deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 19:03:46 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/rs2' into jdrs2icd

Browse Source
This commit is contained in:
jdeckerMS
2017-02-24 08:54:43 -08:00
parent 3690c62baa f4ba1b46b9
commit 3055d055e7
13 changed files with 157 additions and 169 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
education/windows/TOC.md
View File

@ -12,7 +12,6 @@
## [Take tests in Windows 10 ](take-tests-in-windows-10.md)
### [Set up Take a Test on a single PC](take-a-test-single-pc.md)
### [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md)
### [Create tests using Microsoft Forms](create-tests-using-microsoft-forms.md)
### [Take a Test app technical reference](take-a-test-app-technical.md)
## [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)

1
education/windows/create-tests-using-microsoft-forms.md
View File

@ -7,6 +7,7 @@ ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
author: CelesteDG
redirect_url: https://support.microsoft.com/help/4000711/windows-10-create-tests-using-microsoft-forms
---
# Create tests using Microsoft Forms

BIN
education/windows/images/take_a_test_flow.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

BIN
education/windows/images/take_a_test_workflow.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

62
education/windows/index.md
View File

@ -14,42 +14,74 @@ author: CelesteDG
# Windows 10 for Education
<link rel="stylesheet" href="https://az835927.vo.msecnd.net/sites/uwp/Resources/css/custom.css">
## ![Learn more about Windows](images/education.png) Learn
## Windows 10
### ![Learn more about Windows](images/education.png) Learn
<div class="side-by-side"> <div class="side-by-side-content">
<div class="side-by-side-content-left"><p>
<b>[Windows 10 editions for education customers](windows-editions-for-education-customers.md)</b><br />Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.</p></div>
<div class="side-by-side-content-right"><p><b>[Compare each Windows edition](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)</b><br />Find out more about the features and functionality we support in each edition of Windows.</p><p>
<b>[Get Windows 10 Education or Windows 10 Pro Education](https://www.microsoft.com/en-us/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools)</b><br />When you've made your decision, find out how to buy Windows for your school.</p></div>
<div class="side-by-side-content-left">
<p><b>[Windows 10 editions for education customers](windows-editions-for-education-customers.md)</b><br />Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.</p>
<p><b>[Compare each Windows edition](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)</b><br />Find out more about the features and functionality we support in each edition of Windows.</p>
<p><b>[Get Windows 10 Education or Windows 10 Pro Education](https://www.microsoft.com/en-us/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools)</b><br />When you've made your decision, find out how to buy Windows for your school.</p></div>
<div class="side-by-side-content-right">
<p><b>How-to videos</b><br />
<ul>
<li><a href="https://technet.microsoft.com/en-us/windows/mt723345" target="_blank">Automate common Windows 10 deployment and configuration tasks</a></li>
<li><a href="https://technet.microsoft.com/en-us/windows/mt723346" target="_blank">Deploy a custom Windows 10 Start menu</a></li>
<li><a href="https://technet.microsoft.com/en-us/windows/mt723347" target="_blank">Manage Windows 10 updates and upgrades</a></li>
<li><a href="https://technet.microsoft.com/en-us/windows/mt723344" target="_blank">Reprovision devices at the end of the school year</a></li>
<li><a href="https://technet.microsoft.com/en-us/windows/mt723343" target="_blank">Use MDT to deploy Windows 10</a></li>
<li><a href="https://technet.microsoft.com/en-us/windows/mt723348" target="_blank">Use Windows Store for Business</a></li>
</ul>
</div>
</div></div>
## ![Plan for Windows 10 in your school](images/clipboard.png) Plan
### ![Plan for Windows 10 in your school](images/clipboard.png) Plan
<div class="side-by-side"> <div class="side-by-side-content">
<div class="side-by-side-content-left"><p>
<b>[Provisioning options for Windows 10](set-up-windows-10.md)</b><br />Depending on your school's device management needs, Windows offers a variety of options that you can use to set up Windows 10 on your devices.</p><p>
<b>[Provisioning options for Windows 10](set-up-windows-10.md)</b><br />Depending on your school's device management needs, you can use **Set up School PCs** or the *Provision school devices* option in **Windows Imaging and Configuration Designer** to quickly set up student PCs.</p><p>
<b>[Get Minecraft Education Edition](get-minecraft-for-education.md)</b><br />Minecraft Education Edition is built for learning. Learn how to get early access and add it to your Microsoft Store for Business for distribution.</p></div>
