/> <img src="../images/set-up-network-mobile.png" alt="set up network"/></br></br>Toggle <strong>On</strong> or <strong>Off</strong> for wireless network connectivity. </br></br>If you select <strong>On</strong>, enter the SSID, network type (<strong>Open</strong> or <strong>WPA2-Personal</strong>), and (if <strong>WPA2-Personal</strong>) the password for the wireless network.</td><td><img src="../images/set-up-network-details-mobile.png" alt="Enter network SSID and type"/></td></tr>
|
||||
<tr><td valign="top"><img src="../images/three.png" alt="step three"/> <img src="../images/bulk-enroll-mobile.png" alt="bulk enrollment in Azure Active Directory"/></br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, <a href="/azure/active-directory/active-directory-azureadjoin-setup" data-raw-source="[set up Azure AD join in your organization](/azure/active-directory/active-directory-azureadjoin-setup)">set up Azure AD join in your organization</a>. The <strong>maximum number of devices per user</strong> setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. </br></br> Set an expiration date for the token (maximum is 180 days from the date you get the token). Click <strong>Get bulk token</strong>. In the <strong>Let's get you signed in</strong> window, enter an account that has permissions to join a device to Azure AD, and then the password. Click <strong>Accept</strong> to give Windows Configuration Designer the necessary permissions.</br></br><strong>Warning:</strong> You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards. </td><td><img src="../images/bulk-enroll-mobile-details.png" alt="Enter expiration and get bulk token"/></td></tr>
|
||||
<tr><td valign="top"><img src="../images/four.png" alt="step four"/> <img src="../images/finish-mobile.png" alt="finish"/></br></br>You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.</td><td><img src="../images/finish-details-mobile.png" alt="Protect your package"/></td></tr>
|
||||
</table>
|
||||
|
||||
After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page.
|
||||
|
||||
### Apply provisioning package
|
||||
|
||||
You can apply a provisioning package to a device running Windows 10 Mobile by using:
|
||||
|
||||
- removable media
|
||||
- copying the provisioning package to the device
|
||||
- [NFC tags](provisioning-nfc.md)
|
||||
- [barcodes](provisioning-package-splitter.md)
|
||||
|
||||
### Using removable media
|
||||
|
||||
1. Insert an SD card containing the provisioning package into the device.
|
||||
2. Navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install.
|
||||
|
||||

|
||||
|
||||
3. Click **Add**.
|
||||
|
||||
4. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
|
||||
|
||||

|
||||
|
||||
### Copying the provisioning package to the device
|
||||
|
||||
1. Connect the device to your PC through USB.
|
||||
|
||||
2. On the PC, select the provisioning package that you want to use to provision the device and then drag and drop the file to your device.
|
||||
|
||||
3. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
|
||||
|
||||

|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
- [NFC-based device provisioning](provisioning-nfc.md)
|
||||
- [Use the package splitter tool](provisioning-package-splitter.md)
|
@ -1,144 +0,0 @@
|
||||
---
|
||||
title: NFC-based device provisioning (Windows 10)
|
||||
description:
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
author: greg-lindsay
|
||||
ms.author: greglin
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 07/27/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
---
|
||||
|
||||
# NFC-based device provisioning
|
||||
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10 Mobile
|
||||
|
||||
|
||||
Near field communication (NFC) enables Windows 10 Mobile Enterprise and Windows 10 Mobile devices to communicate with an NFC tag or another NFC-enabled transmitting device. Enterprises that do bulk provisioning can use NFC-based device provisioning to provide a provisioning package to the device that's being provisioned. NFC provisioning is simple and convenient and it can easily store an entire provisioning package.
|
||||
|
||||
The NFC provisioning option enables the administrator to provide a provisioning package during initial device setup (the out-of-box experience or OOBE phase). Administrators can use the NFC provisioning option to transfer provisioning information to persistent storage by tapping an unprovisioned mobile device to an NFC tag or NFC-enabled device. To use NFC for pre-provisioning a device, you must either prepare your own NFC tags by storing your provisioning package to a tag as described in this section, or build the infrastructure needed to transmit a provisioning package between an NFC-enabled device and a mobile device during OOBE.
|
||||
|
||||
## Provisioning OOBE UI
|
||||
|
||||
All Windows 10 Mobile Enterprise and Windows 10 Mobile images have the NFC provisioning capability incorporated into the operating system. On devices that support NFC and are running Windows 10 Mobile Enterprise or Windows 10 Mobile, NFC-based device provisioning provides an additional mechanism to provision the device during OOBE.
|
||||
|
||||
On all Windows devices, device provisioning during OOBE can be triggered by 5 fast taps on the Windows hardware key, which shows the **Provision this device** screen. In the **Provision this device** screen, select **NFC** for NFC-based provisioning.
|
||||
|
||||

|
||||
|
||||
If there is an error during NFC provisioning, the device will show a message if any of the following errors occur:
|
||||
|
||||
- **NFC initialization error** - This can be caused by any error that occurs before data transfer has started. For example, if the NFC driver isn't enabled or there's an error communicating with the proximity API.
|
||||
- **Interrupted download or incomplete package transfer** - This error can happen if the peer device is out of range or the transfer is aborted. This error can be caused whenever the device being provisioned fails to receive the provisioning package in time.
|
||||
- **Incorrect package format** - This error can be caused by any protocol error that the operating system encounters during the data transfer between the devices.
|
||||
- **NFC is disabled by policy** - Enterprises can use policies to disallow any NFC usage on the managed device. In this case, NFC functionality is not enabled.
|
||||
|
||||
## NFC tag
|
||||
|
||||
You can use an NFC tag for minimal provisioning and use an NFC-enabled device tag for larger provisioning packages.
|
||||
|
||||
The protocol used for NFC-based device provisioning is similar to the one used for NFC provisioning on Windows Embedded 8.1 Handheld, which supported both single-chunk and multi-chunk transfer when the total transfer didn't fit in one NDEP message size. In Windows 10, the provisioning stack contains the following changes:
|
||||
|
||||
- **Protocol namespace** - The protocol namespace has changed from Windows.WEH.PreStageProv.Chunk to Windows.ProvPlugins.Chunk.
|
||||
- **Tag data type** - The tag data type has changed from UTF-8 into binary raw data.
|
||||
|
||||
|
||||
>[!NOTE]
|
||||
>The NFC tag doesn't go in the secondary device. You can transfer the NFC tag by using a provisioning package from device-to-device using the NFC radio or by re-reading the provisioning package from an NFC tag.
|
||||
|
||||
### NFC tag components
|
||||
|
||||
NFC tags are suitable for very light applications where minimal provisioning is required. The size of NFC tags that contain provisioning packages is typically 4 KB to 10 KB.
|
||||
|
||||
To write to an NFC tag, you will need to use an NFC Writer tool, or you can use the [ProximityDevice class API](/uwp/api/Windows.Networking.Proximity.ProximityDevice) to write your own custom tool to transfer your provisioning package file to your NFC tag. The tool must publish a binary message (write) a Chunk data type to your NFC tag.
|
||||
|
||||
The following table describes the information that is required when writing to an NFC tag.
|
||||
|
||||
| Required field | Description |
|
||||
| --- | --- |
|
||||
| **Type** | Windows.ProvPlugins.Chunk<br></br>The receiving device uses this information to understand information in the Data field. |
|
||||
| **Data** | Tag data with small header in raw binary format that contains a chunk of the provisioning package to be transferred. |
|
||||
|
||||
|
||||
|
||||
### NFC provisioning helper
|
||||
|
||||
The NFC provisioning helper device must split the provisioning package raw content into multiple parts and publish these in order. Each part should follow the following format:
|
||||
|
||||
<table><tr><td><strong>Version</strong></br>(1 byte)</td><td><strong>Leading</strong><br>(1 byte)</td><td><strong>Order</strong></br>(1 byte)</td><td><strong>Total</strong></br>(1 byte)</td><td><strong>Chunk payload</strong></br>(N bytes)</td></tr></table>
|
||||
|
||||
For each part:
|
||||
- <strong>Version</strong> should always be 0x00.
|
||||
- <strong>Leading byte</strong> should always be 0xFF.
|
||||
- <strong>Order</strong> represents which message chunk (out of the whole message) the part belongs to. The Order begins with zero (0).
|
||||
- <strong>Total</strong> represents the total number of chunks to be transferred for the whole message.
|
||||
- <strong>Chunk payload</strong> represents each of the split parts.
|
||||
|
||||
The NFC provisioning helper device must publish the record in a type of Windows.ProvPlugins.Chunk.
|
||||
|
||||
**Code example**
|
||||
|
||||
The following example shows how to write to an NFC tag. This example assumes that the tag is already in range of the writing device.
|
||||
|
||||
```
|
||||
private async void WriteProvPkgToTag(IStorageFile provPkgFile)
|
||||
{
|
||||
var buffer = await FileIO.ReadBufferAsync(provPkgFile);
|
||||
if (null == buffer)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
var proximityDevice = Windows.Networking.Proximity.ProximityDevice.GetDefault();
|
||||
if (null == proximityDevice)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
var dataWriter = new DataWriter();
|
||||
var header = new NfcProvHeader();
|
||||
|
||||
header.version = NFC_PROV_MESSAGE_CURRENT_VERSION; // Currently the supported version is 0x00.
|
||||
header.leading = NFC_PROV_MESSAGE_LEADING_BYTE; // The leading byte should be always 0xFF.
|
||||
header.index = 0; // Assume we only have 1 chunk.
|
||||
header.total = 1; // Assume we only have 1 chunk.
|
||||
|
||||
// Write the header first and then the raw data of the provisioning package.
|
||||
dataWriter.WriteBytes(GetBytes(header));
|
||||
dataWriter.WriteBuffer(buffer);
|
||||
|
||||
var chunkPubId = proximityDevice.PublishBinaryMessage(
|
||||
"Windows:WriteTag.ProvPlugins.Chunk",
|
||||
dataWriter.DetachBuffer());
|
||||
}
|
||||
```
|
||||
|
||||
|
||||
### NFC-enabled device tag components
|
||||
|
||||
Provisioning from an NFC-enabled source device allows for larger provisioning packages than can be transferred using an NFC tag. When provisioning from an NFC-enabled device, we recommend that the total file size not exceed 120 KB. Be aware that the larger the NFC file is, the longer it will take to transfer the provisioning file. Depending on your NFC hardware, the transfer time for a 120 KB file will vary between 2.5 seconds and 10 seconds.
|
||||
|
||||
To provision from an NFC-enabled source device, use [ProximityDevice class API](/uwp/api/Windows.Networking.Proximity.ProximityDevice) to write your own custom tool that transfers your provisioning package in chunks to your target mobile device. The tool must publish binary messages (transmit) a Header message, followed by one or more Chunk messages. The Header specifies the total amount of data that will be transferred to the target device; the Chunks must contain binary raw data formatted provisioning data, as shown in the NFC tag components section.
|
||||
|
||||
For detailed information and code samples on how to implement an NFC-enabled device tag, see **ConvertToNfcMessageAsync** in [this GitHub NfcProvisioner Universal Windows app example](https://github.com/Microsoft/Windows-universal-samples/blob/master/Samples/NfcProvisioner/cs/Scenario1.xaml.cs). The sample app shows you how to host the provisioning package on a master device so that you can transfer it to the receiving device.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md)
|
||||
|
||||
- [Barcode provisioning and the package splitter tool](provisioning-package-splitter.md)
|
||||
|
||||
|
@ -1,93 +0,0 @@
|
||||
---
|
||||
title: Barcode provisioning and the package splitter tool (Windows 10)
|
||||
description:
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
author: greg-lindsay
|
||||
ms.author: greglin
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 07/27/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
---
|
||||
|
||||
# Barcode provisioning and the package splitter tool
|
||||
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10 Mobile
|
||||
|
||||
Enterprises that do bulk provisioning can use barcode-based device provisioning to provide a provisioning package to the device that's being provisioned.
|
||||
|
||||
The barcode provisioning option enables the administrator to provide a provisioning package during initial device setup (the out-of-box experience or OOBE phase). To use barcodes to provision a device, your devices must have an integrated barcode scanner. You can get the barcode format that the scanner supports from your OEM or device provider, and use your existing tools and processes to convert a provisioning package into barcodes.
|
||||
|
||||
Enterprise IT professionals who want to use a barcode to provision mobile devices during OOBE can use the package splitter tool, **ppkgtobase64.exe**, which is a command-line tool to split the provisioning package into smaller files.
|
||||
|
||||
The smallest provisioning package is typically 5-6 KB, which cannot fit into one single barcode. The package splitter tool allows partners to split the original provisioning package into multiple smaller sized chunks that are encoded with Base64 so that enterprises can leverage their existing tools to convert these files into barcodes.
|
||||
|
||||
When you [install Windows Configuration Designer](../provisioning-packages/provisioning-install-icd.md) from the Windows Assessment and Deployment Kit (ADK), **ppkgtobase64.exe** is installed to the same folder.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
Before you can use the tool, you must have a built provisioning package. The package file is the input to the package splitter tool.
|
||||
|
||||
- To build a provisioning package using the Windows Configuration Designer UI, see [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md).
|
||||
- To build a provisioning package using the Windows Configuration Designer CLI, see [Windows Configuration Designer command-line interface](../provisioning-packages/provisioning-command-line.md).
|
||||
|
||||
## To use the package splitter tool (ppkgtobase64.exe)
|
||||
|
||||
1. Open a command-line window with administrator privileges.
|
||||
|
||||
|
||||
2. From the command-line, navigate to the Windows Configuration Designer install directory.
|
||||
|
||||
On an x64 computer, type:
|
||||
```
|
||||
cd C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86
|
||||
```
|
||||
|
||||
- or -
|
||||
|
||||
On an x86 computer, type:
|
||||
|
||||
```
|
||||
cd C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86
|
||||
```
|
||||
|
||||
3. Run `ppkgtobase64.exe`. The [syntax](#syntax) and [switches and arguments](#switches-and-arguments) sections provide details for the command.
|
||||
|
||||
|
||||
### Syntax
|
||||
|
||||
```
|
||||
ppkgtobase64.exe -i <InputFile> -o <OutputDirectory> -s <BlockSize> [-c] [/?]
|
||||
```
|
||||
|
||||
### Switches and arguments
|
||||
|
||||
| Switch | Required? | Arguments |
|
||||
| --- | --- | --- |
|
||||
| -i | Yes | Use to specify the path and file name of the provisioning package that you want to divide into smaller files.</br></br>The tool allows you to specify the absolute path of the provisioning package file. However, if you don't specify the path, the tool will search the current folder for a package that matches the file name you specified. |
|
||||
| -o | Yes | Use to specify the directory where the output files will be saved. |
|
||||
| -s | Yes | Use to specify the size of the block that will be encoded in Base64. |
|
||||
| -c | No | Use to delete any files in the output directory if the directory already exists. This parameter is optional. |
|
||||
| /? | No | Lists the switches and their descriptions for the command-line tool or for certain commands. |
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -1,202 +0,0 @@
|
||||
---
|
||||
title: Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise (Windows 10)
|
||||
description: A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings.
|
||||
ms.assetid: 35EC82D8-D9E8-45C3-84E9-B0C8C167BFF7
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
keywords: kiosk, lockdown, assigned access
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
ms.pagetype: mobile
|
||||
author: greg-lindsay
|
||||
ms.author: greglin
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 07/27/2017
|
||||
---
|
||||
|
||||
# Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise
|
||||
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10 Mobile
|
||||
|
||||
|
||||
A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You use the [Enterprise Assigned Access](#enterprise-assigned-access) configuration service provider (CSP) to configure a kiosk experience. You can also configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise, version 1607 or earlier, for kiosk mode by using the [Apps Corner](#apps-corner) feature. (Apps Corner is removed in version 1703.)
|
||||
|
||||
|
||||
|
||||
## Enterprise Assigned Access
|
||||
|
||||
|
||||
Enterprise Assigned Access allows you to put your Windows 10 Mobile or Windows 10 Mobile Enterprise device in kiosk mode by creating a user role that has only a single app, set to run automatically, in the Allow list.
|
||||
|
||||
>[!NOTE]
|
||||
>The app can be a Universal Windows app, Universal Windows Phone 8 app, or a legacy Silverlight app.
|
||||
|
||||
|
||||
|
||||
### Set up Enterprise Assigned Access in MDM
|
||||
|
||||
In AssignedAccessXml, for Application, you enter the product ID for the app to run in kiosk mode. Find product IDs at [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md).
|
||||
|
||||
[See the technical reference for the Enterprise Assigned Access configuration service provider (CSP).](/windows/client-management/mdm/enterpriseassignedaccess-csp)
|
||||
|
||||
### Set up assigned access using Windows Configuration Designer
|
||||
|
||||
>[!IMPORTANT]
|
||||
>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
|
||||
|
||||
#### Create the *AssignedAccess*.xml file
|
||||
|
||||
1. Create an *AssignedAccess*.xml file that specifies the app the device will run. (You can name use any file name.) For instructions on AssignedAccessXml, see [EnterpriseAssignedAccess CSP](/windows/client-management/mdm/enterpriseassignedaccess-csp).
|
||||
|
||||
>[!NOTE]
|
||||
>Do not escape the xml in *AssignedAccess*.xml file as Windows Configuration Designer will do that when building the package. Providing escaped xml in Windows ICD will cause building the package fail.
|
||||
|
||||
#### Create the provisioning package
|
||||
|
||||
1. [Install Windows Configuration Designer.](../provisioning-packages/provisioning-install-icd.md)
|
||||
|
||||
2. Open Windows Configuration Designer (if you installed it from the Windows ADK, `%windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe`).
|
||||
|
||||
3. Choose **Advanced provisioning**.
|
||||
|
||||
|
||||
|
||||
4. Name your project, and click **Next**.
|
||||
|
||||
5. Choose **All Windows mobile editions** and click **Next**.
|
||||
|
||||
6. On **New project**, click **Finish**. The workspace for your package opens.
|
||||
|
||||
7. Expand **Runtime settings** > **EmbeddedLockdownProfiles**, and click **AssignedAccessXml**.
|
||||
|
||||
8. Click **Browse** to select the *AssignedAccess*.xml file.
|
||||
|
||||
9. On the **File** menu, select **Save.**
|
||||
|
||||
10. On the **Export** menu, select **Provisioning package**.
|
||||
|
||||
11. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
|
||||
|
||||
12. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
|
||||
|
||||
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
|
||||
|
||||
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package.
|
||||
|
||||
13. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location.
|
||||
|
||||
Optionally, you can click **Browse** to change the default output location.
|
||||
|
||||
14. Click **Next**.
|
||||
|
||||
15. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
|
||||
|
||||
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
|
||||
|
||||
16. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
|
||||
|
||||
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
|
||||
|
||||
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
|
||||
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
|
||||
|
||||
17. Select the **output location** link to go to the location of the package.
|
||||
|
||||
#### Distribute the provisioning package
|
||||
|
||||
You can distribute that .ppkg to mobile devices using any of the following methods:
|
||||
|
||||
- Removable media (USB/SD)
|
||||
|
||||
**To apply a provisioning package from removable media**
|
||||
|
||||
1. Copy the provisioning package file to the root directory on a micro SD card.
|
||||
|
||||
2. On the device, insert the micro SD card containing the provisioning package.
|
||||
|
||||
3. Go to **Settings** > **Accounts** > **Provisioning.**
|
||||
|
||||
4. Tap **Add a package**.
|
||||
|
||||
5. On the **Choose a method** screen, in the **Add from** dropdown menu, select **Removable Media**.
|
||||
|
||||
6. Select a package will list all available provisioning packages on the micro SD card. Tap the desired package, and then tap **Add**.
|
||||
|
||||
7. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**.
|
||||
|
||||
8. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device.
|
||||
|
||||
- Email
|
||||
|
||||
**To apply a provisioning package sent in email**
|
||||
|
||||
1. Send the provisioning package in email to an account on the device.
|
||||
|
||||
2. Open the email on the device, and then double-tap the attached file.
|
||||
|
||||
3. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**.
|
||||
|
||||
4. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device.
|
||||
|
||||
- USB tether
|
||||
|
||||
**To apply a provisioning package using USB tether**
|
||||
|
||||
1. Connect the device to your PC by USB.
|
||||
|
||||
2. Select the provisioning package that you want to use to provision the device, and then drag and drop the file to your device.
|
||||
|
||||
3. The provisioning package installation dialog will appear on the phone.
|
||||
|
||||
4. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**.
|
||||
|
||||
5. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device.
|
||||
|
||||
|
||||
|
||||
## Apps Corner
|
||||
|
||||
>[!NOTE]
|
||||
>For Windows 10, versions 1507, 1511, and 1607 only.
|
||||
|
||||
Apps Corner lets you set up a custom Start screen on your Windows 10 Mobile or Windows 10 Mobile Enterprise device, where you can share only the apps you choose with the people you let use your device. You configure a device for kiosk mode by selecting a single app to use in Apps Corner.
|
||||
|
||||
**To set up Apps Corner**
|
||||
|
||||
1. On Start , swipe over to the App list, then tap **Settings**  > **Accounts** > **Apps Corner**.
|
||||
|
||||
2. Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done .
|
||||
|
||||
3. If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. Press **Back**  to the Apps Corner settings.
|
||||
|
||||
4. Turn **Action center** on or off, depending on whether you want people to be able to use these features when using the device in kiosk mode.
|
||||
|
||||
5. Tap **advanced**, and then turn features on or off, depending on whether you want people to be able to use them.
|
||||
|
||||
6. Press **Back**  when you're done.
|
||||
|
||||
**To use Apps Corner**
|
||||
|
||||
1. On Start , swipe over to the App list, then tap **Settings**  > **Accounts** > **Apps Corner** > launch .
|
||||
|
||||
>[!TIP]
|
||||
>Want to get to Apps Corner with one tap? In **Settings**, tap **Apps Corner** > **pin** to pin the Apps Corner tile to your Start screen.
|
||||
|
||||
2. Give the device to someone else, so they can use the device and only the one app you chose.
|
||||
|
||||
3. When they're done and you get the device back, press and hold Power , and then swipe right to exit Apps Corner.
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](../kiosk-single-app.md)
|
||||
|
||||
[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)
|
||||
|
||||
[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md)
|
||||
|
@ -1,499 +0,0 @@
|
||||
---
|
||||
title: Lock down settings and quick actions in Windows 10 Mobile
|
||||
description: This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile.
|
||||
ms.assetid: 69E2F202-D32B-4FAC-A83D-C3051DF02185
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
keywords: ["lockdown"]
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
ms.pagetype: mobile
|
||||
author: greg-lindsay
|
||||
ms.author: greglin
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 07/27/2017
|
||||
---
|
||||
|
||||
# Settings and quick actions that can be locked down in Windows 10 Mobile
|
||||
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10 Mobile
|
||||
|
||||
This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile.
|
||||
|
||||
## Settings lockdown in Windows 10, version 1703
|
||||
|
||||
In earlier versions of Windows 10, you used the page name to define allowed settings. Starting in Windows 10, version 1703, you use the settings URI.
|
||||
|
||||
For example, in place of **SettingsPageDisplay**, you would use **ms-settings:display**.
|
||||
|
||||
See the [ms-settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to find the URI for each Settings page.
|
||||
|
||||
## Settings lockdown in Windows 10, version 1607 and earlier
|
||||
|
||||
|
||||
You can use Lockdown.xml to configure lockdown settings.
|
||||
|
||||
The following table lists the settings pages and page groups. Use the page name in the Settings section of Lockdown.xml. The Settings section contains an allow list of pages in the Settings app.
|
||||
|
||||
<table>
|
||||
|
||||
<thead>
|
||||
<tr class="header">
|
||||
<th align="left">Main menu</th>
|
||||
<th align="left">Sub-menu</th>
|
||||
<th align="left">Page name</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td align="left">System</td>
|
||||
<td align="left"></td>
|
||||
<td align="left">SettingsPageGroupPCSystem</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Display</td>
|
||||
<td align="left">SettingsPageDisplay</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">Notifications & actions</td>
|
||||
<td align="left">SettingsPageAppsNotifications</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Phone</td>
|
||||
<td align="left">SettingsPageCalls</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">Messaging</td>
|
||||
<td align="left">SettingsPageMessaging</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Battery</td>
|
||||
<td align="left">SettingsPageBatterySaver</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">Apps for websites</td>
|
||||
<td align="left">SettingsPageAppsForWebsites</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">Storage</td>
|
||||
<td align="left">SettingsPageStorageSenseStorageOverview</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">Driving mode</td>
|
||||
<td align="left">SettingsPageDrivingMode</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Offline maps</td>
|
||||
<td align="left">SettingsPageMaps</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">About</td>
|
||||
<td align="left">SettingsPagePCSystemInfo</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left">Devices</td>
|
||||
<td align="left"></td>
|
||||
<td align="left">SettingsPageGroupDevices</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">Default camera</td>
|
||||
<td align="left">SettingsPagePhotos</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Bluetooth</td>
|
||||
<td align="left">SettingsPagePCSystemBluetooth</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">NFC</td>
|
||||
<td align="left">SettingsPagePhoneNFC</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Mouse</td>
|
||||
<td align="left">SettingsPageMouseTouchpad</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">USB</td>
|
||||
<td align="left">SettingsPageUsb</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left">Network and wireless</td>
|
||||
<td align="left"></td>
|
||||
<td align="left">SettingsPageGroupNetwork</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">Cellular & SIM</td>
|
||||
<td align="left">SettingsPageNetworkCellular</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Wi-Fi</td>
|
||||
<td align="left">SettingsPageNetworkWiFi</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">Airplane mode</td>
|
||||
<td align="left">SettingsPageNetworkAirplaneMode</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Data usage</td>
|
||||
<td align="left">SettingsPageDataSenseOverview</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">Mobile hotspot</td>
|
||||
<td align="left">SettingsPageNetworkMobileHotspot</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">VPN</td>
|
||||
<td align="left">SettingsPageNetworkVPN</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left">Personalization</td>
|
||||
<td align="left"></td>
|
||||
<td align="left">SettingsPageGroupPersonalization</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Start</td>
|
||||
<td align="left">SettingsPageBackGround</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">Colors</td>
|
||||
<td align="left">SettingsPageColors</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Sounds</td>
|
||||
<td align="left">SettingsPageSounds</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">Lock screen</td>
|
||||
<td align="left">SettingsPageLockscreen</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">Glance screen</td>
|
||||
<td align="left">SettingsPageGlance</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">Navigation bar</td>
|
||||
<td align="left">SettingsNagivationBar</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left">Accounts</td>
|
||||
<td align="left"></td>
|
||||
<td align="left">SettingsPageGroupAccounts</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Your info</td>
|
||||
<td align="left">SettingsPageAccountsPicture</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">Sign-in options</td>
|
||||
<td align="left">SettingsPageAccountsSignInOptions</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Email & app accounts</td>
|
||||
<td align="left">SettingsPageAccountsEmailApp</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Access work or school</td>
|
||||
<td align="left">SettingsPageWorkAccess</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">Sync your settings</td>
|
||||
<td align="left">SettingsPageAccountsSync</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left"><p>Apps corner</p>
|
||||
<p>(disabled in Assigned Access)</p></td>
|
||||
<td align="left">SettingsPageAppsCorner</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left">Time & language</td>
|
||||
<td align="left"></td>
|
||||
<td align="left">SettingsPageGroupTimeRegion</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Date & time</td>
|
||||
<td align="left">SettingsPageTimeRegionDateTime</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">Language</td>
|
||||
<td align="left">SettingsPageTimeLanguage</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Region</td>
|
||||
<td align="left">SettingsPageTimeRegion</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">Keyboard</td>
|
||||
<td align="left">SettingsPageKeyboard</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Speech</td>
|
||||
<td align="left">SettingsPageSpeech</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left">Ease of access</td>
|
||||
<td align="left"></td>
|
||||
<td align="left">SettingsPageGroupEaseOfAccess</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Narrator</td>
|
||||
<td align="left">SettingsPageEaseOfAccessNarrator</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">Magnifier</td>
|
||||
<td align="left">SettingsPageEaseOfAccessMagnifier</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">High contrast</td>
|
||||
<td align="left">SettingsPageEaseOfAccessHighContrast</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">Closed captions</td>
|
||||
<td align="left">SettingsPageEaseOfAccessClosedCaptioning</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">More options</td>
|
||||
<td align="left">SettingsPageEaseOfAccessMoreOptions</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left">Privacy</td>
|
||||
<td align="left"></td>
|
||||
<td align="left">SettingsPageGroupPrivacy</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Location</td>
|
||||
<td align="left">SettingsPagePrivacyLocation</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">Camera</td>
|
||||
<td align="left">SettingsPagePrivacyWebcam</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Microphone</td>
|
||||
<td align="left">SettingsPagePrivacyMicrophone</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">Motion</td>
|
||||
<td align="left">SettingsPagePrivacyMotionData</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Notifications</td>
|
||||
<td align="left">SettingsPagePrivacyNotifications</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Speech. inking, & typing</td>
|
||||
<td align="left">SettingsPagePrivacyPersonalization</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">Account info</td>
|
||||
<td align="left">SettingsPagePrivacyAccountInfo</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Contacts</td>
|
||||
<td align="left">SettingsPagePrivacyContacts</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">Calendar</td>
|
||||
<td align="left">SettingsPagePrivacyCalendar</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Phone calls</td>
|
||||
<td align="left">SettingsPagePrivacyPhoneCall</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Call history</td>
|
||||
<td align="left">SettingsPagePrivacyCallHistory</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Email</td>
|
||||
<td align="left">SettingsPagePrivacyEmail</td>
|
||||
</tr><tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Messaging</td>
|
||||
<td align="left">SettingsPagePrivacyMessaging</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">Radios</td>
|
||||
<td align="left">SettingsPagePrivacyRadios</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Continue App Experiences</td>
|
||||
<td align="left">SettingsPagePrivacyCDP</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Background apps</td>
|
||||
<td align="left">SettingsPagePrivacyBackgroundApps</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">Accessory apps</td>
|
||||
<td align="left">SettingsPageAccessories</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Advertising ID</td>
|
||||
<td align="left">SettingsPagePrivacyAdvertisingId</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">Other devices</td>
|
||||
<td align="left">SettingsPagePrivacyCustomPeripherals</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Feedback and diagnostics</td>
|
||||
<td align="left">SettingsPagePrivacySIUFSettings</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left">Update and security</td>
|
||||
<td align="left"></td>
|
||||
<td align="left">SettingsPageGroupRestore</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Phone update</td>
|
||||
<td align="left">SettingsPageRestoreMusUpdate</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Windows Insider Program</td>
|
||||
<td align="left">SettingsPageFlights</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Device encryption</td>
|
||||
<td align="left">SettingsPageGroupPCSystemDeviceEncryption</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">Backup</td>
|
||||
<td align="left">SettingsPageRestoreOneBackup</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"></td>
|
||||
<td align="left">Find my phone</td>
|
||||
<td align="left">SettingsPageFindMyDevice</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">For developers</td>
|
||||
<td align="left">SettingsPageSystemDeveloperOptions</td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left">OEM</td>
|
||||
<td align="left"></td>
|
||||
<td align="left">SettingsPageGroupExtensibility</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"></td>
|
||||
<td align="left">Extensibility</td>
|
||||
<td align="left">SettingsPageExtensibility</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
|
||||
## Quick actions lockdown
|
||||
|
||||
|
||||
Quick action buttons are locked down in exactly the same way as Settings pages/groups. By default they are always conditional.
|
||||
|
||||
You can specify the quick actions as follows:
|
||||
|
||||
```xml
|
||||
<Settings>
|
||||
<System name="QuickActions_Launcher_AllSettings" />
|
||||
<System name="QuickActions_Launcher_DeviceDiscovery" />
|
||||
<System name="SystemSettings_BatterySaver_LandingPage_OverrideControl" />
|
||||
<System name="SystemSettings_Device_BluetoothQuickAction"/>
|
||||
<System name="SystemSettings_Flashlight_Toggle"/>
|
||||
<System name="SystemSettings_Launcher_QuickNote" />
|
||||
<System name="SystemSettings_Network_VPN_QuickAction"/>
|
||||
<System name="SystemSettings_Privacy_LocationEnabledUserPhone"/>
|
||||
<System name="SystemSettings_QuickAction_AirplaneMode"/>
|
||||
<System name="SystemSettings_QuickAction_Camera" />
|
||||
<System name="SystemSettings_QuickAction_CellularData"/>
|
||||
<System name="SystemSettings_QuickAction_InternetSharing"/>
|
||||
<System name="SystemSettings_QuickAction_QuietHours" />
|
||||
<System name="SystemSettings_QuickAction_WiFi"/>
|
||||
<System name="SystemSettings_System_Display_Internal_Rotation"/>
|
||||
<System name="SystemSettings_System_Display_QuickAction_Brightness"/>
|
||||
</Settings>
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)
|
||||
|
||||
[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md)
|
||||
|
||||
|
||||
|
||||
|
@ -1,393 +0,0 @@
|
||||
---
|
||||
title: Start layout XML for mobile editions of Windows 10 (Windows 10)
|
||||
description: This topic describes the options for customizing Start layout in LayoutModification.xml for Windows 10 mobile editions.
|
||||
keywords: ["start screen"]
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
author: greg-lindsay
|
||||
ms.author: greglin
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 07/27/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
---
|
||||
|
||||
# Start layout XML for mobile editions of Windows 10 (reference)
|
||||
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
|
||||
>**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
|
||||
|
||||
|
||||
On Windows 10 Mobile, you can use the XML-based layout to modify the Start screen and provide the most robust and complete Start customization experience.
|
||||
|
||||
On Windows 10 Mobile, the customized Start works by:
|
||||
|
||||
- Windows 10 performs checks to determine the correct base default layout. The checks include the mobile edition, whether the device is dual SIM, the column width, and whether Cortana is supported for the country/region.
|
||||
- Windows 10 ensures that it does not overwrite the layout that you have set and will sequence the level checks and read the file layout such that any multivariant settings that you have set is not overwritten.
|
||||
- Windows 10 reads the LayoutModification.xml file and appends the group to the Start screen.
|
||||
|
||||
## Default Start layouts
|
||||
|
||||
The following diagrams show the default Windows 10, version 1607 Start layouts for single SIM and dual SIM devices with Cortana support, and single SIM and dual SIM devices with no Cortana support.
|
||||
|
||||

|
||||
|
||||
The diagrams show:
|
||||
|
||||
- Tile coordinates - These are determined by the row number and the column number.
|
||||
- Fold - Tiles "above the fold" are visible when users first navigate to the Start screen. Tiles "below the fold" are visible after users scroll up.
|
||||
- Partner-customizable tiles - OEM and mobile operator partners can customize these areas of the Start screen by prepinning content. The partner configurable slots are:
|
||||
- Rows 6-9
|
||||
- Rows 16-19
|
||||
|
||||
## LayoutModification XML
|
||||
|
||||
IT admins can provision the Start layout by creating a LayoutModification.xml file. This file supports several mechanisms to modify or replace the default Start layout and its tiles.
|
||||
|
||||
>[!NOTE]
|
||||
>To make sure the Start layout XML parser processes your file correctly, follow these guidelines when writing your LayoutModification.xml file:
|
||||
>- Do not leave spaces or white lines in between each element.
|
||||
>- Do not add comments inside the StartLayout node or any of its children elements.
|
||||
>- Do not add multiple rows of comments.
|
||||
|
||||
The following table lists the supported elements and attributes for the LayoutModification.xml file.
|
||||
|
||||
| Element | Attributes | Description |
|
||||
| --- | --- | --- |
|
||||
| LayoutModificationTemplate | xmlns</br>xmlns:defaultlayout</br>xmlns:start</br>Version | Use to describe the changes to the default Start layout. |
|
||||
| DefaultLayoutOverride</br></br>Parent:</br>LayoutModificationTemplate | n/a | Use to specify the customized Start layout for mobile devices. |
|
||||
| StartLayoutCollection</br></br>Parent:</br>DefaultLayoutOverride | n/a | Use to contain a collection of Start layouts. |
|
||||
| StartLayout</br></br>Parent:</br>StartLayoutCollection | n/a | Use to specify the tile groups that will be appended to the Start screen. |
|
||||
| start:Group</br></br>Parent:</br>StartLayout | Name | Use to specify the tiles that need to be appended to the default Start layout. |
|
||||
| start:Tile</br></br>Parent:</br>start:Group | AppUserModelID</br>Size</br>Row</br>Column | Use to specify any Universal Windows app that has a valid **AppUserModelID** attribute. |
|
||||
| start:SecondaryTile</br></br>Parent:</br>start:Group | AppUserModelID</br>TileID</br>Arguments</br>DisplayName</br>Square150x150LogoUri</br>ShowNameOnSquare150x150Logo</br>ShowNameOnWide310x150Logo</br>Wide310x150LogoUri</br>BackgroundColor</br>ForegroundText</br>IsSuggestedApp</br>Size</br>Row</br>Column | Use to pin a Web link through a Microsoft Edge secondary tile. |
|
||||
| start:PhoneLegacyTile</br></br>Parent:</br>start:Group | ProductID</br>Size</br>Row</br>Column | Use to add a mobile app that has a valid **ProductID** attribute. |
|
||||
| start:Folder</br></br>Parent:</br>start:Group | Name</br>Size</br>Row</br>Column | Use to add a folder to the mobile device's Start screen. |
|
||||
| RequiredStartTiles</br></br>Parent:</br>LayoutModificationTemplate | n/a | Use to specify the tiles that will be pinned to the bottom of the Start screen even if a restored Start screen does not have the tiles during backup or restore. |
|
||||
|
||||
### start:Group
|
||||
|
||||
**start:Group** tags specify a group of tiles that will be appended to Start. You can set the **Name** attribute to specify a name for the Start group.
|
||||
|
||||
>[!NOTE]
|
||||
>Windows 10 Mobile only supports one Start group.
|
||||
|
||||
For Windows 10 Mobile, **start:Group** tags can contain the following tags or elements:
|
||||
|
||||
- **start:Tile**
|
||||
- **start:SecondaryTile**
|
||||
- **start:PhoneLegacyTile**
|
||||
- **start:Folder**
|
||||
|
||||
### Specify Start tiles
|
||||
|
||||
To pin tiles to Start, you must use the right kind of tile depending on what you want to pin.
|
||||
|
||||
#### Tile size and coordinates
|
||||
|
||||
All tile types require a size (**Size**) and coordinates (**Row** and **Column**) attributes regardless of the tile type that you use when prepinning items to Start.
|
||||
|
||||
The following table describes the attributes that you must use to specify the size and location for the tile.
|
||||
|
||||
| Attribute | Description |
|
||||
| --- | --- |
|
||||
| Size | Determines how large the tile will be. </br>- 1x1 - small tile</br>- 2x2 - medium tile</br>- 4x2 - wide tile</br>- 4x4 - large tile |
|
||||
| Row | Specifies the row where the tile will appear. |
|
||||
| Column | Specifies the column where the tile will appear. |
|
||||
|
||||
For example, a tile with Size="2x2", Row="2", and Column="2" results in a tile located at (2,2) where (0,0) is the top-left corner of a group.
|
||||
|
||||
#### start:Tile
|
||||
|
||||
You can use the **start:Tile** tag to pin a Universal Windows app to Start.
|
||||
|
||||
To specify an app, you must set the **AppUserModelID** attribute to the application user model ID that's associated with the corresponding app.
|
||||
|
||||
The following example shows how to pin the Microsoft Edge Universal Windows app:
|
||||
|
||||
```XML
|
||||
<start:Tile
|
||||
AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge"
|
||||
Size="2x2"
|
||||
Row="0"
|
||||
Column="0"/>
|
||||
```
|
||||
|
||||
#### start:SecondaryTile
|
||||
|
||||
You can use the **start:SecondaryTile** tag to pin a Web link through a Microsoft Edge secondary tile.
|
||||
|
||||
The following example shows how to create a tile of the Web site's URL using the Microsoft Edge secondary tile:
|
||||
|
||||
```XML
|
||||
<start:SecondaryTile
|
||||
AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge"
|
||||
TileID="MyWeblinkTile"
|
||||
Arguments="http://msn.com"
|
||||
DisplayName="MySite"
|
||||
Square150x150LogoUri="ms-appx:///Assets/MicrosoftEdgeSquare150x150.png"
|
||||
Wide310x150LogoUri="ms-appx:///Assets/MicrosoftEdgeWide310x150.png"
|
||||
ShowNameOnSquare150x150Logo="true"
|
||||
ShowNameOnWide310x150Logo="false"
|
||||
BackgroundColor="#FF112233"
|
||||
Size="2x2"
|
||||
Row="0"
|
||||
Column="4"/>
|
||||
```
|
||||
|
||||
The following table describes the other attributes that you can use with the **start:SecondaryTile** tag in addition to **Size**, **Row**, and **Column**.
|
||||
|
||||
| Attribute | Required/optional | Description |
|
||||
| --- | --- | --- |
|
||||
| AppUserModelID | Required | Must point to Microsoft Edge. |
|
||||
| TileID | Required | Must uniquely identify your Web site tile. |
|
||||
| Arguments | Required | Must contain the URL of your Web site. |
|
||||
| DisplayName | Required | Must specify the text that you want users to see. |
|
||||
| Square150x150LogoUri | Required | Specifies the logo to use on the 2x2 tile. |
|
||||
| Wide310x150LogoUri | Optional | Specifies the logo to use on the 4x2 tile. |
|
||||
| ShowNameOnSquare150x150Logo | Optional | Specifies whether the display name is shown on the 2x2 tile. You can set the value for this attribute to true or false. By default, this is set to false. |
|
||||
| ShowNameOnWide310x150Logo | Optional | Specifies whether the display name is shown on the 4x2 tile. You can set the value for this attribute to true or false. By default, this is set to false. |
|
||||
| BackgroundColor | Optional | Specifies the color of the tile. You can specify the value in ARGB hexadecimal (for example, #FF112233) or specify "transparent". |
|
||||
| ForegroundText | Optional | Specifies the color of the foreground text. Set the value to either "light" or "dark". |
|
||||
|
||||
Secondary Microsoft Edge tiles have the same size and location behavior as a Universal Windows app.
|
||||
|
||||
#### start:PhoneLegacyTile
|
||||
|
||||
You can use the **start:PhoneLegacyTile** tag to add a mobile app that has a valid ProductID, which you can find in the app's manifest file. The **ProductID** attribute must be set to the GUID of the app.
|
||||
|
||||
The following example shows how to add a mobile app with a valid ProductID using the start:PhoneLegacyTile tag:
|
||||
|
||||
```XML
|
||||
<start:PhoneLegacyTile
|
||||
ProductID="{00000000-0000-0000-0000-000000000000}"
|
||||
Size="2x2"
|
||||
Row="0"
|
||||
Column="2"/>
|
||||
```
|
||||
|
||||
#### start:Folder
|
||||
|
||||
You can use the **start:Folder** tag to add a folder to the mobile device's Start screen.
|
||||
|
||||
You must set these attributes to specify the size and location of the folder: **Size**, **Row**, and **Column**.
|
||||
|
||||
Optionally, you can also specify a folder name by using the **Name** attribute. If you specify a name, set the value to a string.
|
||||
|
||||
The position of the tiles inside a folder is relative to the folder. You can add any of the following tile types to the folder:
|
||||
|
||||
- Tile - Use to pin a Universal Windows app to Start.
|
||||
- SecondaryTile - Use to pin a Web link through a Microsoft Edge secondary tile.
|
||||
- PhoneLegacyTile - Use to pin a mobile app that has a valid ProductID.
|
||||
|
||||
The following example shows how to add a medium folder that contains two apps inside it:
|
||||
|
||||
```XML
|
||||
<start:Folder
|
||||
Name="Contoso apps"
|
||||
Size="2x2"
|
||||
Row="0"
|
||||
Column="2">
|
||||
<start:Tile
|
||||
AppUserModelID="Microsoft.BingMaps_8wekyb3d8bbwe!ApplicationID"
|
||||
Size="2x2"
|
||||
Row="0"
|
||||
Column="0"/>
|
||||
<start:PhoneLegacyTile
|
||||
ProductID="{00000000-0000-0000-0000-000000000000}"
|
||||
Size="1x1"
|
||||
Row="0"
|
||||
Column="2"/>
|
||||
</start:Folder>
|
||||
```
|
||||
|
||||
#### RequiredStartTiles
|
||||
|
||||
You can use the **RequiredStartTiles** tag to specify the tiles that will be pinned to the bottom of the Start screen even if a restored Start screen does not have the tiles during backup or restore.
|
||||
|
||||
>[!NOTE]
|
||||
>Enabling this Start customization may be disruptive to the user experience.
|
||||
|
||||
For Windows 10 Mobile, **RequiredStartTiles** tags can contain the following tags or elements. These are similar to the tiles supported in **start:Group**.
|
||||
|
||||
- Tile - Use to pin a Universal Windows app to Start.
|
||||
- SecondaryTile - Use to pin a Web link through a Microsoft Edge secondary tile.
|
||||
- PhoneLegacyTile - Use to pin a mobile app that has a valid ProductID.
|
||||
- Folder - Use to pin a folder to the mobile device's Start screen.
|
||||
|
||||
Tiles specified within the **RequiredStartTiles** tag have the following behavior:
|
||||
|
||||
- The partner-pinned tiles will begin in a new row at the end of the user-restored Start screen.
|
||||
- If there’s a duplicate tile between what the user has in their Start screen layout and what the OEM has pinned to the Start screen, only the app or tile shown in the user-restored Start screen layout will be shown and the duplicate tile will be omitted from the pinned partner tiles at the bottom of the Start screen.
|
||||
|
||||
The lack of duplication only applies to pinned apps. Pinned Web links may be duplicated.
|
||||
|
||||
- If partners have prepinned folders to the Start screen, Windows 10 treats these folders in the same way as appended apps on the Start screen. Duplicate folders will be removed.
|
||||
- All partner tiles that are appended to the bottom of the user-restored Start screen will be medium-sized. There will be no gaps in the appended partner Start screen layout. Windows 10 will shift tiles accordingly to prevent gaps.
|
||||
|
||||
## Sample LayoutModification.xml
|
||||
|
||||
The following sample LayoutModification.xml shows how you can configure the Start layout for devices running Windows 10 Mobile:
|
||||
|
||||
```XML
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<LayoutModificationTemplate
|
||||
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
|
||||
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
|
||||
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
|
||||
Version="1">
|
||||
<DefaultLayoutOverride>
|
||||
<StartLayoutCollection>
|
||||
<defaultlayout:StartLayout>
|
||||
<start:Group
|
||||
Name="First Group">
|
||||
<start:Tile
|
||||
AppUserModelID="Microsoft.BingFinance_8wekyb3d8bbwe!ApplicationID"
|
||||
Size="2x2"
|
||||
Row="0"
|
||||
Column="0"/>
|
||||
<start:Tile
|
||||
AppUserModelID="Microsoft.BingMaps_8wekyb3d8bbwe!ApplicationID"
|
||||
Size="1x1"
|
||||
Row="0"
|
||||
Column="2"/>
|
||||
</start:Group>
|
||||
</defaultlayout:StartLayout>
|
||||
</StartLayoutCollection>
|
||||
</DefaultLayoutOverride>
|
||||
<RequiredStartTiles>
|
||||
<PhoneLegacyTile ProductID="{b00d3141-1caa-43aa-b0b5-78c1acf778fd}"/>
|
||||
<PhoneLegacyTile ProductID="{C3F8E570-68B3-4D6A-BDBB-C0A3F4360A51}"/>
|
||||
<PhoneLegacyTile ProductID="{C60904B7-8DF4-4C2E-A417-C8E1AB2E51C7}"/>
|
||||
<Tile AppUserModelID="Microsoft.MicrosoftFeedback_8wekyb3d8bbwe!ApplicationID"/>
|
||||
</RequiredStartTiles>
|
||||
</LayoutModificationTemplate>
|
||||
```
|
||||
|
||||
## Use Windows Provisioning multivariant support
|
||||
|
||||
The Windows Provisioning multivariant capability allows you to declare target conditions that, when met, supply specific customizations for each variant condition. For Start customization, you can create specific layouts for each variant that you have. To do this, you must create a separate LayoutModification.xml file for each variant that you want to support and then include these in your provisioning package. For more information on how to do this, see Create a provisioning package with multivariant settings.
|
||||
|
||||
The provisioning engine chooses the right customization file based on the target conditions that were met, adds the file in the location that's specified for the setting, and then uses the specific file to customize Start. To differentiate between layouts, you can add modifiers to the LayoutModification.xml filename such as "LayoutCustomization1". Regardless of the modifier that you use, the provsioning engine will always output "LayoutCustomization.xml" so that the OS has a consistent file name to query against.
|
||||
|
||||
For example, if you want to ensure that there's a specific layout for a certain mobile operator in a certain country/region, you can:
|
||||
1. Create a specific layout customization file and then name it LayoutCustomization1.xml.
|
||||
2. Include the file as part of your provisioning package.
|
||||
3. Create your multivariant target and reference the XML file within the target condition in the main customization XML file.
|
||||
|
||||
The following example shows what the overall customization file might look like with multivariant support for Start:
|
||||
|
||||
```XML
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<WindowsCustomizatons>
|
||||
<PackageConfig xmlns="urn:schemas-Microsoft-com:Windows-ICD-Package-Config.v1.0">
|
||||
<ID>{6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e}</ID>
|
||||
<Name>My Provisioning Package</Name>
|
||||
<Version>1.0</Version>
|
||||
<OwnerType>OEM</OwnerType>
|
||||
<Rank>50</Rank>
|
||||
</PackageConfig>
|
||||
<Settings xmlns="urn:schemas-microsoft-com:windows-provisioning">
|
||||
<Customizations>
|
||||
<Targets>
|
||||
<Target Id="Operator XYZ">
|
||||
<TargetState>
|
||||
<Condition Name="MCC" Value="Range:310, 320" />
|
||||
<Condition Name="MNC" Value="!Range:400, 550" />
|
||||
</TargetState>
|
||||
</Target>
|
||||
<Target Id="Processor ABC">
|
||||
<TargetState>
|
||||
<TargetState>
|
||||
<Condition Name="ProcessorName" Value="Pattern:.*Celeron.*" />
|
||||
<Condition Name="ProcessorType" Value="Pattern:.*I|intel.*" />
|
||||
</TargetState>
|
||||
</TargetState>
|
||||
</Target>
|
||||
</Targets>
|
||||
<Common>
|
||||
<Settings>
|
||||
<Policies>
|
||||
<AllowBrowser>1</AllowBrowser>
|
||||
<AllowCamera>1</AllowCamera>
|
||||
<AllowBluetooth>1</AllowBluetooth>
|
||||
</Policies>
|
||||
<HotSpot>
|
||||
<Enabled>1</Enabled>
|
||||
</HotSpot>
|
||||
</Settings>
|
||||
</Common>
|
||||
<Variant>
|
||||
<TargetRefs>
|
||||
<TargetRef Id="Operator XYZ" />
|
||||
</TargetRefs>
|
||||
<Settings>
|
||||
<StartLayout>c:\users\<userprofile>\appdata\local\Microsoft\Windows\Shell\LayoutCustomization1.XML</StartLayout>
|
||||
<HotSpot>
|
||||
<Enabled>1</Enabled>
|
||||
</HotSpot>
|
||||
</Settings>
|
||||
</Variant>
|
||||
</Customizations>
|
||||
</Settings>
|
||||
</WindowsCustomizatons>
|
||||
```
|
||||
|
||||
When the condition is met, the provisioning engine takes the XML file and places it in the location that Windows 10 has set and then the Start subsystem reads the file and applies the specific customized layout.
|
||||
|
||||
You must repeat this process for all variants that you want to support so that each variant can have a distinct layout for each of the conditions and targets that need to be supported. For example, if you add a **Language** condition, you can create a Start layout that has it's own localized group or folder titles.
|
||||
|
||||
## Add the LayoutModification.xml file to the image
|
||||
|
||||
Once you have created your LayoutModification.xml file to customize devices that will run Windows 10 Mobile, you can use Windows ICD to add the XML file to the device:
|
||||
|
||||
1. In the **Available customizations** pane, expand **Runtime settings**, select **Start** and then click the **StartLayout** setting.
|
||||
2. In the middle pane, click **Browse** to open File Explorer.
|
||||
3. In the File Explorer window, navigate to the location where you saved your LayoutModification.xml file.
|
||||
4. Select the file and then click **Open**.
|
||||
|
||||
This should set the value of **StartLayout**. The setting appears in the **Selected customizations** pane.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
- [Manage Windows 10 Start layout options](../windows-10-start-layout-options-and-policies.md)
|
||||
- [Configure Windows 10 taskbar](../configure-windows-10-taskbar.md)
|
||||
- [Customize Windows 10 Start and taskbar with Group Policy](../customize-windows-10-start-screens-by-using-group-policy.md)
|
||||
- [Customize Windows 10 Start and taskbar with ICD and provisioning packages](../customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
|
||||
- [Customize Windows 10 Start with mobile device management (MDM)](../customize-windows-10-start-screens-by-using-mobile-device-management.md)
|
||||
- [Changes to Group Policy settings for Windows 10 Start](../changes-to-start-policies-in-windows-10.md)
|
||||
- [Start layout XML for desktop editions of Windows 10 (reference)](../start-layout-xml-desktop.md)
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -70,8 +70,6 @@ When a CSP is available but is not explicitly included in your MDM solution, you
|
||||
|
||||
### CSPs in Lockdown XML
|
||||
|
||||
Starting with Windows 10 version 1703, you can use the [Lockdown Designer app](../mobile-devices/mobile-lockdown-designer.md) to configure your Lockdown XML.
|
||||
|
||||
## <a href="" id="bkmk-csp-doc"></a>How do you use the CSP documentation?
|
||||
|
||||
All CSPs are documented in the [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference).
|
||||
|
@ -159,7 +159,5 @@ After you're done, click **Create**. It only takes a few seconds. When the packa
|
||||
- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
|
||||
- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
|
||||
- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md)
|
||||
- [NFC-based device provisioning](../mobile-devices/provisioning-nfc.md)
|
||||
- [Use the package splitter tool](../mobile-devices/provisioning-package-splitter.md)
|
||||
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
|
||||
- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
|
@ -194,8 +194,6 @@ For details about the settings you can customize in provisioning packages, see [
|
||||
- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
|
||||
- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
|
||||
- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
|
||||
- [NFC-based device provisioning](../mobile-devices/provisioning-nfc.md)
|
||||
- [Use the package splitter tool](../mobile-devices/provisioning-package-splitter.md)
|
||||
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
|
||||
- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
|
||||
|
||||
|
@ -203,7 +203,5 @@ For details about the settings you can customize in provisioning packages, see [
|
||||
- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
|
||||
- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
|
||||
- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md)
|
||||
- [NFC-based device provisioning](../mobile-devices/provisioning-nfc.md)
|
||||
- [Use the package splitter tool](../mobile-devices/provisioning-package-splitter.md)
|
||||
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
|
||||
- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
|
||||
|
@ -43,7 +43,6 @@ Windows Configuration Designer is available as an [app in the Microsoft Store](h
|
||||
<!-- - When provisioning packages are applied to a device, a status screen indicates successful or failed provisioning. -->
|
||||
<!-- - Windows 10 includes PowerShell cmdlets that simplify scripted provisioning. Using these cmdlets, you can add provisioning packages, remove provisioning packages and generate log files to investigate provisioning errors.-->
|
||||
<!-- - The Provision school devices wizard is removed from Windows Configuration Designer. Instead, use the [Setup School PCs app](https://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) from the Microsoft Store. -->
|
||||
<!-- Provisioning packages can be made available [using NFC and barcodes](provisioning-nfc.md).-->
|
||||
|
||||
|
||||
## Benefits of provisioning packages
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Start layout XML for desktop editions of Windows 10 (Windows 10)
|
||||
description: This topic describes the options for customizing Start layout in LayoutModification.xml for Windows 10 desktop editions.
|
||||
description: This article describes the options for customizing Start layout in LayoutModification.xml for Windows 10 desktop editions.
|
||||
keywords: ["start screen"]
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
@ -28,9 +28,9 @@ On Windows 10 for desktop editions, the customized Start works by:
|
||||
- Windows 10 checks the chosen base default layout, such as the desktop edition and whether Cortana is supported for the country/region.
|
||||
|
||||
- Windows 10 reads the LayoutModification.xml file and allows groups to be appended to Start. The groups have the following constraints:
|
||||
- 2 groups that are 6 columns wide, or equivalent to the width of 3 medium tiles.
|
||||
- 2 medium-sized tile rows in height. Windows 10 ignores any tiles that are pinned beyond the second row.
|
||||
- No limit to the number of apps that can be pinned. There is a theoretical limit of 24 tiles per group (4 small tiles per medium square x 3 columns x 2 rows).
|
||||
- Two groups that are six columns wide, or equivalent to the width of three medium tiles.
|
||||
- Two medium-sized tile rows in height. Windows 10 ignores any tiles that are pinned beyond the second row.
|
||||
- No limit to the number of apps that can be pinned. There's a theoretical limit of 24 tiles per group (four small tiles per medium square x 3 columns x 2 rows).
|
||||
|
||||
>[!NOTE]
|
||||
>To use the layout modification XML to configure Start with roaming user profiles, see [Deploying Roaming User Profiles](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-7-optionally-specify-a-start-layout-for-windows-10-pcs).
|
||||
@ -78,18 +78,18 @@ The following table lists the supported elements and attributes for the LayoutMo
|
||||
| [RequiredStartGroups](#requiredstartgroups)</br></br>Parent:</br>RequiredStartGroupsCollection | Region | Use to contain the AppendGroup tags, which represent groups that can be appended to the default Start layout |
|
||||
| [AppendGroup](#appendgroup)</br></br>Parent:</br>RequiredStartGroups | Name | Use to specify the tiles that need to be appended to the default Start layout |
|
||||
| [start:Tile](#specify-start-tiles)</br></br>Parent:</br>AppendGroup | AppUserModelID</br>Size</br>Row</br>Column | Use to specify any of the following:</br>- A Universal Windows app</br>- A Windows 8 or Windows 8.1 app</br></br>Note that AppUserModelID is case-sensitive. |
|
||||
start:Folder<br><br>Parent:<br>start:Group | Name (in Windows 10, version 1809 and later only)<br>Size<br>Row<br>Column<br>LocalizedNameResourcetag | Use to specify a folder of icons; can include [Tile](#start-tile), [SecondaryTile](#start-secondarytile), and [DesktopApplicationTile](#start-desktopapplicationtile).
|
||||
| start:DesktopApplicationTile</br></br>Parent:</br>AppendGroup | DesktopApplicationID</br>DesktopApplicationLinkPath</br>Size</br>Row</br>Column | Use to specify any of the following:</br>- A Windows desktop application with a known AppUserModelID</br>- An application in a known folder with a link in a legacy Start Menu folder</br>- A Windows desktop application link in a legacy Start Menu folder</br>- A Web link tile with an associated .url file that is in a legacy Start Menu folder |
|
||||
| start:Folder<br><br>Parent:<br>start:Group | Name (in Windows 10, version 1809 and later only)<br>Size<br>Row<br>Column<br>LocalizedNameResourcetag | Use to specify a folder of icons; can include [Tile](#start-tile), [SecondaryTile](#start-secondarytile), and [DesktopApplicationTile](#start-desktopapplicationtile). |
|
||||
| start:DesktopApplicationTile</br></br>Parent:</br>AppendGroup | DesktopApplicationID</br>DesktopApplicationLinkPath</br>Size</br>Row</br>Column | Use to specify any of the following:</br>- A Windows desktop application with a known AppUserModelID</br>- An application in a known folder with a link in a legacy Start Menu folder</br>- A Windows desktop application link in a legacy Start Menu folder</br>- A Web link tile with an associated `.url` file that is in a legacy Start Menu folder |
|
||||
| start:SecondaryTile</br></br>Parent:</br>AppendGroup | AppUserModelID</br>TileID</br>Arguments</br>DisplayName</br>Square150x150LogoUri</br>ShowNameOnSquare150x150Logo</br>ShowNameOnWide310x150Logo</br>Wide310x150LogoUri</br>BackgroundColor</br>ForegroundText</br>IsSuggestedApp</br>Size</br>Row</br>Column | Use to pin a Web link through a Microsoft Edge secondary tile. Note that AppUserModelID is case-sensitive. |
|
||||
| TopMFUApps</br></br>Parent:</br>LayoutModificationTemplate | n/a | Use to add up to 3 default apps to the frequently used apps section in the system area.</br></br>**Note**: Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. |
|
||||
| TopMFUApps</br></br>Parent:</br>LayoutModificationTemplate | n/a | Use to add up to three default apps to the frequently used apps section in the system area.</br></br>**Note**: Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. |
|
||||
| Tile</br></br>Parent:</br>TopMFUApps | AppUserModelID | Use with the TopMFUApps tags to specify an app with a known AppUserModelID. </br></br>**Note**: Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. |
|
||||
| DesktopApplicationTile</br></br>Parent:</br>TopMFUApps | LinkFilePath | Use with the TopMFUApps tags to specify an app without a known AppUserModelID.</br></br>**Note**: Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. |
|
||||
| AppendOfficeSuite</br></br>Parent:</br>LayoutModificationTemplate | n/a | Use to add the in-box installed Office suite to Start. For more information, see [Customize the Office suite of tiles](/windows-hardware/customize/desktop/customize-start-layout#customize-the-office-suite-of-tiles).</br></br>Do not use this tag with AppendDownloadOfficeTile |
|
||||
| AppendOfficeSuite</br></br>Parent:</br>LayoutModificationTemplate | n/a | Use to add the in-box installed Office suite to Start. For more information, see [Customize the Office suite of tiles](/windows-hardware/customize/desktop/customize-start-layout#customize-the-office-suite-of-tiles).</br></br>Don't use this tag with AppendDownloadOfficeTile. |
|
||||
| AppendDownloadOfficeTile</br></br>Parent:</br>LayoutModificationTemplate | n/a | Use to add a specific **Download Office** tile to a specific location in Start</br></br>Do not use this tag with AppendOfficeSuite |
|
||||
|
||||
### LayoutOptions
|
||||
|
||||
New devices running Windows 10 for desktop editions will default to a Start menu with 2 columns of tiles unless boot to tablet mode is enabled. Devices with screens that are under 10" have boot to tablet mode enabled by default. For these devices, users see the full screen Start on the desktop. You can adjust the following features:
|
||||
New devices running Windows 10 for desktop editions will default to a Start menu with two columns of tiles unless boot to tablet mode is enabled. Devices with screens that are under 10" have boot to tablet mode enabled by default. For these devices, users see the full screen Start on the desktop. You can adjust the following features:
|
||||
|
||||
- Boot to tablet mode can be set on or off.
|
||||
- Set full screen Start on desktop to on or off.
|
||||
@ -97,7 +97,7 @@ New devices running Windows 10 for desktop editions will default to a Start menu
|
||||
- Specify the number of columns in the Start menu to 1 or 2.
|
||||
To do this, add the LayoutOptions element in your LayoutModification.xml file and set the StartTileGroupsColumnCount attribute to 1 or 2.
|
||||
|
||||
The following example shows how to use the LayoutOptions element to specify full screen Start on the desktop and to use 1 column in the Start menu:
|
||||
The following example shows how to use the LayoutOptions element to specify full screen Start on the desktop and to use one column in the Start menu:
|
||||
|
||||
```XML
|
||||
<LayoutModificationTemplate
|
||||
@ -114,8 +114,8 @@ The following example shows how to use the LayoutOptions element to specify full
|
||||
|
||||
For devices being upgraded to Windows 10 for desktop editions:
|
||||
|
||||
- Devices being upgraded from Windows 7 will default to a Start menu with 1 column.
|
||||
- Devices being upgraded from Windows 8.1 or Windows 8.1 Upgrade will default to a Start menu with 2 columns.
|
||||
- Devices being upgraded from Windows 7 will default to a Start menu with one column.
|
||||
- Devices being upgraded from Windows 8.1 or Windows 8.1 Upgrade will default to a Start menu with two columns.
|
||||
|
||||
### RequiredStartGroups
|
||||
|
||||
@ -124,7 +124,7 @@ The **RequiredStartGroups** tag contains **AppendGroup** tags that represent gro
|
||||
>[!IMPORTANT]
|
||||
>For Windows 10 for desktop editions, you can add a maximum of two (2) **AppendGroup** tags per **RequiredStartGroups** tag.
|
||||
|
||||
You can also assign regions to the append groups in the **RequiredStartGroups** tag's using the optional **Region** attribute or you can use the multivariant capabilities in Windows provisioning. If you are using the **Region** attribute, you must use a two-letter country code to specify the country/region that the append group(s) apply to. To specify more than one country/region, use a pipe ("|") delimiter as shown in the following example:
|
||||
You can also assign regions to the append groups in the **RequiredStartGroups** tag's using the optional **Region** attribute or you can use the multivariant capabilities in Windows provisioning. If you're using the **Region** attribute, you must use a two-letter country code to specify the country/region that the append group(s) apply to. To specify more than one country/region, use a pipe ("|") delimiter as shown in the following example:
|
||||
|
||||
```XML
|
||||
<RequiredStartGroups
|
||||
@ -133,7 +133,7 @@ You can also assign regions to the append groups in the **RequiredStartGroups**
|
||||
|
||||
If the country/region setting for the Windows device matches a **RequiredStartGroups**, then the tiles laid out within the **RequiredStartGroups** is applied to Start.
|
||||
|
||||
If you specify a region-agnostic **RequiredStartGroups** (or one without the optional Region attribute) then the region-agnostic **RequiredStartGroups** is applied to Start.
|
||||
If you specify a region-agnostic **RequiredStartGroups** (or one without the optional Region attribute), then the region-agnostic **RequiredStartGroups** is applied to Start.
|
||||
|
||||
### AppendGroup
|
||||
|
||||
@ -141,11 +141,11 @@ If you specify a region-agnostic **RequiredStartGroups** (or one without the opt
|
||||
|
||||
For Windows 10 for desktop editions, AppendGroup tags contain start:Tile, start:DesktopApplicationTile, or start:SecondaryTile tags.
|
||||
|
||||
You can specify any number of tiles in an **AppendGroup**, but you cannot specify a tile with a **Row** attribute greater than 4. The Start layout does not support overlapping tiles.
|
||||
You can specify any number of tiles in an **AppendGroup**, but you can't specify a tile with a **Row** attribute greater than 4. The Start layout doesn't support overlapping tiles.
|
||||
|
||||
### Specify Start tiles
|
||||
|
||||
To pin tiles to Start, partners must use the right kind of tile depending on what you want to pin.
|
||||
To pin tiles to Start, partners must use the right tile depending on what you want to pin.
|
||||
|
||||
#### Tile size and coordinates
|
||||
|
||||
@ -189,7 +189,7 @@ The following example shows how to pin the Microsoft Edge Universal Windows app:
|
||||
|
||||
You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop application to Start. There are two ways you can specify a Windows desktop application:
|
||||
|
||||
- By using a path to a shortcut link (.lnk file) to a Windows desktop application.
|
||||
- Use a path to a shortcut link (.lnk file) to a Windows desktop application.
|
||||
|
||||
>[!NOTE]
|
||||
>In Start layouts for Windows 10, version 1703, you should use **DesktopApplicationID** rather than **DesktopApplicationLinkPath** if you are using Group Policy or MDM to apply the start layout and the application was installed after the user's first sign-in.
|
||||
@ -210,7 +210,7 @@ You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop ap
|
||||
|
||||
If you are pointing to a third-party Windows desktop application and the layout is being applied before the first boot, you must put the .lnk file in a legacy Start Menu directory before first boot; for example, "%APPDATA%\Microsoft\Windows\Start Menu\Programs\" or the all users profile "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\".
|
||||
|
||||
- By using the application's application user model ID, if this is known. If the Windows desktop application doesn't have one, use the shortcut link option.
|
||||
- Use the application's application user model ID, if this is known. If the Windows desktop application doesn't have one, use the shortcut link option.
|
||||
|
||||
|
||||
You can use the [Get-StartApps cmdlet](/powershell/module/startlayout/get-startapps) on a PC that has the application pinned to Start to obtain the app ID.
|
||||
@ -230,7 +230,7 @@ You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop ap
|
||||
|
||||
You can also use the **start:DesktopApplicationTile** tag as one of the methods for pinning a Web link to Start. The other method is to use a Microsoft Edge secondary tile.
|
||||
|
||||
To pin a legacy .url shortcut to Start, you must create .url file (right-click on the desktop, select **New** > **Shortcut**, and then type a Web URL). You must add this .url file in a legacy Start Menu directory before first boot; for example, `%APPDATA%\Microsoft\Windows\Start Menu\Programs\` or the all users profile `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\`.
|
||||
To pin a legacy `.url` shortcut to Start, you must create a `.url` file (right-click on the desktop, select **New** > **Shortcut**, and then type a Web URL). You must add this `.url` file in a legacy Start Menu directory before first boot; for example, `%APPDATA%\Microsoft\Windows\Start Menu\Programs\` or the all users profile `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\`.
|
||||
|
||||
The following example shows how to create a tile of the Web site's URL, which you can treat similarly to a Windows desktop application tile:
|
||||
|
||||
@ -248,7 +248,7 @@ The following example shows how to create a tile of the Web site's URL, which yo
|
||||
<span id="start-secondarytile" />
|
||||
#### start:SecondaryTile
|
||||
|
||||
You can use the **start:SecondaryTile** tag to pin a Web link through a Microsoft Edge secondary tile. This method doesn't require any additional action compared to the method of using legacy .url shortcuts (through the start:DesktopApplicationTile tag).
|
||||
You can use the **start:SecondaryTile** tag to pin a Web link through a Microsoft Edge secondary tile. This method doesn't require any additional action compared to the method of using legacy `.url` shortcuts (through the start:DesktopApplicationTile tag).
|
||||
|
||||
The following example shows how to create a tile of the Web site's URL using the Microsoft Edge secondary tile:
|
||||
|
||||
@ -444,7 +444,7 @@ The following sample LayoutModification.xml shows how you can configure the Star
|
||||
|
||||
The Windows Provisioning multivariant capability allows you to declare target conditions that, when met, supply specific customizations for each variant condition. For Start customization, you can create specific layouts for each variant that you have. To do this, you must create a separate LayoutModification.xml file for each variant that you want to support and then include these in your provisioning package. For more information on how to do this, see [Create a provisioning package with multivariant settings](./provisioning-packages/provisioning-multivariant.md).
|
||||
|
||||
The provisioning engine chooses the right customization file based on the target conditions that were met, adds the file in the location that's specified for the setting, and then uses the specific file to customize Start. To differentiate between layouts, you can add modifiers to the LayoutModification.xml filename such as "LayoutCustomization1". Regardless of the modifier that you use, the provsioning engine will always output "LayoutCustomization.xml" so that the operating system has a consistent file name to query against.
|
||||
The provisioning engine chooses the right customization file based on the target conditions that were met, adds the file in the location that's specified for the setting, and then uses the specific file to customize Start. To differentiate between layouts, you can add modifiers to the LayoutModification.xml filename such as "LayoutCustomization1". Regardless of the modifier that you use, the provisioning engine will always output "LayoutCustomization.xml" so that the operating system has a consistent file name to query against.
|
||||
|
||||
For example, if you want to ensure that there's a specific layout for a certain condition, you can:
|
||||
1. Create a specific layout customization file and then name it LayoutCustomization1.xml.
|
||||
@ -511,7 +511,7 @@ You must repeat this process for all variants that you want to support so that e
|
||||
|
||||
Once you have created your LayoutModification.xml file to customize devices that will run Windows 10 for desktop editions, you can use Windows ICD methods to add the XML file to the device.
|
||||
|
||||
1. In the **Available customizations** pane, expand **Runtime settings**, select **Start** and then click the **StartLayout** setting.
|
||||
1. In the **Available customizations** pane, expand **Runtime settings**, select **Start** > Select the **StartLayout** setting.
|
||||
2. In the middle pane, click **Browse** to open File Explorer.
|
||||
3. In the File Explorer window, navigate to the location where you saved your LayoutModification.xml file.
|
||||
4. Select the file and then click **Open**.
|
||||
@ -524,16 +524,6 @@ This should set the value of **StartLayout**. The setting appears in the **Selec
|
||||
Once you have created the LayoutModification.xml file and it is present in the device, the system overrides the base default layout and any Unattend settings used to customize Start.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
|
||||
@ -542,9 +532,5 @@ Once you have created the LayoutModification.xml file and it is present in the d
|
||||
- [Add image for secondary tiles](start-secondary-tiles.md)
|
||||
- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
|
||||
- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
|
||||
- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
|
||||
- [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
|
||||
- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
|
||||
- [Start layout XML for mobile editions of Windows 10 (reference)](mobile-devices/start-layout-xml-mobile.md)
|
||||
|
||||
|
||||
|
||||
|
@ -19,19 +19,18 @@ Use these settings to join a device to an Active Directory domain or an Azure Ac
|
||||
|
||||
## Applies to
|
||||
|
||||
| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
|
||||
| --- | :---: | :---: | :---: | :---: | :---: |
|
||||
| [Azure](#azure) | X | X | X | X | |
|
||||
| [ComputerAccount](#computeraccount) | X | | X | | X |
|
||||
| [Users](#users) | X | | X | X | |
|
||||
| Setting groups | Desktop editions | Surface Hub | HoloLens | IoT Core |
|
||||
| --- | :---: | :---: | :---: | :---: |
|
||||
| [Azure](#azure) | ✔️ | ✔️ | ✔️ | |
|
||||
| [ComputerAccount](#computeraccount) | ✔️ | ✔️ | | ✔️ |
|
||||
| [Users](#users) | ✔️ | ✔️ | ✔️ | |
|
||||
|
||||
|
||||
## Azure
|
||||
|
||||
The **Azure > Authority** and **Azure > BPRT** settings for bulk Azure Active Directory (Azure AD) enrollment can only be configured using one of the provisioning wizards. After you get a bulk token for Azure AD enrollment in a wizard, you can switch to the advanced editor to configure additional provisioning settings. For information about using the wizards, see:
|
||||
The **Azure > Authority** and **Azure > BPRT** settings for bulk Azure Active Directory (Azure AD) enrollment can only be configured using one of the provisioning wizards. After you get a bulk token for Azure AD enrollment in a wizard, you can switch to the advanced editor to configure more provisioning settings. For information about using the wizards, see:
|
||||
|
||||
- [Instructions for desktop wizard](../provisioning-packages/provision-pcs-for-initial-deployment.md)
|
||||
- [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md)
|
||||
- [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard)
|
||||
|
||||
## ComputerAccount
|
||||
@ -43,11 +42,11 @@ Specifies the settings you can configure when joining a device to a domain, incl
|
||||
|
||||
| Setting | Value | Description |
|
||||
| --- | --- | --- |
|
||||
| Account | string | Account to use to join computer to domain |
|
||||
| Account | String | Account to use to join computer to domain |
|
||||
| AccountOU | Enter the full path for the organizational unit. For example: OU=testOU,DC=domain,DC=Domain,DC=com. | Name of organizational unit for the computer account |
|
||||
| ComputerName | On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the `computer's` serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit does not count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts**. | Specifies the name of the Windows device (computer name on PCs) |
|
||||
| DomainName | string (cannot be empty) | Specify the name of the domain that the device will join |
|
||||
| Password | string (cannot be empty) | Corresponds to the password of the user account that's authorized to join the computer account to the domain. |
|
||||
| ComputerName | On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the `computer's` serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit doesn't count the length of the macros, including `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10 version 1709 and earlier releases, use the **ComputerName** setting under **Accounts**. | Specifies the name of the Windows device (computer name on PCs) |
|
||||
| DomainName | String (cannot be empty) | Specify the name of the domain that the device will join |
|
||||
| Password | String (cannot be empty) | Corresponds to the password of the user account that's authorized to join the computer account to the domain. |
|
||||
|
||||
## Users
|
||||
|
||||
@ -55,7 +54,7 @@ Use these settings to add local user accounts to the device.
|
||||
|
||||
| Setting | Value | Description |
|
||||
| --- | --- | --- |
|
||||
| UserName | string (cannot be empty) | Specify a name for the local user account |
|
||||
| HomeDir | string (cannot be empty) | Specify the path of the home directory for the user |
|
||||
| Password | string (cannot be empty) | Specify the password for the user account |
|
||||
| UserGroup | string (cannot be empty) | Specify the local user group for the user |
|
||||
| UserName | String (cannot be empty) | Specify a name for the local user account |
|
||||
| HomeDir | String (cannot be empty) | Specify the path of the home directory for the user |
|
||||
| Password | String (cannot be empty) | Specify the password for the user account |
|
||||
| UserGroup | String (cannot be empty) | Specify the local user group for the user |
|
||||
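Review bot: The `Password` rows in the ComputerAccount and Users tables describe the value but not how it is carried, which is what someone filling in these settings most needs to know. A value entered here travels inside the provisioning package, so anyone who obtains the package file can presumably recover it unless the package was built with encryption; this is worth confirming and stating. I would extend the ComputerAccount description with something like `Use an account that is delegated only the right to join computers to the domain, and encrypt or otherwise protect the package, because it contains this password.` The same caveat applies to the local account `Password` in the Users table.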
|
@ -1,32 +0,0 @@
|
||||
---
|
||||
title: EmbeddedLockdownProfiles (Windows 10)
|
||||
description: This section describes the EmbeddedLockdownProfiles setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
author: greg-lindsay
|
||||
ms.localizationpriority: medium
|
||||
ms.author: greglin
|
||||
ms.topic: article
|
||||
ms.date: 09/06/2017
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
---
|
||||
|
||||
# EmbeddedLockdownProfiles (Windows Configuration Designer reference)
|
||||
|
||||
Use to apply an XML configuration to a mobile device that locks down the device, configures custom layouts, and define multiple roles.
|
||||
|
||||
## Applies to
|
||||
|
||||
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
|
||||
| --- | :---: | :---: | :---: | :---: | :---: |
|
||||
| AssignedAccessXml | | X | | | |
|
||||
|
||||
1. Create a lockdown XML file, either by using [the Lockdown Designer app](../mobile-devices/mobile-lockdown-designer.md) or [manually](../mobile-devices/lockdown-xml.md).
|
||||
2. In the **AssignedAccessXml** setting, browse to and select the lockdown XML file that you created.
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
- [EnterpriseAssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/enterpriseassignedaccess-csp)
|
@ -19,10 +19,9 @@ Use Start settings to apply a customized Start screen to devices.
|
||||
|
||||
## Applies to
|
||||
|
||||
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
|
||||
| --- | :---: | :---: | :---: | :---: | :---: |
|
||||
| StartLayout | X | X | | | |
|
||||
| StartLayoutFilePath | | X | | | |
|
||||
| Setting | Desktop editions | Surface Hub | HoloLens | IoT Core |
|
||||
| --- | :---: | :---: | :---: | :---: |
|
||||
| StartLayout | X | | | |
|
||||
|
||||
>[!IMPORTANT]
|
||||
>The StartLayout setting is available in the advanced provisioning for Windows 10 desktop editions, but should only be used to apply a layout to Windows 10 Mobile devices. For desktop editions, use [Policies > StartLayout](wcd-policies.md#start).
|
||||
@ -31,11 +30,3 @@ Use Start settings to apply a customized Start screen to devices.
|
||||
|
||||
Use StartLayout to select the `LayoutModification.xml` file that applies a customized Start screen to a mobile device.
|
||||
|
||||
>[!NOTE]
|
||||
>The XML file that defines the Start layout for Windows 10 Mobile must be named `LayoutModification.xml`.
|
||||
|
||||
For more information, see [Start layout XML for mobile editions of Windows 10](../mobile-devices/lockdown-xml.md)).
|
||||
|
||||
## StartLayoutFilePath
|
||||
|
||||
Do not use.
|
||||
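Review bot: The prose this section keeps now contradicts its own table. The new "Applies to" table lists StartLayout for desktop editions only, yet the IMPORTANT note kept by the first hunk still says the setting "should only be used to apply a layout to Windows 10 Mobile devices". The second hunk also appears to keep the sentence about applying `LayoutModification.xml` "to a mobile device", since its new side is three lines long. A reader is left with a setting the table marks as desktop-only and the text says not to use on desktop. I would reduce the note to `For desktop editions, use [Policies > StartLayout](wcd-policies.md#start).` and remove or reword the mobile sentence.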
|
@ -18,74 +18,74 @@ This section describes the settings that you can configure in [provisioning pack
|
||||
|
||||
## Edition that each group of settings applies to
|
||||
|
||||
| Setting group | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
|
||||
| --- | :---: | :---: | :---: | :---: | :---: |
|
||||
[AccountManagement](wcd-accountmanagement.md) | | | | X | |
|
||||
| [Accounts](wcd-accounts.md) | X | X | X | X | X |
|
||||
| [ADMXIngestion](wcd-admxingestion.md) | X | | | | |
|
||||
| [AssignedAccess](wcd-assignedaccess.md) | X | | | X | |
|
||||
| [AutomaticTime](wcd-automatictime.md) | | X | | | |
|
||||
| [Browser](wcd-browser.md) | X | X | X | | |
|
||||
| [CallAndMessagingEnhancement](wcd-callandmessagingenhancement.md) | | X | | | |
|
||||
| [Calling](wcd-calling.md) | | X | | | |
|
||||
| [CellCore](wcd-cellcore.md) | X | X | | | |
|
||||
| [Cellular](wcd-cellular.md) | X | | | | |
|
||||
| [Certificates](wcd-certificates.md) | X | X | X | X | X |
|
||||
| [CleanPC](wcd-cleanpc.md) | X | | | | |
|
||||
| [Connections](wcd-connections.md) | X | X | X | | |
|
||||
| [ConnectivityProfiles](wcd-connectivityprofiles.md) | X | X | X | X | |
|
||||
| [CountryAndRegion](wcd-countryandregion.md) | X | X | X | | |
|
||||
| [DesktopBackgroundAndColors](wcd-desktopbackgroundandcolors.md) | X | | | | |
|
||||
| [DeveloperSetup](wcd-developersetup.md) | | | | X | |
|
||||
| [DeviceFormFactor](wcd-deviceformfactor.md) | X | X | X | | |
|
||||
| [DeviceInfo](wcd-deviceinfo.md) | | X | | | |
|
||||
| [DeviceManagement](wcd-devicemanagement.md) | X | X | X | X | |
|
||||
| [DeviceUpdateCenter](wcd-deviceupdatecenter.md) | X | | | | |
|
||||
| [DMClient](wcd-dmclient.md) | X | X | X | | X |
|
||||
| [EditionUpgrade](wcd-editionupgrade.md) | X | X | | X | |
|
||||
| [EmbeddedLockdownProfiles](wcd-embeddedlockdownprofiles.md) | | X | | | |
|
||||
| [FirewallConfiguration](wcd-firewallconfiguration.md) | | | | | X |
|
||||
| [FirstExperience](wcd-firstexperience.md) | | | | X | |
|
||||
| [Folders](wcd-folders.md) |X | X | X | | |
|
||||
| [InitialSetup](wcd-initialsetup.md) | | X | | | |
|
||||
| [InternetExplorer](wcd-internetexplorer.md) | | X | | | |
|
||||
| [KioskBrowser](wcd-kioskbrowser.md) | | | | | X |
|
||||
| [Licensing](wcd-licensing.md) | X | | | | |
|
||||
| [Location](wcd-location.md) | | | | | X |
|
||||
| [Maps](wcd-maps.md) |X | X | X | | |
|
||||
| [Messaging](wcd-messaging.md) | | X | | | |
|
||||
| [ModemConfigurations](wcd-modemconfigurations.md) | | X | | | |
|
||||
| [Multivariant](wcd-multivariant.md) | | X | | | |
|
||||
| [NetworkProxy](wcd-networkproxy.md) | | | X | | |
|
||||
| [NetworkQOSPolicy](wcd-networkqospolicy.md) | | | X | | |
|
||||
| [NFC](wcd-nfc.md) | | X | | | |
|
||||
| [OOBE](wcd-oobe.md) | X | X | | | |
|
||||
| [OtherAssets](wcd-otherassets.md) | | X | | | |
|
||||
| [Personalization](wcd-personalization.md) | X | | | | |
|
||||
| [Policies](wcd-policies.md) | X | X | X | X | X |
|
||||
| [Privacy](wcd-folders.md) |X | X | X | | X |
|
||||
| [ProvisioningCommands](wcd-provisioningcommands.md) | X | | | | |
|
||||
| [RcsPresence](wcd-rcspresence.md) | | X | | | |
|
||||
| [SharedPC](wcd-sharedpc.md) | X | | | | |
|
||||
| [Shell](wcd-shell.md) | | X | | | |
|
||||
| [SMISettings](wcd-smisettings.md) | X | | | | |
|
||||
| [Start](wcd-start.md) | X | X | | | |
|
||||
| [StartupApp](wcd-startupapp.md) | | | | | X |
|
||||
| [StartupBackgroundTasks](wcd-startupbackgroundtasks.md) | | | | | X |
|
||||
| [StorageD3InModernStandby](wcd-storaged3inmodernstandby.md) |X | X | X | | X |
|
||||
| [SurfaceHubManagement](wcd-surfacehubmanagement.md) | | | X | | |
|
||||
| [TabletMode](wcd-tabletmode.md) |X | X | X | | |
|
||||
| [TakeATest](wcd-takeatest.md) | X | | | | |
|
||||
| [TextInput](wcd-textinput.md) | | X | | | |
|
||||
| [Theme](wcd-theme.md) | | X | | | |
|
||||
| [Time](wcd-time.md) | X | | | | |
|
||||
| [UnifiedWriteFilter](wcd-unifiedwritefilter.md) | X | | | | X |
|
||||
| [UniversalAppInstall](wcd-universalappinstall.md) | X | X | X | | X |
|
||||
| [UniversalAppUninstall](wcd-universalappuninstall.md) | X | X | X | | X |
|
||||
| [UsbErrorsOEMOverride](wcd-usberrorsoemoverride.md) | X | X | X | | |
|
||||
| [WeakCharger](wcd-weakcharger.md) |X | X | X | | |
|
||||
| [WindowsHelloForBusiness](wcd-windowshelloforbusiness.md) | X | | | | |
|
||||
| [WindowsTeamSettings](wcd-windowsteamsettings.md) | | | X | | |
|
||||
| [Workplace](wcd-workplace.md) |X | X | X | | X |
|
||||
| Setting group | Desktop editions | Surface Hub | HoloLens | IoT Core |
|
||||
| --- | :---: | :---: | :---: | :---: |
|
||||
| [AccountManagement](wcd-accountmanagement.md) | | | ✔️ | |
|
||||
| [Accounts](wcd-accounts.md) | ✔️ | ✔️ | ✔️ | ✔️ |
|
||||
| [ADMXIngestion](wcd-admxingestion.md) | ✔️ | | | |
|
||||
| [AssignedAccess](wcd-assignedaccess.md) | ✔️ | | ✔️ | |
|
||||
| [AutomaticTime](wcd-automatictime.md) | | | | |
|
||||
| [Browser](wcd-browser.md) | ✔️ | ✔️ | | |
|
||||
| [CallAndMessagingEnhancement](wcd-callandmessagingenhancement.md) | | | | |
|
||||
| [Calling](wcd-calling.md) | | | | |
|
||||
| [CellCore](wcd-cellcore.md) | ✔️ | | | |
|
||||
| [Cellular](wcd-cellular.md) | ✔️ | | | |
|
||||
| [Certificates](wcd-certificates.md) | ✔️ | ✔️ | ✔️ | ✔️ |
|
||||
| [CleanPC](wcd-cleanpc.md) | ✔️ | | | |
|
||||
| [Connections](wcd-connections.md) | ✔️ | ✔️ | | |
|
||||
| [ConnectivityProfiles](wcd-connectivityprofiles.md) | ✔️ | ✔️ | ✔️ | |
|
||||
| [CountryAndRegion](wcd-countryandregion.md) | ✔️ | ✔️ | | |
|
||||
| [DesktopBackgroundAndColors](wcd-desktopbackgroundandcolors.md) | ✔️ | | | |
|
||||
| [DeveloperSetup](wcd-developersetup.md) | | | ✔️ | |
|
||||
| [DeviceFormFactor](wcd-deviceformfactor.md) | ✔️ | ✔️ | | |
|
||||
| [DeviceInfo](wcd-deviceinfo.md) | | | | |
|
||||
| [DeviceManagement](wcd-devicemanagement.md) | ✔️ | ✔️ | ✔️ | |
|
||||
| [DeviceUpdateCenter](wcd-deviceupdatecenter.md) | ✔️ | | | |
|
||||
| [DMClient](wcd-dmclient.md) | ✔️ | ✔️ | | ✔️ |
|
||||
| [EditionUpgrade](wcd-editionupgrade.md) | ✔️ | | ✔️ | |
|
||||
| [EmbeddedLockdownProfiles](wcd-embeddedlockdownprofiles.md) | | | | |
|
||||
| [FirewallConfiguration](wcd-firewallconfiguration.md) | | | | ✔️ |
|
||||
| [FirstExperience](wcd-firstexperience.md) | | | ✔️ | |
|
||||
| [Folders](wcd-folders.md) |✔️ | ✔️ | | |
|
||||
| [InitialSetup](wcd-initialsetup.md) | | | | |
|
||||
| [InternetExplorer](wcd-internetexplorer.md) | | | | |
|
||||
| [KioskBrowser](wcd-kioskbrowser.md) | | | | ✔️ |
|
||||
| [Licensing](wcd-licensing.md) | ✔️ | | | |
|
||||
| [Location](wcd-location.md) | | | | ✔️ |
|
||||
| [Maps](wcd-maps.md) |✔️ | ✔️ | | |
|
||||
| [Messaging](wcd-messaging.md) | | | | |
|
||||
| [ModemConfigurations](wcd-modemconfigurations.md) | | | | |
|
||||
| [Multivariant](wcd-multivariant.md) | | | | |
|
||||
| [NetworkProxy](wcd-networkproxy.md) | | ✔️ | | |
|
||||
| [NetworkQOSPolicy](wcd-networkqospolicy.md) | | ✔️ | | |
|
||||
| [NFC](wcd-nfc.md) | | | | |
|
||||
| [OOBE](wcd-oobe.md) | ✔️ | | | |
|
||||
| [OtherAssets](wcd-otherassets.md) | | | | |
|
||||
| [Personalization](wcd-personalization.md) | ✔️ | | | |
|
||||
| [Policies](wcd-policies.md) | ✔️ | ✔️ | ✔️ | ✔️ |
|
||||
| [Privacy](wcd-folders.md) |✔️ | ✔️ | | ✔️ |
|
||||
| [ProvisioningCommands](wcd-provisioningcommands.md) | ✔️ | | | |
|
||||
| [RcsPresence](wcd-rcspresence.md) | | | | |
|
||||
| [SharedPC](wcd-sharedpc.md) | ✔️ | | | |
|
||||
| [Shell](wcd-shell.md) | | | | |
|
||||
| [SMISettings](wcd-smisettings.md) | ✔️ | | | |
|
||||
| [Start](wcd-start.md) | ✔️ | | | |
|
||||
| [StartupApp](wcd-startupapp.md) | | | | ✔️ |
|
||||
| [StartupBackgroundTasks](wcd-startupbackgroundtasks.md) | | | | ✔️ |
|
||||
| [StorageD3InModernStandby](wcd-storaged3inmodernstandby.md) |✔️ | ✔️ | | ✔️ |
|
||||
| [SurfaceHubManagement](wcd-surfacehubmanagement.md) | | ✔️ | | |
|
||||
| [TabletMode](wcd-tabletmode.md) |✔️ | ✔️ | | |
|
||||
| [TakeATest](wcd-takeatest.md) | ✔️ | | | |
|
||||
| [TextInput](wcd-textinput.md) | | | | |
|
||||
| [Theme](wcd-theme.md) | | | | |
|
||||
| [Time](wcd-time.md) | ✔️ | | | |
|
||||
| [UnifiedWriteFilter](wcd-unifiedwritefilter.md) | ✔️ | | | ✔️ |
|
||||
| [UniversalAppInstall](wcd-universalappinstall.md) | ✔️ | ✔️ | | ✔️ |
|
||||
| [UniversalAppUninstall](wcd-universalappuninstall.md) | ✔️ | ✔️ | | ✔️ |
|
||||
| [UsbErrorsOEMOverride](wcd-usberrorsoemoverride.md) | ✔️ | ✔️ | | |
|
||||
| [WeakCharger](wcd-weakcharger.md) |✔️ | ✔️ | | |
|
||||
| [WindowsHelloForBusiness](wcd-windowshelloforbusiness.md) | ✔️ | | | |
|
||||
| [WindowsTeamSettings](wcd-windowsteamsettings.md) | | ✔️ | | |
|
||||
| [Workplace](wcd-workplace.md) |✔️ | ✔️ | | ✔️ |
|
||||
|
||||
|
||||
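Review bot: The new table keeps rows for setting groups that no longer apply to any listed edition: `[EmbeddedLockdownProfiles](wcd-embeddedlockdownprofiles.md)`, AutomaticTime, Calling, DeviceInfo, Messaging, NFC, Shell, Theme and several others now have every column empty. The EmbeddedLockdownProfiles page is deleted in this same commit and redirected to the Windows 10 Mobile end-of-support FAQ, so that link no longer leads to a settings reference. Either remove the rows that have no ✔️ left, or add a sentence above the table saying that empty rows are Mobile-only groups kept for reference. Separately, the `[Privacy](wcd-folders.md)` row links to the Folders page on both the old and new side; this looks like a copy-paste slip and should point at the Privacy reference page instead.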
|
@ -108,6 +108,8 @@
|
||||
href: querying-application-control-events-centrally-using-advanced-hunting.md
|
||||
- name: Known Issues
|
||||
href: operations/known-issues.md
|
||||
- name: Managed installer and ISG technical reference and troubleshooting guide
|
||||
href: configure-wdac-managed-installer.md
|
||||
- name: AppLocker
|
||||
href: applocker\applocker-overview.md
|
||||
items:
|
||||
|
@ -26,7 +26,7 @@ ms.technology: windows-sec
|
||||
- Windows Server 2016 and later
|
||||
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
|
||||
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](feature-availability.md).
|
||||
|
||||
The [Microsoft Component Object Model (COM)](/windows/desktop/com/the-component-object-model) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM specifies an object model and programming requirements that enable COM objects to interact with other objects.
|
||||
|
||||
@ -104,16 +104,16 @@ Example 3: Allows a specific COM object to register in PowerShell
|
||||
|
||||
Here's an example of an error in the Event Viewer (**Application and Service Logs** > **Microsoft** > **Windows** > **AppLocker** > **MSI and Script**):
|
||||
|
||||
Log Name: Microsoft-Windows-AppLocker/MSI and Script<br/>
|
||||
Source: Microsoft-Windows-AppLocker<br/>
|
||||
Date: 11/11/2020 1:18:11 PM<br/>
|
||||
Event ID: 8036<br/>
|
||||
Task Category: None<br/>
|
||||
Level: Error<br/>
|
||||
Keywords:<br/>
|
||||
User: S-1-5-21-3340858017-3068726007-3466559902-3647<br/>
|
||||
Computer: contoso.com<br/>
|
||||
Description: {f8d253d9-89a4-4daa-87b6-1168369f0b21} was prevented from running due to Config CI policy.<br/>
|
||||
> Log Name: Microsoft-Windows-AppLocker/MSI and Script<br/>
|
||||
> Source: Microsoft-Windows-AppLocker<br/>
|
||||
> Date: 11/11/2020 1:18:11 PM<br/>
|
||||
> Event ID: 8036<br/>
|
||||
> Task Category: None<br/>
|
||||
> Level: Error<br/>
|
||||
> Keywords:<br/>
|
||||
> User: S-1-5-21-3340858017-3068726007-3466559902-3647<br/>
|
||||
> Computer: contoso.com<br/>
|
||||
> Description: {f8d253d9-89a4-4daa-87b6-1168369f0b21} was prevented from running due to Config CI policy.
|
||||
|
||||
Event XML:
|
||||
|
||||
@ -155,10 +155,10 @@ To add this CLSID to the existing policy, follow these steps:
|
||||
Once the command has been run, you will find that the following section is added to the policy XML.
|
||||
|
||||
```XML
|
||||
<Settings>
|
||||
<Setting Provider="WSH" Key="{f8d253d9-89a4-4daa-87b6-1168369f0b21}" ValueName="EnterpriseDefinedClsId">
|
||||
<Value>
|
||||
<Boolean>true</Boolean>
|
||||
</Value>
|
||||
</Setting>
|
||||
<Settings>
|
||||
<Setting Provider="WSH" Key="{f8d253d9-89a4-4daa-87b6-1168369f0b21}" ValueName="EnterpriseDefinedClsId">
|
||||
<Value>
|
||||
<Boolean>true</Boolean>
|
||||
</Value>
|
||||
</Setting>
|
||||
```
|
||||
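Review bot: The XML sample in the last hunk opens `<Settings>`, but the code fence closes right after `</Setting>`, so the snippet as shown is not well-formed. The hunk appears to change only the indentation of those six lines, so the missing tag predates it. Even so, a reader who pastes the block into a policy file ends up with an unclosed element, and a policy that fails to parse will not deliver the COM allow rule the page describes. Add `</Settings>` as the last line inside the fence, or say in the preceding sentence that the block is an excerpt of the policy's existing `<Settings>` element.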
|
@ -27,7 +27,7 @@ ms.technology: windows-sec
|
||||
- Windows Server 2016 and above
|
||||
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](feature-availability.md).
|
||||
|
||||
Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your WDAC policy but should be included.
|
||||
|
||||
|
@ -27,7 +27,7 @@ ms.technology: windows-sec
|
||||
- Windows Server 2016 and above
|
||||
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](feature-availability.md).
|
||||
|
||||
Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your WDAC policy but should be included.
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Configure authorized apps deployed with a WDAC-managed installer (Windows)
|
||||
description: Explains about how to configure a custom Manged Installer.
|
||||
title: Allow apps deployed with a WDAC managed installer (Windows)
|
||||
description: Explains how to configure a custom Managed Installer.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
ms.prod: m365-security
|
||||
@ -11,32 +11,31 @@ ms.localizationpriority: medium
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
author: jsuther1974
|
||||
ms.reviewer: isbrahm
|
||||
ms.reviewer: jogeurte
|
||||
ms.author: dansimp
|
||||
manager: dansimp
|
||||
ms.date: 10/19/2021
|
||||
ms.technology: windows-sec
|
||||
---
|
||||
# Configuring authorized apps deployed by a managed installer with AppLocker and Windows Defender Application Control
|
||||
|
||||
# Automatically allow apps deployed by a managed installer with Windows Defender Application Control
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2019 and above
|
||||
|
||||
> [!NOTE]
|
||||
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
|
||||
|
||||
Windows 10, version 1703 introduced a new option for Windows Defender Application Control (WDAC), called _managed installer_, that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution such as Microsoft Endpoint Configuration Manager.
|
||||
With Windows Defender Application Control (WDAC), you can automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, using a feature called _managed installer_. Managed installer can help you better balance security and manageability when enforcing application control policies.
|
||||
|
||||
## How does a managed installer work?
|
||||
|
||||
A new rule collection in AppLocker specifies binaries that are trusted by the organization as an authorized source for application deployment. When one of these trusted binaries runs, Windows will monitor the binary's process (and processes it launches), and then tag all files it writes as having originated from a managed installer. The managed installer rule collection is configured using Group Policy and can be applied with the Set-AppLockerPolicy PowerShell cmdlet. You can't currently set managed installers with the AppLocker CSP through MDM.
|
||||
Managed installer uses a special rule collection in **AppLocker** to designate binaries that are trusted by your organization as an authorized source for application installation. When one of these trusted binaries runs, Windows monitors the binary's process (and processes it launches) and watches for files being written to disk. As files are written, they are tagged as originating from a managed installer.
|
||||
|
||||
Having defined your managed installers by using AppLocker, you can then configure WDAC to trust files that are installed by a managed installer. You do so by adding the "Enabled:Managed Installer" option to your WDAC policy. When that option is set, WDAC will check for managed installer origin information when determining whether or not to allow a binary to run. As long as there are no deny rules present for the file, WDAC will allow a file to run based on its managed installer origin.
|
||||
|
||||
Ensure that the WDAC policy allows the system/boot components and any other authorized applications that can't be deployed through a managed installer.
|
||||
You can then configure WDAC to trust files that are installed by a managed installer by adding the "Enabled:Managed Installer" option to your WDAC policy. When that option is set, WDAC will check for managed installer origin information when determining whether or not to allow a binary to run. As long as there are no deny rules for the binary, WDAC will allow it to run based purely on its managed installer origin.
|
||||
|
||||
## Security considerations with managed installer
|
||||
|
||||
@ -46,7 +45,7 @@ Users with administrator privileges, or malware running as an administrator user
|
||||
|
||||
If a managed installer process runs in the context of a user with standard privileges, then it's possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control.
|
||||
|
||||
Some application installers may automatically run the application at the end of the installation process. If this happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization will extend to all files that are created during the first run of the application. Extension of the installer's authorization could result in unintentional authorization of an executable. To avoid that outcome, ensure that the method of application deployment that is used as a managed installer limits running applications as part of installation.
|
||||
Some application installers may automatically run the application at the end of the installation process. If this happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization will extend to all files that are created during the first run of the application. This could result in unintentional authorization of an executable. To avoid that, ensure that the method of application deployment that is used as a managed installer limits running applications as part of installation.
|
||||
|
||||
## Known limitations with managed installer
|
||||
|
||||
@ -58,126 +57,138 @@ Some application installers may automatically run the application at the end of
|
||||
|
||||
- The managed installer heuristic doesn't authorize kernel drivers. The WDAC policy must have rules that allow the necessary drivers to run.
|
||||
|
||||
## Configuring the managed installer
|
||||
## Configure managed installer tracking with AppLocker and WDAC
|
||||
|
||||
Setting up managed installer tracking and application execution enforcement requires applying both an AppLocker and WDAC policy, with specific rules and options enabled.
|
||||
There are three primary steps to keep in mind:
|
||||
To turn on managed installer tracking, you must:
|
||||
|
||||
- Specify managed installers, by using the Managed Installer rule collection in AppLocker policy.
|
||||
- Enable service enforcement in AppLocker policy.
|
||||
- Enable the managed installer option in a WDAC policy.
|
||||
- Create and deploy an AppLocker policy that defines your managed installer rules and enables services enforcement for executables and DLLs.
|
||||
- Enable AppLocker's Application Identity and AppLockerFltr services.
|
||||
|
||||
## Specify managed installers using the Managed Installer rule collection in AppLocker policy
|
||||
### Create and deploy an AppLocker policy that defines your managed installer rules and enables services enforcement for executables and DLLs
|
||||
|
||||
The identity of the managed installer executable(s) is specified in an AppLocker policy, in a Managed Installer rule collection.
|
||||
Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, you can use an XML or text editor to convert an EXE rule collection policy into a ManagedInstaller rule collection.
|
||||
> [!NOTE]
|
||||
> Only EXE file types can be designated as managed installers.
|
||||
|
||||
### Create Managed Installer rule collection
|
||||
|
||||
Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, you can use a text editor to make the changes that are needed to an EXE or DLL rule collection policy, to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO.
|
||||
|
||||
1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps&preserve-view=true) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback but other rule types can be used as well. You may need to reformat the output for readability.
|
||||
1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps&preserve-view=true) to make an EXE rule for the file you are designating as a managed installer. This example creates a rule for Microsoft's Intune Management Extension using the Publisher rule type, but any AppLocker rule type can be used. You may need to reformat the output for readability.
|
||||
|
||||
```powershell
|
||||
Get-ChildItem <exe filepath> | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml > AppLocker_MI_PS_ISE.xml
|
||||
Get-ChildItem ${env:ProgramFiles(x86)}'\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe' | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml > AppLocker_MI_PS_ISE.xml
|
||||
```
|
||||
|
||||
2. Manually rename the rule collection to ManagedInstaller
|
||||
2. Manually change the rule collection Type from "Exe" to "ManagedInstaller" and set EnforcementMode to "AuditOnly"
|
||||
|
||||
Change:
|
||||
|
||||
```powershell
|
||||
```XML
|
||||
<RuleCollection Type="Exe" EnforcementMode="NotConfigured">
|
||||
```
|
||||
|
||||
to:
|
||||
|
||||
```powershell
|
||||
```XML
|
||||
<RuleCollection Type="ManagedInstaller" EnforcementMode="AuditOnly">
|
||||
```
|
||||
|
||||
An example of a valid Managed Installer rule collection, using Microsoft Endpoint Config Manager (MEMCM), MEM (Intune), PowerShell, and PowerShell ISE, is shown below. Remove any rules that you do not wish to designate as a Managed Installer.
|
||||
|
||||
```xml
|
||||
<AppLockerPolicy Version="1">
|
||||
<RuleCollection Type="Appx" EnforcementMode="NotConfigured" />
|
||||
<RuleCollection Type="Dll" EnforcementMode="AuditOnly" >
|
||||
<FilePublisherRule Id="86f235ad-3f7b-4121-bc95-ea8bde3a5db5" Name="Allow all" Description="Allow all" UserOrGroupSid="S-1-1-0" Action="Allow">
|
||||
<Conditions>
|
||||
<FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
|
||||
<BinaryVersionRange LowSection="*" HighSection="*" />
|
||||
</FilePublisherCondition>
|
||||
</Conditions>
|
||||
</FilePublisherRule>
|
||||
<RuleCollectionExtensions>
|
||||
<ThresholdExtensions>
|
||||
<Services EnforcementMode="Enabled" />
|
||||
</ThresholdExtensions>
|
||||
<RedstoneExtensions>
|
||||
<SystemApps Allow="Enabled"/>
|
||||
</RedstoneExtensions>
|
||||
</RuleCollectionExtensions>
|
||||
</RuleCollection>
|
||||
<RuleCollection Type="Exe" EnforcementMode="AuditOnly">
|
||||
<FilePublisherRule Id="9420c496-046d-45ab-bd0e-455b2649e41e" Name="Allow all" Description="Allow all" UserOrGroupSid="S-1-1-0" Action="Allow">
|
||||
<Conditions>
|
||||
<FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
|
||||
<BinaryVersionRange LowSection="*" HighSection="*" />
|
||||
</FilePublisherCondition>
|
||||
</Conditions>
|
||||
</FilePublisherRule>
|
||||
<RuleCollectionExtensions>
|
||||
<ThresholdExtensions>
|
||||
<Services EnforcementMode="Enabled" />
|
||||
</ThresholdExtensions>
|
||||
<RedstoneExtensions>
|
||||
<SystemApps Allow="Enabled"/>
|
||||
</RedstoneExtensions>
|
||||
</RuleCollectionExtensions>
|
||||
</RuleCollection>
|
||||
<RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
|
||||
<RuleCollection Type="Script" EnforcementMode="NotConfigured" />
|
||||
<RuleCollection Type="ManagedInstaller" EnforcementMode="AuditOnly">
|
||||
<FilePublisherRule Id="55932f09-04b8-44ec-8e2d-3fc736500c56" Name="MICROSOFT.MANAGEMENT.SERVICES.INTUNEWINDOWSAGENT.EXE version 1.39.200.2 or greater in MICROSOFT® INTUNE™ from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
|
||||
<Conditions>
|
||||
<FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® INTUNE™" BinaryName="MICROSOFT.MANAGEMENT.SERVICES.INTUNEWINDOWSAGENT.EXE">
|
||||
<BinaryVersionRange LowSection="1.39.200.2" HighSection="*" />
|
||||
</FilePublisherCondition>
|
||||
</Conditions>
|
||||
</FilePublisherRule>
|
||||
<FilePublisherRule Id="6ead5a35-5bac-4fe4-a0a4-be8885012f87" Name="CMM - CCMEXEC.EXE, 5.0.0.0+, Microsoft signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
|
||||
3. Manually edit your AppLocker policy and add the EXE and DLL rule collections with at least one rule for each. To ensure your policy can be safely applied on systems that may already have an active AppLocker policy, we recommend using a benign DENY rule to block a fake binary and set the rule collection's EnforcementMode to AuditOnly. Additionally, since many installation processes rely on services, you need to enable services tracking for each of those rule collections. The following example shows a partial AppLocker policy with the EXE and DLL rule collection configured as recommended.
|
||||
|
||||
```xml
|
||||
<RuleCollection Type="Dll" EnforcementMode="AuditOnly" >
|
||||
<FilePathRule Id="86f235ad-3f7b-4121-bc95-ea8bde3a5db5" Name="Benign DENY Rule" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
|
||||
<Conditions>
|
||||
<FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="CCMEXEC.EXE">
|
||||
<BinaryVersionRange LowSection="5.0.0.0" HighSection="*" />
|
||||
</FilePublisherCondition>
|
||||
<FilePathCondition Path="%OSDRIVE%\ThisWillBeBlocked.dll" />
|
||||
</Conditions>
|
||||
</FilePublisherRule>
|
||||
<FilePublisherRule Id="8e23170d-e0b7-4711-b6d0-d208c960f30e" Name="CCM - CCMSETUP.EXE, 5.0.0.0+, Microsoft signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
|
||||
<Conditions>
|
||||
<FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="CCMSETUP.EXE">
|
||||
<BinaryVersionRange LowSection="5.0.0.0" HighSection="*" />
|
||||
</FilePublisherCondition>
|
||||
</Conditions>
|
||||
</FilePublisherRule>
|
||||
<FilePublisherRule Id="a8cb325e-b26e-4f52-b528-a137764cae42" Name="POWERSHELL.EXE, version 10.0.0.0 and above, in MICROSOFT® WINDOWS® OPERATING SYSTEM, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
|
||||
<Conditions>
|
||||
<FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="POWERSHELL.EXE">
|
||||
<BinaryVersionRange LowSection="*" HighSection="*" />
|
||||
</FilePublisherCondition>
|
||||
</Conditions>
|
||||
</FilePublisherRule>
|
||||
<FilePublisherRule Id="a8cb325e-b26e-4f52-b528-a137764cae54" Name="POWERSHELL_ISE.EXE, version 10.0.0.0 and above, in MICROSOFT® WINDOWS® OPERATING SYSTEM, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
|
||||
<Conditions>
|
||||
<FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="POWERSHELL_ISE.EXE">
|
||||
<BinaryVersionRange LowSection="*" HighSection="*" />
|
||||
</FilePublisherCondition>
|
||||
</Conditions>
|
||||
</FilePublisherRule>
|
||||
</RuleCollection>
|
||||
</AppLockerPolicy>
|
||||
```
|
||||
</FilePathRule>
|
||||
<RuleCollectionExtensions>
|
||||
<ThresholdExtensions>
|
||||
<Services EnforcementMode="Enabled" />
|
||||
</ThresholdExtensions>
|
||||
</RuleCollectionExtensions>
|
||||
</RuleCollection>
|
||||
<RuleCollection Type="Exe" EnforcementMode="AuditOnly">
|
||||
<FilePathRule Id="9420c496-046d-45ab-bd0e-455b2649e41e" Name="Benign DENY Rule" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
|
||||
<Conditions>
|
||||
<FilePathCondition Path="%OSDRIVE%\ThisWillBeBlocked.exe" />
|
||||
</Conditions>
|
||||
</FilePathRule>
|
||||
<RuleCollectionExtensions>
|
||||
<ThresholdExtensions>
|
||||
<Services EnforcementMode="Enabled" />
|
||||
</ThresholdExtensions>
|
||||
</RuleCollectionExtensions>
|
||||
</RuleCollection>
|
||||
```
|
||||
|
||||
>[!NOTE]
|
||||
>Since many installation processes rely on services, it is typically necessary to enable tracking of services. Correct tracking of services requires the presence of at least one rule in the rule collection. So, a simple audit-only rule will suffice.
|
||||
4. Verify your AppLocker policy. The following example shows a complete AppLocker policy that sets Microsoft Endpoint Config Manager (MEMCM)and Microsoft Endpoint Manager Intune as managed installers. Only those AppLocker rule collections that have actual rules defined are included in the final XML. This ensures the policy will merge successfully on devices which may already have an AppLocker policy in place.
|
||||
|
||||
```xml
|
||||
<AppLockerPolicy Version="1">
|
||||
<RuleCollection Type="Dll" EnforcementMode="AuditOnly" >
|
||||
<FilePathRule Id="86f235ad-3f7b-4121-bc95-ea8bde3a5db5" Name="Benign DENY Rule" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
|
||||
<Conditions>
|
||||
<FilePathCondition Path="%OSDRIVE%\ThisWillBeBlocked.dll" />
|
||||
</Conditions>
|
||||
</FilePathRule>
|
||||
<RuleCollectionExtensions>
|
||||
<ThresholdExtensions>
|
||||
<Services EnforcementMode="Enabled" />
|
||||
</ThresholdExtensions>
|
||||
</RuleCollectionExtensions>
|
||||
</RuleCollection>
|
||||
<RuleCollection Type="Exe" EnforcementMode="AuditOnly">
|
||||
<FilePathRule Id="9420c496-046d-45ab-bd0e-455b2649e41e" Name="Benign DENY Rule" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
|
||||
<Conditions>
|
||||
<FilePathCondition Path="%OSDRIVE%\ThisWillBeBlocked.exe" />
|
||||
</Conditions>
|
||||
</FilePathRule>
|
||||
<RuleCollectionExtensions>
|
||||
<ThresholdExtensions>
|
||||
<Services EnforcementMode="Enabled" />
|
||||
</ThresholdExtensions>
|
||||
</RuleCollectionExtensions>
|
||||
</RuleCollection>
|
||||
<RuleCollection Type="ManagedInstaller" EnforcementMode="AuditOnly">
|
||||
<FilePublisherRule Id="55932f09-04b8-44ec-8e2d-3fc736500c56" Name="MICROSOFT.MANAGEMENT.SERVICES.INTUNEWINDOWSAGENT.EXE version 1.39.200.2 or greater in MICROSOFT® INTUNE™ from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
|
||||
<Conditions>
|
||||
<FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="MICROSOFT.MANAGEMENT.SERVICES.INTUNEWINDOWSAGENT.EXE">
|
||||
<BinaryVersionRange LowSection="1.39.200.2" HighSection="*" />
|
||||
</FilePublisherCondition>
|
||||
</Conditions>
|
||||
</FilePublisherRule>
|
||||
<FilePublisherRule Id="6ead5a35-5bac-4fe4-a0a4-be8885012f87" Name="CMM - CCMEXEC.EXE, 5.0.0.0+, Microsoft signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
|
||||
<Conditions>
|
||||
<FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="CCMEXEC.EXE">
|
||||
<BinaryVersionRange LowSection="5.0.0.0" HighSection="*" />
|
||||
</FilePublisherCondition>
|
||||
</Conditions>
|
||||
</FilePublisherRule>
|
||||
<FilePublisherRule Id="8e23170d-e0b7-4711-b6d0-d208c960f30e" Name="CCM - CCMSETUP.EXE, 5.0.0.0+, Microsoft signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
|
||||
<Conditions>
|
||||
<FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="CCMSETUP.EXE">
|
||||
<BinaryVersionRange LowSection="5.0.0.0" HighSection="*" />
|
||||
</FilePublisherCondition>
|
||||
</Conditions>
|
||||
</FilePublisherRule>
|
||||
</RuleCollection>
|
||||
</AppLockerPolicy>
|
||||
```
|
||||
|
||||
5. Deploy your AppLocker managed installer configuration policy. You can either import your AppLocker policy and deploy with Group Policy or use a script to deploy the policy with the Set-AppLockerPolicy cmdlet as shown in the following PowerShell command.
|
||||
|
||||
```powershell
|
||||
Set-AppLockerPolicy -XmlPolicy <AppLocker XML FilePath> -Merge -ErrorAction SilentlyContinue
|
||||
```
|
||||
|
||||
6. If deploying your AppLocker policy via script, use appidtel.exe to configure the AppLocker Application Identity service and AppLocker filter driver.
|
||||
|
||||
```console
|
||||
appidtel.exe start [-mionly]
|
||||
```
|
||||
|
||||
Specify "-mionly" if you don't plan to use the Intelligent Security Graph (ISG).
|
||||
|
||||
> [!NOTE]
|
||||
> Managed installer tracking will start the next time a process runs that matches your managed installer rules. If an intended process is already running, you must restart it.
|
||||
|
||||
## Enable the managed installer option in WDAC policy
|
||||
|
||||
@ -202,69 +213,11 @@ Below are steps to create a WDAC policy that allows Windows to boot and enables
|
||||
Set-RuleOption -FilePath <XML filepath> -Option 13
|
||||
```
|
||||
|
||||
## Set the AppLocker filter driver to autostart
|
||||
4. Deploy your WDAC policy. See [Deploying Windows Defender Application Control (WDAC) policies](windows-defender-application-control-deployment-guide.md).
|
||||
|
||||
To enable the managed installer, you need to set the AppLocker filter driver to autostart, and start it.
|
||||
> [!NOTE]
|
||||
> Your WDAC policy must include rules for all system/boot components, kernel drivers, and any other authorized applications that can't be deployed through a managed installer.
|
||||
|
||||
To do so, run the following command as an Administrator:
|
||||
## Related articles
|
||||
|
||||
```console
|
||||
appidtel.exe start [-mionly]
|
||||
```
|
||||
|
||||
Specify "-mionly" if you will not use the Intelligent Security Graph (ISG).
|
||||
|
||||
## Using fsutil to query SmartLocker EA
|
||||
Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph enabled can use fsutil to determine whether a file was allowed to run by one of these features. This can be achieved by querying the EAs on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This can be used in conjunction with enabling the MI and ISG logging events.
|
||||
|
||||
#### Example:
|
||||
```powershell
|
||||
fsutil file queryEA C:\Users\Temp\Downloads\application.exe
|
||||
|
||||
Extended Attributes (EA) information for file C:\Users\Temp\Downloads\application.exe:
|
||||
|
||||
Ea Buffer Offset: 410
|
||||
Ea Name: $KERNEL.SMARTLOCKER.ORIGINCLAIM
|
||||
Ea Value Length: 7e
|
||||
0000: 01 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 ................
|
||||
0010: b2 ff 10 66 bc a8 47 c7 00 d9 56 9d 3d d4 20 2a ...f..G...V.=. *
|
||||
0020: 63 a3 80 e2 d8 33 8e 77 e9 5c 8d b0 d5 a7 a3 11 c....3.w.\......
|
||||
0030: 83 00 00 00 00 00 00 00 5c 00 00 00 43 00 3a 00 ........\...C.:.
|
||||
0040: 5c 00 55 00 73 00 65 00 72 00 73 00 5c 00 6a 00 \.U.s.e.r.s.\.T.
|
||||
0050: 6f 00 67 00 65 00 75 00 72 00 74 00 65 00 2e 00 e.m.p..\D.o.w.n...
|
||||
0060: 52 00 45 00 44 00 4d 00 4f 00 4e 00 44 00 5c 00 l.o.a.d.\a.p.p.l.
|
||||
0070: 44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 i.c.a.t.i.o.n..e.x.e
|
||||
```
|
||||
|
||||
## Enabling managed installer logging events
|
||||
|
||||
Refer to [Understanding Application Control Events](event-id-explanations.md#optional-intelligent-security-graph-isg-or-managed-installer-mi-diagnostic-events) for information on enabling optional managed installer diagnostic events.
|
||||
|
||||
## Deploying the Managed Installer rule collection
|
||||
|
||||
Once you've completed configuring your chosen Managed Installer, by specifying which option to use in the AppLocker policy, enabling the service enforcement of it, and by enabling the Managed Installer option in a WDAC policy, you'll need to deploy it.
|
||||
|
||||
1. Use the following command to deploy the policy.
|
||||
```powershell
|
||||
$policyFile=
|
||||
@"
|
||||
Raw_AppLocker_Policy_XML
|
||||
"@
|
||||
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue
|
||||
```
|
||||
|
||||
2. Verify Deployment of the ruleset was successful
|
||||
```powershell
|
||||
Get-AppLockerPolicy -Local
|
||||
|
||||
Version RuleCollections RuleCollectionTypes
|
||||
------- --------------- -------------------
|
||||
1 {0, 0, 0, 0...} {Appx, Dll, Exe, ManagedInstaller...}
|
||||
```
|
||||
Verify the output shows the ManagedInstaller rule set.
|
||||
|
||||
3. Get the policy XML (optional) using PowerShell:
|
||||
```powershell
|
||||
Get-AppLockerPolicy -Effective -Xml -ErrorVariable ev -ErrorAction SilentlyContinue
|
||||
```
|
||||
This command will show the raw XML to verify the individual rules that were set.
|
||||
- [Managed installer and ISG technical reference and troubleshooting guide](configure-wdac-managed-installer.md)
|
||||
|
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Configure a WDAC managed installer (Windows)
|
||||
title: Managed installer and ISG technical reference and troubleshooting guide (Windows)
|
||||
description: Explains how to configure a custom Manged Installer.
|
||||
keywords: security, malware
|
||||
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
|
||||
@ -18,148 +18,75 @@ ms.date: 08/14/2020
|
||||
ms.technology: windows-sec
|
||||
---
|
||||
|
||||
# Configuring a managed installer with AppLocker and Windows Defender Application Control
|
||||
# Managed installer and ISG technical reference and troubleshooting guide
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and above
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2019 and above
|
||||
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](feature-availability.md).
|
||||
|
||||
Setting up managed installer tracking and application execution enforcement requires applying both an AppLocker and WDAC policy with specific rules and options enabled.
|
||||
There are three primary steps to keep in mind:
|
||||
## Using fsutil to query SmartLocker EA
|
||||
|
||||
- Specify managed installers by using the Managed Installer rule collection in AppLocker policy.
|
||||
- Enable service enforcement in AppLocker policy.
|
||||
- Enable the managed installer option in a WDAC policy.
|
||||
Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph enabled can use fsutil to determine whether a file was allowed to run by one of these features. This can be achieved by querying the EAs on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This can be used in conjunction with enabling the MI and ISG logging events.
|
||||
|
||||
## Specify managed installers using the Managed Installer rule collection in AppLocker policy
|
||||
**Example:**
|
||||
|
||||
The identity of the managed installer executable(s) is specified in an AppLocker policy in a Managed Installer rule collection.
|
||||
```powershell
|
||||
fsutil file queryEA C:\Users\Temp\Downloads\application.exe
|
||||
|
||||
### Create Managed Installer rule collection
|
||||
Extended Attributes (EA) information for file C:\Users\Temp\Downloads\application.exe:
|
||||
|
||||
Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, a text editor can be used to make the simple changes needed to an EXE or DLL rule collection policy to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO.
|
||||
|
||||
1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps&preserve-view=true) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback, but other rule types can be used as well. You may need to reformat the output for readability.
|
||||
|
||||
```powershell
|
||||
Get-ChildItem <exe filepath> | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml > AppLocker_MI_PS_ISE.xml
|
||||
```
|
||||
|
||||
2. Manually rename the rule collection to ManagedInstaller
|
||||
|
||||
Change
|
||||
|
||||
```powershell
|
||||
<RuleCollection Type="Exe" EnforcementMode="NotConfigured">
|
||||
```
|
||||
|
||||
to
|
||||
|
||||
```powershell
|
||||
<RuleCollection Type="ManagedInstaller" EnforcementMode="AuditOnly">
|
||||
```
|
||||
|
||||
An example of a valid Managed Installer rule collection using Microsoft Endpoint Config Manager (MEMCM) is shown below.
|
||||
|
||||
```xml
|
||||
<RuleCollection Type="ManagedInstaller" EnforcementMode="AuditOnly">
|
||||
<FilePublisherRule Id="6cc9a840-b0fd-4f86-aca7-8424a22b4b93" Name="MEMCM - CCMEXEC.EXE, 5.0.0.0+, Microsoft signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
|
||||
<Conditions>
|
||||
<FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="CCMEXEC.EXE">
|
||||
<BinaryVersionRange LowSection="5.0.0.0" HighSection="*" />
|
||||
</FilePublisherCondition>
|
||||
</Conditions>
|
||||
</FilePublisherRule>
|
||||
<FilePublisherRule Id="780ae2d3-5047-4240-8a57-767c251cbb12" Name="MEMCM - CCMSETUP.EXE, 5.0.0.0+, Microsoft signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
|
||||
<Conditions>
|
||||
<FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="CCMSETUP.EXE">
|
||||
<BinaryVersionRange LowSection="5.0.0.0" HighSection="*" />
|
||||
</FilePublisherCondition>
|
||||
</Conditions>
|
||||
</FilePublisherRule>
|
||||
</RuleCollection>
|
||||
Ea Buffer Offset: 410
|
||||
Ea Name: $KERNEL.SMARTLOCKER.ORIGINCLAIM
|
||||
Ea Value Length: 7e
|
||||
0000: 01 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 ................
|
||||
0010: b2 ff 10 66 bc a8 47 c7 00 d9 56 9d 3d d4 20 2a ...f..G...V.=. *
|
||||
0020: 63 a3 80 e2 d8 33 8e 77 e9 5c 8d b0 d5 a7 a3 11 c....3.w.\......
|
||||
0030: 83 00 00 00 00 00 00 00 5c 00 00 00 43 00 3a 00 ........\...C.:.
|
||||
0040: 5c 00 55 00 73 00 65 00 72 00 73 00 5c 00 6a 00 \.U.s.e.r.s.\.T.
|
||||
0050: 6f 00 67 00 65 00 75 00 72 00 74 00 65 00 2e 00 e.m.p..\D.o.w.n...
|
||||
0060: 52 00 45 00 44 00 4d 00 4f 00 4e 00 44 00 5c 00 l.o.a.d.\a.p.p.l.
|
||||
0070: 44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 i.c.a.t.i.o.n..e.x.e
|
||||
```
|
||||
|
||||
### Enable service enforcement in AppLocker policy
|
||||
|
||||
Since many installation processes rely on services, it is typically necessary to enable tracking of services.
|
||||
Correct tracking of services requires the presence of at least one rule in the rule collection, so a simple audit only rule will suffice. This can be added to the policy created above which specifies your managed installer rule collection.
|
||||
|
||||
For example:
|
||||
|
||||
```xml
|
||||
<RuleCollection Type="Dll" EnforcementMode="AuditOnly" >
|
||||
<FilePathRule Id="86f235ad-3f7b-4121-bc95-ea8bde3a5db5" Name="Dummy Rule" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
|
||||
<Conditions>
|
||||
<FilePathCondition Path="%OSDRIVE%\ThisWillBeBlocked.dll" />
|
||||
</Conditions>
|
||||
</FilePathRule>
|
||||
<RuleCollectionExtensions>
|
||||
<ThresholdExtensions>
|
||||
<Services EnforcementMode="Enabled" />
|
||||
</ThresholdExtensions>
|
||||
<RedstoneExtensions>
|
||||
<SystemApps Allow="Enabled"/>
|
||||
</RedstoneExtensions>
|
||||
</RuleCollectionExtensions>
|
||||
</RuleCollection>
|
||||
<RuleCollection Type="Exe" EnforcementMode="AuditOnly">
|
||||
<FilePathRule Id="9420c496-046d-45ab-bd0e-455b2649e41e" Name="Dummy Rule" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
|
||||
<Conditions>
|
||||
<FilePathCondition Path="%OSDRIVE%\ThisWillBeBlocked.exe" />
|
||||
</Conditions>
|
||||
</FilePathRule>
|
||||
<RuleCollectionExtensions>
|
||||
<ThresholdExtensions>
|
||||
<Services EnforcementMode="Enabled" />
|
||||
</ThresholdExtensions>
|
||||
<RedstoneExtensions>
|
||||
<SystemApps Allow="Enabled"/>
|
||||
</RedstoneExtensions>
|
||||
</RuleCollectionExtensions>
|
||||
</RuleCollection>
|
||||
```
|
||||
|
||||
## Enable the managed installer option in WDAC policy
|
||||
|
||||
In order to enable trust for the binaries laid down by managed installers, the Enabled: Managed Installer option must be specified in your WDAC policy.
|
||||
This can be done by using the [Set-RuleOption cmdlet](/powershell/module/configci/set-ruleoption) with Option 13.
|
||||
|
||||
Below are steps to create a WDAC policy that allows Windows to boot and enables the managed installer option.
|
||||
|
||||
1. Copy the DefaultWindows_Audit policy into your working folder from C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml
|
||||
|
||||
2. Reset the policy ID to ensure it is in multiple policy format and give it a different GUID from the example policies. Also give it a friendly name to help with identification.
|
||||
|
||||
Ex.
|
||||
|
||||
```powershell
|
||||
Set-CIPolicyIdInfo -FilePath <XML filepath> -PolicyName "<friendly name>" -ResetPolicyID
|
||||
```
|
||||
|
||||
3. Set Option 13 (Enabled:Managed Installer)
|
||||
|
||||
```powershell
|
||||
Set-RuleOption -FilePath <XML filepath> -Option 13
|
||||
```
|
||||
|
||||
## Set the AppLocker filter driver to autostart
|
||||
|
||||
To enable the managed installer, you need to set the AppLocker filter driver to autostart and start it.
|
||||
|
||||
To do so, run the following command as an Administrator:
|
||||
|
||||
```console
|
||||
appidtel.exe start [-mionly]
|
||||
```
|
||||
|
||||
Specify `-mionly` if you will not use the Intelligent Security Graph (ISG).
|
||||
|
||||
## Enabling managed installer logging events
|
||||
|
||||
Refer to [Understanding Application Control Events](event-id-explanations.md#optional-intelligent-security-graph-isg-or-managed-installer-mi-diagnostic-events) for information on enabling optional managed installer diagnostic events.
|
||||
Refer to [Understanding Application Control Events](event-id-explanations.md#optional-intelligent-security-graph-isg-or-managed-installer-mi-diagnostic-events) for information on enabling optional managed installer diagnostic events.
|
||||
|
||||
## Deploying the Managed Installer rule collection
|
||||
|
||||
Once you've completed configuring your chosen Managed Installer, by specifying which option to use in the AppLocker policy, enabling the service enforcement of it, and by enabling the Managed Installer option in a WDAC policy, you'll need to deploy it.
|
||||
|
||||
1. Use the following command to deploy the policy.
|
||||
|
||||
```powershell
|
||||
$policyFile=
|
||||
@"
|
||||
Raw_AppLocker_Policy_XML
|
||||
"@
|
||||
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue
|
||||
```
|
||||
|
||||
2. Verify Deployment of the ruleset was successful
|
||||
|
||||
```powershell
|
||||
Get-AppLockerPolicy -Local
|
||||
|
||||
Version RuleCollections RuleCollectionTypes
|
||||
------- --------------- -------------------
|
||||
1 {0, 0, 0, 0...} {Appx, Dll, Exe, ManagedInstaller...}
|
||||
```
|
||||
|
||||
Verify the output shows the ManagedInstaller rule set.
|
||||
|
||||
3. Get the policy XML (optional) using PowerShell:
|
||||
|
||||
```powershell
|
||||
Get-AppLockerPolicy -Effective -Xml -ErrorVariable ev -ErrorAction SilentlyContinue
|
||||
```
|
||||
|
||||
This command will show the raw XML to verify the individual rules that were set.
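Review bot: The fsutil sample output under "Using fsutil to query SmartLocker EA" is internally inconsistent, because the hex column does not decode to the path shown in the text column. Read as UTF-16LE, rows `0040`–`0070` spell a different `C:\Users\…` profile path than the `C:\Users\Temp\Downloads\application.exe` printed beside them. The sample therefore looks sanitized on one side only and may still carry the account name of the machine it was captured on. I would regenerate the output from a scratch file so both columns agree, or replace the value rows with a placeholder such as `0040: <value bytes omitted>`. Separately, the front-matter `description` still reads "Explains how to configure a custom Manged Installer", which has a typo and no longer matches what appears to be the new title.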
|
||||
|
@ -25,7 +25,7 @@ ms.localizationpriority: medium
|
||||
- Windows Server 2016 and above
|
||||
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
|
||||
|
||||
You can use Microsoft Endpoint Configuration Manager (MEMCM) to configure Windows Defender Application Control (WDAC) on client machines.
|
||||
|
||||
@ -41,7 +41,7 @@ MEMCM includes native support for WDAC, which allows you to configure Windows 10
|
||||
|
||||
Note that MEMCM does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable WDAC altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot.
|
||||
|
||||
For more information on using MEMCM's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager)
|
||||
For more information on using MEMCM's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager).
|
||||
|
||||
## Deploy custom WDAC policies using Packages/Programs or Task Sequences
|
||||
|
||||
|
@ -25,7 +25,7 @@ ms.localizationpriority: medium
|
||||
- Windows Server 2016 and above
|
||||
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
|
||||
|
||||
This topic describes how to deploy Windows Defender Application Control (WDAC) policies using script. The instructions below use PowerShell but can work with any scripting host.
|
||||
|
||||
@ -61,13 +61,15 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p
|
||||
In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [MEM](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically.
|
||||
|
||||
1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt:
|
||||
```powershell
|
||||
mountvol J: /S
|
||||
J:
|
||||
mkdir J:\EFI\Microsoft\Boot\CiPolicies\Active
|
||||
```
|
||||
|
||||
2. Copy the signed policy binary as `{PolicyGUID}.cip` to J:\EFI\Microsoft\Boot\CiPolicies\Active
|
||||
```powershell
|
||||
mountvol J: /S
|
||||
J:
|
||||
mkdir J:\EFI\Microsoft\Boot\CiPolicies\Active
|
||||
```
|
||||
|
||||
2. Copy the signed policy binary as `{PolicyGUID}.cip` to `J:\EFI\Microsoft\Boot\CiPolicies\Active`.
|
||||
|
||||
3. Reboot the system.
|
||||
|
||||
## Script-based deployment process for Windows 10 versions earlier than 1903
|
||||
|
@ -26,7 +26,7 @@ ms.localizationpriority: medium
|
||||
- Windows Server 2016 and above
|
||||
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
|
||||
|
||||
This topic covers tips and tricks for admins as well as known issues with WDAC.
|
||||
Test this configuration in your lab before enabling it in production.
|
||||
@ -40,12 +40,12 @@ In some cases, the code integrity logs where WDAC errors and warnings are writte
|
||||
Installing .msi files directly from the internet to a computer protected by WDAC will fail.
|
||||
For example, this command will not work:
|
||||
|
||||
```code
|
||||
```console
|
||||
msiexec –i https://download.microsoft.com/download/2/E/3/2E3A1E42-8F50-4396-9E7E-76209EA4F429/Windows10_Version_1511_ADMX.msi
|
||||
```
|
||||
|
||||
As a workaround, download the MSI file and run it locally:
|
||||
|
||||
```code
|
||||
```console
|
||||
msiexec –i c:\temp\Windows10_Version_1511_ADMX.msi
|
||||
```
|
||||
|
@ -273,32 +273,6 @@ Learn about the new Group Policies that were added in Windows 10, version 1703.
|
||||
|
||||
- [Group Policy Settings Reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250)
|
||||
|
||||
## Windows 10 Mobile enhancements
|
||||
|
||||
### Lockdown Designer
|
||||
|
||||
The Lockdown Designer app helps you configure and create a lockdown XML file to apply to devices running Windows 10 Mobile, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Using Lockdown Designer is easier than [manually creating a lockdown XML file](/windows/configuration/mobile-devices/lockdown-xml).
|
||||
|
||||

|
||||
|
||||
[Learn more about the Lockdown Designer app.](/windows/configuration/mobile-devices/mobile-lockdown-designer)
|
||||
|
||||
### Other enhancements
|
||||
|
||||
Windows 10 Mobile, version 1703 also includes the following enhancements:
|
||||
|
||||
- SD card encryption
|
||||
- Remote PIN resets for Azure Active Directory accounts
|
||||
- SMS text message archiving
|
||||
- WiFi Direct management
|
||||
- OTC update tool
|
||||
- Continuum display management
|
||||
- Individually turn off the monitor or phone screen when not in use
|
||||
- individually adjust screen time-out settings
|
||||
- Continuum docking solutions
|
||||
- Set Ethernet port properties
|
||||
- Set proxy properties for the Ethernet port
|
||||
|
||||
## Miracast on existing wireless network or LAN
|
||||
|
||||
In the Windows 10, version 1703, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](/openspecs/windows_protocols/ms-mice/9598ca72-d937-466c-95f6-70401bb10bdb).
|
||||
|