<div class="side-by-side-content-right"><p><b>[Take tests in Windows 10](take-tests-in-windows-10.md)</b><br />Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up.</p>
<p><b>[Chromebook migration guide](chromebook-migration-guide.md)</b><br />Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment.</p></div>
</div></div>
## ![Deploy Windows 10 for education](images/PCicon.png) Deploy
### ![Deploy Windows 10 for education](images/PCicon.png) Deploy
<div class="side-by-side"> <div class="side-by-side-content">
<div class="side-by-side-content-left"><p><b>[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)</b><br />Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.</p></div>
<div class="side-by-side-content-right"><p>
<b>[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)</b><br />Get step-by-step guidance to help you deploy Windows 10 in a school environment.</p><p>
<b>[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)</b><br />Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.</p></div>
</div></div>
<div class="side-by-side-content-left">
<p><b>[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)</b><br />Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.</p>
<p><b>[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)</b><br />Get step-by-step guidance to help you deploy Windows 10 in a school environment.</p>
<p><b>[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)</b><br />Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.</p>
</div>
<div class="side-by-side-content-right">
<p><b><a href="https://technet.microsoft.com/en-us/windows/mt574244" target="_blank">Try it out: Windows 10 deployment (for education)</a></b><br />Learn how to upgrade devices running the Windows 7 operating system to Windows 10 Anniversary Update, and how to manage devices, apps, and users in Windows 10 Anniversary Update.<br /><br />For the best experience, use this guide in tandem with the <a href="https://vlabs.holsystems.com/vlabs/technet?eng=VLabs&auth=none&src=vlabs&altadd=true&labid=20949&lod=true" target="_blank">TechNet Virtual Lab: IT Pro Try-It-Out</a>.</p>
</div>
</div></div>
## ![Deploy Windows 10 for education](images/windows.png) Upgrade
### ![Upgrade to Windows 10 for education](images/windows.png) Upgrade
<div class="side-by-side"> <div class="side-by-side-content">
<div class="side-by-side-content-left"><p><b>[Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md)</b><br />If you have an education tenant and use Windows 10 Pro in your schools now, find out how you can opt-in to a free upgrade to Windows 10 Pro Education.</p></div>
</div>
## Windows 8.1
Follow these links to find step-by-step guidance on how to deploy Windows 8.1 in an academic environment.
<div class="side-by-side"> <div class="side-by-side-content">
<div class="side-by-side-content-left">
<p><b><a href="https://technet.microsoft.com/library/dn645509.aspx" target="_blank">Windows 8.1 deployment planning</a></b><br />Explore key considerations and questions that should be answered when planning for Windows 8.1 deployment.</p>
<p><b><a href="https://technet.microsoft.com/library/dn645528.aspx" target="_blank">Windows 8.1 deployment to PCs</a></b><br />Get an overview of Windows 8.1 deployment to PCs in an educational environment.</p>
<p><b><a href="https://technet.microsoft.com/library/dn645510.aspx" target="_blank">BYOD</a></b><br />Explore Bring Your Own Device (BYOD) considerations, including device types, infrastructure, and deployment models.</p>
<p><b><a href="https://technet.microsoft.com/library/dn645488.aspx" target="_blank">Deploying Windows RT 8.1</a></b><br />Get step-by-step instructions on how to configure and deploy Windows RT devices (like Surface and other tablets) in educational environments.</p>
</div>
<div class="side-by-side-content-right">
<p><b><a href="https://technet.microsoft.com/library/dn645483.aspx" target="_blank">Virtual Desktop Infrastructure</a></b><br />Learn how to address challenges related to BYOD scenarios using Virtual Desktop Infrastructure (VDI).</p>
<p><b><a href="https://technet.microsoft.com/library/dn645532.aspx" target="_blank">Windows Store apps</a></b><br />Explore Windows Store app deployment strategies and considerations for educational institutions running Windows 8.1.</p>
<p><b><a href="https://technet.microsoft.com/library/dn645486.aspx" target="_blank">Windows To Go</a></b><br />Learn about the benefits, limitations, and processes involved in deploying Windows To Go.</p>
</div>
</div></div>
## Related topics
- [Try it out: virtual labs and how-to videos for Windows 10 Education](https://technet.microsoft.com/en-us/windows/dn610356)
- [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/itpro/windows/index)

127
education/windows/take-a-test-multiple-pcs.md
View File

@ -25,43 +25,38 @@ Many schools use online testing for formative and summative assessments. It's cr
- Students cant change settings, extend their display, see notifications, get updates, or use autofill features.
- Cortana is turned off.
## How to use Take a Test
![Set up and user flow for the Take a Test app](images/take_a_test_workflow.png)
## How you use Take a Test
![Use test account or test url in Take a Test](images/take-a-test-flow.png)
- **Use a test URL and a [dedicated testing account](#set-up-a-dedicated-test-account)** - A user signs in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing.
- **[Put a test URL with an included prefix](#provide-link-to-test) on a web page or OneNote for students to click** - This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments.
- **Use an assessment URL and a [dedicated testing account](#set-up-a-dedicated-test-account)** - A user signs in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing.
- **[Put an assessment URL with an included prefix](#provide-link-to-test) on a web page or OneNote for students to click** - This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments.
## Set up a dedicated test account
To configure a dedicated test account on multiple PCs, you can use:
- [Mobile device management (MDM) or Microsoft System Center Configuration Manager](#set-up-test-account-in-mdm-or-configuration-manager)
- [A provisioning package](#set-up-test-account-in-a-provisioning-package) created in Windows Imaging and Configuration Designer (ICD)
- [Group Policy](#set-up-test-account-in-group-policy) to deploy a scheduled task that runs a Powershell script
### Set up test account in MDM or Configuration Manager
- [Mobile device management (MDM) or Microsoft System Center Configuration Manager](#set-up-a-test-account-in-mdm-or-configuration-manager)
- [A provisioning package](#set-up-a-test-account-in-a-provisioning-package) created in Windows Imaging and Configuration Designer (ICD)
- [Group Policy](#set-up-a-test-account-in-group-policy) to deploy a scheduled task that runs a Powershell script
### Set up a test account in MDM or Configuration Manager
1. Launch your management console.
2. Create a policy to set up single app kiosk mode, using the following values:
- **Custom OMA-DM URI** = ./Vendor/MSFT/AssignedAccess/KioskModeApp
- **String value** = {"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}
> Account can be in one of the following formats:
> - username
> - domain\username
> - computer name\\username
> - username@tenant.com
Account can be in one of the following formats:
- username
- domain\username
- computer name\\username
- username@tenant.com
3. Create a policy to configure the assessment URL, using the following values:
- **Custom OMA-DM URI** = ./Vendor/MSFT/SecureAssessment/LaunchURI
- **String value** = *assessment URL*
> See [Assessment URLs](#assessment-urls)
See [Assessment URLs](#assessment-urls) for more information.
4. Create a policy that associates the assessment URL to the account, using the following values:
@ -70,11 +65,11 @@ To configure a dedicated test account on multiple PCs, you can use:
5. To take the test, the student signs in to the test account.
### Set up test account in a provisioning package
### Set up a test account in a provisioning package
Prerequisite: You must first [download the Windows ADK](https://msdn.microsoft.com/en-us/windows/hardware/dn913721.aspx) for Windows 10, Version 1607, and install Windows Imaging and Configuration Designer (ICD).
**Prerequisite:** You must first download the Windows ADK for Windows 10, Version 1607, and install Windows Imaging and Configuration Designer (ICD). For more info, see [Install Windows Imaging and Configuration Designer](https://technet.microsoft.com/en-us/itpro/windows/deploy/provisioning-install-icd).
**Create a provisioning package to set up a test account
**Create a provisioning package to set up a test account**
1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).
2. Select **Advanced provisioning**.
@ -85,25 +80,21 @@ Prerequisite: You must first [download the Windows ADK](https://msdn.microsoft.c
7. Enter **{"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}**, using the account that you want to set up, as shown in the following image.
![Enter account and app for Assigned Access Settings](images/test-account-icd.png)
> Account can be in one of the following formats:
> - username
> - domain\username
> - computer name\\username
> - username@tenant.com
Account can be in one of the following formats:
- username
- domain\username
- computer name\\username
- username@tenant.com
8. Go to **Runtime settings** > **TakeATest**.
9. Enter the test URL in **LaunchURI**.
9. Enter the assessment URL in **LaunchURI**.
10. Enter the test account from step 7 in **TesterAccount**.
On the **File** menu, select **Save.**
9. On the **Export** menu, select **Provisioning package**.
10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package.
12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location.
@ -111,7 +102,6 @@ On the **File** menu, select **Save.**
Optionally, you can click **Browse** to change the default output location.
13. Click **Next**.
14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
@ -123,25 +113,20 @@ On the **File** menu, select **Save.**
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
**Apply the provisioning package**
1. Select the provisioning package that you want to apply, double-click the file, and then allow admin privileges.
**Apply the provisioning package**
1. Select the provisioning package that you want to apply, double-click the file, and then allow admin privileges.
2. Consent to allow the package to be installed.
After you allow the package to be installed, the settings will be applied to the device
After you allow the package to be installed, the settings will be applied to the device. [Learn how to apply a provisioning package in audit mode or OOBE](https://go.microsoft.com/fwlink/p/?LinkID=692012).
[Learn how to apply a provisioning package in audit mode or OOBE.](https://go.microsoft.com/fwlink/p/?LinkID=692012)
### Set up a test account in Group Policy
To set up a test account using Group Policy, first create a Powershell script that configures the test account and assessment URL, and then create a scheduled task to run the script.
### Set up test account in Group Policy
To set up a test account using Group Policy, first create a Powershell script that configures the test account and test URL, and then create a scheduled task to run the script.
#### Create a Powershell script
This sample Powershell script configures the test account and the test URL. Edit the sample to:
#### Create a PowerShell script
This sample PowerShell script configures the test account and the assessment URL. Edit the sample to:
- Use your test account for **$obj.LaunchURI**
- Use your test URL for **$obj.TesterAccount**
- Use your assessment URL for **$obj.TesterAccount**
- Use your test account for **-UserName**
```
@ -152,9 +137,7 @@ $obj.put()
Set-AssignedAccess -AppUserModelId Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App -UserName TestAccount
```
#### Create a scheduled task in Group Policy
1. Open the Group Policy Management Console.
2. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click **Edit**.
3. In the console tree under **Computer Configuration** or **User Configuration**, go to **Preferences** > **Control Panel Settings**.
@ -164,42 +147,36 @@ Set-AssignedAccess -AppUserModelId Microsoft.Windows.SecureAssessmentBrowser_cw5
7. In the **Advanced** dialog box, click **Find Now**.
8. Select **System** in the search results
9. Go back to the **Properties** dialog box and select **Run with highest privileges** under **Security options**.
9. Specify the operating system in the **Configure for** field.
9. Navigate to the **Actions** tab.
9. Create a new **Action**.
9. Configure the action to **Start a program**.
9. In the **Program/script** field, enter **powershell**.
9. In the **Add arguments** field, enter **-file “<path to powershell script>”**.
9. Click **OK**.
9. Navigate to the **Triggers** tab and create a new trigger.
9. Specify the trigger to be **On a schedule**.
9. Specify the trigger to be **One time**.
9. Specify the time the trigger should start.
9. Click **OK**.
9. In the **Settings** tab, select **Run task as soon as possible after a scheduled start is missed**.
9. Click **OK**.
10. Specify the operating system in the **Configure for** field.
11. Navigate to the **Actions** tab.
12. Create a new **Action**.
13. Configure the action to **Start a program**.
14. In the **Program/script** field, enter **powershell**.
15. In the **Add arguments** field, enter **-file “<path to powershell script>”**.
16. Click **OK**.
17. Navigate to the **Triggers** tab and create a new trigger.
18. Specify the trigger to be **On a schedule**.
19. Specify the trigger to be **One time**.
20. Specify the time the trigger should start.
21. Click **OK**.
22. In the **Settings** tab, select **Run task as soon as possible after a scheduled start is missed**.
23. Click **OK**.
## Provide link to test
Anything hosted on the web can be presented in a locked down manner, not just assessments. To lock down online content, just embed a URL with a specific prefix and devices will be locked down when users follow the link. We recommend using this method for lower stakes assessments.
1. Create a link to the test URL. Use **ms-edu-secureassessment:** before the URL and **!enforceLockdown** after the URL.
```
ms-edu-secureassessment:<URL>!enforceLockdown
1. Create a link to the assessment URL. Use **ms-edu-secureassessment:** before the URL and **!enforceLockdown** after the URL.
```
> **Note**: You may want to remove !enforceLockdown for tests that utilizes our lockdown API that checks for running processes before locking down. Removing !enforceLockdown will result in the app not locking down immediately which allows you to close apps that are not allowed to run during lockdown. The test web application may lock down the device once you have closed the apps.
ms-edu-secureassessment:<URL>!enforceLockdown
```
> [!NOTE]
> You may want to remove !enforceLockdown for tests that utilizes our lockdown API that checks for running processes before locking down. Removing !enforceLockdown will result in the app not locking down immediately which allows you to close apps that are not allowed to run during lockdown. The test web application may lock down the device once you have closed the apps.
2. Distribute the link. You can use the web, email, OneNote, or any other method of your choosing.
3. To take the test, the student clicks on the link and provides user consent.
## Assessment URLs
This assessment URL uses our lockdown API:
- SBAC/AIR: [http://mobile.tds.airast.org/launchpad/](http://mobile.tds.airast.org/launchpad/).

28
education/windows/take-a-test-single-pc.md
View File

@ -29,20 +29,14 @@ The **Take a Test** app in Windows 10, Version 1607, creates the right environme
> To exit **Take a Test**, press Ctrl+Alt+Delete.
## How you use Take a Test
## How to use Take a Test
![Use test account or test url in Take a Test](images/take-a-test-flow.png)
![Set up and user flow for the Take a Test app](images/take_a_test_workflow.png)
- **Use a test URL and a [dedicated testing account](#set-up-a-dedicated-test-account)** - A user signs in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing.
- **[Put a test URL with an included prefix](#provide-link-to-test) on a web page or OneNote for students to click** - This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments.
- **Use an assessment URL and a [dedicated testing account](#set-up-a-dedicated-test-account)** - A user signs in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in Microsoft Edge in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing.
- **[Put an assessment URL with an included prefix](#provide-a-link-to-the-test) on a web page or OneNote for students to click** - This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments.
## Set up a dedicated test account
1. Sign into the device with an administrator account.
2. Go to **Settings** > **Accounts** > **Work or school access** > **Set up an account for taking tests**.
3. Select an existing account to use as the dedicated testing account.
@ -51,21 +45,17 @@ The **Take a Test** app in Windows 10, Version 1607, creates the right environme
> If you don't have an account on the device, you can create a new account. To do this, go to **Settings** > **Accounts** > **Other Users** > **Add someone else to this PC** > **I dont have this persons sign-in information** > **Add a user without a Microsoft account**.
4. Specify an assessment URL.
5. Click **Save**.
6. To take the test, the student signs in to the selected account.
## Provide link to test
## Provide a link to the test
Anything hosted on the web can be presented in a locked down manner, not just assessments. To lock down online content, just embed a URL with a specific prefix and devices will be locked down when users follow the link. We recommend using this method for lower stakes assessments.
1. Create a link to the test URL. Use **ms-edu-secureassessment:** before the URL and **!enforceLockdown** after the URL.
```
ms-edu-secureassessment:<URL>!enforceLockdown
1. Create a link to the assessment URL. Use **ms-edu-secureassessment:** before the URL and **!enforceLockdown** after the URL.
```
ms-edu-secureassessment:<URL>!enforceLockdown
```
> [!NOTE]
> You may want to remove !enforceLockdown for tests that utilizes our lockdown API that checks for running processes before locking down. Removing !enforceLockdown will result in the app not locking down immediately which allows you to close apps that are not allowed to run during lockdown. The test web application may lock down the device once you have closed the apps.

17
education/windows/take-tests-in-windows-10.md
View File

@ -27,18 +27,17 @@ Many schools use online testing for formative and summative assessments. It's cr
## How you use Take a Test
## How to use Take a Test
![Use test account or test url in Take a Test](images/take-a-test-flow.png)
- **Use a test URL and a dedicated testing account** - A user signs in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing.
- **Put a test URL with an included prefix on a web page or OneNote for students to click** - This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments.
[Learn how to set up Take a Test on a single PC](take-a-test-single-pc.md)
[Learn how to set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md)
![Set up and user flow for the Take a Test app](images/take_a_test_workflow.png)
- **Use an assessment URL and a dedicated testing account** - A user signs in to the account and the **Take a Test** app automatically launches the pre-configured assessment URL in a single-app, kiosk mode. A student will never have access to the desktop in this configuration. We recommend this configuration for high stakes testing.
- **Put an assessment URL with an included prefix on a web page or OneNote for students to click** - This allows teachers and test administrators an easier way to deploy assessments. We recommend this method for lower stakes assessments.
## How to set up Take a Test on PCs
You can use Take a Test to set up a test for a single PC or multiple PCs. Follow these links to learn how:
- [Set up Take a Test on a single PC](take-a-test-single-pc.md)
- [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md)
## Related topics

2
windows/configure/configure-windows-10-taskbar.md
View File

@ -42,6 +42,8 @@ To configure the taskbar:
>[!IMPORTANT]
>If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user then unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to make changes that will persist, apply your configuration by using Group Policy.
>
>If you use Group Policy and your configuration only contains a taskbar layout, the default Windows tile layout will be applied and cannot be changed by users. If you use Group Policy and your configuration includes taskbar and a full Start layout, users can only make changes to the taskbar. If you use Group Policy and your configuration includes taskbar and a [partial Start layout](https://technet.microsoft.com/itpro/windows/manage/customize-and-export-start-layout#configure-a-partial-start-layout), users can make changes to the taskbar and to tile groups not defined in the partial Start layout.
### Tips for finding AUMID and Desktop Application Link Path

2
windows/keep-secure/credential-guard.md
View File

@ -85,7 +85,7 @@ Applications may cause performance issues when they attempt to hook the isolated
The following tables provide more information about the hardware, firmware, and software required for deployment of Credential Guard. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017.
> [!NOTE]
> For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow.<br>
> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. This requirement is not restated in the tables that follow.<br>
> If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).<br>
> Starting in Widows 10, 1607, TPM 2.0 is required.

2
windows/keep-secure/deploy-code-integrity-policies-steps.md
View File

@ -143,7 +143,7 @@ As of Windows 10, version 1703, you can use code integrity policies not only to
| Approach (as of Windows 10, version 1703) | Guideline |
|---|---|
| You can work from a list of plug-ins, add-ins, or modules that you want only a specific application to be able to run. Other applications would be blocked from running them. | Use `New-CIPolicyRule` with the `-AppID` option. |
| In addition, you can work from a list of plug-ins, add-ins, or modules that you want to block in a specific application. Other applications would be allowed to run them. | Use New-CIPolicyRule with the `-AppID` and `-Deny` options. |
| In addition, you can work from a list of plug-ins, add-ins, or modules that you want to block in a specific application. Other applications would be allowed to run them. | Use `New-CIPolicyRule` with the `-AppID` and `-Deny` options. |
To work with these options, the typical method is to create a policy that only affects plug-ins, add-ins, and modules, then merge it into your master policy (merging is described in the next section).

30
windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md
View File

@ -42,7 +42,7 @@ Windows 10 mitigations that you can configure are listed in the following two ta
| Mitigation and corresponding threat | Description and links |
|---|---|
| **Windows Defender SmartScreen**,<br>which helps prevent<br>malicious applications<br>from even being downloaded | Windows Defender SmartScreen can check the reputation of a downloaded application by using a service that Microsoft maintains. The first time a user runs an app that originates from the Internet (even if the user copied it from another PC), SmartScreen checks to see if the app lacks a reputation or is known to be malicious, and responds accordingly.<br><br>**More information**: [Windows Defender SmartScreen](#windows-defender-smartscreen), later in this topic |
| **Windows Defender SmartScreen**,<br>which helps prevent<br>malicious applications<br>from being downloaded | Windows Defender SmartScreen can check the reputation of a downloaded application by using a service that Microsoft maintains. The first time a user runs an app that originates from the Internet (even if the user copied it from another PC), SmartScreen checks to see if the app lacks a reputation or is known to be malicious, and responds accordingly.<br><br>**More information**: [Windows Defender SmartScreen](#windows-defender-smartscreen), later in this topic |
| **Credential Guard**,<br>which helps keep attackers<br>from gaining access through<br>Pass-the-Hash or<br>Pass-the-Ticket attacks | Credential Guard uses virtualization-based security to isolate secrets, such as NTLM password hashes and Kerberos Ticket Granting Tickets, so that only privileged system software can access them.<br>Credential Guard is included in Windows 10 Enterprise and Windows Server 2016.<br><br>**More information**: [Protect derived domain credentials with Credential Guard](credential-guard.md) |
| **Enterprise certificate pinning**,<br>which helps keep users<br>from being deceived by<br>man-in-the-middle attacks<br>that leverage PKI | With enterprise certificate pinning, you can “pin” (associate) an X.509 certificate and its public key to its legitimate Certification Authority, either root or leaf. This helps protect your enterprises intranet sites (not external Internet sites) by providing validation for digitally signed certificates (SSL certificates) used while browsing. This feature mitigates man-in the-middle attacks that involve these certificates.<br><br>**More information**: ENTERPRISE_CERTIFICATE_PINNING_LINK |
| **Device Guard**,<br>which helps keep a device<br>from running malware or<br>other untrusted apps | Device Guard includes Code Integrity policies, a whitelist you create of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which leverages virtualization-based security (VBS) to protect Windows kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain entrance to the kernel.<br>Device Guard is included in Windows 10 Enterprise and Windows Server 2016.<br><br>**More information**: [Introduction to Device Guard](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) |
@ -67,33 +67,21 @@ Also, as an IT professional, you can ask application developers and software ven
### Windows Defender SmartScreen
Windows Defender SmartScreen notifies users if they click on reported phishing and malware websites, and helps protect them against unsafe downloads or make informed decisions about downloads.
Starting with Windows Internet Explorer 8, the SmartScreen Filter has helped protect users from both malicious applications and nefarious websites by using the SmartScreen Filters application and URL reputation services. The SmartScreen Filter in Internet Explorer would check URLs and newly downloaded apps against an online reputation service that Microsoft maintained. If the app or URL were not known to be safe, SmartScreen Filter would warn the user or even prevent the app or URL from loading, depending on how systems administrators had configured Group Policy settings.
For Windows 10, Microsoft further developed SmartScreen, now called Windows Defender SmartScreen, by integrating its app reputation abilities into the operating system itself, which allows SmartScreen to check the reputation of files downloaded from the Internet and warn users when theyre about to run a high-risk downloaded file. The first time a user runs an app that originates from the Internet, SmartScreen checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, SmartScreen warns the user or blocks execution entirely, depending on how the administrator has configured Group Policy (see Figure 4).
For Windows 10, Microsoft further developed SmartScreen, now called Windows Defender SmartScreen, by integrating its app reputation abilities into the operating system itself, which allows SmartScreen to check the reputation of files downloaded from the Internet and warn users when theyre about to run a high-risk downloaded file. The first time a user runs an app that originates from the Internet, SmartScreen checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, SmartScreen warns the user or blocks execution entirely, depending on how the administrator has configured Microsoft Intune or Group Policy settings.
![SmartScreen Filter at work in Windows 10](images/security-fig7-smartscreenfilter.png)
<!-- Next sentence needs a link to the main SmartScreen topic, whatever it's called. -->
**Figure 4.&nbsp;&nbsp;SmartScreen at work in Windows 10**
<!-- There are probably some deletions to make in the following paragraph, and the screenshot needs to be replaced. Wait and see -- other information will likely be coming in. -->
By default, users have the option to bypass SmartScreen protection so that it will not prevent a user from running a legitimate app. You can use Control Panel or Group Policy settings to disable SmartScreen or to completely prevent users from running apps that SmartScreen does not recognize. The Control Panel settings are shown in Figure 5.
![SmartScreen configuration options](images/security-fig8-smartscreenconfig.png)
**Figure 5.&nbsp;&nbsp;The Windows SmartScreen configuration options in Control Panel**
If you want to try SmartScreen, use Windows 7 to download this simulated (but not dangerous) malware [file:freevideo.exe](https://go.microsoft.com/fwlink/p/?LinkId=626943). Save it to your computer, and then run it from Windows Explorer. As shown in Figure 6, Windows 7 runs the app without much warning. In Windows 7, you might receive a warning message about the app not having a certificate, but you can easily bypass it.
![Windows 7 allows the app to run](images/security-fig9-windows7allow.png)
**Figure 6.&nbsp;&nbsp;Windows 7 allows the app to run**
Now, repeat the test on a computer running Windows 10 by copying the file to a Windows 10 PC or by downloading the file again and saving it to your local computer. Run the file directly from File Explorer, and SmartScreen will warn you before it allows it to run. Microsofts data shows that for a vast majority of users, that extra warning is enough to save them from a malware infection.
For more information, see Windows Defender SmartScreen overview.
### Windows Defender Antivirus
Windows included Windows Defender Antivirus, a robust inbox antimalware solution, starting with Windows 8, when it was called Windows Defender. With Windows 10, Microsoft significantly improved Windows Defender Antivirus. Windows Defender Antivirus in Windows 10 uses a four-pronged approach to improve antimalware:
Windows included Windows Defender Antivirus, a robust inbox antimalware solution, starting with Windows 8, when it was called Windows Defender. With Windows 10, Microsoft significantly improved Windows Defender Antivirus. Windows Defender Antivirus in Windows 10 uses a multi-pronged approach to improve antimalware:
- **Cloud-delivered protection** helps detect and block new malware within seconds, even if the malware has never been seen before. The service uses distributed resources and machine learning to deliver protection to endpoints at a rate that is far faster than traditional signature updates.
- **Rich local context** improves how malware is identified. Windows 10 informs Windows Defender Antivirus not only about content like files and processes but also where the content came from, where it has been stored, and more. The information about source and history enables Windows Defender Antivirus to apply different levels of scrutiny to different content.

2
windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
View File

@ -42,7 +42,7 @@ You can deploy Device Guard in phases, and plan these phases in relation to the
The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017.
> **Notes**
> • To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
> • To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).<br>
> • Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers.
## Device Guard requirements for baseline protections