diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md index 4c003123f7..f5e0e84d26 100644 --- a/windows/client-management/mdm/assignedaccess-ddf.md +++ b/windows/client-management/mdm/assignedaccess-ddf.md @@ -54,7 +54,7 @@ The following XML file contains the device description framework (DDF) for the A This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app. -Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}. +Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}. When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output. diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md index ea131ee762..5f89c0bace 100644 --- a/windows/client-management/mdm/bitlocker-ddf-file.md +++ b/windows/client-management/mdm/bitlocker-ddf-file.md @@ -142,7 +142,7 @@ The following XML file contains the device description framework (DDF) for the B If you disable or do not configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script.” The format is string. Sample value for this node to enable this policy and set the encryption methods is: - + EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives. EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives. 
@@ -194,7 +194,7 @@ The following XML file contains the device description framework (DDF) for the B Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard. The format is string. Sample value for this node to enable this policy is: - + ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) All of the below settings are for computers with a TPM. @@ -250,7 +250,7 @@ The following XML file contains the device description framework (DDF) for the B NOTE: If minimum PIN length is set below 6 digits, Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. The format is string. Sample value for this node to enable this policy is: - + Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: @@ -291,7 +291,7 @@ The following XML file contains the device description framework (DDF) for the B Note: Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen. The format is string. Sample value for this node to enable this policy is: - + The possible values for 'xx' are: 0 = Empty 
@@ -344,7 +344,7 @@ The following XML file contains the device description framework (DDF) for the B If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS. The format is string. Sample value for this node to enable this policy is: - + The possible values for 'xx' are: true = Explicitly allow @@ -402,7 +402,7 @@ The following XML file contains the device description framework (DDF) for the B If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives. The format is string. Sample value for this node to enable this policy is: - + The possible values for 'xx' are: true = Explicitly allow @@ -454,7 +454,7 @@ The following XML file contains the device description framework (DDF) for the B If you disable or do not configure this policy setting, all fixed data drives on the computer will be mounted with read and write access. The format is string. Sample value for this node to enable this policy is: - + Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: @@ -495,7 +495,7 @@ The following XML file contains the device description framework (DDF) for the B Note: This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored. The format is string. Sample value for this node to enable this policy is: - + The possible values for 'xx' are: true = Explicitly allow 
@@ -575,7 +575,7 @@ The following XML file contains the device description framework (DDF) for the B require reinstallation of Windows. Note: This policy takes effect only if "RequireDeviceEncryption" policy is set to 1. The format is integer. - The expected values for this policy are: + The expected values for this policy are: 1 = This is the default, when the policy is not set. Warning prompt and encryption notification is allowed. 0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, @@ -623,7 +623,7 @@ The following XML file contains the device description framework (DDF) for the B If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system. - The expected values for this policy are: + The expected values for this policy are: 1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user. 0 = This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy @@ -741,7 +741,7 @@ The policy only comes into effect when Active Directory backup for a recovery pa * status\RotateRecoveryPasswordsStatus * status\RotateRecoveryPasswordsRequestID - + Supported Values: String form of request ID. Example format of request ID is GUID. Server can choose the format as needed according to the management tools.\ diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md index f0fb439bfa..8de5700e56 100644 --- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md +++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md 
@@ -640,7 +640,7 @@ SCEP enrolled cert doesn’t support TPM PIN protection. 5 - Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes. + Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes. Default value is: 5 The min value is 1. @@ -764,7 +764,7 @@ Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength. - Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +. + Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +. For NGC, only SHA256 is supported as the supported algorithm @@ -1723,7 +1723,7 @@ SCEP enrolled cert doesn’t support TPM PIN protection. 5 - Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes. + Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes. Default value is: 5 The min value is 1. @@ -1847,7 +1847,7 @@ Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength. - Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +. + Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +. For NGC, only SHA256 is supported as the supported algorithm diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md index 8c1832dac1..92e080ba93 100644 --- a/windows/client-management/mdm/passportforwork-ddf.md +++ b/windows/client-management/mdm/passportforwork-ddf.md 
@@ -934,7 +934,7 @@ If you disable or do not configure this policy setting, the PIN recovery secret False - Windows Hello for Business can use certificates to authenticate to on-premise resources. + Windows Hello for Business can use certificates to authenticate to on-premise resources. If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN. diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index 11a98be2e2..cd2bf997f6 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -37,7 +37,7 @@ If set to 1 then any MDM policy that's set that has an equivalent GP policy will > [!NOTE] -> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md). Nor does it apply to the [Update Policy CSP](policy-csp-update.md) for managing Windows updates. +> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md). Nor does it apply to the [Update Policy CSP](policy-csp-update.md) for managing Windows updates. This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1. 
diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md index f0c354b20c..016c5d5a51 100644 --- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md +++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md @@ -267,7 +267,7 @@ Resource URI for which access is being requested by the Mopria discovery client This policy must target ./User, otherwise it fails. -The default value is an empty string. Otherwise, the value should contain a URL. +The default value is an empty string. Otherwise, the value should contain a URL. **Example**: diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 0c07ef2d66..9d17406fe6 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md 
@@ -34,11 +34,11 @@ ms.date: 01/18/2024 This policy setting controls whether a device will automatically sign in and lock the last interactive user after the system restarts or after a shutdown and cold boot. -This only occurs if the last interactive user didn't sign out before the restart or shutdown. +This only occurs if the last interactive user didn't sign out before the restart or shutdown. If the device is joined to Active Directory or Microsoft Entra ID, this policy only applies to Windows Update restarts. Otherwise, this will apply to both Windows Update restarts and user-initiated restarts and shutdowns. -- If you don't configure this policy setting, it's enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots. +- If you don't configure this policy setting, it's enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots. After enabling this policy, you can configure its settings through the ConfigAutomaticRestartSignOn policy, which configures the mode of automatically signing in and locking the last interactive user after a restart or cold boot . diff --git a/windows/configuration/TOC.yml b/windows/configuration/TOC.yml index 97c1386a73..a9b2a23294 100644 --- a/windows/configuration/TOC.yml +++ b/windows/configuration/TOC.yml @@ -22,6 +22,7 @@ href: windows-10-start-layout-options-and-policies.md - name: Use XML items: + - name: Customize and export Start layout href: customize-and-export-start-layout.md - name: Customize the taskbar 
@@ -53,7 +54,7 @@ - name: Configure cellular settings for tablets and PCs href: provisioning-apn.md - name: Lockdown features from Windows Embedded 8.1 Industry - href: lockdown-features-windows-10.md + href: lockdown-features-windows-10.md - name: Configure kiosks and digital signs @@ -91,16 +92,17 @@ - name: Use MDM Bridge WMI Provider to create a Windows client kiosk href: kiosk-mdm-bridge.md - name: Troubleshoot kiosk mode issues - href: /troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting + href: /troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting - name: Configure multi-user and guest devices + items: - name: Shared devices concepts href: shared-devices-concepts.md - name: Configure shared devices with Shared PC href: set-up-shared-or-guest-pc.md - name: Shared PC technical reference - href: shared-pc-technical.md + href: shared-pc-technical.md - name: Use provisioning packages items: @@ -131,7 +133,7 @@ - name: Diagnose provisioning packages href: provisioning-packages/diagnose-provisioning-packages.md - name: Windows Configuration Designer command-line interface (reference) - href: provisioning-packages/provisioning-command-line.md + href: provisioning-packages/provisioning-command-line.md - name: Configure Cortana items: 
@@ -176,12 +178,12 @@ - name: Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email href: cortana-at-work/test-scenario-6.md - name: Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device - href: cortana-at-work/cortana-at-work-scenario-7.md + href: cortana-at-work/cortana-at-work-scenario-7.md - name: Set up and test custom voice commands in Cortana for your organization href: cortana-at-work/cortana-at-work-voice-commands.md - name: Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization - href: cortana-at-work/cortana-at-work-policy-settings.md + href: cortana-at-work/cortana-at-work-policy-settings.md - name: Reference 
@@ -196,108 +198,151 @@ href: wcd/wcd-accountmanagement.md - name: Accounts href: wcd/wcd-accounts.md + - name: ADMXIngestion href: wcd/wcd-admxingestion.md + - name: AssignedAccess href: wcd/wcd-assignedaccess.md + - name: Browser href: wcd/wcd-browser.md + - name: CellCore href: wcd/wcd-cellcore.md - name: Cellular href: wcd/wcd-cellular.md + - name: Certificates href: wcd/wcd-certificates.md + - name: CleanPC href: wcd/wcd-cleanpc.md + - name: Connections href: wcd/wcd-connections.md + - name: ConnectivityProfiles href: wcd/wcd-connectivityprofiles.md + - name: CountryAndRegion href: wcd/wcd-countryandregion.md + - name: DesktopBackgroundAndColors href: wcd/wcd-desktopbackgroundandcolors.md + - name: DeveloperSetup href: wcd/wcd-developersetup.md + - name: DeviceFormFactor href: wcd/wcd-deviceformfactor.md + - name: DeviceManagement href: wcd/wcd-devicemanagement.md + - name: DeviceUpdateCenter href: wcd/wcd-deviceupdatecenter.md - name: DMClient href: wcd/wcd-dmclient.md + - name: EditionUpgrade href: wcd/wcd-editionupgrade.md + - name: FirewallConfiguration href: wcd/wcd-firewallconfiguration.md + - name: FirstExperience href: wcd/wcd-firstexperience.md + - name: Folders href: wcd/wcd-folders.md + - name: HotSpot href: wcd/wcd-hotspot.md - name: KioskBrowser href: wcd/wcd-kioskbrowser.md + - name: Licensing href: wcd/wcd-licensing.md + - name: Location href: wcd/wcd-location.md + - name: Maps href: wcd/wcd-maps.md + - name: NetworkProxy href: wcd/wcd-networkproxy.md + - name: NetworkQOSPolicy href: wcd/wcd-networkqospolicy.md + - name: OOBE href: wcd/wcd-oobe.md + - name: Personalization href: wcd/wcd-personalization.md + - name: Policies href: wcd/wcd-policies.md + - name: Privacy href: wcd/wcd-privacy.md + - name: ProvisioningCommands href: wcd/wcd-provisioningcommands.md - name: SharedPC href: wcd/wcd-sharedpc.md + - name: SMISettings href: wcd/wcd-smisettings.md + - name: Start href: wcd/wcd-start.md + - name: StartupApp href: wcd/wcd-startupapp.md + - 
name: StartupBackgroundTasks href: wcd/wcd-startupbackgroundtasks.md + - name: StorageD3InModernStandby href: wcd/wcd-storaged3inmodernstandby.md - name: SurfaceHubManagement href: wcd/wcd-surfacehubmanagement.md + - name: TabletMode href: wcd/wcd-tabletmode.md + - name: TakeATest href: wcd/wcd-takeatest.md - name: Time href: wcd/wcd-time.md + - name: UnifiedWriteFilter href: wcd/wcd-unifiedwritefilter.md + - name: UniversalAppInstall href: wcd/wcd-universalappinstall.md + - name: UniversalAppUninstall href: wcd/wcd-universalappuninstall.md + - name: UsbErrorsOEMOverride href: wcd/wcd-usberrorsoemoverride.md - name: WeakCharger href: wcd/wcd-weakcharger.md + - name: WindowsHelloForBusiness href: wcd/wcd-windowshelloforbusiness.md - name: WindowsTeamSettings href: wcd/wcd-windowsteamsettings.md + - name: WLAN href: wcd/wcd-wlan.md + - name: Workplace - href: wcd/wcd-workplace.md + href: wcd/wcd-workplace.md - name: User Experience Virtualization (UE-V) items: diff --git a/windows/configuration/windows-accessibility-for-ITPros.md b/windows/configuration/accessibility/index.md similarity index 83% rename from windows/configuration/windows-accessibility-for-ITPros.md rename to windows/configuration/accessibility/index.md index cda104c484..aa8561ee8e 100644 --- a/windows/configuration/windows-accessibility-for-ITPros.md +++ b/windows/configuration/accessibility/index.md 
@@ -1,134 +1,124 @@ --- title: Windows accessibility information for IT Pros description: Lists the various accessibility features available in Windows client with links to detailed guidance on how to set them. -ms.prod: windows-client -ms.technology: itpro-configure -ms.author: lizlong -author: lizgt2000 ms.date: 08/11/2023 -ms.reviewer: -manager: aaroncz -ms.localizationpriority: medium ms.topic: conceptual ms.collection: tier1 -appliesto: - - ✅ Windows 10 - - ✅ Windows 11 ---- +--- - + -# Accessibility information for IT professionals +# Accessibility information for IT professionals -Microsoft is dedicated to making its products and services accessible and usable for everyone. Windows includes accessibility features that benefit all users. These features make it easier to customize the computer and give users with different abilities options to improve their experience with Windows. +Microsoft is dedicated to making its products and services accessible and usable for everyone. Windows includes accessibility features that benefit all users. These features make it easier to customize the computer and give users with different abilities options to improve their experience with Windows. -This article helps you as the IT administrator learn about built-in accessibility features. It also includes recommendations for how to support people in your organization who use these features. +This article helps you as the IT administrator learn about built-in accessibility features. It also includes recommendations for how to support people in your organization who use these features. -Windows 11, version 22H2, includes improvements for people with disabilities: system-wide live captions, Focus sessions, voice access, and more natural voices for Narrator. 
For more information, see [New accessibility features coming to Windows 11](https://blogs.windows.com/windowsexperience/2022/05/10/new-accessibility-features-coming-to-windows-11/) and [How inclusion drives innovation in Windows 11](https://blogs.windows.com/windowsexperience/?p=177554). +Windows 11, version 22H2, includes improvements for people with disabilities: system-wide live captions, Focus sessions, voice access, and more natural voices for Narrator. For more information, see [New accessibility features coming to Windows 11](https://blogs.windows.com/windowsexperience/2022/05/10/new-accessibility-features-coming-to-windows-11/) and [How inclusion drives innovation in Windows 11](https://blogs.windows.com/windowsexperience/?p=177554). -## General recommendations +## General recommendations -- **Be aware of Ease of Access settings**. Understand how people in your organization might use these settings. Help people in your organization learn how they can customize Windows. +- **Be aware of Ease of Access settings**. Understand how people in your organization might use these settings. Help people in your organization learn how they can customize Windows. -- **Don't block settings**. Avoid using group policy or MDM settings that override Ease of Access settings. +- **Don't block settings**. Avoid using group policy or MDM settings that override Ease of Access settings. -- **Encourage choice**. Allow people in your organization to customize their computers based on their needs. That customization might be installing an add-on for their browser, or a non-Microsoft assistive technology. +- **Encourage choice**. Allow people in your organization to customize their computers based on their needs. That customization might be installing an add-on for their browser, or a non-Microsoft assistive technology. 
-## Vision +## Vision -- [Use Narrator to use devices without a screen](https://support.microsoft.com/windows/complete-guide-to-narrator-e4397a0d-ef4f-b386-d8ae-c172f109bdb1). Narrator describes Windows and apps and enables you to control devices by using a keyboard, controller, or with a range of gestures on touch-supported devices. Now the user is able to download and install 10 more natural languages. +- [Use Narrator to use devices without a screen](https://support.microsoft.com/windows/complete-guide-to-narrator-e4397a0d-ef4f-b386-d8ae-c172f109bdb1). Narrator describes Windows and apps and enables you to control devices by using a keyboard, controller, or with a range of gestures on touch-supported devices. Now the user is able to download and install 10 more natural languages. -- [Create accessible apps](/windows/apps/develop/accessibility). You can develop accessible apps just like Mail, Groove, and Store that work well with Narrator and other leading screen readers. +- [Create accessible apps](/windows/apps/develop/accessibility). You can develop accessible apps just like Mail, Groove, and Store that work well with Narrator and other leading screen readers. -- Use keyboard shortcuts. Get the most out of Windows with shortcuts for apps and desktops. +- Use keyboard shortcuts. Get the most out of Windows with shortcuts for apps and desktops. 
- [Keyboard shortcuts in Windows](https://support.microsoft.com/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec) - [Narrator keyboard commands and touch gestures](https://support.microsoft.com/windows/appendix-b-narrator-keyboard-commands-and-touch-gestures-8bdab3f4-b3e9-4554-7f28-8b15bd37410a) - - [Windows keyboard shortcuts for accessibility](https://support.microsoft.com/windows/windows-keyboard-shortcuts-for-accessibility-021bcb62-45c8-e4ef-1e4f-41b8c1fc87fd) + - [Windows keyboard shortcuts for accessibility](https://support.microsoft.com/windows/windows-keyboard-shortcuts-for-accessibility-021bcb62-45c8-e4ef-1e4f-41b8c1fc87fd) -- Get closer with [Magnifier](https://support.microsoft.com/windows/use-magnifier-to-make-things-on-the-screen-easier-to-see-414948ba-8b1c-d3bd-8615-0e5e32204198). Magnifier enlarges all or part of your screen and offers various configuration settings. +- Get closer with [Magnifier](https://support.microsoft.com/windows/use-magnifier-to-make-things-on-the-screen-easier-to-see-414948ba-8b1c-d3bd-8615-0e5e32204198). Magnifier enlarges all or part of your screen and offers various configuration settings. -- [Make Windows easier to see](https://support.microsoft.com/windows/make-windows-easier-to-see-c97c2b0d-cadb-93f0-5fd1-59ccfe19345d). +- [Make Windows easier to see](https://support.microsoft.com/windows/make-windows-easier-to-see-c97c2b0d-cadb-93f0-5fd1-59ccfe19345d). - Changing the size or color of pointers or adding trails or touch feedback make it easier to follow the mouse. - Adjust the size of text, icons, and other screen items to make them easier to see. - - Many high-contrast themes are available to suit your needs. + - Many high-contrast themes are available to suit your needs. -- [Have Cortana assist](https://support.microsoft.com/topic/what-is-cortana-953e648d-5668-e017-1341-7f26f7d0f825). 
Cortana can handle various tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts. +- [Have Cortana assist](https://support.microsoft.com/topic/what-is-cortana-953e648d-5668-e017-1341-7f26f7d0f825). Cortana can handle various tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts. -- [Dictate text and commands](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571). Windows includes speech recognition that lets you tell it what to do. +- [Dictate text and commands](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571). Windows includes speech recognition that lets you tell it what to do. -- [Simplify for focus](https://support.microsoft.com/windows/make-it-easier-to-focus-on-tasks-0d259fd9-e9d0-702c-c027-007f0e78eaf2). Reducing animations and turning off background images and transparency can minimize distractions. +- [Simplify for focus](https://support.microsoft.com/windows/make-it-easier-to-focus-on-tasks-0d259fd9-e9d0-702c-c027-007f0e78eaf2). Reducing animations and turning off background images and transparency can minimize distractions. -- [Keep notifications around longer](https://support.microsoft.com/windows/make-windows-easier-to-hear-9c18cfdc-63be-2d47-0f4f-5b00facfd2e1). If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes. +- [Keep notifications around longer](https://support.microsoft.com/windows/make-windows-easier-to-hear-9c18cfdc-63be-2d47-0f4f-5b00facfd2e1). If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes. -- [Read in braille](https://support.microsoft.com/windows/chapter-8-using-narrator-with-braille-3e5f065b-1c9d-6eb2-ec6d-1d07c9e94b20). 
Narrator supports braille displays from more than 35 manufacturers using more than 40 languages and multiple braille variants. +- [Read in braille](https://support.microsoft.com/windows/chapter-8-using-narrator-with-braille-3e5f065b-1c9d-6eb2-ec6d-1d07c9e94b20). Narrator supports braille displays from more than 35 manufacturers using more than 40 languages and multiple braille variants. -- Starting in Windows 11, version 22H2 with [KB5022913](https://support.microsoft.com/kb/5022913), the compatibility of braille displays has been expanded. Braille displays work seamlessly and reliably across multiple screen readers, improving the end user experience. +- Starting in Windows 11, version 22H2 with [KB5022913](https://support.microsoft.com/kb/5022913), the compatibility of braille displays has been expanded. Braille displays work seamlessly and reliably across multiple screen readers, improving the end user experience. -## Hearing +## Hearing -- [Use live captions to better understand audio](https://support.microsoft.com/windows/use-live-captions-to-better-understand-audio-b52da59c-14b8-4031-aeeb-f6a47e6055df). Use Windows 11, version 22H2 or later to better understand any spoken audio with real time captions. +- [Use live captions to better understand audio](https://support.microsoft.com/windows/use-live-captions-to-better-understand-audio-b52da59c-14b8-4031-aeeb-f6a47e6055df). Use Windows 11, version 22H2 or later to better understand any spoken audio with real time captions. -- Starting with Windows 11, version 22H2 with [KB5026446](https://support.microsoft.com/kb/5026446), live captions now supports additional languages. +- Starting with Windows 11, version 22H2 with [KB5026446](https://support.microsoft.com/kb/5026446), live captions now supports additional languages. -- [View live transcription in a Teams meeting](https://support.microsoft.com/office/view-live-transcription-in-a-teams-meeting-dc1a8f23-2e20-4684-885e-2152e06a4a8b). 
During any Teams meeting, view a live transcription so you don't miss what's being said. +- [View live transcription in a Teams meeting](https://support.microsoft.com/office/view-live-transcription-in-a-teams-meeting-dc1a8f23-2e20-4684-885e-2152e06a4a8b). During any Teams meeting, view a live transcription so you don't miss what's being said. -- [Use Teams for sign language](https://www.microsoft.com/microsoft-teams/group-chat-software). Teams is available on various platforms and devices, so you don't have to worry about whether your co-workers, friends, and family can communicate with you. +- [Use Teams for sign language](https://www.microsoft.com/microsoft-teams/group-chat-software). Teams is available on various platforms and devices, so you don't have to worry about whether your co-workers, friends, and family can communicate with you. -- [Make Windows easier to hear](https://support.microsoft.com/windows/make-windows-easier-to-hear-9c18cfdc-63be-2d47-0f4f-5b00facfd2e1). +- [Make Windows easier to hear](https://support.microsoft.com/windows/make-windows-easier-to-hear-9c18cfdc-63be-2d47-0f4f-5b00facfd2e1). - Replace audible alerts with visual alerts. - If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes. - - Send all sounds to both left and right channels, which is helpful for those people with partial hearing loss or deafness in one ear. + - Send all sounds to both left and right channels, which is helpful for those people with partial hearing loss or deafness in one ear. -- [Read spoken words with captioning](https://support.microsoft.com/windows/change-caption-settings-135c465b-8cfd-3bac-9baf-4af74bc0069a). You can customize things like color, size, and background transparency to suit your needs and tastes. +- [Read spoken words with captioning](https://support.microsoft.com/windows/change-caption-settings-135c465b-8cfd-3bac-9baf-4af74bc0069a). 
You can customize things like color, size, and background transparency to suit your needs and tastes. -- Use the [Azure Cognitive Services Translator](/azure/cognitive-services/translator/) service to add machine translation to your solutions. +- Use the [Azure Cognitive Services Translator](/azure/cognitive-services/translator/) service to add machine translation to your solutions. -## Physical +## Physical -- [Have Cortana assist you](https://support.microsoft.com/topic/what-is-cortana-953e648d-5668-e017-1341-7f26f7d0f825). Cortana can handle various tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts. +- [Have Cortana assist you](https://support.microsoft.com/topic/what-is-cortana-953e648d-5668-e017-1341-7f26f7d0f825). Cortana can handle various tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts. -- [Dictate text and commands](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571). Windows includes voice recognition that lets you tell it what to do. +- [Dictate text and commands](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571). Windows includes voice recognition that lets you tell it what to do. -- [Use the On-Screen Keyboard (OSK)](https://support.microsoft.com/windows/use-the-on-screen-keyboard-osk-to-type-ecbb5e08-5b4e-d8c8-f794-81dbf896267a). Instead of relying on a physical keyboard, use the OSK to enter data and select keys with a mouse or other pointing device. It also offers word prediction and completion. +- [Use the On-Screen Keyboard (OSK)](https://support.microsoft.com/windows/use-the-on-screen-keyboard-osk-to-type-ecbb5e08-5b4e-d8c8-f794-81dbf896267a). Instead of relying on a physical keyboard, use the OSK to enter data and select keys with a mouse or other pointing device. It also offers word prediction and completion. 
-- [Make your mouse, keyboard, and other input devices easier to use](https://support.microsoft.com/windows/make-your-mouse-keyboard-and-other-input-devices-easier-to-use-10733da7-fa82-88be-0672-f123d4b3dcfe). +- [Make your mouse, keyboard, and other input devices easier to use](https://support.microsoft.com/windows/make-your-mouse-keyboard-and-other-input-devices-easier-to-use-10733da7-fa82-88be-0672-f123d4b3dcfe). - If you have limited control of your hands, you can personalize your keyboard to do helpful things like ignore repeated keys. - - If a mouse is difficult to use, you can control the pointer by using your numeric keypad. + - If a mouse is difficult to use, you can control the pointer by using your numeric keypad. -## Cognition +## Cognition -- [Simplify for focus](https://support.microsoft.com/windows/make-it-easier-to-focus-on-tasks-0d259fd9-e9d0-702c-c027-007f0e78eaf2). Reducing animations and turning off background images and transparency can minimize distractions. +- [Simplify for focus](https://support.microsoft.com/windows/make-it-easier-to-focus-on-tasks-0d259fd9-e9d0-702c-c027-007f0e78eaf2). Reducing animations and turning off background images and transparency can minimize distractions. -- [Download and use fonts that are easier to read](https://www.microsoft.com/download/details.aspx?id=50721). **Fluent Sitka Small** and **Fluent Calibri** are fonts that address "visual crowding" by adding character and enhance word and line spacing. +- [Download and use fonts that are easier to read](https://www.microsoft.com/download/details.aspx?id=50721). **Fluent Sitka Small** and **Fluent Calibri** are fonts that address "visual crowding" by adding character and enhance word and line spacing. -- [Microsoft Edge reading view](https://support.microsoft.com/windows/take-your-reading-with-you-b6699255-4436-708e-7b93-4d2e19a15af8). Clears distracting content from web pages so you can stay focused on what you really want to read. 
+- [Microsoft Edge reading view](https://support.microsoft.com/windows/take-your-reading-with-you-b6699255-4436-708e-7b93-4d2e19a15af8). Clears distracting content from web pages so you can stay focused on what you really want to read. -## Assistive technology devices built into Windows +## Assistive technology devices built into Windows -- [Hear text read aloud with Narrator](https://support.microsoft.com/windows/hear-text-read-aloud-with-narrator-040f16c1-4632-b64e-110a-da4a0ac56917). Narrator reads text on your PC screen aloud and describes events, such as notifications or calendar appointments, so you can use your PC without a display. +- [Hear text read aloud with Narrator](https://support.microsoft.com/windows/hear-text-read-aloud-with-narrator-040f16c1-4632-b64e-110a-da4a0ac56917). Narrator reads text on your PC screen aloud and describes events, such as notifications or calendar appointments, so you can use your PC without a display. -- Scripting functionality has been added to Narrator. There is store delivery of Narrator extension scripts which currently include an Outlook script and an Excel script. +- Scripting functionality has been added to Narrator. There is store delivery of Narrator extension scripts which currently include an Outlook script and an Excel script. -- [Use voice recognition](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571). +- [Use voice recognition](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571). -- With spellings experience in voice access, you can dictate a complex or non-standard word letter-by-letter and add it to Windows dictionary. The next time you try to dictate the same word, voice access improves its recognition. +- With spellings experience in voice access, you can dictate a complex or non-standard word letter-by-letter and add it to Windows dictionary. 
The next time you try to dictate the same word, voice access improves its recognition. -- [Save time with keyboard shortcuts](https://support.microsoft.com/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec). +- [Save time with keyboard shortcuts](https://support.microsoft.com/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec). -- [Use voice access to control your PC and author text with your voice](https://support.microsoft.com/en-us/topic/use-voice-access-to-control-your-pc-author-text-with-your-voice-4dcd23ee-f1b9-4fd1-bacc-862ab611f55d). +- [Use voice access to control your PC and author text with your voice](https://support.microsoft.com/en-us/topic/use-voice-access-to-control-your-pc-author-text-with-your-voice-4dcd23ee-f1b9-4fd1-bacc-862ab611f55d). -## Other resources +## Other resources -[Windows accessibility](https://www.microsoft.com/Accessibility/windows) +[Windows accessibility](https://www.microsoft.com/Accessibility/windows) -[Designing accessible software](/windows/apps/design/accessibility/designing-inclusive-software) +[Designing accessible software](/windows/apps/design/accessibility/designing-inclusive-software) -[Inclusive design](https://www.microsoft.com/design/inclusive) +[Inclusive design](https://www.microsoft.com/design/inclusive) [Accessibility guide for Microsoft 365 Apps](/deployoffice/accessibility-guide) diff --git a/windows/configuration/provisioning-apn.md b/windows/configuration/cellular/provisioning-apn.md similarity index 78% rename from windows/configuration/provisioning-apn.md rename to windows/configuration/cellular/provisioning-apn.md index 4600c0eaf2..44acf9a714 100644 --- a/windows/configuration/provisioning-apn.md +++ b/windows/configuration/cellular/provisioning-apn.md 
@@ -1,63 +1,40 @@ --- -title: Configure cellular settings for tablets and PCs (Windows 10) +title: Configure cellular settings for tablets and PCs description: Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles. -ms.reviewer: -manager: aaroncz -ms.prod: windows-client -author: lizgt2000 -ms.author: lizlong -ms.topic: article -ms.localizationpriority: medium +ms.topic: concept-article ms.date: 04/13/2018 -ms.technology: itpro-configure ---- +--- -# Configure cellular settings for tablets and PCs +# Configure cellular settings for tablets and PCs +>**Looking for consumer information?** See [Cellular settings in Windows 10](https://support.microsoft.com/help/10739/windows-10-cellular-settings) -**Applies to** +Enterprises can configure cellular settings for tablets and PC that have built-in cellular modems or plug-in USB modem dongles and apply the settings in a [provisioning package](provisioning-packages/provisioning-packages.md). After the devices are configured, users are automatically connected using the access point name (APN) defined by the enterprise without needing to manually connect. -- Windows 10 +For users who work in different locations, you can configure one APN to connect when the users are at work and a different APN when the users are traveling. ->**Looking for consumer information?** See [Cellular settings in Windows 10](https://support.microsoft.com/help/10739/windows-10-cellular-settings) - -Enterprises can configure cellular settings for tablets and PC that have built-in cellular modems or plug-in USB modem dongles and apply the settings in a [provisioning package](provisioning-packages/provisioning-packages.md). After the devices are configured, users are automatically connected using the access point name (APN) defined by the enterprise without needing to manually connect. 
- -For users who work in different locations, you can configure one APN to connect when the users are at work and a different APN when the users are traveling. - - -## Prerequisites +## Prerequisites - Windows 10, version 1703, desktop editions (Home, Pro, Enterprise, Education) - - Tablet or PC with built-in cellular modem or plug-in USB modem dongle - - [Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md) +- APN (the address that your PC uses to connect to the Internet when using the cellular data connection) -- APN (the address that your PC uses to connect to the Internet when using the cellular data connection) - - >[!NOTE] - >You can get the APN from your mobile operator. - -## How to configure cellular settings in a provisioning package +## How to configure cellular settings in a provisioning package 1. In Windows Configuration Designer, [start a new project](provisioning-packages/provisioning-create-package.md) using the **Advanced provisioning** option. - 2. Enter a name for your project, and then click **Next**. - 3. Select **All Windows desktop editions**, click **Next**, and then click **Finish**. - 4. Go to **Runtime settings > Connections > EnterpriseAPN**. +5. Enter a name for the connection, and then click **Add**. -5. Enter a name for the connection, and then click **Add**. +![Example of APN connection name.](images/apn-add.png) - ![Example of APN connection name.](images/apn-add.png) - -6. The connection appears in the **Available customizations** pane. Select it to view the settings that you can configure for the connection. +6. The connection appears in the **Available customizations** pane. Select it to view the settings that you can configure for the connection. - ![settings for new connection.](images/apn-add-details.png) - -7. The following table describes the settings available for the connection. +![settings for new connection.](images/apn-add-details.png) + +7. 
The following table describes the settings available for the connection. | Setting | Description | | --- | --- | @@ -71,46 +48,40 @@ For users who work in different locations, you can configure one APN to connect | IsAttachAPN | Specify whether this APN should be requested as part of an LTE Attach. | | Password | If you select PAP, CHAP, or MSCHAPv2 authentication, enter a password that corresponds to the user name. | | Roaming | Select the behavior that you want when the device is roaming. The options are:

-Disallowed
-Allowed (default)
-DomesticRoaming
-Use OnlyForDomesticRoaming
-UseOnlyForNonDomesticRoaming
-UseOnlyForRoaming | - | UserName | If you select PAP, CHAP, or MSCHAPv2 authentication, enter a user name. | - + | UserName | If you select PAP, CHAP, or MSCHAPv2 authentication, enter a user name. | + 8. After you configure the connection settings, [build the provisioning package](provisioning-packages/provisioning-create-package.md#build-package). +9. [Apply the package to devices.](provisioning-packages/provisioning-apply-package.md) -9. [Apply the package to devices.](provisioning-packages/provisioning-apply-package.md) +## Confirm the settings - -## Confirm the settings - -After you apply the provisioning package, you can confirm that the settings have been applied. +After you apply the provisioning package, you can confirm that the settings have been applied. 1. On the configured device, open a command prompt as an administrator. - -2. Run the following command: +2. Run the following command: ``` netsh mbn show profiles - ``` + ``` -3. The command will list the mobile broadband profiles. Using the "Name" for the listed mobile broadband profile, run: +3. The command will list the mobile broadband profiles. Using the "Name" for the listed mobile broadband profile, run: ``` netsh mbn show profiles name="name" - ``` + ``` - This command will list details for that profile, including Access Point Name. + This command will list details for that profile, including Access Point Name. - -Alternatively, you can also use the command: +Alternatively, you can also use the command: ``` netsh mbn show interface -``` +``` -From the results of that command, get the name of the cellular/mobile broadband interface and run: +From the results of that command, get the name of the cellular/mobile broadband interface and run: ``` netsh mbn show connection interface="name" -``` +``` The result of that command will show details for the cellular interface, including Access Point Name. - - 
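Review bot: The rename moves this file from windows/configuration/ into windows/configuration/cellular/, but the relative links on the added lines are unchanged (`provisioning-packages/provisioning-packages.md`, `provisioning-packages/provisioning-install-icd.md`, `provisioning-packages/provisioning-create-package.md`, `images/apn-add.png`, `images/apn-add-details.png`), so they now resolve under cellular/. Unless those targets move in the same change, prefix them with `../` or include the moves here. Separately, the two screenshots under steps 5 and 6 appear to lose their indentation, which takes them out of the numbered list; keep them indented under their step. The hunk also removes the note that the APN comes from the mobile operator with no replacement, and that is worth keeping under Prerequisites.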
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md index d238ab8539..e98471615d 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md 
@@ -1,27 +1,20 @@ --- title: Send feedback about Cortana at work back to Microsoft description: Learn how to send feedback to Microsoft about Cortana at work so you can provide more information to help diagnose reported issues. -ms.prod: windows-client -ms.collection: tier3 -author: aczechowski -ms.localizationpriority: medium -ms.author: aaroncz ms.date: 10/05/2017 -ms.reviewer: -manager: aaroncz -ms.technology: itpro-configure ---- +ms.topic: article +--- # Send feedback about Cortana back to Microsoft -[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] +[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] -To provide feedback on an individual request or response, select the item in the conversation history and then select **Give feedback**. The Feedback Hub application is launched, where you can provide more information to help diagnose reported issues. +To provide feedback on an individual request or response, select the item in the conversation history and then select **Give feedback**. The Feedback Hub application is launched, where you can provide more information to help diagnose reported issues. -:::image type="content" source="../screenshot1.png" alt-text="Screenshot: Send feedback page"::: +:::image type="content" source="../screenshot1.png" alt-text="Screenshot: Send feedback page"::: -To provide feedback about the application in general, go to the **Settings** menu by selecting the three dots in the top left of the application, and select **Feedback**. The Feedback Hub is launched, where more information on the issue can be provided. +To provide feedback about the application in general, go to the **Settings** menu by selecting the three dots in the top left of the application, and select **Feedback**. The Feedback Hub is launched, where more information on the issue can be provided. 
-:::image type="content" source="../screenshot12.png" alt-text="Screenshot: Select Feedback to go to the Feedback Hub"::: +:::image type="content" source="../screenshot12.png" alt-text="Screenshot: Select Feedback to go to the Feedback Hub"::: In order for enterprise users to provide feedback, admins must unblock the Feedback Hub in the [Azure portal](https://portal.azure.com/). Go to the **Enterprise applications section** and enable **Users can allow apps to access their data**. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md index 8cc906cd9f..b902c9bd3d 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md 
@@ -1,60 +1,51 @@ --- title: Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization description: Learn how to connect Cortana to Office 365 so employees are notified about regular meetings and unusual events. You can even set an alarm for early meetings. -ms.prod: windows-client -ms.collection: tier3 -ms.mktglfcycl: manage -ms.sitesec: library -author: aczechowski -ms.localizationpriority: medium -ms.author: aaroncz ms.date: 10/05/2017 -ms.reviewer: -manager: aaroncz -ms.technology: itpro-configure ---- +ms.topic: article +--- -# Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization +# Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization -[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] +[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] ## What can you do with in Windows 10, versions 1909 and earlier? -Your employees can use Cortana to help manage their day and be more productive by getting quick answers to common questions, setting reminders, adding tasks to their To-Do lists, and find out where their next meeting is. +Your employees can use Cortana to help manage their day and be more productive by getting quick answers to common questions, setting reminders, adding tasks to their To-Do lists, and find out where their next meeting is. -**See also:** +**See also:** -[Known issues for Windows Desktop Search and Cortana in Windows 10](/troubleshoot/windows-client/shell-experience/windows-desktop-search-and-cortana-issues). +[Known issues for Windows Desktop Search and Cortana in Windows 10](/troubleshoot/windows-client/shell-experience/windows-desktop-search-and-cortana-issues). ### Before you begin -There are a few things to be aware of before you start using Cortana in Windows 10, versions 1909 and earlier. 
+There are a few things to be aware of before you start using Cortana in Windows 10, versions 1909 and earlier. -- **Microsoft Entra account.** Before your employees can use Cortana in your org, they must be logged in using their Microsoft Entra account through Cortana's notebook. They must also authorize Cortana to access Microsoft 365 on their behalf. +- **Microsoft Entra account.** Before your employees can use Cortana in your org, they must be logged in using their Microsoft Entra account through Cortana's notebook. They must also authorize Cortana to access Microsoft 365 on their behalf. -- **Office 365 Trust Center.** Cortana in Windows 10, version 1909 and earlier, isn't a service governed by the [Online Services Terms](https://www.microsoft.com/en-us/licensing/product-licensing/products). [Learn more about how Cortana in Windows 10, versions 1909 and earlier, treats your data](https://support.microsoft.com/en-us/help/4468233/cortana-and-privacy-microsoft-privacy). +- **Office 365 Trust Center.** Cortana in Windows 10, version 1909 and earlier, isn't a service governed by the [Online Services Terms](https://www.microsoft.com/en-us/licensing/product-licensing/products). [Learn more about how Cortana in Windows 10, versions 1909 and earlier, treats your data](https://support.microsoft.com/en-us/help/4468233/cortana-and-privacy-microsoft-privacy). -- Windows Information Protection (WIP). If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). If you decide to use WIP, you must also have a management solution. This solution can be Microsoft Intune, Configuration Manager (version 1606 or later), or your current company-wide third-party mobile device management (MDM) solution. +- Windows Information Protection (WIP). 
If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). If you decide to use WIP, you must also have a management solution. This solution can be Microsoft Intune, Configuration Manager (version 1606 or later), or your current company-wide third-party mobile device management (MDM) solution. -- **Troubleshooting tips.** If you run into issues, check out these [troubleshooting tips](/office365/troubleshoot/miscellaneous/issues-in-cortana). +- **Troubleshooting tips.** If you run into issues, check out these [troubleshooting tips](/office365/troubleshoot/miscellaneous/issues-in-cortana). ### Turn on Cortana enterprise services on employees' devices -Your employees must connect Cortana to their Microsoft 365 account to be able to use skills like email and calendar. +Your employees must connect Cortana to their Microsoft 365 account to be able to use skills like email and calendar. -#### Turn on Cortana enterprise services +#### Turn on Cortana enterprise services -1. Select the **Cortana** search box in the taskbar, and then select the **Notebook** icon. +1. Select the **Cortana** search box in the taskbar, and then select the **Notebook** icon. -2. Select **Manage Skills** , select **Manage accounts** , and under **Microsoft 365** select **Link**. The employee will be directed to sign into their Microsoft 365 account. +2. Select **Manage Skills** , select **Manage accounts** , and under **Microsoft 365** select **Link**. The employee will be directed to sign into their Microsoft 365 account. -3. The employee can also disconnect by selecting **Microsoft 365**, then **Unlink**. +3. The employee can also disconnect by selecting **Microsoft 365**, then **Unlink**. 
#### Turn off Cortana enterprise services -Cortana in Windows 10, versions 1909 and earlier can only access data in your Microsoft 365 organization when it's turned on. If you don't want Cortana to access your corporate data, you can turn it off in the Microsoft 365 admin center. +Cortana in Windows 10, versions 1909 and earlier can only access data in your Microsoft 365 organization when it's turned on. If you don't want Cortana to access your corporate data, you can turn it off in the Microsoft 365 admin center. -1. Sign into the [Microsoft 365 admin center](https://admin.microsoft.com/) using your admin account. +1. Sign into the [Microsoft 365 admin center](https://admin.microsoft.com/) using your admin account. -2. Select the app launcher icon in the upper-left and choose **Admin**. +2. Select the app launcher icon in the upper-left and choose **Admin**. -3. Expand **Settings** and select **Org Settings**. +3. Expand **Settings** and select **Org Settings**. 4. Select **Cortana** to toggle Cortana's access to Microsoft 365 data off. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md index 9bd3833b21..7f8a3a5077 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md 
@@ -1,66 +1,58 @@ --- title: Configure Cortana in Windows 10 and Windows 11 -ms.reviewer: -manager: aaroncz description: Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and for enterprise environments. -ms.prod: windows-client -ms.collection: tier3 -author: aczechowski -ms.localizationpriority: medium -ms.author: aaroncz -ms.technology: itpro-configure ms.date: 12/31/2017 ms.topic: article ---- +--- # Configure Cortana in Windows 10 and Windows 11 [!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] -## Who is Cortana? +## Who is Cortana? -Cortana is a personal productivity assistant in Microsoft 365, helping your users achieve more with less effort and focus on what matters. The Cortana app in Windows 10 and Windows 11 helps users quickly get information across Microsoft 365, using typed or spoken queries to connect with people, check calendars, set reminders, add tasks, and more. +Cortana is a personal productivity assistant in Microsoft 365, helping your users achieve more with less effort and focus on what matters. The Cortana app in Windows 10 and Windows 11 helps users quickly get information across Microsoft 365, using typed or spoken queries to connect with people, check calendars, set reminders, add tasks, and more. -:::image type="content" source="./images/screenshot1.png" alt-text="Screenshot: Cortana home page example"::: +:::image type="content" source="./images/screenshot1.png" alt-text="Screenshot: Cortana home page example"::: -## Where is Cortana available for use in my organization? +## Where is Cortana available for use in my organization? -Your employees can use Cortana in the languages listed [here](https://support.microsoft.com/help/4026948/cortanas-regions-and-languages). However, most productivity skills are currently only enabled for English (United States), for users with mailboxes in the United States. 
+Your employees can use Cortana in the languages listed [here](https://support.microsoft.com/help/4026948/cortanas-regions-and-languages). However, most productivity skills are currently only enabled for English (United States), for users with mailboxes in the United States. -The Cortana app in Windows 10, version 2004 requires the latest Microsoft Store update to support languages other than English (United States). +The Cortana app in Windows 10, version 2004 requires the latest Microsoft Store update to support languages other than English (United States). -## Required hardware and software +## Required hardware and software -Cortana requires a PC running Windows 10, version 1703 or later, and the following software to successfully run the included scenario in your organization. +Cortana requires a PC running Windows 10, version 1703 or later, and the following software to successfully run the included scenario in your organization. >[!NOTE] ->A microphone isn't required to use Cortana. +>A microphone isn't required to use Cortana. | Software | Minimum version | |---------|---------| |Client operating system | - Windows 10, version 2004 (recommended)

- Windows 10, version 1703 (legacy version of Cortana)

For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](#how-is-my-data-processed-by-cortana) below. | |Microsoft Entra ID | While all employees signing into Cortana need a Microsoft Entra account, a Microsoft Entra ID P1 or P2 tenant isn't required. | -|Additional policies (Group Policy and Mobile Device Management (MDM)) |There's a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn off Cortana. For example, if you turn **Speech** off, your employees won't be able to use the wake word ("Cortana") for hands-free activation or voice commands to easily ask for help. | +|Additional policies (Group Policy and Mobile Device Management (MDM)) |There's a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn off Cortana. For example, if you turn **Speech** off, your employees won't be able to use the wake word ("Cortana") for hands-free activation or voice commands to easily ask for help. | >[!NOTE] ->For Windows 11, Cortana is no longer pinned to the taskbar by default. You can still pin the Cortana app to the taskbar as you would any other app. In addition, the keyboard shortcut that launched Cortana (Win+C) no longer opens Cortana. +>For Windows 11, Cortana is no longer pinned to the taskbar by default. You can still pin the Cortana app to the taskbar as you would any other app. In addition, the keyboard shortcut that launched Cortana (Win+C) no longer opens Cortana. - + -## Signing in using Microsoft Entra ID +## Signing in using Microsoft Entra ID -Your organization must have a Microsoft Entra tenant and your employees' devices must all be Microsoft Entra joined for the best Cortana experience. 
(Users may also sign into Cortana with a Microsoft account, but won't be able to use their enterprise email or calendar.) For info about what a Microsoft Entra tenant is, how to get your devices joined, and other Microsoft Entra maintenance info, see [Microsoft Entra documentation.](/azure/active-directory/) +Your organization must have a Microsoft Entra tenant and your employees' devices must all be Microsoft Entra joined for the best Cortana experience. (Users may also sign into Cortana with a Microsoft account, but won't be able to use their enterprise email or calendar.) For info about what a Microsoft Entra tenant is, how to get your devices joined, and other Microsoft Entra maintenance info, see [Microsoft Entra documentation.](/azure/active-directory/) -## How is my data processed by Cortana? +## How is my data processed by Cortana? -Cortana's approach to integration with Microsoft 365 has changed with Windows 10, version 2004 and later. +Cortana's approach to integration with Microsoft 365 has changed with Windows 10, version 2004 and later. -### Cortana in Windows 10, version 2004 and later, or Windows 11 +### Cortana in Windows 10, version 2004 and later, or Windows 11 -Cortana enterprise services that can be accessed using Microsoft Entra ID through Cortana meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365&preserve-view=true). +Cortana enterprise services that can be accessed using Microsoft Entra ID through Cortana meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). 
To learn more, see [Cortana in Microsoft 365](/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365&preserve-view=true). -#### How does Microsoft store, retain, process, and use Customer Data in Cortana? +#### How does Microsoft store, retain, process, and use Customer Data in Cortana? -The table below describes the data handling for Cortana enterprise services. +The table below describes the data handling for Cortana enterprise services. | Name | Description | 
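Review bot: In the "Cortana in Windows 10, version 2004 and later, or Windows 11" paragraph, the Cortana in Microsoft 365 link places `&preserve-view=true` after the `#what-data-is-processed-by-cortana-in-office-365` fragment, so it is read as part of the anchor rather than as a query parameter. Since the line is already being touched, move it ahead of the fragment: `?view=o365-worldwide&preserve-view=true#what-data-is-processed-by-cortana-in-office-365`. The front matter in this hunk also drops `author`, `ms.author` and `manager` with nothing added in their place; please confirm those values are supplied elsewhere before merging.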
@@ -69,31 +61,31 @@ The table below describes the data handling for Cortana enterprise services. |**Stays in Geo** |Customer Data is stored on Microsoft servers inside the Office 365 cloud in Geo. Your data is part of your tenant. | |**Retention** |Customer Data is deleted when the account is closed by the tenant administrator or when a GDPR Data Subject Rights deletion request is made. Speech audio isn't retained. | |**Processing and confidentiality** |Personnel engaged in the processing of Customer Data and personal data (i) will process such data only on instructions from Customer, and (ii) will be obligated to maintain the confidentiality and security of such data even after their engagement ends. | -|**Usage** |Microsoft uses Customer Data only to provide the services agreed upon, and for purposes that are compatible with those services. Machine learning to develop and improve models is one of those purposes. Machine learning is done inside the Office 365 cloud consistent with the Online Services Terms. Your data isn't used to target advertising. | +|**Usage** |Microsoft uses Customer Data only to provide the services agreed upon, and for purposes that are compatible with those services. Machine learning to develop and improve models is one of those purposes. Machine learning is done inside the Office 365 cloud consistent with the Online Services Terms. Your data isn't used to target advertising. | -#### How does the wake word (Cortana) work? If I enable it, is Cortana always listening? +#### How does the wake word (Cortana) work? If I enable it, is Cortana always listening? >[!NOTE] ->The wake word has been re-enabled in the latest version of Cortana in Windows. If you're on Windows 10, version 2004, be sure that you've updated to build 19041.329 or later to use the wake word with Cortana. For earlier builds, you can still click on the microphone button to use your voice with Cortana. 
+>The wake word has been re-enabled in the latest version of Cortana in Windows. If you're on Windows 10, version 2004, be sure that you've updated to build 19041.329 or later to use the wake word with Cortana. For earlier builds, you can still click on the microphone button to use your voice with Cortana. -Cortana only begins listening for commands or queries when the wake word is detected, or the microphone button has been selected. +Cortana only begins listening for commands or queries when the wake word is detected, or the microphone button has been selected. -First, the user must enable the wake word from within Cortana settings. Once it has been enabled, a component of Windows called the [Windows Multiple Voice Assistant platform](/windows-hardware/drivers/audio/voice-activation-mva#voice-activation) will start listening for the wake word. No audio is processed by speech recognition unless two local wake word detectors and a server-side one agree with high confidence that the wake word was heard. +First, the user must enable the wake word from within Cortana settings. Once it has been enabled, a component of Windows called the [Windows Multiple Voice Assistant platform](/windows-hardware/drivers/audio/voice-activation-mva#voice-activation) will start listening for the wake word. No audio is processed by speech recognition unless two local wake word detectors and a server-side one agree with high confidence that the wake word was heard. -The first decision is made by the Windows Multiple Voice Assistant platform using hardware optionally included in the user's PC for power savings. If the wake word is detected, Windows will show a microphone icon in the system tray indicating an assistant app is listening. +The first decision is made by the Windows Multiple Voice Assistant platform using hardware optionally included in the user's PC for power savings. 
If the wake word is detected, Windows will show a microphone icon in the system tray indicating an assistant app is listening. -:::image type="content" source="./images/screenshot2.png" alt-text="Screenshot: Microphone icon in the system tray indicating an assistant app is listening"::: +:::image type="content" source="./images/screenshot2.png" alt-text="Screenshot: Microphone icon in the system tray indicating an assistant app is listening"::: -At that point, the Cortana app will receive the audio, run a second, more accurate wake word detector, and optionally send it to a Microsoft cloud service where a third wake word detector will confirm. If the service doesn't confirm that the activation was valid, the audio will be discarded and deleted from any further processing or server logs. On the user's PC, the Cortana app will be silently dismissed, and no query will be shown in conversation history because the query was discarded. +At that point, the Cortana app will receive the audio, run a second, more accurate wake word detector, and optionally send it to a Microsoft cloud service where a third wake word detector will confirm. If the service doesn't confirm that the activation was valid, the audio will be discarded and deleted from any further processing or server logs. On the user's PC, the Cortana app will be silently dismissed, and no query will be shown in conversation history because the query was discarded. -If all three wake word detectors agree, the Cortana canvas will show what speech has been recognized. +If all three wake word detectors agree, the Cortana canvas will show what speech has been recognized. -### Cortana in Windows 10, versions 1909 and earlier +### Cortana in Windows 10, versions 1909 and earlier -Cortana in Windows 10, versions 1909 and earlier, isn't a service covered by the Office 365 Trust Center. [Learn more about how Cortana in Windows 10, version 1909 and earlier, treats your data](https://go.microsoft.com/fwlink/p/?LinkId=536419). 
+Cortana in Windows 10, versions 1909 and earlier, isn't a service covered by the Office 365 Trust Center. [Learn more about how Cortana in Windows 10, version 1909 and earlier, treats your data](https://go.microsoft.com/fwlink/p/?LinkId=536419). -Cortana is covered under the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement). +Cortana is covered under the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement). -## See also +## See also - [What is Cortana?](https://go.microsoft.com/fwlink/p/?LinkId=746818) diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md index e0881606c0..564a64eb3c 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md 
@@ -1,88 +1,80 @@ --- title: Configure Cortana with Group Policy and MDM settings (Windows) description: The list of Group Policy and mobile device management (MDM) policy settings that apply to Cortana at work. -ms.prod: windows-client -ms.collection: tier3 -author: aczechowski -ms.localizationpriority: medium -ms.author: aaroncz -ms.reviewer: -manager: aaroncz -ms.technology: itpro-configure ms.date: 12/31/2017 ms.topic: article ---- +--- # Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization -[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] +[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] -For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). +For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). - **Allow Cortana** - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana` - **MDM policy CSP**: [Experience/AllowCortana](/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) - - **Description**: Specifies if users can use Cortana. + - **Description**: Specifies if users can use Cortana. - Cortana won’t work if this setting is turned off (disabled). On Windows 10, version 1809 and below, users can still do local searches, even with Cortana turned off. + Cortana won't work if this setting is turned off (disabled). On Windows 10, version 1809 and below, users can still do local searches, even with Cortana turned off. 
- **AllowCortanaAboveLock** - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock` - **MDM policy CSP**: [AboveLock/AllowCortanaAboveLock](/windows/client-management/mdm/policy-csp-abovelock#abovelock-allowcortanaabovelock) - - **Description**: Specifies whether users can interact with Cortana using voice commands when the system is locked. + - **Description**: Specifies whether users can interact with Cortana using voice commands when the system is locked. - This setting: + This setting: - Doesn't apply to Windows 10, versions 2004 and later - - Doesn't apply to Windows 11 + - Doesn't apply to Windows 11 - **LetAppsActivateWithVoice** - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsActivateWithVoice` - **MDM policy CSP**: [Privacy/LetAppsActivateWithVoice](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsactivatewithvoice) - - **Description**: Specifies if apps, like Cortana or other voice assistants, can activate using a wake word, like “Hey Cortana”. + - **Description**: Specifies if apps, like Cortana or other voice assistants, can activate using a wake word, like "Hey Cortana". - This setting applies to: + This setting applies to: - Windows 10 versions 2004 and later - - Windows 11 + - Windows 11 - To disable wake word activation on Windows 10 versions 1909 and earlier, disable voice commands using the [Privacy/AllowInputPersonalization CSP](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization). + To disable wake word activation on Windows 10 versions 1909 and earlier, disable voice commands using the [Privacy/AllowInputPersonalization CSP](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization). 
- **LetAppsAccessMicrophone** - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsAccessMicrophone` - **MDM policy CSP**: [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone-forcedenytheseapps) - - **Description**: Disables Cortana’s access to the microphone. To use this setting, enter Cortana’s Package Family Name: `Microsoft.549981C3F5F10_8wekyb3d8bbwe`. Users can still type queries to Cortana. + - **Description**: Disables Cortana's access to the microphone. To use this setting, enter Cortana's Package Family Name: `Microsoft.549981C3F5F10_8wekyb3d8bbwe`. Users can still type queries to Cortana. - **Allow users to enable online speech recognition services** - **Group policy**: `Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow users to enable online speech recognition services` - **MDM policy CSP**: [Privacy/AllowInputPersonalization](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) - **Description**: Specifies whether users can use voice commands with Cortana in your organization. - - **Windows 10, version 1511**: Cortana won’t work if this setting is turned off (disabled). + - **Windows 10, version 1511**: Cortana won't work if this setting is turned off (disabled). - **Windows 10, version 1607 and later**: Non-speech aspects of Cortana will still work if this setting is turned off (disabled). - - **Windows 10, version 2004 and later**: Cortana will work, but voice input will be disabled. + - **Windows 10, version 2004 and later**: Cortana will work, but voice input will be disabled. - **AllowLocation** - **Group policy**: None - **MDM policy CSP**: [System/AllowLocation](/windows/client-management/mdm/policy-csp-system#system-allowlocation) - **Description**: Specifies whether to allow app access to the Location service. 
- - **Windows 10, version 1511**: Cortana won’t work if this setting is turned off (disabled). + - **Windows 10, version 1511**: Cortana won't work if this setting is turned off (disabled). - **Windows 10, version 1607 and later**: Cortana still works if this setting is turned off (disabled). - - **Windows 10, version 2004 and later**: Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11 don't use the Location service. + - **Windows 10, version 2004 and later**: Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11 don't use the Location service. - **AllowMicrosoftAccountConnection** - **Group policy**: None - **MDM policy CSP**: [Accounts/AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection) - - **Description**: Specifies whether to allow users to sign in using a Microsoft account (MSA) from Windows apps. If you only want to allow users to sign in with their Microsoft Entra account, then disable this setting. + - **Description**: Specifies whether to allow users to sign in using a Microsoft account (MSA) from Windows apps. If you only want to allow users to sign in with their Microsoft Entra account, then disable this setting. - **Allow search and Cortana to use location** - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location` - **MDM policy CSP**: [Search/AllowSearchToUseLocation](/windows/client-management/mdm/policy-csp-search#search-allowsearchtouselocation) - - **Description**: Specifies whether Cortana can use your current location during searches and for location reminders. In **Windows 10, version 2004 and later**, Cortana still works if this setting is turned off (disabled). 
Cortana in Windows 10, versions 2004 and later, or Windows 11, don't use the Location service. + - **Description**: Specifies whether Cortana can use your current location during searches and for location reminders. In **Windows 10, version 2004 and later**, Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11, don't use the Location service. - **Don't search the web or display web results** - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results` - **MDM policy CSP**: [Search/DoNotUseWebResults](/windows/client-management/mdm/policy-csp-search#search-donotusewebresults) - **Description**: Specifies if search can do queries on the web, and if the web results are shown in search. - - **Windows 10 Pro edition**: This setting can’t be managed. + - **Windows 10 Pro edition**: This setting can't be managed. - **Windows 10 Enterprise edition**: Cortana won't work if this setting is turned off (disabled). - **Windows 10, version 2004 and later**: This setting no longer impacts Cortana. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md index 28baf34fab..5605206b96 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md 
@@ -1,38 +1,30 @@ --- title: Sign into Microsoft Entra ID, enable the wake word, and try a voice query description: A test scenario walking you through signing in and managing the notebook. -ms.prod: windows-client -ms.collection: tier3 -author: aczechowski -ms.localizationpriority: medium -ms.author: aaroncz -ms.reviewer: -manager: aaroncz -ms.technology: itpro-configure ms.date: 12/31/2017 ms.topic: article ---- +--- -# Test scenario 1 – Sign into Microsoft Entra ID, enable the wake word, and try a voice query +# Test scenario 1 - Sign into Microsoft Entra ID, enable the wake word, and try a voice query -[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] +[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] >[!NOTE] ->The wake word has been re-enabled in the latest version of Cortana in Windows. If you're on Windows 10, version 2004, be sure that you've updated to build 19041.329 or later to use the wake word with Cortana. For earlier builds, you can still click on the microphone button to use your voice with Cortana. +>The wake word has been re-enabled in the latest version of Cortana in Windows. If you're on Windows 10, version 2004, be sure that you've updated to build 19041.329 or later to use the wake word with Cortana. For earlier builds, you can still click on the microphone button to use your voice with Cortana. -1. Select the **Cortana** icon in the task bar and sign in using your Microsoft Entra account. +1. Select the **Cortana** icon in the task bar and sign in using your Microsoft Entra account. -2. Select the "…" menu and select **Talking to Cortana**. +2. Select the "…" menu and select **Talking to Cortana**. -3. Toggle **Wake word** to **On** and close Cortana. +3. Toggle **Wake word** to **On** and close Cortana. -4. Say **Cortana, what can you do?** +4. Say **Cortana, what can you do?** - When you say **Cortana**, Cortana will open in listening mode to acknowledge the wake word. 
+ When you say **Cortana**, Cortana will open in listening mode to acknowledge the wake word. - :::image type="content" source="../screenshot4.png" alt-text="Screenshot: Cortana listening mode"::: + :::image type="content" source="../screenshot4.png" alt-text="Screenshot: Cortana listening mode"::: - Once you finish saying your query, Cortana will open with the result. + Once you finish saying your query, Cortana will open with the result. >[!NOTE] >If you've disabled the wake word using MDM or Group Policy, you will need to manually activate the microphone by selecting Cortana, then the mic button. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md index c107c97a64..b47a41ac09 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md 
@@ -1,28 +1,21 @@ --- title: Perform a quick search with Cortana at work (Windows) description: This scenario is a test scenario about how to perform a quick search with Cortana at work. -ms.prod: windows-client -ms.collection: tier3 -author: aczechowski -ms.localizationpriority: medium -ms.author: aaroncz ms.date: 10/05/2017 -ms.reviewer: -manager: aaroncz -ms.technology: itpro-configure ---- +ms.topic: article +--- -# Test scenario 2 – Perform a Bing search with Cortana +# Test scenario 2 - Perform a Bing search with Cortana -[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] +[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] -1. Select the **Cortana** icon in the taskbar. +1. Select the **Cortana** icon in the taskbar. -2. Type **What time is it in Hyderabad?**. +2. Type **What time is it in Hyderabad?**. -Cortana will respond with the information from Bing. +Cortana will respond with the information from Bing. -:::image type="content" source="../screenshot5.png" alt-text="Screenshot: Cortana showing current time in Hyderabad"::: +:::image type="content" source="../screenshot5.png" alt-text="Screenshot: Cortana showing current time in Hyderabad"::: >[!NOTE] >This scenario requires Bing Answers to be enabled. To learn more, see [Set up and configure the Bing Answers feature](./set-up-and-test-cortana-in-windows-10.md#set-up-and-configure-the-bing-answers-feature). diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md index 50fb4c4d32..7196a43e37 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md 
@@ -1,27 +1,20 @@ --- title: Set a reminder for a location with Cortana at work (Windows) description: A test scenario about how to set a location-based reminder using Cortana at work. -ms.prod: windows-client -ms.collection: tier3 -author: aczechowski -ms.localizationpriority: medium -ms.author: aaroncz ms.date: 10/05/2017 -ms.reviewer: -manager: aaroncz -ms.technology: itpro-configure ---- +ms.topic: article +--- # Test scenario 3 - Set a reminder -[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] +[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] -This scenario helps you set up, review, and edit a reminder. For example, you can remind yourself to send someone a link to a document after a meeting. +This scenario helps you set up, review, and edit a reminder. For example, you can remind yourself to send someone a link to a document after a meeting. -1. Select the **Cortana** icon in the taskbar and type **Remind me to send a link to the deck at 3:05pm** and press **Enter**. +1. Select the **Cortana** icon in the taskbar and type **Remind me to send a link to the deck at 3:05pm** and press **Enter**. -Cortana will create a reminder in Microsoft To Do and will remind you at the appropriate time. +Cortana will create a reminder in Microsoft To Do and will remind you at the appropriate time. -:::image type="content" source="../screenshot6.png" alt-text="Screenshot: Cortana set a reminder"::: +:::image type="content" source="../screenshot6.png" alt-text="Screenshot: Cortana set a reminder"::: :::image type="content" source="../screenshot7.png" alt-text="Screenshot: Cortana showing reminder on page"::: diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md index 997bd2f471..90780db1c2 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md 
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md @@ -1,30 +1,23 @@ --- title: Use Cortana at work to find your upcoming meetings (Windows) description: A test scenario on how to use Cortana at work to find your upcoming meetings. -ms.prod: windows-client -ms.collection: tier3 -author: aczechowski -ms.localizationpriority: medium -ms.author: aaroncz ms.date: 10/05/2017 -ms.reviewer: -manager: aaroncz -ms.technology: itpro-configure ---- +ms.topic: article +--- -# Test scenario 4 - Use Cortana to find free time on your calendar for your upcoming meetings. +# Test scenario 4 - Use Cortana to find free time on your calendar for your upcoming meetings. -[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] +[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] -This scenario helps you find out if a time slot is free on your calendar. +This scenario helps you find out if a time slot is free on your calendar. -1. Select the **Cortana** icon in the taskbar. +1. Select the **Cortana** icon in the taskbar. -2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar. +2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar. -3. Type **Am I free at 3 PM tomorrow?** +3. Type **Am I free at 3 PM tomorrow?** -Cortana will respond with your availability for that time, and nearby meetings. +Cortana will respond with your availability for that time, and nearby meetings. :::image type="content" source="../screenshot8.png" alt-text="Screenshot: Cortana showing free time on a calendar"::: diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md index 67d77779e6..2d8353fd4d 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md 
@@ -1,27 +1,20 @@ --- title: Use Cortana to send email to a coworker (Windows) description: A test scenario about how to use Cortana at work to send email to a coworker. -ms.prod: windows-client -ms.collection: tier3 -author: aczechowski -ms.localizationpriority: medium -ms.author: aaroncz ms.date: 10/05/2017 -ms.reviewer: -manager: aaroncz -ms.technology: itpro-configure ---- +ms.topic: article +--- -# Test scenario 5 - Test scenario 5 – Find out about a person +# Test scenario 5 - Test scenario 5 - Find out about a person -[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] +[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] -Cortana can help you quickly look up information about someone or the org chart. +Cortana can help you quickly look up information about someone or the org chart. -1. Select the **Cortana** icon in the taskbar. +1. Select the **Cortana** icon in the taskbar. -2. Type or select the mic and say, **Who is name of person in your organization's?** +2. Type or select the mic and say, **Who is name of person in your organization's?** -:::image type="content" source="../screenshot9.png" alt-text="Screenshot: Cortana showing name of person in your organization"::: +:::image type="content" source="../screenshot9.png" alt-text="Screenshot: Cortana showing name of person in your organization"::: Cortana will respond with information about the person. You can select the person to see more information about them in Microsoft Search. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md index a940f6be39..183069669a 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md 
@@ -1,27 +1,20 @@ --- title: Review a reminder suggested by Cortana (Windows) description: A test scenario on how to use Cortana with the Suggested reminders feature. -ms.prod: windows-client -ms.collection: tier3 -author: aczechowski -ms.localizationpriority: medium -ms.author: aaroncz ms.date: 10/05/2017 -ms.reviewer: -manager: aaroncz -ms.technology: itpro-configure ---- +ms.topic: article +--- -# Test scenario 6 – Change your language and perform a quick search with Cortana +# Test scenario 6 - Change your language and perform a quick search with Cortana -[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] +[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] -Cortana can help employees in regions outside the US search for quick answers like currency conversions, time zone conversions, or weather in their location. +Cortana can help employees in regions outside the US search for quick answers like currency conversions, time zone conversions, or weather in their location. -1. Select the **Cortana** icon in the taskbar. +1. Select the **Cortana** icon in the taskbar. -2. Select the **…** menu, then select **Settings**, **Language**, then select **Español (España)**. You'll be prompted to restart the app. +2. Select the **…** menu, then select **Settings**, **Language**, then select **Español (España)**. You'll be prompted to restart the app. -3. Once the app has restarted, type or say **Convierte 100 Euros a Dólares**. +3. Once the app has restarted, type or say **Convierte 100 Euros a Dólares**. :::image type="content" source="../screenshot10.png" alt-text="Screenshot: Cortana showing a change your language and showing search results in Spanish"::: diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md index 88e5901e0c..ed62fcb38a 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md 
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md 
@@ -1,38 +1,31 @@ --- title: Help protect data with Cortana and WIP (Windows) description: An optional test scenario about how to use Cortana at work with Windows Information Protection (WIP). -ms.prod: windows-client -ms.collection: tier3 -author: aczechowski -ms.localizationpriority: medium -ms.author: aaroncz ms.date: 10/05/2017 -ms.reviewer: -manager: aaroncz -ms.technology: itpro-configure ---- +ms.topic: article +--- -# Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device +# Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization's data on a device -[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] +[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] >[!IMPORTANT] ->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. +>The data created as part of these scenarios will be uploaded to Microsoft's Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. -This optional scenario helps you to protect your organization’s data on a device, based on an inspection by Cortana. +This optional scenario helps you to protect your organization's data on a device, based on an inspection by Cortana. -## Use Cortana and WIP to protect your organization’s data +## Use Cortana and WIP to protect your organization's data -1. Create and deploy a WIP policy to your organization. For information about how to do this step, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). +1. Create and deploy a WIP policy to your organization. 
For information about how to do this step, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). -2. Create a new email from a non-protected or personal mailbox, including the text _I’ll send you that presentation tomorrow_. +2. Create a new email from a non-protected or personal mailbox, including the text _I'll send you that presentation tomorrow_. -3. Wait up to 2 hours to make sure everything has updated, click the **Cortana** icon in the taskbar, and then click in the **Search** bar. +3. Wait up to 2 hours to make sure everything has updated, click the **Cortana** icon in the taskbar, and then click in the **Search** bar. - Cortana automatically pulls your commitment to sending the presentation out of your email, showing it to you. + Cortana automatically pulls your commitment to sending the presentation out of your email, showing it to you. -4. Create a new email from a protected mailbox, including the same text as above, _I’ll send you that presentation tomorrow_. +4. Create a new email from a protected mailbox, including the same text as above, _I'll send you that presentation tomorrow_. -5. Wait until everything has updated again, click the **Cortana** icon in the taskbar, and then click in the **Search** bar. +5. Wait until everything has updated again, click the **Cortana** icon in the taskbar, and then click in the **Search** bar. - Because it was in an WIP-protected email, the presentation info isn’t pulled out and it isn’t shown to you. + Because it was in an WIP-protected email, the presentation info isn't pulled out and it isn't shown to you. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md index 9260043d11..fe85525c40 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md 
+++ b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md @@ -1,23 +1,16 @@ --- title: Cortana at work testing scenarios description: Suggested testing scenarios that you can use to test Cortana in your organization. -ms.prod: windows-client -ms.collection: tier3 -author: aczechowski -ms.localizationpriority: medium -ms.author: aaroncz ms.date: 06/28/2021 -ms.reviewer: -manager: aaroncz -ms.technology: itpro-configure ---- +ms.topic: article +--- -# Cortana at work testing scenarios +# Cortana at work testing scenarios -[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] +[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] -We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to: +We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to: - [Sign into Microsoft Entra ID, enable the Cortana wake word, and try a voice query](cortana-at-work-scenario-1.md) - [Perform a Bing search with Cortana](cortana-at-work-scenario-2.md) @@ -25,4 +18,4 @@ We've come up with a list of suggested testing scenarios that you can use to tes - [Use Cortana to find free time on your calendar](cortana-at-work-scenario-4.md) - [Find out about a person](cortana-at-work-scenario-5.md) - [Change your language and perform a quick search with Cortana](cortana-at-work-scenario-6.md) -- [Use Windows Information Protection (WIP) to secure content on a device and then try to manage your organization’s entries in the notebook](cortana-at-work-scenario-7.md) +- [Use Windows Information Protection (WIP) to secure content on a device and then try to manage your organization's entries in the notebook](cortana-at-work-scenario-7.md) 
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md index 21f168168d..7ba852aa7d 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md 
@@ -1,64 +1,57 @@ --- title: Set up and test custom voice commands in Cortana for your organization (Windows) description: How to create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. -ms.prod: windows-client -ms.collection: tier3 -author: aczechowski -ms.localizationpriority: medium -ms.author: aaroncz ms.date: 10/05/2017 -ms.reviewer: -manager: aaroncz -ms.technology: itpro-configure ---- +ms.topic: article +--- # Set up and test custom voice commands in Cortana for your organization -[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] +[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] >[!NOTE] ->This content applies to Cortana in versions 1909 and earlier, but will not be available in future releases. +>This content applies to Cortana in versions 1909 and earlier, but will not be available in future releases. -Working with a developer, you can create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. These voice-enabled actions can reduce the time necessary to access your apps and to complete simple actions. +Working with a developer, you can create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. These voice-enabled actions can reduce the time necessary to access your apps and to complete simple actions. ## High-level process -Cortana uses a Voice Command Definition (VCD) file, aimed at an installed app, to define the actions that are to happen during certain vocal commands. A VCD file can be simple to complex, supporting anything from a single sound to a collection of more flexible, natural language sounds, all with the same intent. 
+Cortana uses a Voice Command Definition (VCD) file, aimed at an installed app, to define the actions that are to happen during certain vocal commands. A VCD file can be simple to complex, supporting anything from a single sound to a collection of more flexible, natural language sounds, all with the same intent. -To enable voice commands in Cortana +To enable voice commands in Cortana -1. **Extend your LOB app.** Add a custom VCD file to your app package. This file defines what capabilities are available to Cortana from the app, letting you tell Cortana what vocal commands should be understood and handled by your app and how the app should start when the command is vocalized. +1. **Extend your LOB app.** Add a custom VCD file to your app package. This file defines what capabilities are available to Cortana from the app, letting you tell Cortana what vocal commands should be understood and handled by your app and how the app should start when the command is vocalized. - Cortana can perform actions on apps in the foreground (taking focus from Cortana) or in the background (allowing Cortana to keep focus). We recommend that you decide where an action should happen, based on what your voice command is intended to do. For example, if your voice command requires employee input, it’s best for that to happen in the foreground. However, if the app only uses basic commands and doesn’t require interaction, it can happen in the background. + Cortana can perform actions on apps in the foreground (taking focus from Cortana) or in the background (allowing Cortana to keep focus). We recommend that you decide where an action should happen, based on what your voice command is intended to do. For example, if your voice command requires employee input, it's best for that to happen in the foreground. However, if the app only uses basic commands and doesn't require interaction, it can happen in the background. 
- - **Start Cortana with focus on your app, using specific voice-enabled statements.** [Activate a foreground app with voice commands through Cortana](/cortana/voice-commands/launch-a-foreground-app-with-voice-commands-in-cortana). + - **Start Cortana with focus on your app, using specific voice-enabled statements.** [Activate a foreground app with voice commands through Cortana](/cortana/voice-commands/launch-a-foreground-app-with-voice-commands-in-cortana). - - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Activate a background app in Cortana using voice commands](/cortana/voice-commands/launch-a-background-app-with-voice-commands-in-cortana). + - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Activate a background app in Cortana using voice commands](/cortana/voice-commands/launch-a-background-app-with-voice-commands-in-cortana). -2. **Install the VCD file on employees' devices**. You can use Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization. +2. **Install the VCD file on employees' devices**. You can use Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization. ## Test scenario: Use voice commands in a Microsoft Store app -While these apps aren't line-of-business apps, we've worked to make sure to implement a VCD file, allowing you to test how the functionality works with Cortana in your organization. +While these apps aren't line-of-business apps, we've worked to make sure to implement a VCD file, allowing you to test how the functionality works with Cortana in your organization. **To get a Microsoft Store app** -1. 
Go to the Microsoft Store, scroll down to the **Collections** area, select **Show All**, and then select **Better with Cortana**. +1. Go to the Microsoft Store, scroll down to the **Collections** area, select **Show All**, and then select **Better with Cortana**. -2. Select **Uber**, and then select **Install**. +2. Select **Uber**, and then select **Install**. -3. Open Uber, create an account or sign in, and then close the app. +3. Open Uber, create an account or sign in, and then close the app. **To set up the app with Cortana** -1. Select on the **Cortana** search box in the taskbar, and then select the **Notebook** icon. +1. Select on the **Cortana** search box in the taskbar, and then select the **Notebook** icon. -2. Select on **Connected Services**, select **Uber**, and then select **Connect**. +2. Select on **Connected Services**, select **Uber**, and then select **Connect**. - ![Cortana at work, showing where to connect the Uber service to Cortana.](../images/cortana-connect-uber.png) + ![Cortana at work, showing where to connect the Uber service to Cortana.](../images/cortana-connect-uber.png) **To use the voice-enabled commands with Cortana** -1. Select on the **Cortana** icon in the taskbar, and then select the **Microphone** icon (to the right of the **Search** box). +1. Select on the **Cortana** icon in the taskbar, and then select the **Microphone** icon (to the right of the **Search** box). -2. Say _Uber get me a taxi_. +2. Say _Uber get me a taxi_. - Cortana changes, letting you provide your trip details for Uber. + Cortana changes, letting you provide your trip details for Uber. ## See also - [Cortana for developers](/cortana/skills/) diff --git a/windows/configuration/screenshot10.png b/windows/configuration/cortana-at-work/images/screenshot10.png similarity index 100% rename from windows/configuration/screenshot10.png rename to windows/configuration/cortana-at-work/images/screenshot10.png 
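Review bot: In cortana-at-work-voice-commands.md, the re-added steps under "To set up the app with Cortana" and "To use the voice-enabled commands with Cortana" keep "Select on the **Cortana** search box", "Select on **Connected Services**" and "Select on the **Cortana** icon". Since these lines are being rewritten anyway, change them to "Select the ..." and "Select **Connected Services**". The image link `../images/cortana-connect-uber.png` is also carried over unchanged while this commit moves other screenshots under cortana-at-work/images/. Check that the relative path still resolves from this file.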
diff --git a/windows/configuration/screenshot12.png b/windows/configuration/cortana-at-work/images/screenshot12.png similarity index 100% rename from windows/configuration/screenshot12.png rename to windows/configuration/cortana-at-work/images/screenshot12.png diff --git a/windows/configuration/screenshot3.png b/windows/configuration/cortana-at-work/images/screenshot3.png similarity index 100% rename from windows/configuration/screenshot3.png rename to windows/configuration/cortana-at-work/images/screenshot3.png diff --git a/windows/configuration/screenshot4.png b/windows/configuration/cortana-at-work/images/screenshot4.png similarity index 100% rename from windows/configuration/screenshot4.png rename to windows/configuration/cortana-at-work/images/screenshot4.png diff --git a/windows/configuration/screenshot5.png b/windows/configuration/cortana-at-work/images/screenshot5.png similarity index 100% rename from windows/configuration/screenshot5.png rename to windows/configuration/cortana-at-work/images/screenshot5.png diff --git a/windows/configuration/screenshot6.png b/windows/configuration/cortana-at-work/images/screenshot6.png similarity index 100% rename from windows/configuration/screenshot6.png rename to windows/configuration/cortana-at-work/images/screenshot6.png diff --git a/windows/configuration/screenshot7.png b/windows/configuration/cortana-at-work/images/screenshot7.png similarity index 100% rename from windows/configuration/screenshot7.png rename to windows/configuration/cortana-at-work/images/screenshot7.png diff --git a/windows/configuration/screenshot8.png b/windows/configuration/cortana-at-work/images/screenshot8.png similarity index 100% rename from windows/configuration/screenshot8.png rename to windows/configuration/cortana-at-work/images/screenshot8.png 
diff --git a/windows/configuration/screenshot9.png b/windows/configuration/cortana-at-work/images/screenshot9.png similarity index 100% rename from windows/configuration/screenshot9.png rename to windows/configuration/cortana-at-work/images/screenshot9.png diff --git a/windows/configuration/cortana-at-work/includes/cortana-deprecation.md b/windows/configuration/cortana-at-work/includes/cortana-deprecation.md index c5ad2bd22a..b4ea52dbcc 100644 --- a/windows/configuration/cortana-at-work/includes/cortana-deprecation.md +++ b/windows/configuration/cortana-at-work/includes/cortana-deprecation.md @@ -1,14 +1,12 @@ --- author: mestew ms.author: mstewart -manager: aaroncz -ms.technology: itpro-updates -ms.prod: windows-client ms.topic: include -ms.date: 06/08/2023 -ms.localizationpriority: medium +ms.date: 06/08/2023 + --- - + > [!Important] > Cortana in Windows as a standalone app is [deprecated](/windows/whats-new/deprecated-features). This change only impacts Cortana in Windows, and your productivity assistant, Cortana, will continue to be available in Outlook mobile, Teams mobile, Microsoft Teams display, and Microsoft Teams rooms. + diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md index b9fd7b9023..d181bdfec8 100644 --- a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md +++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md 
@@ -1,52 +1,44 @@ --- title: Set up and test Cortana in Windows 10, version 2004 and later -ms.reviewer: -manager: aaroncz description: Cortana includes powerful configuration options specifically to optimize unique small to medium-sized business and enterprise environments. -ms.prod: windows-client -ms.collection: tier3 -author: aczechowski -ms.localizationpriority: medium -ms.author: aaroncz -ms.technology: itpro-configure ms.date: 12/31/2017 ms.topic: article ---- +--- # Set up and test Cortana in Windows 10, version 2004 and later [!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] -## Before you begin +## Before you begin - If your enterprise had previously disabled Cortana for your employees using the **Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana** Group Policy or the **Experience\AllowCortana** MDM setting but want to enable it now that Cortana is part of Microsoft 365, you'll need to re-enable it at least for Windows 10, version 2004 and later, or Windows 11. -- **Cortana is regularly updated through the Microsoft Store.** Beginning with Windows 10, version 2004, Cortana is an appx preinstalled with Windows and is regularly updated through the Microsoft Store. To receive the latest updates to Cortana, you'll need to [enable updates through the Microsoft Store](../stop-employees-from-using-microsoft-store.md). +- **Cortana is regularly updated through the Microsoft Store.** Beginning with Windows 10, version 2004, Cortana is an appx preinstalled with Windows and is regularly updated through the Microsoft Store. To receive the latest updates to Cortana, you'll need to [enable updates through the Microsoft Store](../stop-employees-from-using-microsoft-store.md). ## Set up and configure the Bing Answers feature -Bing Answers provides fast, authoritative results to search queries based on search terms. 
When the Bing Answers feature is enabled, users will be able to ask Cortana web-related questions in the Cortana in Windows app, such as "What's the current weather?" or "Who is the president of the U.S.?," and get a response, based on public results from Bing.com. +Bing Answers provides fast, authoritative results to search queries based on search terms. When the Bing Answers feature is enabled, users will be able to ask Cortana web-related questions in the Cortana in Windows app, such as "What's the current weather?" or "Who is the president of the U.S.?," and get a response, based on public results from Bing.com. -The above experience is powered by Microsoft Bing, and Cortana sends the user queries to Bing. The use of Microsoft Bing is governed by the [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement) and [Privacy Statement](https://privacy.microsoft.com/en-US/privacystatement). +The above experience is powered by Microsoft Bing, and Cortana sends the user queries to Bing. The use of Microsoft Bing is governed by the [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement) and [Privacy Statement](https://privacy.microsoft.com/en-US/privacystatement). -## Configure the Bing Answers feature +## Configure the Bing Answers feature -Admins can configure the Cortana in Windows Bing Answers feature for their organizations. As the admin, use the following steps to change the setting for Bing Answers at the tenant/security group level. This setting is enabled by default, so that all users who have Cortana enabled will be able to receive Bing Answers. By default, the Bing Answer feature will be available to your users. +Admins can configure the Cortana in Windows Bing Answers feature for their organizations. As the admin, use the following steps to change the setting for Bing Answers at the tenant/security group level. 
This setting is enabled by default, so that all users who have Cortana enabled will be able to receive Bing Answers. By default, the Bing Answer feature will be available to your users. -Users can't enable or disable the Bing Answer feature individually. So, if you disable this feature at the tenant/security group level, no users in your organization or specific security group will be able to use Bing Answers in Cortana in Windows. +Users can't enable or disable the Bing Answer feature individually. So, if you disable this feature at the tenant/security group level, no users in your organization or specific security group will be able to use Bing Answers in Cortana in Windows. -Sign in to the [Office Configuration Admin tool](https://config.office.com/). +Sign in to the [Office Configuration Admin tool](https://config.office.com/). -Follow the steps [here](/deployoffice/overview-office-cloud-policy-service#steps-for-creating-a-policy-configuration) to create this policy configuration. Once completed, the policy will look as shown below: +Follow the steps [here](/deployoffice/overview-office-cloud-policy-service#steps-for-creating-a-policy-configuration) to create this policy configuration. Once completed, the policy will look as shown below: -:::image type="content" source="../screenshot3.png" alt-text="Screenshot: Bing policy example"::: +:::image type="content" source="../screenshot3.png" alt-text="Screenshot: Bing policy example"::: -## How does Microsoft handle customer data for Bing Answers? +## How does Microsoft handle customer data for Bing Answers? -When a user enters a search query (by speech or text), Cortana evaluates if the request is for any of our first-party compliant skills if enabled in a specific market, and does the following actions: +When a user enters a search query (by speech or text), Cortana evaluates if the request is for any of our first-party compliant skills if enabled in a specific market, and does the following actions: -1. 
If it is for any of the first-party compliant skills, the query is sent to that skill, and results/action are returned. +1. If it is for any of the first-party compliant skills, the query is sent to that skill, and results/action are returned. -2. If it isn't for any of the first-party compliant skills, the query is sent to Bing for a search of public results from Bing.com. Because enterprise searches might be sensitive, similar to [Microsoft Search in Bing](/MicrosoftSearch/security-for-search#microsoft-search-in-bing-protects-workplace-searches), Bing Answers in Cortana has implemented a set of trust measures, described below, that govern how the separate search of public results from Bing.com is handled. The Bing Answers in Cortana trust measures are consistent with the enhanced privacy and security measures described in [Microsoft Search in Bing](/MicrosoftSearch/security-for-search). All Bing.com search logs that pertain to Cortana traffic are disassociated from users' workplace identity. All Cortana queries issued via a work or school account are stored separately from public, non-Cortana traffic. +2. If it isn't for any of the first-party compliant skills, the query is sent to Bing for a search of public results from Bing.com. Because enterprise searches might be sensitive, similar to [Microsoft Search in Bing](/MicrosoftSearch/security-for-search#microsoft-search-in-bing-protects-workplace-searches), Bing Answers in Cortana has implemented a set of trust measures, described below, that govern how the separate search of public results from Bing.com is handled. The Bing Answers in Cortana trust measures are consistent with the enhanced privacy and security measures described in [Microsoft Search in Bing](/MicrosoftSearch/security-for-search). All Bing.com search logs that pertain to Cortana traffic are disassociated from users' workplace identity. All Cortana queries issued via a work or school account are stored separately from public, non-Cortana traffic. 
-Bing Answers is enabled by default for all users. However, admins can configure and change this setting for specific users and user groups in their organization. +Bing Answers is enabled by default for all users. However, admins can configure and change this setting for specific users and user groups in their organization. ## How the Bing Answer policy configuration is applied Before a query is sent to Bing for a search of public results from Bing.com, the Bing Answers service checks with the Office Cloud Policy Service to see if there are any policy configurations that pertain to the user for allowing Bing Answers to respond to questions users ask Cortana. If the user is a member of a Microsoft Entra group that is assigned that policy configuration, then the appropriate policy settings are applied and a check is made again in 10 minutes. diff --git a/windows/configuration/cortana-at-work/test-scenario-1.md b/windows/configuration/cortana-at-work/test-scenario-1.md index cd72adceb2..3df3cfceba 100644 --- a/windows/configuration/cortana-at-work/test-scenario-1.md +++ b/windows/configuration/cortana-at-work/test-scenario-1.md 
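Review bot: In set-up-and-test-cortana-in-windows-10.md, under "Configure the Bing Answers feature", the re-added line still has `source="../screenshot3.png"`, but this same commit renames windows/configuration/screenshot3.png to windows/configuration/cortana-at-work/images/screenshot3.png, so the image reference will no longer resolve. Update it to `source="./images/screenshot3.png"`. In the same section the default is stated twice ("This setting is enabled by default ..." followed by "By default, the Bing Answer feature will be available to your users") and the text alternates between "Bing Answer" and "Bing Answers". Drop the duplicate sentence and use one name.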
@@ -1,48 +1,41 @@ --- -title: Test scenario 1 – Sign in with your work or school account and use Cortana to manage the notebook +title: Test scenario 1 - Sign in with your work or school account and use Cortana to manage the notebook description: A test scenario about how to sign in with your work or school account and use Cortana to manage the notebook. -ms.prod: windows-client -ms.collection: tier3 -author: aczechowski -ms.localizationpriority: medium -ms.author: aaroncz ms.date: 10/05/2017 -ms.reviewer: -manager: aaroncz -ms.technology: itpro-configure ---- +ms.topic: article +--- -# Test scenario 1 – Sign in with your work or school account and use Cortana to manage the notebook +# Test scenario 1 - Sign in with your work or school account and use Cortana to manage the notebook -[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] +[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] -This scenario turns on Microsoft Entra ID and lets your employee use Cortana to manage an entry in the notebook. +This scenario turns on Microsoft Entra ID and lets your employee use Cortana to manage an entry in the notebook. -## Sign in with your work or school account +## Sign in with your work or school account -This process helps you to sign out of a Microsoft Account and to sign into a Microsoft Entra account. +This process helps you to sign out of a Microsoft Account and to sign into a Microsoft Entra account. -1. Click on the **Cortana** icon in the taskbar, then click the profile picture in the navigation to open Cortana settings. +1. Click on the **Cortana** icon in the taskbar, then click the profile picture in the navigation to open Cortana settings. -2. Click your email address. +2. Click your email address. -A dialog box appears, showing the associated account info. +A dialog box appears, showing the associated account info. -3. Click **Sign out** under your email address. +3. 
Click **Sign out** under your email address. -This signs out the Microsoft account, letting you continue to add your work or school account. +This signs out the Microsoft account, letting you continue to add your work or school account. -4. Open Cortana again and select the **Sign in** glyph in the left rail and follow the instructions to sign in with your work or school account. +4. Open Cortana again and select the **Sign in** glyph in the left rail and follow the instructions to sign in with your work or school account. -## Use Cortana to manage the notebook content +## Use Cortana to manage the notebook content -This process helps you to manage the content Cortana shows in your Notebook. +This process helps you to manage the content Cortana shows in your Notebook. -1. Select the **Cortana** icon in the taskbar, click **Notebook**, select **Manage Skills.** Scroll down and click **Weather**. +1. Select the **Cortana** icon in the taskbar, click **Notebook**, select **Manage Skills.** Scroll down and click **Weather**. -2. In the **Weather** settings, scroll down to the **Cities you're tracking** area, and then click **Add a city**. +2. In the **Weather** settings, scroll down to the **Cities you're tracking** area, and then click **Add a city**. -3. Add **Redmond, Washington**. +3. Add **Redmond, Washington**. > [!IMPORTANT] > The data created as part of these scenarios will be uploaded to Microsoft's Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. diff --git a/windows/configuration/cortana-at-work/test-scenario-2.md b/windows/configuration/cortana-at-work/test-scenario-2.md index f69b1c2789..ecd48e134e 100644 --- a/windows/configuration/cortana-at-work/test-scenario-2.md +++ b/windows/configuration/cortana-at-work/test-scenario-2.md 
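Review bot: In test-scenario-1.md, under "Sign in with your work or school account", the result lines after steps 2 and 3 ("A dialog box appears, showing the associated account info." and "This signs out the Microsoft account, ...") are re-added at column 0, which ends the ordered list at each of them. Indent them under their step so that steps 1 to 4 stay one list. In step 1 of "Use Cortana to manage the notebook content", the period sits inside the bold span in `**Manage Skills.**` and should move outside it.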
@@ -1,40 +1,34 @@ --- title: Test scenario 2 - Perform a quick search with Cortana at work description: A test scenario about how to perform a quick search with Cortana at work. -ms.prod: windows-client -ms.collection: tier3 -author: aczechowski -ms.localizationpriority: medium -ms.author: aaroncz ms.date: 10/05/2017 -ms.reviewer: -manager: aaroncz -ms.technology: itpro-configure ---- +ms.topic: article +--- -# Test scenario 2 – Perform a quick search with Cortana at work +# Test scenario 2 - Perform a quick search with Cortana at work -[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] +[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] >[!Important] ->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. +>The data created as part of these scenarios will be uploaded to Microsoft's Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. -This scenario helps you perform a quick search using Cortana, both by typing and through voice commands. +This scenario helps you perform a quick search using Cortana, both by typing and through voice commands. -## Search using Cortana +## Search using Cortana -1. Click on the Cortana icon in the taskbar, and then click in the Search bar. +1. Click on the Cortana icon in the taskbar, and then click in the Search bar. -2. Type **Type Weather in New York**. +2. Type **Type Weather in New York**. You should see the weather in New York, New York at the top of the search results. -Insert screenshot -## Search with Cortana, by using voice commands +Insert screenshot -This process helps you to use Cortana at work and voice commands to perform a quick search. +## Search with Cortana, by using voice commands -1. 
Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the Search box). +This process helps you to use Cortana at work and voice commands to perform a quick search. + +1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the Search box). 2. Say **What's the weather in Chicago?** Cortana tells you and shows you the current weather in Chicago. Insert screenshot diff --git a/windows/configuration/cortana-at-work/test-scenario-3.md b/windows/configuration/cortana-at-work/test-scenario-3.md index b57dded7f3..110f22b3b8 100644 --- a/windows/configuration/cortana-at-work/test-scenario-3.md +++ b/windows/configuration/cortana-at-work/test-scenario-3.md 
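Review bot: In test-scenario-2.md, step 2 of "Search using Cortana" is re-added as "Type **Type Weather in New York**.", which puts the instruction verb inside the text to be typed. It should read "Type **Weather in New York**." The hunk also moves the literal placeholder "Insert screenshot" instead of resolving it, and a second one remains after the Chicago step. Add the images or delete the placeholders before this publishes.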
@@ -1,81 +1,74 @@ --- title: Test scenario 3 - Set a reminder for a specific location using Cortana at work description: A test scenario about how to set up, review, and edit a reminder based on a location. -ms.prod: windows-client -ms.collection: tier3 -author: aczechowski -ms.localizationpriority: medium -ms.author: aaroncz ms.date: 10/05/2017 -ms.reviewer: -manager: aaroncz -ms.technology: itpro-configure ---- +ms.topic: article +--- # Test scenario 3 - Set a reminder for a specific location using Cortana at work -[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] +[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] >[!Important] ->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. +>The data created as part of these scenarios will be uploaded to Microsoft's Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. -This scenario helps you set up, review, and edit a reminder based on a location. For example, reminding yourself to grab your expense report receipts before you leave the house. +This scenario helps you set up, review, and edit a reminder based on a location. For example, reminding yourself to grab your expense report receipts before you leave the house. >[!Note] ->You can set each reminder location individually as you create the reminders, or you can go into the About me screen and add both Work and Home addresses as favorites. Make sure that you use real addresses since you’ll need to go to these locations to complete your testing scenario. +>You can set each reminder location individually as you create the reminders, or you can go into the About me screen and add both Work and Home addresses as favorites. 
Make sure that you use real addresses since you'll need to go to these locations to complete your testing scenario. -Additionally, if you’ve turned on the Meeting & reminder cards & notifications option (in the Meetings & reminders option of your Notebook), you’ll also see your pending reminders on the Cortana Home page. +Additionally, if you've turned on the Meeting & reminder cards & notifications option (in the Meetings & reminders option of your Notebook), you'll also see your pending reminders on the Cortana Home page. -## Create a reminder for a specific location +## Create a reminder for a specific location -This process helps you to create a reminder based on a specific location. +This process helps you to create a reminder based on a specific location. -1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**. +1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**. -2. Click the **+** sign, add a subject for your reminder, such as **Remember to file expense report receipts**, and then click **Place**. +2. Click the **+** sign, add a subject for your reminder, such as **Remember to file expense report receipts**, and then click **Place**. -3. Choose **Arrive** from the drop-down box, and then type a location to associate with your reminder. For example, you can use the physical address of where you work. Just make sure you can physically get to your location, so you can test the reminder. +3. Choose **Arrive** from the drop-down box, and then type a location to associate with your reminder. For example, you can use the physical address of where you work. Just make sure you can physically get to your location, so you can test the reminder. -4. Click **Done**. +4. Click **Done**. >[!Note] ->If you’ve never used this location before, you’ll be asked to add a name for it so it can be added to the Favorites list in Windows Maps. 
+>If you've never used this location before, you'll be asked to add a name for it so it can be added to the Favorites list in Windows Maps. -5. Choose to be reminded the Next time you arrive at the location or on a specific day of the week from the drop-down box. +5. Choose to be reminded the Next time you arrive at the location or on a specific day of the week from the drop-down box. -6. Take a picture of your receipts and store them locally on your device. +6. Take a picture of your receipts and store them locally on your device. -7. Click **Add Photo**, click **Library**, browse to your picture, and then click **OK**. +7. Click **Add Photo**, click **Library**, browse to your picture, and then click **OK**. -The photo is stored with the reminder. +The photo is stored with the reminder. -Insert screenshot 6 +Insert screenshot 6 -8. Review the reminder info, and then click **Remind**. +8. Review the reminder info, and then click **Remind**. The reminder is saved and ready to be triggered. -Insert screenshot +Insert screenshot -## Create a reminder for a specific location by using voice commands +## Create a reminder for a specific location by using voice commands -This process helps you to use Cortana at work and voice commands to create a reminder for a specific location. +This process helps you to use Cortana at work and voice commands to create a reminder for a specific location. -1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone* icon (to the right of the Search box). +1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone* icon (to the right of the Search box). -2. Say **Remind me to grab my expense report receipts before I leave home**. +2. Say **Remind me to grab my expense report receipts before I leave home**. Cortana opens a new reminder task and asks if it sounds good. -insert screenshot +insert screenshot 3. Say **Yes** so Cortana can save the reminder. 
-insert screenshot +insert screenshot -## Edit or archive an existing reminder +## Edit or archive an existing reminder -This process helps you to edit or archive and existing or completed reminder. +This process helps you to edit or archive and existing or completed reminder. -1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**. +1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**. -2. Click the pending reminder you want to edit. +2. Click the pending reminder you want to edit. 3. Change any text that you want to change, click **Add photo** if you want to add or replace an image, click **Delete** if you want to delete the entire reminder, click Save to save your changes, and click **Complete and move to History** if you want to save a completed reminder in your **Reminder History**. diff --git a/windows/configuration/cortana-at-work/test-scenario-4.md b/windows/configuration/cortana-at-work/test-scenario-4.md index 206010600b..d4633b3bce 100644 --- a/windows/configuration/cortana-at-work/test-scenario-4.md +++ b/windows/configuration/cortana-at-work/test-scenario-4.md 
@@ -1,54 +1,47 @@ --- title: Use Cortana to find your upcoming meetings at work (Windows) description: A test scenario about how to use Cortana at work to find your upcoming meetings. -ms.prod: windows-client -ms.collection: tier3 -author: aczechowski -ms.localizationpriority: medium -ms.author: aaroncz ms.date: 10/05/2017 -ms.reviewer: -manager: aaroncz -ms.technology: itpro-configure ---- +ms.topic: article +--- # Test scenario 4 - Use Cortana to find your upcoming meetings at work -[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] +[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] >[!Important] ->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. +>The data created as part of these scenarios will be uploaded to Microsoft's Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. -This scenario helps you search for both general upcoming meetings, and specific meetings, both manually and verbally. +This scenario helps you search for both general upcoming meetings, and specific meetings, both manually and verbally. >[!Note] ->If you’ve turned on the Meeting & reminder cards & notifications option (in the Meetings & reminders option of your Notebook), you’ll also see your pending reminders on the Cortana Home page. +>If you've turned on the Meeting & reminder cards & notifications option (in the Meetings & reminders option of your Notebook), you'll also see your pending reminders on the Cortana Home page. -## Find out about upcoming meetings +## Find out about upcoming meetings -This process helps you find your upcoming meetings. +This process helps you find your upcoming meetings. -1. Check to make sure your work calendar is connected and synchronized with your Microsoft Entra account. +1. 
Check to make sure your work calendar is connected and synchronized with your Microsoft Entra account. -2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar. +2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar. -3. Type **Show me my meetings for tomorrow**. +3. Type **Show me my meetings for tomorrow**. -You’ll see all your meetings scheduled for the next day. +You'll see all your meetings scheduled for the next day. Cortana at work, showing all upcoming meetings -screenshot +screenshot -## Find out about upcoming meetings by using voice commands +## Find out about upcoming meetings by using voice commands -This process helps you to use Cortana at work and voice commands to find your upcoming meetings. +This process helps you to use Cortana at work and voice commands to find your upcoming meetings. -1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the Search box. +1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the Search box. -2. Say **Show me what meeting I have at 3pm tomorrow**. +2. Say **Show me what meeting I have at 3pm tomorrow**. >[!Important] ->Make sure that you have a meeting scheduled for the time you specify here. +>Make sure that you have a meeting scheduled for the time you specify here. Cortana at work, showing the meeting scheduled for 3pm screenshot diff --git a/windows/configuration/cortana-at-work/test-scenario-5.md b/windows/configuration/cortana-at-work/test-scenario-5.md index f8dfb7cf8e..17a133892f 100644 --- a/windows/configuration/cortana-at-work/test-scenario-5.md +++ b/windows/configuration/cortana-at-work/test-scenario-5.md 
@@ -1,63 +1,56 @@ --- title: Use Cortana to send an email to co-worker (Windows) description: A test scenario on how to use Cortana at work to send email to a co-worker. -ms.prod: windows-client -ms.collection: tier3 -author: aczechowski -ms.localizationpriority: medium -ms.author: aaroncz ms.date: 10/05/2017 -ms.reviewer: -manager: aaroncz -ms.technology: itpro-configure ---- +ms.topic: article +--- # Test scenario 5 - Use Cortana to send an email to co-worker -[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] +[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] >[!Important] ->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. +>The data created as part of these scenarios will be uploaded to Microsoft's Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. -This scenario helps you to send an email to a co-worker listed in your work address book, both manually and verbally. +This scenario helps you to send an email to a co-worker listed in your work address book, both manually and verbally. -## Send email to a co-worker +## Send email to a co-worker -This process helps you to send a quick message to a co-worker from the work address book. +This process helps you to send a quick message to a co-worker from the work address book. -1. Check to make sure your Microsoft Outlook or mail app is connected and synchronized with your Microsoft Entra account. +1. Check to make sure your Microsoft Outlook or mail app is connected and synchronized with your Microsoft Entra account. -2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar. +2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar. -3. Type **Send an email to **. +3. 
Type **Send an email to **. -Where is the name of someone in your work address book. +Where is the name of someone in your work address book. -4. Type your email message subject into the **Quick message** (255 characters or less) box and your message into the **Message** (unlimited characters) box, and then click **Send**. +4. Type your email message subject into the **Quick message** (255 characters or less) box and your message into the **Message** (unlimited characters) box, and then click **Send**. Cortana at work, showing the email text -screenshot +screenshot -## Send an email to a co-worker by using voice commands +## Send an email to a co-worker by using voice commands -This process helps you to use Cortana at work and voice commands to send a quick message to a co-worker from the work address book. +This process helps you to use Cortana at work and voice commands to send a quick message to a co-worker from the work address book. -1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the Search box. +1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the Search box. -2. Say **Send an email** to . +2. Say **Send an email** to . -Where is the name of someone in your work address book. +Where is the name of someone in your work address book. -3. Add your email message by saying, **Hello this is a test email using Cortana at work**. +3. Add your email message by saying, **Hello this is a test email using Cortana at work**. -The message is added and you’re asked if you want to **Send it**, **Add more**, or **Make changes**. +The message is added and you're asked if you want to **Send it**, **Add more**, or **Make changes**. Cortana at work, showing the email text created from verbal commands -screenshot +screenshot -4. Say **Send it**. +4. Say **Send it**. -The email is sent. +The email is sent. Cortana at work, showing the sent email text screenshot 
diff --git a/windows/configuration/cortana-at-work/test-scenario-6.md b/windows/configuration/cortana-at-work/test-scenario-6.md index 8915d4300d..7a1f00b2af 100644 --- a/windows/configuration/cortana-at-work/test-scenario-6.md +++ b/windows/configuration/cortana-at-work/test-scenario-6.md 
@@ -1,50 +1,43 @@ --- -title: Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email +title: Test scenario 6 - Review a reminder suggested by Cortana based on what you've promised in email description: A test scenario about how to use Cortana with the Suggested reminders feature. -ms.prod: windows-client -ms.collection: tier3 -author: aczechowski -ms.localizationpriority: medium -ms.author: aaroncz ms.date: 10/05/2017 -ms.reviewer: -manager: aaroncz -ms.technology: itpro-configure ---- +ms.topic: article +--- -# Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email +# Test scenario 6 - Review a reminder suggested by Cortana based on what you've promised in email -[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] +[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] >[!Important] ->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. For more info, see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement). +>The data created as part of these scenarios will be uploaded to Microsoft's Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. For more info, see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement). -Cortana automatically finds patterns in your email, suggesting reminders based things that you said you would do so you don’t forget about them. 
For example, Cortana recognizes that if you include the text, I’ll get something to you by the end of the week in an email, you're making a commitment to provide something by a specific date. Cortana can now suggest that you be reminded about this event, letting you decide whether to keep it or to cancel it. +Cortana automatically finds patterns in your email, suggesting reminders based things that you said you would do so you don't forget about them. For example, Cortana recognizes that if you include the text, I'll get something to you by the end of the week in an email, you're making a commitment to provide something by a specific date. Cortana can now suggest that you be reminded about this event, letting you decide whether to keep it or to cancel it. >[!Important] ->The Suggested reminders feature is currently only available in English (en-us). +>The Suggested reminders feature is currently only available in English (en-us). -## Use Cortana to create suggested reminders for you +## Use Cortana to create suggested reminders for you -1. Make sure that you've connected Cortana to Office 365. For the steps to connect, see [Set up and test Cortana with Office 365 in your organization](./cortana-at-work-o365.md). +1. Make sure that you've connected Cortana to Office 365. For the steps to connect, see [Set up and test Cortana with Office 365 in your organization](./cortana-at-work-o365.md). -2. Click on the **Cortana** search box in the taskbar, click the **Notebook** icon, and then click **Permissions**. +2. Click on the **Cortana** search box in the taskbar, click the **Notebook** icon, and then click **Permissions**. -3. Make sure the **Contacts**, **email**, **calendar**, and **communication history** option is turned on. +3. Make sure the **Contacts**, **email**, **calendar**, and **communication history** option is turned on. Permissions options for Cortana at work -screenshot +screenshot -4. 
Click the **Notebook** icon again, click the **Suggested reminders** option, click to turn on the **All reminder suggestions cards** option, click the **Notify me when something I mentioned doing is coming up** box, and then click **Save**. +4. Click the **Notebook** icon again, click the **Suggested reminders** option, click to turn on the **All reminder suggestions cards** option, click the **Notify me when something I mentioned doing is coming up** box, and then click **Save**. Suggested reminders options for Cortana at work -screenshot +screenshot -5. Create and send an email to yourself (so you can see the Suggested reminder), including the text, **I’ll finish this project by end of day today**. +5. Create and send an email to yourself (so you can see the Suggested reminder), including the text, **I'll finish this project by end of day today**. -6. After you get the email, click on the Cortana **Home** icon, and scroll to today’s events. +6. After you get the email, click on the Cortana **Home** icon, and scroll to today's events. -If the reminder has a specific date or time associated with it, like end of day, Cortana notifies you at the appropriate time and puts the reminder into the Action Center. Also from the Home screen, you can view the email where you made the promise, set aside time on your calendar, officially set the reminder, or mark the reminder as completed. +If the reminder has a specific date or time associated with it, like end of day, Cortana notifies you at the appropriate time and puts the reminder into the Action Center. Also from the Home screen, you can view the email where you made the promise, set aside time on your calendar, officially set the reminder, or mark the reminder as completed. Cortana Home screen with your suggested reminder showing screenshot 
diff --git a/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md b/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md index a7ad523655..b1c853cb8d 100644 --- a/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md +++ b/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md @@ -1,22 +1,15 @@ --- title: Testing scenarios using Cortana in your business or organization description: A list of suggested testing scenarios that you can use to test Cortana in your organization. -ms.prod: windows-client -ms.collection: tier3 -author: aczechowski -ms.localizationpriority: medium -ms.author: aaroncz ms.date: 10/05/2017 -ms.reviewer: -manager: aaroncz -ms.technology: itpro-configure ---- +ms.topic: article +--- # Testing scenarios using Cortana in your business or organization -[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] +[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)] -We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to: +We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to: - [Sign in with your work or school account and use Cortana to manage the notebook](./cortana-at-work-scenario-1.md) - [Perform a quick search with Cortana at work](./cortana-at-work-scenario-2.md) diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json index 6d8d824a07..56fd39f780 100644 --- a/windows/configuration/docfx.json +++ b/windows/configuration/docfx.json 
@@ -41,9 +41,8 @@ "zone_pivot_group_filename": "resources/zone-pivot-groups.json", "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-Windows", - "ms.technology": "itpro-configure", - "ms.topic": "article", - "ms.prod": "windows-client", + "ms.subservice": "itpro-configure", + "ms.service": "windows-client", "manager": "aaroncz", "feedback_system": "Standard", "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", @@ -73,10 +72,48 @@ "feedback_system": { "ue-v/**/*.*": "None", "cortana-at-work/**/*.*": "None" + }, + "author":{ + "*//**/*.md": "paolomatarazzo", + "*//**/*.yml": "paolomatarazzo", + "cortana-at-work//**/*.md": "aczechowski", + "cortana-at-work//**/*.yml": "aczechowski", + "wcd//**/*.md": "aczechowski", + "wcd//**/*.yml": "aczechowski", + "ue-v//**/*.md": "aczechowski", + "ue-v//**/*.yml": "aczechowski" + }, + "ms.author":{ + "*//**/*.md": "paoloma", + "*//**/*.yml": "paoloma", + "cortana-at-work//**/*.md": "aaroncz", + "cortana-at-work//**/*.yml": "aaroncz", + "wcd//**/*.md": "aaroncz", + "wcd//**/*.yml": "aaroncz", + "ue-v//**/*.md": "aaroncz", + "ue-v//**/*.yml": "aaroncz" + }, + "ms.collection":{ + "cortana-at-work//**/*.md": "tier3", + "wcd//**/*.md": "must-keep", + "ue-v//**/*.md": [ + "must-keep", + "tier3" + ] + }, + "appliesto": { + "*/**/*.md": [ + "✅ Windows 11", + "✅ Windows 10" + ], + "wcd//**/*.md": "✅ Windows 10" } }, "template": [], "dest": "win-configuration", "markdownEngineName": "markdig" } -} +} + + + diff --git a/windows/configuration/includes/insider-note.md b/windows/configuration/includes/insider-note.md index a1160f8047..4c68c54254 100644 --- a/windows/configuration/includes/insider-note.md +++ b/windows/configuration/includes/insider-note.md @@ -3,7 +3,7 @@ author: paolomatarazzo ms.author: paoloma ms.topic: include ms.date: 01/11/2024 ---- +--- :::row::: :::column span="1"::: 
diff --git a/windows/configuration/includes/multi-app-kiosk-support-windows11.md b/windows/configuration/includes/multi-app-kiosk-support-windows11.md index 10bfe16e1d..40fa0e706d 100644 --- a/windows/configuration/includes/multi-app-kiosk-support-windows11.md +++ b/windows/configuration/includes/multi-app-kiosk-support-windows11.md @@ -2,10 +2,8 @@ author: aczechowski ms.author: aaroncz ms.date: 09/21/2021 -ms.reviewer: -manager: aaroncz ms.service: windows-client ms.topic: include ---- +--- Currently, multi-app kiosk is only supported on Windows 10. It's not supported on Windows 11. diff --git a/windows/configuration/index.yml b/windows/configuration/index.yml index 4bcaa16c51..1b8306cf5a 100644 --- a/windows/configuration/index.yml +++ b/windows/configuration/index.yml @@ -1,7 +1,7 @@ -### YamlMime:Landing +### YamlMime:Landing title: Configure Windows client # < 60 chars -summary: Find out how to apply custom configurations to Windows client devices. # < 160 chars +summary: Find out how to apply custom configurations to Windows client devices. # < 160 chars metadata: title: Configure Windows client # Required; page title displayed in search results. Include the brand. < 60 chars. @@ -16,7 +16,8 @@ metadata: ms.date: 12/20/2023 localization_priority: medium -# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new landingContent: # Cards and links should be based on top customer tasks or top subjects @@ -33,7 +34,7 @@ landingContent: - text: Configure Windows Spotlight on the lock screen url: windows-spotlight.md - text: Accessibility information for IT pros - url: windows-accessibility-for-itpros.md + url: windows-accessibility-for-itpros.md # Card (optional) 
@@ -48,7 +49,7 @@ landingContent: - text: Set up a multi-app kiosk for Windows 11 url: lock-down-windows-11-to-specific-apps.md - text: Manage multi-user and guest devices - url: shared-devices-concepts.md + url: shared-devices-concepts.md # Card (optional) @@ -63,7 +64,7 @@ landingContent: - text: Create a provisioning package url: provisioning-packages/provisioning-create-package.md - text: Apply a provisioning package - url: provisioning-packages/provisioning-apply-package.md + url: provisioning-packages/provisioning-apply-package.md # Card (optional) - title: Use Windows Configuration Designer (WCD) @@ -77,7 +78,7 @@ landingContent: - text: ProvisioningCommands url: wcd/wcd-provisioningcommands.md - text: Accounts - url: wcd/wcd-accounts.md + url: wcd/wcd-accounts.md # Card (optional) - title: Configure Cortana in Windows client @@ -87,7 +88,8 @@ landingContent: - text: Configure Cortana in Windows 10 url: cortana-at-work/cortana-at-work-overview.md - text: Custom voice commands in Cortana - url: cortana-at-work/cortana-at-work-voice-commands.md + + url: cortana-at-work/cortana-at-work-voice-commands.md # Card (optional) - title: User Experience Virtualization (UE-V) for Windows client diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/kiosk/find-the-application-user-model-id-of-an-installed-app.md similarity index 81% rename from windows/configuration/find-the-application-user-model-id-of-an-installed-app.md rename to windows/configuration/kiosk/find-the-application-user-model-id-of-an-installed-app.md index 5b78101494..0aa9874fff 100644 --- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md +++ b/windows/configuration/kiosk/find-the-application-user-model-id-of-an-installed-app.md 
@@ -2,27 +2,25 @@ title: Find the Application User Model ID of an installed app ms.reviewer: sybruckm description: To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device. -author: lizgt2000 -ms.author: lizlong ms.topic: article ms.date: 12/31/2017 --- -# Find the Application User Model ID of an installed app +# Find the Application User Model ID of an installed app -To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device. You can find the AUMID by using Windows PowerShell, File Explorer, or the registry. +To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device. You can find the AUMID by using Windows PowerShell, File Explorer, or the registry. -## To find the AUMID by using Windows PowerShell +## To find the AUMID by using Windows PowerShell -To get the names and AUMIDs for all apps installed for the current user, open a Windows PowerShell command prompt and enter the following command: +To get the names and AUMIDs for all apps installed for the current user, open a Windows PowerShell command prompt and enter the following command: ```powershell Get-StartApps -``` +``` -To get the names and AUMIDs for Windows Store apps installed for another user, open a Windows PowerShell command prompt and enter the following commands: +To get the names and AUMIDs for Windows Store apps installed for another user, open a Windows PowerShell command prompt and enter the following commands: ```powershell -$installedapps = Get-AppxPackage +$installedapps = Get-AppxPackage $aumidList = @() foreach ($app in $installedapps) 
@@ -31,39 +29,39 @@ foreach ($app in $installedapps) { $aumidList += $app.packagefamilyname + "!" + $id } -} +} $aumidList -``` +``` -You can add the `-user ` or the `-allusers` parameters to the **Get-AppxPackage** cmdlet to list AUMIDs for other users. You must use an elevated Windows PowerShell prompt to use the `-user` or -`allusers` parameters. +You can add the `-user ` or the `-allusers` parameters to the **Get-AppxPackage** cmdlet to list AUMIDs for other users. You must use an elevated Windows PowerShell prompt to use the `-user` or -`allusers` parameters. -## To find the AUMID by using File Explorer +## To find the AUMID by using File Explorer -To get the names and AUMIDs for all apps installed for the current user, perform the following steps: +To get the names and AUMIDs for all apps installed for the current user, perform the following steps: -1. Open **Run**, enter **shell:Appsfolder**, and select **OK**. +1. Open **Run**, enter **shell:Appsfolder**, and select **OK**. -2. A File Explorer window opens. Press **Alt** > **View** > **Choose details**. +2. A File Explorer window opens. Press **Alt** > **View** > **Choose details**. -3. In the **Choose Details** window, select **AppUserModelId**, and then select **OK**. (You might need to change the **View** setting from **Tiles** to **Details**.) +3. In the **Choose Details** window, select **AppUserModelId**, and then select **OK**. (You might need to change the **View** setting from **Tiles** to **Details**.) 
-![Image of the Choose Details options.](images/aumid-file-explorer.png) +![Image of the Choose Details options.](images/aumid-file-explorer.png) -## To find the AUMID of an installed app for the current user by using the registry +## To find the AUMID of an installed app for the current user by using the registry -Querying the registry can only return information about Microsoft Store apps that are installed for the current user, while the Windows PowerShell query can find information for any account on the device. +Querying the registry can only return information about Microsoft Store apps that are installed for the current user, while the Windows PowerShell query can find information for any account on the device. -At a command prompt, type the following command: +At a command prompt, type the following command: -`reg query HKEY_CURRENT_USER\Software\Classes\ActivatableClasses\Package /s /f AppUserModelID | find "REG_SZ"` +`reg query HKEY_CURRENT_USER\Software\Classes\ActivatableClasses\Package /s /f AppUserModelID | find "REG_SZ"` -### Example to get AUMIDs of the installed apps for the specified user +### Example to get AUMIDs of the installed apps for the specified user -The following code sample creates a function in Windows PowerShell that returns an array of AUMIDs of the installed apps for the specified user. +The following code sample creates a function in Windows PowerShell that returns an array of AUMIDs of the installed apps for the specified user. ```powershell -function listAumids( $userAccount ) { +function listAumids( $userAccount ) { if ($userAccount -eq "allusers") { @@ -79,7 +77,7 @@ function listAumids( $userAccount ) { { # Find installed packages for the current account. $installedapps = Get-AppxPackage - } + } $aumidList = @() foreach ($app in $installedapps) 
@@ -88,28 +86,28 @@ function listAumids( $userAccount ) { { $aumidList += $app.packagefamilyname + "!" + $id } - } + } return $aumidList } -``` +``` -The following Windows PowerShell commands demonstrate how you can call the listAumids function after you've created it. +The following Windows PowerShell commands demonstrate how you can call the listAumids function after you've created it. ```powershell # Get a list of AUMIDs for the current account: -listAumids +listAumids # Get a list of AUMIDs for an account named "CustomerAccount": -listAumids("CustomerAccount") +listAumids("CustomerAccount") # Get a list of AUMIDs for all accounts on the device: listAumids("allusers") -``` +``` -### Example to get the AUMID of any application in the Start menu +### Example to get the AUMID of any application in the Start menu -The following code sample creates a function in Windows PowerShell that returns the AUMID of any application currently listed in the Start menu. +The following code sample creates a function in Windows PowerShell that returns the AUMID of any application currently listed in the Start menu. ```powershell function Get-AppAUMID { @@ -129,16 +127,16 @@ else { Return $Result } } -``` +``` -The following Windows PowerShell commands demonstrate how you can call the Get-AppAUMID function after you've created it. +The following Windows PowerShell commands demonstrate how you can call the Get-AppAUMID function after you've created it. ```powershell # Get the AUMID for OneDrive -Get-AppAUMID -AppName OneDrive +Get-AppAUMID -AppName OneDrive # Get the AUMID for Microsoft Word -Get-AppAUMID -AppName Word +Get-AppAUMID -AppName Word # List all apps and their AUMID in the Start menu Get-AppAUMID 
diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/kiosk/guidelines-for-assigned-access-app.md similarity index 87% rename from windows/configuration/guidelines-for-assigned-access-app.md rename to windows/configuration/kiosk/guidelines-for-assigned-access-app.md index 95bcd1a788..01193a4bb5 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/kiosk/guidelines-for-assigned-access-app.md 
@@ -1,66 +1,63 @@ --- title: Guidelines for choosing an app for assigned access description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience. -author: lizgt2000 -ms.author: lizlong ms.topic: article ms.reviewer: sybruckm -ms.technology: itpro-configure ms.date: 12/31/2017 ---- +--- -# Guidelines for choosing an app for assigned access (kiosk mode) +# Guidelines for choosing an app for assigned access (kiosk mode) -**Applies to** +**Applies to** - Windows 10 -- Windows 11 +- Windows 11 -You can use assigned access to restrict customers at your business to using only one Windows app so your device acts like a kiosk. Administrators can use assigned access to restrict a selected user account to access a single Windows app. You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. +You can use assigned access to restrict customers at your business to using only one Windows app so your device acts like a kiosk. Administrators can use assigned access to restrict a selected user account to access a single Windows app. You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. -The following guidelines may help you choose an appropriate Windows app for your assigned access experience. +The following guidelines may help you choose an appropriate Windows app for your assigned access experience. -## General guidelines +## General guidelines -- Windows apps must be provisioned or installed for the assigned access account before they can be selected as the assigned access app. [Learn how to provision and install apps](/windows/client-management/mdm/enterprise-app-management#install_your_apps). +- Windows apps must be provisioned or installed for the assigned access account before they can be selected as the assigned access app. 
[Learn how to provision and install apps](/windows/client-management/mdm/enterprise-app-management#install_your_apps). -- Updating a Windows app can sometimes change the Application User Model ID (AUMID) of the app. If this change happens, you must update the assigned access settings to launch the updated app, because assigned access uses the AUMID to determine which app to launch. +- Updating a Windows app can sometimes change the Application User Model ID (AUMID) of the app. If this change happens, you must update the assigned access settings to launch the updated app, because assigned access uses the AUMID to determine which app to launch. -- Apps that are generated using the [Desktop App Converter (Desktop Bridge)](/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) can't be used as kiosk apps. +- Apps that are generated using the [Desktop App Converter (Desktop Bridge)](/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) can't be used as kiosk apps. + + +## Guidelines for Windows apps that launch other apps +Some Windows apps can launch other apps. Assigned access prevents Windows apps from launching other apps. -## Guidelines for Windows apps that launch other apps +Avoid selecting Windows apps that are designed to launch other apps as part of their core functionality. -Some Windows apps can launch other apps. Assigned access prevents Windows apps from launching other apps. +## Guidelines for web browsers -Avoid selecting Windows apps that are designed to launch other apps as part of their core functionality. +Starting with Windows 10 version 1809+, Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) -## Guidelines for web browsers - -Starting with Windows 10 version 1809+, Microsoft Edge includes support for kiosk mode. 
[Learn how to deploy Microsoft Edge kiosk mode.](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) - -In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure more settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren't allowed to go to a competitor's website. +In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure more settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren't allowed to go to a competitor's website. >[!NOTE] >Kiosk Browser supports a single tab. If a website has links that open a new tab, those links will not work with Kiosk Browser. Kiosk Browser does not support .pdfs. > ->Kiosk Browser can't access intranet websites. +>Kiosk Browser can't access intranet websites. -**Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education) and Windows 11. +**Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. 
You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education) and Windows 11. 1. [Get **Kiosk Browser** in Microsoft Store for Business with offline license type.](/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps) 2. [Deploy **Kiosk Browser** to kiosk devices.](/microsoft-store/distribute-offline-apps) -3. Configure policies using settings from the Policy Configuration Service Provider (CSP) for [KioskBrowser](/windows/client-management/mdm/policy-csp-kioskbrowser). These settings can be configured using your MDM service provider, or [in a provisioning package](provisioning-packages/provisioning-create-package.md). In Windows Configuration Designer, the settings are located in **Policies > KioskBrowser** when you select advanced provisioning for Windows desktop editions. +3. Configure policies using settings from the Policy Configuration Service Provider (CSP) for [KioskBrowser](/windows/client-management/mdm/policy-csp-kioskbrowser). These settings can be configured using your MDM service provider, or [in a provisioning package](provisioning-packages/provisioning-create-package.md). In Windows Configuration Designer, the settings are located in **Policies > KioskBrowser** when you select advanced provisioning for Windows desktop editions. >[!NOTE] ->If you configure the kiosk using a provisioning package, you must apply the provisioning package after the device completes the out-of-box experience (OOBE). +>If you configure the kiosk using a provisioning package, you must apply the provisioning package after the device completes the out-of-box experience (OOBE). -### Kiosk Browser settings +### Kiosk Browser settings Kiosk Browser settings | Use this setting to --- | --- 
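Review bot: most of the -/+ pairs in this hunk, from the `# Guidelines for choosing an app for assigned access (kiosk mode)` heading down to `### Kiosk Browser settings`, show identical text on both sides, so the only substantive change visible is the removal of `author`, `ms.author` and `ms.technology` from the front matter. If the rest is trailing-whitespace or line-ending normalization, move it to its own commit (or drop it) so the metadata removal can be reviewed on its own. While the line is being rewritten anyway, `Starting with Windows 10 version 1809+` should lose either "Starting with" or the "+".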
@@ -70,36 +67,41 @@ Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make s Enable End Session Button | Show a button in Kiosk Browser that people can use to reset the browser. End Session will clear all browsing data and navigate back to the default URL. Enable Home Button | Show a Home button in Kiosk Browser. Home will return the browser to the default URL. Enable Navigation Buttons | Show forward and back buttons in Kiosk Browser. -Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh state after an amount of idle time since the last user interaction. +Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh state after an amount of idle time since the last user interaction. > [!IMPORTANT] > To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer: > + > 1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer. > 2. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18). + > 3. Insert the null character string in between each URL (e.g www.bing.com``www.contoso.com). + > 4. Save the XML file. > 5. Open the project again in Windows Configuration Designer. > 6. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed. > + > + > [!TIP] > To enable the **End Session** button for Kiosk Browser in Intune, you must [create a custom OMA-URI policy](/intune/custom-settings-windows-10) with the following information: > - OMA-URI: ./Vendor/MSFT/Policy/Config/KioskBrowser/EnableEndSessionButton > - Data type: Integer -> - Value: 1 +> - Value: 1 -#### Rules for URLs in Kiosk Browser settings +#### Rules for URLs in Kiosk Browser settings -Kiosk Browser filtering rules are based on the [Chromium Project](https://www.chromium.org/Home). 
+Kiosk Browser filtering rules are based on the [Chromium Project](https://www.chromium.org/Home). URLs can include: - A valid port value from 1 to 65,535. - The path to the resource. -- Query parameters. +- Query parameters. -More guidelines for URLs: +More guidelines for URLs: - If a period precedes the host, the policy filters exact host matches only. - You can't use user:pass fields. @@ -107,19 +109,19 @@ More guidelines for URLs: - The policy searches wildcards (*) last. - The optional query is a set of key-value and key-only tokens delimited by '&'. - Key-value tokens are separated by '='. -- A query token can optionally end with a '*' to indicate prefix match. Token order is ignored during matching. +- A query token can optionally end with a '*' to indicate prefix match. Token order is ignored during matching. -### Examples of blocked URLs and exceptions +### Examples of blocked URLs and exceptions -The following table describes the results for different combinations of blocked URLs and blocked URL exceptions. +The following table describes the results for different combinations of blocked URLs and blocked URL exceptions. Blocked URL rule | Block URL exception rule | Result --- | --- | --- `*` | `contoso.com`
`fabrikam.com` | All requests are blocked unless it's to contoso.com, fabrikam.com, or any of their subdomains. `contoso.com` | `mail.contoso.com`
`.contoso.com`
`.www.contoso.com` | Block all requests to contoso.com, except for the main page and its mail subdomain. -`youtube.com` | `youtube.com/watch?v=v1`
`youtube.com/watch?v=v2` | Blocks all access to youtube.com except for the specified videos (v1 and v2). +`youtube.com` | `youtube.com/watch?v=v1`
`youtube.com/watch?v=v2` | Blocks all access to youtube.com except for the specified videos (v1 and v2). -The following table gives examples for blocked URLs. +The following table gives examples for blocked URLs. | Entry | Result | 
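Review bot: in the hunk at `@@ -70,36 +67,41 @@`, the lines added inside the `> [!IMPORTANT]` block (before steps 1, 3 and 4, and between the end of the block and `> [!TIP]`) are shown as empty and carry no `>` prefix. A blank line without the prefix ends a Markdown blockquote, so the alert would be cut off after its first sentence and the numbered steps would be split across separate quote blocks. Either drop these added lines or give each one a leading `>`.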
@@ -133,35 +135,36 @@ The following table gives examples for blocked URLs. | `*:8080` | Blocks all requests to port 8080. | | `contoso.com/stuff` | Blocks all requests to contoso.com/stuff and its subdomains. | | `192.168.1.2` | Blocks requests to 192.168.1.2. | -| `youtube.com/watch?v=V1` | Blocks YouTube video with id V1. | - -### Other browsers +| `youtube.com/watch?v=V1` | Blocks YouTube video with id V1. | +### Other browsers + You can create your own web browser Windows app by using the WebView class. Learn more about developing your own web browser app: - [Creating your own browser with HTML and JavaScript](https://blogs.windows.com/msedgedev/2015/08/27/creating-your-own-browser-with-html-and-javascript/) + - [WebView class](/uwp/api/Windows.UI.Xaml.Controls.WebView) -- [A web browser built with JavaScript as a Windows app](https://github.com/MicrosoftEdge/JSBrowser/tree/v1.0) +- [A web browser built with JavaScript as a Windows app](https://github.com/MicrosoftEdge/JSBrowser/tree/v1.0) + +## Secure your information -## Secure your information +Avoid selecting Windows apps that may expose the information you don't want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access. -Avoid selecting Windows apps that may expose the information you don't want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access. +## App configuration -## App configuration +Some apps may require more configurations before they can be used appropriately in assigned access. 
For example, Microsoft OneNote requires you to set up a Microsoft account for the assigned access user account before OneNote will open in assigned access. -Some apps may require more configurations before they can be used appropriately in assigned access. For example, Microsoft OneNote requires you to set up a Microsoft account for the assigned access user account before OneNote will open in assigned access. +Check the guidelines published by your selected app and set up accordingly. -Check the guidelines published by your selected app and set up accordingly. +## Develop your kiosk app -## Develop your kiosk app +Assigned access in Windows client uses the new lock framework. When an assigned access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an above lock screen app. -Assigned access in Windows client uses the new lock framework. When an assigned access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an above lock screen app. +Follow the [best practices guidance for developing a kiosk app for assigned access](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access). -Follow the [best practices guidance for developing a kiosk app for assigned access](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access). - -## Test your assigned access experience +## Test your assigned access experience The above guidelines may help you select or develop an appropriate Windows app for your assigned access experience. Once you've selected your app, we recommend that you thoroughly test the assigned access experience to ensure that your device provides a good customer experience. 
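Review bot: the `## Secure your information` paragraph is re-added with its wording unchanged, and it is the passage in this file that states the security reason for the guidance, so fix it while the line is touched. "since kiosk usually means anonymous access and locates in a public setting" should read something like "because a kiosk usually allows anonymous access and is located in a public setting", and the comma splice before "avoid selecting these types of apps" needs a full stop. The empty line added between the first two links under `### Other browsers` also makes the list spacing uneven; remove it.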
diff --git a/windows/configuration/images/kiosk-account-details.PNG b/windows/configuration/kiosk/images/kiosk-account-details.PNG similarity index 100% rename from windows/configuration/images/kiosk-account-details.PNG rename to windows/configuration/kiosk/images/kiosk-account-details.PNG diff --git a/windows/configuration/images/kiosk-common-details.PNG b/windows/configuration/kiosk/images/kiosk-common-details.PNG similarity index 100% rename from windows/configuration/images/kiosk-common-details.PNG rename to windows/configuration/kiosk/images/kiosk-common-details.PNG diff --git a/windows/configuration/images/kiosk-desktop.PNG b/windows/configuration/kiosk/images/kiosk-desktop.PNG similarity index 100% rename from windows/configuration/images/kiosk-desktop.PNG rename to windows/configuration/kiosk/images/kiosk-desktop.PNG diff --git a/windows/configuration/images/kiosk-fullscreen-sm.png b/windows/configuration/kiosk/images/kiosk-fullscreen-sm.png similarity index 100% rename from windows/configuration/images/kiosk-fullscreen-sm.png rename to windows/configuration/kiosk/images/kiosk-fullscreen-sm.png diff --git a/windows/configuration/images/kiosk-fullscreen.PNG b/windows/configuration/kiosk/images/kiosk-fullscreen.PNG similarity index 100% rename from windows/configuration/images/kiosk-fullscreen.PNG rename to windows/configuration/kiosk/images/kiosk-fullscreen.PNG diff --git a/windows/configuration/images/kiosk-settings.PNG b/windows/configuration/kiosk/images/kiosk-settings.PNG similarity index 100% rename from windows/configuration/images/kiosk-settings.PNG rename to windows/configuration/kiosk/images/kiosk-settings.PNG diff --git a/windows/configuration/images/kiosk-wizard.png b/windows/configuration/kiosk/images/kiosk-wizard.png similarity index 100% rename from windows/configuration/images/kiosk-wizard.png rename to windows/configuration/kiosk/images/kiosk-wizard.png 
diff --git a/windows/configuration/images/kiosk.png b/windows/configuration/kiosk/images/kiosk.png similarity index 100% rename from windows/configuration/images/kiosk.png rename to windows/configuration/kiosk/images/kiosk.png diff --git a/windows/configuration/kiosk-additional-reference.md b/windows/configuration/kiosk/kiosk-additional-reference.md similarity index 83% rename from windows/configuration/kiosk-additional-reference.md rename to windows/configuration/kiosk/kiosk-additional-reference.md index 91f7ece2cf..95e5d10453 100644 --- a/windows/configuration/kiosk-additional-reference.md +++ b/windows/configuration/kiosk/kiosk-additional-reference.md @@ -1,27 +1,22 @@ --- title: More kiosk methods and reference information (Windows 10/11) description: Find more information for configuring, validating, and troubleshooting kiosk configuration. -ms.reviewer: sybruckm -manager: aaroncz -ms.author: lizlong -ms.prod: windows-client -author: lizgt2000 -ms.localizationpriority: medium +ms.reviewer: sybruckm + ms.topic: reference -ms.technology: itpro-configure ms.date: 12/31/2017 ---- +--- -# More kiosk methods and reference information +# More kiosk methods and reference information -**Applies to** +**Applies to** -- Windows 10 Pro, Enterprise, and Education -- Windows 11 +- Windows 10 Pro, Enterprise, and Education +- Windows 11 -## In this section +## In this section Topic | Description --- | --- diff --git a/windows/configuration/kiosk-mdm-bridge.md b/windows/configuration/kiosk/kiosk-mdm-bridge.md similarity index 91% rename from windows/configuration/kiosk-mdm-bridge.md rename to windows/configuration/kiosk/kiosk-mdm-bridge.md index 4b2f8a1fe8..cca8302015 100644 --- a/windows/configuration/kiosk-mdm-bridge.md +++ b/windows/configuration/kiosk/kiosk-mdm-bridge.md 
@@ -1,36 +1,32 @@ --- title: Use MDM Bridge WMI Provider to create a Windows 10/11 kiosk (Windows 10/11) description: Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. -ms.reviewer: sybruckm -manager: aaroncz -ms.author: lizlong -ms.prod: windows-client -author: lizgt2000 -ms.localizationpriority: medium +ms.reviewer: sybruckm + ms.topic: article -ms.technology: itpro-configure ms.date: 12/31/2017 ---- +--- -# Use MDM Bridge WMI Provider to create a Windows client kiosk +# Use MDM Bridge WMI Provider to create a Windows client kiosk -**Applies to** +**Applies to** -- Windows 10 Pro, Enterprise, and Education -- Windows 11 +- Windows 10 Pro, Enterprise, and Education +- Windows 11 -Environments that use [Windows Management Instrumentation (WMI)](/windows/win32/wmisdk/wmi-start-page) can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the MDM_AssignedAccess class. For more information about using a PowerShell script to configure AssignedAccess, see [PowerShell Scripting with WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). +Environments that use [Windows Management Instrumentation (WMI)](/windows/win32/wmisdk/wmi-start-page) can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the MDM_AssignedAccess class. For more information about using a PowerShell script to configure AssignedAccess, see [PowerShell Scripting with WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). -Here's an example to set AssignedAccess configuration: +Here's an example to set AssignedAccess configuration: 1. Download the [psexec tool](/sysinternals/downloads/psexec). + 2. Run `psexec.exe -i -s cmd.exe`. -3. 
In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell. +3. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell. -Step 4 is different for Windows 10 or Windows 11 +Step 4 is different for Windows 10 or Windows 11 -4. Execute the following script for Windows 10: +4. Execute the following script for Windows 10: ```xml $nameSpaceName="root\cimv2\mdm\dmmap" @@ -86,37 +82,50 @@ $obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@" -"@) +"@) Set-CimInstance -CimInstance $obj ``` -4. Execute the following script for Windows 11: +4. Execute the following script for Windows 11: ```xml $nameSpaceName="root\cimv2\mdm\dmmap" $className="MDM_AssignedAccess" $obj = Get-CimInstance -Namespace $namespaceName -ClassName $className Add-Type -AssemblyName System.Web -$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@" +$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@" + + + + + + + + + + + + @@ -138,7 +148,8 @@ $obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@" -"@) + +"@) Set-CimInstance -CimInstance $obj ``` \ No newline at end of file diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk/kiosk-methods.md similarity index 82% rename from windows/configuration/kiosk-methods.md rename to windows/configuration/kiosk/kiosk-methods.md index d722a89cf2..9fa5a42cfd 100644 --- a/windows/configuration/kiosk-methods.md +++ b/windows/configuration/kiosk/kiosk-methods.md 
@@ -1,106 +1,108 @@ --- title: Configure kiosks and digital signs on Windows 10/11 desktop editions ms.reviewer: sybruckm -manager: aaroncz -ms.author: lizlong -description: In this article, learn about the methods for configuring kiosks and digital signs on Windows 10 or Windows 11 desktop editions. -ms.prod: windows-client -ms.localizationpriority: medium -author: lizgt2000 -ms.topic: article -ms.technology: itpro-configure -ms.date: 12/31/2017 ---- +description: In this article, learn about the methods for configuring kiosks and digital signs on Windows 10 or Windows 11 desktop editions. -# Configure kiosks and digital signs on Windows desktop editions +ms.topic: article +ms.date: 12/31/2017 +--- + +# Configure kiosks and digital signs on Windows desktop editions >[!WARNING] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -**Applies to** +**Applies to** - Windows 10 -- Windows 11 +- Windows 11 -Some desktop devices in an enterprise serve a special purpose. For example, a PC in the lobby that customers use to see your product catalog. Or, a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use: +Some desktop devices in an enterprise serve a special purpose. For example, a PC in the lobby that customers use to see your product catalog. Or, a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use: - **A single-app kiosk**: Runs a single Universal Windows Platform (UWP) app in full screen above the lock screen. 
People using the kiosk can see only that app. When the kiosk account (a local standard user account) signs in, the kiosk app launches automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart. + - A single-app kiosk is ideal for public use. Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk doesn't run above the lock screen. - ![Illustration of a full-screen kiosk experience that runs one app on a Windows client device.](images/kiosk-fullscreen.png) + A single-app kiosk is ideal for public use. Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk doesn't run above the lock screen. -- **A multi-app kiosk**: Runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. + ![Illustration of a full-screen kiosk experience that runs one app on a Windows client device.](images/kiosk-fullscreen.png) - A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that affects **all** non-administrator users on the device. +- **A multi-app kiosk**: Runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. 
With this approach, you can configure a locked-down experience for different account types. - ![Illustration of a kiosk Start screen that runs multiple apps on a Windows client device.](images/kiosk-desktop.png) + A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that affects **all** non-administrator users on the device. -Kiosk configurations are based on **Assigned Access**, a feature in Windows client that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. + ![Illustration of a kiosk Start screen that runs multiple apps on a Windows client device.](images/kiosk-desktop.png) -There are several kiosk configuration methods that you can choose from, depending on your answers to the following questions. +Kiosk configurations are based on **Assigned Access**, a feature in Windows client that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. -- **Which type of app will your kiosk run?** +There are several kiosk configuration methods that you can choose from, depending on your answers to the following questions. - ![icon that represents apps.](images/office-logo.png) +- **Which type of app will your kiosk run?** - Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](setup-digital-signage.md), select a digital sign player as your kiosk app. [Check out the guidelines for kiosk apps.](guidelines-for-assigned-access-app.md) + ![icon that represents apps.](images/office-logo.png) -- **Which type of kiosk do you need?** + Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](setup-digital-signage.md), select a digital sign player as your kiosk app. 
[Check out the guidelines for kiosk apps.](guidelines-for-assigned-access-app.md) - ![icon that represents a kiosk.](images/kiosk.png) +- **Which type of kiosk do you need?** - If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a [Universal Windows Platform (UWP) app](#methods-for-a-single-app-kiosk-running-a-uwp-app) or a [Windows desktop application](#classic). For a kiosk that people can sign in to with their accounts or that runs more than one app, choose [a multi-app kiosk](#desktop). + ![icon that represents a kiosk.](images/kiosk.png) -- **Which edition of Windows client will the kiosk run?** + If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a [Universal Windows Platform (UWP) app](#methods-for-a-single-app-kiosk-running-a-uwp-app) or a [Windows desktop application](#classic). For a kiosk that people can sign in to with their accounts or that runs more than one app, choose [a multi-app kiosk](#desktop). - ![icon that represents Windows.](images/windows.png) +- **Which edition of Windows client will the kiosk run?** - All of the configuration methods work for Windows client Enterprise and Education; some of the methods work for Windows Pro. Kiosk mode isn't available on Windows Home. + ![icon that represents Windows.](images/windows.png) -- **Which type of user account will be the kiosk account?** + All of the configuration methods work for Windows client Enterprise and Education; some of the methods work for Windows Pro. Kiosk mode isn't available on Windows Home. - ![icon that represents a user account.](images/user.png) +- **Which type of user account will be the kiosk account?** - The kiosk account can be a local standard user account, a local administrator account, a domain account, or a Microsoft Entra account, depending on the method that you use to configure the kiosk. 
If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method. + ![icon that represents a user account.](images/user.png) + + The kiosk account can be a local standard user account, a local administrator account, a domain account, or a Microsoft Entra account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method. >[!IMPORTANT] ->Single-app kiosk mode isn't supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. +>Single-app kiosk mode isn't supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. 
-[!INCLUDE [assigned-access-kiosk-mode](../../includes/licensing/assigned-access-kiosk-mode.md)] +[!INCLUDE [assigned-access-kiosk-mode](../../includes/licensing/assigned-access-kiosk-mode.md)] -## Methods for a single-app kiosk running a UWP app +## Methods for a single-app kiosk running a UWP app You can use this method | For this edition | For this kiosk account type + --- | --- | --- [Assigned access in Settings](kiosk-single-app.md#local) | Pro, Ent, Edu | Local standard user [Assigned access cmdlets](kiosk-single-app.md#powershell) | Pro, Ent, Edu | Local standard user [The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Pro (version 1709), Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID + [Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Microsoft Entra ID -[Shell Launcher](kiosk-shelllauncher.md) v2 | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID +[Shell Launcher](kiosk-shelllauncher.md) v2 | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID - + -## Methods for a single-app kiosk running a Windows desktop application +## Methods for a single-app kiosk running a Windows desktop application You can use this method | For this edition | For this kiosk account type + --- | --- | --- [The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID + [Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Microsoft Entra ID -[Shell Launcher](kiosk-shelllauncher.md) v1 and v2 | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID +[Shell Launcher](kiosk-shelllauncher.md) v1 and v2 | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID - + -## Methods for a multi-app kiosk +## Methods for a 
multi-app kiosk You can use this method | For this edition | For this kiosk account type + --- | --- | --- [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID [Microsoft Intune or other MDM](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Microsoft Entra ID -[MDM WMI Bridge Provider](kiosk-mdm-bridge.md) | Pro, Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID +[MDM WMI Bridge Provider](kiosk-mdm-bridge.md) | Pro, Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID -## Summary of kiosk configuration methods +## Summary of kiosk configuration methods Method | App type | Account type | Single-app kiosk | Multi-app kiosk --- | --- | --- | :---: | :---: @@ -110,7 +112,8 @@ Method | App type | Account type | Single-app kiosk | Multi-app kiosk [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✔️ | ✔️ Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md#mdm) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Microsoft Entra ID | ✔️ | ✔️ [Shell Launcher](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✔️ | -[MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | | ✔️ + +[MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | | ✔️ >[!NOTE] 
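Review bot: in the hunk at `@@ -1,106 +1,108 @@`, the `[!INCLUDE [assigned-access-kiosk-mode](../../includes/licensing/assigned-access-kiosk-mode.md)]` line is re-added with the same relative path although the header moves this file from `windows/configuration/` to `windows/configuration/kiosk/`. From the new location `../../` resolves one directory lower than before, so the include needs `../../../includes/...` unless a copy exists at the new target. The same check applies to the relative links the hunk leaves as they were, such as `images/office-logo.png`, `images/windows.png` and `images/user.png`, which are not among the renames visible here.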
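Review bot: in the last hunk of kiosk-methods.md (`@@ -110,7 +112,8 @@`), the line added before the `[MDM Bridge WMI Provider](kiosk-mdm-bridge.md)` row is shown as empty, and an empty line ends a Markdown table, so that row would render as a plain paragraph below the summary table instead of as its last row. Remove the added line. The earlier hunk does the same between the header row and the `--- | --- | ---` delimiter of the three method tables, which would stop those from rendering as tables at all.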
diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk/kiosk-policies.md similarity index 86% rename from windows/configuration/kiosk-policies.md rename to windows/configuration/kiosk/kiosk-policies.md index 9e599f8790..7389d1296f 100644 --- a/windows/configuration/kiosk-policies.md +++ b/windows/configuration/kiosk/kiosk-policies.md 
@@ -1,35 +1,30 @@ --- title: Policies enforced on kiosk devices (Windows 10/11) description: Learn about the policies enforced on a device when you configure it as a kiosk. -ms.reviewer: sybruckm -manager: aaroncz -ms.prod: windows-client -author: lizgt2000 -ms.localizationpriority: medium -ms.author: lizlong +ms.reviewer: sybruckm + ms.topic: article -ms.technology: itpro-configure ms.date: 12/31/2017 ---- +--- -# Policies enforced on kiosk devices +# Policies enforced on kiosk devices -**Applies to** +**Applies to** -- Windows 10 Pro, Enterprise, and Education -- Windows 11 +- Windows 10 Pro, Enterprise, and Education +- Windows 11 + + + +It isn't recommended to set policies enforced in assigned access kiosk mode to different values using other channels, as the kiosk mode has been optimized to provide a locked-down experience. + +When the assigned access kiosk configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. +## Group Policy -It isn't recommended to set policies enforced in assigned access kiosk mode to different values using other channels, as the kiosk mode has been optimized to provide a locked-down experience. - -When the assigned access kiosk configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. - - -## Group Policy - -The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. These users include local users, domain users, and Microsoft Entra users. +The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. These users include local users, domain users, and Microsoft Entra users. | Setting | Value | | --- | --- | 
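Review bot: the re-added sentence under `## Group Policy` still reads "regardless whether the user is configured as an assigned access user or not"; since the line is touched, change it to "regardless of whether the user is configured as an assigned access user". This hunk also strips `manager`, `ms.prod`, `author`, `ms.localizationpriority`, `ms.author` and `ms.technology` from the front matter while keeping `ms.reviewer`. Say in the commit message where those values now come from, since nothing in the visible diff replaces them.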
@@ -56,18 +51,18 @@ Turn off toast notifications | Enabled Remove Task Manager | Enabled Remove Change Password option in Security Options UI | Enabled Remove Sign Out option in Security Options UI | Enabled -Remove All Programs list from the Start Menu | Enabled – Remove and disable setting -Prevent access to drives from My Computer | Enabled - Restrict all drives +Remove All Programs list from the Start Menu | Enabled - Remove and disable setting +Prevent access to drives from My Computer | Enabled - Restrict all drives >[!NOTE] ->When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics. +>When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics. 
+ + + +## MDM policy - -## MDM policy - - -Some of the MDM policies based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system (that is, system-wide impact). +Some of the MDM policies based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system (that is, system-wide impact). Setting | Value | System-wide --- | --- | --- diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk/kiosk-prepare.md similarity index 83% rename from windows/configuration/kiosk-prepare.md rename to windows/configuration/kiosk/kiosk-prepare.md index 05323a4d02..f2ac235565 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk/kiosk-prepare.md 
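Review bot: In the `@@ -56,18 +51,18 @@` hunk of kiosk-policies.md, the only textual change is the en dash becoming a hyphen in the `Remove All Programs list from the Start Menu` row. The `Prevent access to drives from My Computer` row, the `[!NOTE]` block, the `## MDM policy` heading and the paragraph under it are removed and re-added with the same wording, and three empty lines now precede the heading. Keep the dash fix and drop the whitespace-only rewrites so the diff shows the one-character change. If the NOTE is being touched anyway, consider moving its last two sentences (programs and the Disk Management snap-in can still reach the drives) to the front, since that limitation is what an administrator relying on this policy for lockdown most needs to read.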
@@ -1,282 +1,282 @@ --- title: Prepare a device for kiosk configuration on Windows 10/11 | Microsoft Docs description: Learn how to prepare a device for kiosk configuration. Also, learn about the recommended kiosk configuration changes. -ms.reviewer: sybruckm -manager: aaroncz -ms.author: lizlong -ms.prod: windows-client -author: lizgt2000 -ms.localizationpriority: medium +ms.reviewer: sybruckm + ms.topic: article -ms.technology: itpro-configure ms.date: 12/31/2017 ---- +--- -# Prepare a device for kiosk configuration +# Prepare a device for kiosk configuration -**Applies to** +**Applies to** - Windows 10 Pro, Enterprise, and Education -- Windows 11 +- Windows 11 + - -## Before you begin +## Before you begin - [User account control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode. - Kiosk mode isn't supported over a remote desktop connection. Your kiosk users must sign in on the physical device that's set up as a kiosk. -- For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with the least privileges, such as a local standard user account. +- For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with the least privileges, such as a local standard user account. - Assigned access can be configured using Windows Management Instrumentation (WMI) or configuration service provider (CSP). Assigned access runs an application using a domain user or service account, not a local account. Using a domain user or service accounts has risks, and might allow an attacker to gain access to domain resources that are accessible to any domain account. When using domain accounts with assigned access, proceed with caution. Consider the domain resources potentially exposed by using a domain account. 
+ Assigned access can be configured using Windows Management Instrumentation (WMI) or configuration service provider (CSP). Assigned access runs an application using a domain user or service account, not a local account. Using a domain user or service accounts has risks, and might allow an attacker to gain access to domain resources that are accessible to any domain account. When using domain accounts with assigned access, proceed with caution. Consider the domain resources potentially exposed by using a domain account. -- MDM providers, such as [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), use the configuration service providers (CSP) exposed by the Windows OS to manage settings on devices. In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started: +- MDM providers, such as [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), use the configuration service providers (CSP) exposed by the Windows OS to manage settings on devices. In this article, we mention these services. 
If you're not managing your devices using an MDM provider, the following resources may help you get started: - [Endpoint Management at Microsoft](/mem/endpoint-manager-getting-started) - [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide) - - [What is Configuration Manager?](/mem/configmgr/core/understand/introduction) + - [What is Configuration Manager?](/mem/configmgr/core/understand/introduction) -## Configuration recommendations +## Configuration recommendations -For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk: +For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk: -- **Hide update notifications**. Starting with Windows 10 version 1809, you can hide notifications from showing on the devices. To enable this feature, you have the following options: +- **Hide update notifications**. Starting with Windows 10 version 1809, you can hide notifications from showing on the devices. To enable this feature, you have the following options: - - **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Display options for update notifications` + - **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Display options for update notifications` - - **Use an MDM provider**: This feature uses the [Update/UpdateNotificationLevel CSP](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel). In Intune, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature. 
+ - **Use an MDM provider**: This feature uses the [Update/UpdateNotificationLevel CSP](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel). In Intune, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature. - - **Use the registry**: + - **Use the registry**: 1. Open Registry Editor (regedit). 2. Go to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`. 3. Create a **New** > **DWORD (32-bit) Value**. Enter `SetUpdateNotificationLevel`, and set its value to `1`. - 4. Create a **New** > **DWORD (32-bit) Value**. Enter `UpdateNotificationLevel`. For value, you can enter: + 4. Create a **New** > **DWORD (32-bit) Value**. Enter `UpdateNotificationLevel`. For value, you can enter: - `1`: Hides all notifications except restart warnings. - - `2`: Hides all notifications, including restart warnings. + - `2`: Hides all notifications, including restart warnings. -- **Enable and schedule automatic updates**. To enable this feature, you have the following options: +- **Enable and schedule automatic updates**. To enable this feature, you have the following options: - **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates`. Select `4 - Auto download and schedule the install`. - - **Use an MDM provider**: This feature uses the [Update/AllowAutoUpdate CSP](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate). Select `3 - Auto install and restart at a specified time`. In Intune, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature. + - **Use an MDM provider**: This feature uses the [Update/AllowAutoUpdate CSP](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate). Select `3 - Auto install and restart at a specified time`. 
In Intune, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature. - You can also schedule automatic updates, including **Schedule Install Day**, **Schedule Install Time**, and **Schedule Install Week**. Installations can take between 30 minutes and 2 hours, depending on the device. Schedule updates to occur when a block of 3-4 hours is available. + You can also schedule automatic updates, including **Schedule Install Day**, **Schedule Install Time**, and **Schedule Install Week**. Installations can take between 30 minutes and 2 hours, depending on the device. Schedule updates to occur when a block of 3-4 hours is available. -- **Enable automatic restart at the scheduled time**. To enable this feature, you have the following options: +- **Enable automatic restart at the scheduled time**. To enable this feature, you have the following options: - - **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Always automatically restart at the scheduled time`. Select `4 - Auto download and schedule the install`. + - **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Always automatically restart at the scheduled time`. Select `4 - Auto download and schedule the install`. - - **Use an MDM provider**: This feature uses the [Update/ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#update-activehoursstart) and [Update/ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#update-activehoursend) CSPs. In Intune, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature. + - **Use an MDM provider**: This feature uses the [Update/ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#update-activehoursstart) and [Update/ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#update-activehoursend) CSPs. 
In Intune, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature. -- **Replace "blue screen" with blank screen for OS errors**. To enable this feature, use the Registry Editor: +- **Replace "blue screen" with blank screen for OS errors**. To enable this feature, use the Registry Editor: 1. Open Registry Editor (regedit). 2. Go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl`. - 3. Create a **New** > **DWORD (32-bit) Value**. Enter `DisplayDisabled`, and set its value to `1`. + 3. Create a **New** > **DWORD (32-bit) Value**. Enter `DisplayDisabled`, and set its value to `1`. -- **Put device in "Tablet mode"**. If you want users to use the touch screen, without using a keyboard or mouse, then turn on tablet mode using the Settings app. If users won't interact with the kiosk, such as for a digital sign, then don't turn on this setting. +- **Put device in "Tablet mode"**. If you want users to use the touch screen, without using a keyboard or mouse, then turn on tablet mode using the Settings app. If users won't interact with the kiosk, such as for a digital sign, then don't turn on this setting. - Applies to Windows 10 only. Currently, Tablet mode isn't supported on Windows 11. + Applies to Windows 10 only. Currently, Tablet mode isn't supported on Windows 11. - Your options: + Your options: - Use the **Settings** app: 1. Open the **Settings** app. 2. Go to **System** > **Tablet mode**. - 3. Configure the settings you want. + 3. Configure the settings you want. - Use the **Action Center**: 1. On your device, swipe in from the left. - 2. Select **Tablet mode**. + 2. Select **Tablet mode**. 
-- **Hide "Ease of access" feature on the sign-in screen**: To enable this feature, you have the following options: +- **Hide "Ease of access" feature on the sign-in screen**: To enable this feature, you have the following options: - **Use an MDM provider**: In Intune, you can use the [Control Panel and Settings](/mem/intune/configuration/device-restrictions-windows-10#control-panel-and-settings) to manage this feature. - - **Use the registry**: For more information, see [how to disable the Ease of Access button in the registry](/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen). + - **Use the registry**: For more information, see [how to disable the Ease of Access button in the registry](/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen). -- **Disable the hardware power button**: To enable this feature, you have the following options: +- **Disable the hardware power button**: To enable this feature, you have the following options: - **Use the Settings app**: 1. Open the **Settings** app. 2. Go to **System** > **Power & Sleep** > **Additional power settings** > **Choose what the power button does**. 3. Select **Do nothing**. - 4. **Save changes**. + 4. **Save changes**. - - **Use Group Policy**: Your options: + - **Use Group Policy**: Your options: - `Computer Configuration\Administrative Templates\System\Power Management\Button Settings`: Set `Select Power Button Action on Battery` and `Select Power Button Action on Plugged In` to **Take no action**. - `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands`: This policy hides the buttons, but doesn't disable them. - - `Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system`: Remove the users or groups from this policy. 
+ - `Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system`: Remove the users or groups from this policy. - To prevent this policy from affecting a member of the Administrators group, be sure to keep the Administrators group. + To prevent this policy from affecting a member of the Administrators group, be sure to keep the Administrators group. - - **Use an MDM provider**: In Intune, you have some options: + - **Use an MDM provider**: In Intune, you have some options: - - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings: + - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings: - `Power\Select Power Button Action on Battery`: Set to **Take no action**. - `Power\Select Power Button Action on Plugged In`: Set to **Take no action**. - - `Start\Hide Power Button`: Set to **Enabled**. This policy hides the button, but doesn't disable it. + - `Start\Hide Power Button`: Set to **Enabled**. This policy hides the button, but doesn't disable it. - - [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following setting: + - [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following setting: - - `\Start menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands`: This policy hides the buttons, but doesn't disable them. 
+ - `\Start menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands`: This policy hides the buttons, but doesn't disable them. - When looking at settings, check the supported OS for each setting to make sure it applies. + When looking at settings, check the supported OS for each setting to make sure it applies. - - [Start settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#start): This option shows this setting, and all the Start menu settings you can manage. + - [Start settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#start): This option shows this setting, and all the Start menu settings you can manage. -- **Remove the power button from the sign-in screen**. To enable this feature, you have the following options: +- **Remove the power button from the sign-in screen**. To enable this feature, you have the following options: - - **Use Group Policy**: `Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on`. Select **Disabled**. + - **Use Group Policy**: `Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on`. Select **Disabled**. - - **Use MDM**: In Intune, you have the following option: + - **Use MDM**: In Intune, you have the following option: - - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following setting: + - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. 
Configure the following setting: - - `Local Policies Security Options\Shutdown Allow System To Be Shut Down Without Having To Log On`: Set to **Disabled**. + - `Local Policies Security Options\Shutdown Allow System To Be Shut Down Without Having To Log On`: Set to **Disabled**. -- **Disable the camera**: To enable this feature, you have the following options: +- **Disable the camera**: To enable this feature, you have the following options: - **Use the Settings app**: + 1. Open the **Settings** app. 2. Go to **Privacy** > **Camera**. - 3. Select **Allow apps use my camera** > **Off**. + 3. Select **Allow apps use my camera** > **Off**. - - **Use Group Policy**: `Computer Configuration\Administrative Templates\Windows Components\Camera: Allow use of camera`: Select **Disabled**. + - **Use Group Policy**: `Computer Configuration\Administrative Templates\Windows Components\Camera: Allow use of camera`: Select **Disabled**. - - **Use an MDM provider**: This feature uses the [Policy CSP - Camera](/windows/client-management/mdm/policy-csp-camera). In Intune, you have the following options: + - **Use an MDM provider**: This feature uses the [Policy CSP - Camera](/windows/client-management/mdm/policy-csp-camera). In Intune, you have the following options: - [General settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#general): This option shows this setting, and more settings you can manage. - - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following setting: + - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following setting: - - `Camera\Allow camera`: Set to **Not allowed**. 
+ - `Camera\Allow camera`: Set to **Not allowed**. -- **Turn off app notifications on the lock screen**: To enable this feature, you have the following options: +- **Turn off app notifications on the lock screen**: To enable this feature, you have the following options: - - **Use the Settings app**: + - **Use the Settings app**: 1. Open the **Settings** app. 2. Go to **System** > **Notifications & actions**. - 3. In **Show notifications on the lock screen**, select **Off**. + 3. In **Show notifications on the lock screen**, select **Off**. - **Use Group policy**: - `Computer Configuration\Administrative Templates\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**. - - `User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**. + - `User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**. - - **Use an MDM provider**: This feature uses the [AboveLock/AllowToasts CSP](/windows/client-management/mdm/policy-csp-abovelock#abovelock-allowtoasts). In Intune, you have the following options: + - **Use an MDM provider**: This feature uses the [AboveLock/AllowToasts CSP](/windows/client-management/mdm/policy-csp-abovelock#abovelock-allowtoasts). In Intune, you have the following options: - - [Locked screen experience device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#locked-screen-experience): See this setting, and more settings you can manage. + - [Locked screen experience device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#locked-screen-experience): See this setting, and more settings you can manage. - - [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. 
Configure the following settings: + - [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following settings: - `\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**. - - `\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**. + - `\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**. - When looking at settings, check the supported OS for each setting to make sure it applies. + When looking at settings, check the supported OS for each setting to make sure it applies. - - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings: + - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings: - `\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**. - - `\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**. + - `\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**. -- **Disable removable media**: To enable this feature, you have the following options: +- **Disable removable media**: To enable this feature, you have the following options: - - **Use Group policy**: `Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions`. Review the available settings that apply to your situation. + - **Use Group policy**: `Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions`. 
Review the available settings that apply to your situation. - To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**. + To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**. - - **Use an MDM provider**: In Intune, you have the following options: + - **Use an MDM provider**: In Intune, you have the following options: - - [General settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#general): See the **Removable storage** setting, and more settings you can manage. + - [General settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#general): See the **Removable storage** setting, and more settings you can manage. - - [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following settings: + - [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following settings: - - `\System\Device Installation`: There are several policies you can manage, including restrictions in `\System\Device Installation\Device Installation Restrictions`. + - `\System\Device Installation`: There are several policies you can manage, including restrictions in `\System\Device Installation\Device Installation Restrictions`. - To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**. 
+ To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**. - When looking at settings, check the supported OS for each setting to make sure it applies. + When looking at settings, check the supported OS for each setting to make sure it applies. - - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings: + - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings: - - `\Administrative Templates\System\Device Installation`: There are several policies you can manage, including restrictions in `\System\Device Installation\Device Installation Restrictions`. + - `\Administrative Templates\System\Device Installation`: There are several policies you can manage, including restrictions in `\System\Device Installation\Device Installation Restrictions`. - To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**. + To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**. -## Enable logging +## Enable logging -Logs can help you [troubleshoot issues](/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default. 
+Logs can help you [troubleshoot issues](/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default. -:::image type="content" source="images/enable-assigned-access-log.png" alt-text="On Windows client, open Event Viewer, right-click Operational, select enable log to turn on logging to help troubleshoot."::: +:::image type="content" source="images/enable-assigned-access-log.png" alt-text="On Windows client, open Event Viewer, right-click Operational, select enable log to turn on logging to help troubleshoot."::: -## Automatic logon +## Automatic logon -You may also want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, from an update or power outage, you can sign in the assigned access account manually. Or, you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device don't prevent automatic sign in. +You may also want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, from an update or power outage, you can sign in the assigned access account manually. Or, you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device don't prevent automatic sign in. > [!NOTE] -> If you are using a Windows client device restriction CSP to set "Preferred Microsoft Entra tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile. +> If you are using a Windows client device restriction CSP to set "Preferred Microsoft Entra tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile. 
> [!TIP] -> If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML. +> If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML. -**How to edit the registry to have an account sign in automatically** +**How to edit the registry to have an account sign in automatically** -1. Open Registry Editor (regedit.exe). +1. Open Registry Editor (regedit.exe). > [!NOTE] > If you are not familiar with Registry Editor, [learn how to modify the Windows registry](/troubleshoot/windows-server/performance/windows-registry-advanced-users). + -2. Go to - **HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\Windows NT\CurrentVersion\Winlogon** +2. Go to -3. Set the values for the following keys. + **HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\Windows NT\CurrentVersion\Winlogon** - - *AutoAdminLogon*: set value as **1**. +3. Set the values for the following keys. - - *DefaultUserName*: set value as the account that you want signed in. + - *AutoAdminLogon*: set value as **1**. - - *DefaultPassword*: set value as the password for the account. + - *DefaultUserName*: set value as the account that you want signed in. + + - *DefaultPassword*: set value as the password for the account. > [!NOTE] - > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. + > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. - - *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, don't add this key. + - *DefaultDomainName*: set value for domain, only for domain accounts. 
For local accounts, don't add this key. -4. Close Registry Editor. The next time the computer restarts, the account will sign in automatically. +4. Close Registry Editor. The next time the computer restarts, the account will sign in automatically. > [!TIP] -> You can also configure automatic sign-in [using the Autologon tool from Sysinternals](/sysinternals/downloads/autologon). +> You can also configure automatic sign-in [using the Autologon tool from Sysinternals](/sysinternals/downloads/autologon). > [!NOTE] -> If you are also using [Custom Logon](/windows-hardware/customize/enterprise/custom-logon) with **HideAutoLogonUI** enabled, you might experience a black screen after a password expires. We recommend that you consider [setting the password to never expire](/windows-hardware/customize/enterprise/troubleshooting-custom-logon#the-device-displays-a-black-screen-when-a-password-expiration-screen-is-displayed). +> If you are also using [Custom Logon](/windows-hardware/customize/enterprise/custom-logon) with **HideAutoLogonUI** enabled, you might experience a black screen after a password expires. We recommend that you consider [setting the password to never expire](/windows-hardware/customize/enterprise/troubleshooting-custom-logon#the-device-displays-a-black-screen-when-a-password-expiration-screen-is-displayed). -## Interactions and interoperability +## Interactions and interoperability -The following table describes some features that have interoperability issues we recommend that you consider when running assigned access. +The following table describes some features that have interoperability issues we recommend that you consider when running assigned access. -- **Accessibility**: Assigned access doesn't change Ease of Access settings. 
We recommend that you use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block the following key combinations that bring up accessibility features: +- **Accessibility**: Assigned access doesn't change Ease of Access settings. We recommend that you use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block the following key combinations that bring up accessibility features: | Key combination | Blocked behavior | | --- | --- | + | Left Alt + Left Shift + Print Screen | Open High Contrast dialog box. | | Left Alt + Left Shift + Num Lock | Open Mouse Keys dialog box. | - | Windows logo key + U | Open Ease of Access Center. | + | Windows logo key + U | Open Ease of Access Center. | -- **Assigned access Windows PowerShell cmdlets**: In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access. For more information, see [Assigned access Windows PowerShell reference](/powershell/module/assignedaccess/) +- **Assigned access Windows PowerShell cmdlets**: In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access. For more information, see [Assigned access Windows PowerShell reference](/powershell/module/assignedaccess/) -- **Key sequences blocked by assigned access**: When in assigned access, some key combinations are blocked for assigned access users. +- **Key sequences blocked by assigned access**: When in assigned access, some key combinations are blocked for assigned access users. - Alt + F4, Alt + Shift + Tab, Alt + Tab aren't blocked by Assigned Access, it's recommended you use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block these key combinations. + Alt + F4, Alt + Shift + Tab, Alt + Tab aren't blocked by Assigned Access, it's recommended you use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block these key combinations. 
- Ctrl + Alt + Delete is the key to break out of Assigned Access. If needed, you can use Keyboard Filter to configure a different key combination to break out of assigned access by setting BreakoutKeyScanCode as described in [WEKF_Settings](/windows-hardware/customize/enterprise/wekf-settings). + Ctrl + Alt + Delete is the key to break out of Assigned Access. If needed, you can use Keyboard Filter to configure a different key combination to break out of assigned access by setting BreakoutKeyScanCode as described in [WEKF_Settings](/windows-hardware/customize/enterprise/wekf-settings). | Key combination | Blocked behavior for assigned access users | | --- | --- | + | Alt + Esc | Cycle through items in the reverse order from which they were opened. | | Ctrl + Alt + Esc | Cycle through items in the reverse order from which they were opened. | | Ctrl + Esc | Open the Start screen. | 
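Review bot: In step 3 of "How to edit the registry to have an account sign in automatically", *DefaultPassword* is set as a String Value under Winlogon, and nothing tells the reader that the kiosk account's password then sits in that key exactly as typed. Suggest adding a note under step 3 saying so, and moving the existing Sysinternals Autologon tip ahead of the manual steps so readers see the alternative first. Two smaller points on lines this hunk touches: the first added line reads "troubleshoot issues ... kiosk issues", repeating "issues", and the registry path has a doubled backslash after SOFTWARE (`SOFTWARE\\Microsoft`) while every other separator is single.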
@@ -286,40 +286,40 @@ The following table describes some features that have interoperability issues we | LaunchApp1 | Open the app that is assigned to this key. | | LaunchApp2 | Open the app that is assigned to this key. On many Microsoft keyboards, the app is Calculator. | | LaunchMail | Open the default mail client. | - | Windows logo key | Open the Start screen. | + | Windows logo key | Open the Start screen. | - Keyboard Filter settings apply to other standard accounts. + Keyboard Filter settings apply to other standard accounts. -- **Key sequences blocked by [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)**: If Keyboard Filter is turned ON, then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter). +- **Key sequences blocked by [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)**: If Keyboard Filter is turned ON, then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter). - [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) is only available on Windows client Enterprise or Education. + [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) is only available on Windows client Enterprise or Education. -- **Power button**: Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user can't turn off the device when it's in assigned access. +- **Power button**: Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. 
Removing the power button ensures the user can't turn off the device when it's in assigned access. - For more information on removing the power button or disabling the physical power button, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). + For more information on removing the power button or disabling the physical power button, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). -- **Unified Write Filter (UWF)**: UWFsettings apply to all users, including users with assigned access. +- **Unified Write Filter (UWF)**: UWFsettings apply to all users, including users with assigned access. - For more information, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter). + For more information, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter). -- **WEDL_AssignedAccess class**: You can use this class to configure and manage basic lockdown features for assigned access. It's recommended to you use the Windows PowerShell cmdlets instead. +- **WEDL_AssignedAccess class**: You can use this class to configure and manage basic lockdown features for assigned access. It's recommended to you use the Windows PowerShell cmdlets instead. - If you need to use assigned access API, see [WEDL_AssignedAccess](/windows-hardware/customize/enterprise/wedl-assignedaccess). + If you need to use assigned access API, see [WEDL_AssignedAccess](/windows-hardware/customize/enterprise/wedl-assignedaccess). -- **Welcome Screen**: Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but for how it functions. You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own. +- **Welcome Screen**: Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but for how it functions. 
You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own. - For more information, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). + For more information, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). -## Testing your kiosk in a virtual machine (VM) +## Testing your kiosk in a virtual machine (VM) -Customers sometimes use virtual machines (VMs) to test configurations before deploying those configurations to physical devices. If you use a VM to test your single-app kiosk configuration, you need to know how to connect to the VM properly. +Customers sometimes use virtual machines (VMs) to test configurations before deploying those configurations to physical devices. If you use a VM to test your single-app kiosk configuration, you need to know how to connect to the VM properly. -A single-app kiosk configuration runs an app above the lock screen. It doesn't work when it's accessed remotely, which includes *enhanced* sessions in Hyper-V. +A single-app kiosk configuration runs an app above the lock screen. It doesn't work when it's accessed remotely, which includes *enhanced* sessions in Hyper-V. -When you connect to a VM configured as a single-app kiosk, you need a *basic* session rather than an enhanced session. In the following image, notice that **Enhanced session** isn't selected in the **View** menu; that means it's a basic session. +When you connect to a VM configured as a single-app kiosk, you need a *basic* session rather than an enhanced session. In the following image, notice that **Enhanced session** isn't selected in the **View** menu; that means it's a basic session. -:::image type="content" source="images/vm-kiosk.png" alt-text="Use a basic session to connect a virtual machine. 
In the View menu, Extended session isn't selected, which means basic is used."::: +:::image type="content" source="images/vm-kiosk.png" alt-text="Use a basic session to connect a virtual machine. In the View menu, Extended session isn't selected, which means basic is used."::: -To connect to a VM in a basic session, don't select **Connect** in the connection dialog, as shown in the following image, but instead, select the **X** button in the upper-right corner to cancel the dialog: +To connect to a VM in a basic session, don't select **Connect** in the connection dialog, as shown in the following image, but instead, select the **X** button in the upper-right corner to cancel the dialog: :::image type="content" source="images/vm-kiosk-connect.png" alt-text="Don't select the connect button. Use the close X in the top corner to connect to a VM in basic session."::: diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk/kiosk-shelllauncher.md similarity index 76% rename from windows/configuration/kiosk-shelllauncher.md rename to windows/configuration/kiosk/kiosk-shelllauncher.md index 4bd3071b0d..f6442775cf 100644 --- a/windows/configuration/kiosk-shelllauncher.md +++ b/windows/configuration/kiosk/kiosk-shelllauncher.md 
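Review bot: This applies to the -286,40 hunk that ends just above the kiosk-shelllauncher.md file header. The alt text for images/vm-kiosk.png says "Extended session isn't selected" while the paragraph before it names the menu item **Enhanced session**; change the alt text to "Enhanced session" so the two agree. On other lines the same hunk touches, "UWFsettings" is missing a space and "It's recommended to you use the Windows PowerShell cmdlets" should read "It's recommended that you use". The lead-in "The following table describes some features" introduces a bulleted list, not a table.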
@@ -1,150 +1,164 @@ --- title: Use Shell Launcher to create a Windows 10/11 kiosk (Windows 10/11) description: Shell Launcher lets you change the default shell that launches when a user signs in to a device. -ms.reviewer: sybruckm -manager: aaroncz -ms.author: lizlong -ms.prod: windows-client -author: lizgt2000 -ms.localizationpriority: medium -ms.topic: article -ms.technology: itpro-configure -ms.date: 12/31/2017 ---- +ms.reviewer: sybruckm -# Use Shell Launcher to create a Windows client kiosk +ms.topic: article +ms.date: 12/31/2017 +--- + +# Use Shell Launcher to create a Windows client kiosk **Applies to** - Windows 10 Ent, Edu -- Windows 11 +- Windows 11 -Using Shell Launcher, you can configure a device that runs an application as the user interface, replacing the default shell (explorer.exe). In **Shell Launcher v1**, available in Windows client, you can only specify a Windows desktop application as the replacement shell. In **Shell Launcher v2**, available in Windows 10 version 1809+ / Windows 11, you can also specify a UWP app as the replacement shell. To use **Shell Launcher v2** in Windows 10 version 1809, you need to install the [KB4551853](https://support.microsoft.com/help/4551853) update. +Using Shell Launcher, you can configure a device that runs an application as the user interface, replacing the default shell (explorer.exe). In **Shell Launcher v1**, available in Windows client, you can only specify a Windows desktop application as the replacement shell. In **Shell Launcher v2**, available in Windows 10 version 1809+ / Windows 11, you can also specify a UWP app as the replacement shell. To use **Shell Launcher v2** in Windows 10 version 1809, you need to install the [KB4551853](https://support.microsoft.com/help/4551853) update. >[!NOTE] >Shell Launcher controls which application the user sees as the shell after sign-in. It does not prevent the user from accessing other desktop applications and system components. 
+ > >Methods of controlling access to other desktop applications and system components can be used in addition to using the Shell Launcher. These methods include, but are not limited to: >- [Group Policy](https://www.microsoft.com/download/details.aspx?id=25250) - example: Prevent access to registry editing tools >- [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview) - Application control policies ->- [Mobile Device Management](/windows/client-management/mdm) - Enterprise management of device security policies +>- [Mobile Device Management](/windows/client-management/mdm) - Enterprise management of device security policies -You can apply a custom shell through Shell Launcher [by using PowerShell](#configure-a-custom-shell-using-powershell). Starting with Windows 10 version 1803+, you can also [use mobile device management (MDM)](#configure-a-custom-shell-in-mdm) to apply a custom shell through Shell Launcher. +You can apply a custom shell through Shell Launcher [by using PowerShell](#configure-a-custom-shell-using-powershell). Starting with Windows 10 version 1803+, you can also [use mobile device management (MDM)](#configure-a-custom-shell-in-mdm) to apply a custom shell through Shell Launcher. -## Differences between Shell Launcher v1 and Shell Launcher v2 +## Differences between Shell Launcher v1 and Shell Launcher v2 -Shell Launcher v1 replaces `explorer.exe`, the default shell, with `eshell.exe` which can launch a Windows desktop application. +Shell Launcher v1 replaces `explorer.exe`, the default shell, with `eshell.exe` which can launch a Windows desktop application. -Shell Launcher v2 replaces `explorer.exe` with `customshellhost.exe`. This new executable file can launch a Windows desktop application or a UWP app. +Shell Launcher v2 replaces `explorer.exe` with `customshellhost.exe`. This new executable file can launch a Windows desktop application or a UWP app. 
In addition to allowing you to use a UWP app for your replacement shell, Shell Launcher v2 offers additional enhancements: - You can use a custom Windows desktop application that can then launch UWP apps, such as **Settings** and **Touch Keyboard**. - From a custom UWP shell, you can launch secondary views and run on multiple monitors. -- The custom shell app runs in full screen, and can run other apps in full screen on user’s demand. +- The custom shell app runs in full screen, and can run other apps in full screen on user’s demand. -For sample XML configurations for the different app combinations, see [Samples for Shell Launcher v2](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2). +For sample XML configurations for the different app combinations, see [Samples for Shell Launcher v2](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2). -## Requirements +## Requirements >[!WARNING] >- Windows 10 doesn’t support setting a custom shell prior to OOBE. If you do, you won’t be able to deploy the resulting image. > ->- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell. +>- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. 
Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell. -- A domain, Microsoft Entra ID, or local user account. +- A domain, Microsoft Entra ID, or local user account. -- A Windows application that is installed for that account. The app can be your own company application or a common app like Internet Explorer. +- A Windows application that is installed for that account. The app can be your own company application or a common app like Internet Explorer. -[See the technical reference for the shell launcher component.](/windows-hardware/customize/enterprise/shell-launcher) +[See the technical reference for the shell launcher component.](/windows-hardware/customize/enterprise/shell-launcher) -## Enable Shell Launcher feature +## Enable Shell Launcher feature -To set a custom shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell or MDM. +To set a custom shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell or MDM. -**To turn on Shell Launcher in Windows features** +**To turn on Shell Launcher in Windows features** -1. Go to Control Panel > **Programs and features** > **Turn Windows features on or off**. +1. Go to Control Panel > **Programs and features** > **Turn Windows features on or off**. -2. Expand **Device Lockdown**. +2. Expand **Device Lockdown**. -2. Select **Shell Launcher** and **OK**. +2. Select **Shell Launcher** and **OK**. -Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or you can use the Deployment Image Servicing and Management (DISM.exe) tool. 
+Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or you can use the Deployment Image Servicing and Management (DISM.exe) tool. -**To turn on Shell Launcher using DISM** +**To turn on Shell Launcher using DISM** 1. Open a command prompt as an administrator. -2. Enter the following command. +2. Enter the following command. ``` Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher - ``` + ``` -## Configure a custom shell in MDM +## Configure a custom shell in MDM -You can use XML and a [custom OMA-URI setting](#custom-oma-uri-setting) to configure Shell Launcher in MDM. +You can use XML and a [custom OMA-URI setting](#custom-oma-uri-setting) to configure Shell Launcher in MDM. -### XML for Shell Launcher configuration +### XML for Shell Launcher configuration -The following XML sample works for **Shell Launcher v1**: +The following XML sample works for **Shell Launcher v1**: ```xml + + + + + + + -``` +``` -For **Shell Launcher v2**, you can use UWP app type for `Shell` by specifying the v2 namespace, and use `v2:AppType` to specify the type, as shown in the following example. If `v2:AppType` is not specified, it implies the shell is Win32 app. +For **Shell Launcher v2**, you can use UWP app type for `Shell` by specifying the v2 namespace, and use `v2:AppType` to specify the type, as shown in the following example. If `v2:AppType` is not specified, it implies the shell is Win32 app. ```xml + + + + + + + + + + -``` +``` >[!TIP] ->In the XML for Shell Launcher v2, note the **AllAppsFullScreen** attribute. When set to **True**, Shell Launcher will run every app in full screen, or maximized for desktop apps. When this attribute is set to **False** or not set, only the custom shell app runs in full screen; other apps launched by the user will run in windowed mode. +>In the XML for Shell Launcher v2, note the **AllAppsFullScreen** attribute. 
When set to **True**, Shell Launcher will run every app in full screen, or maximized for desktop apps. When this attribute is set to **False** or not set, only the custom shell app runs in full screen; other apps launched by the user will run in windowed mode. -[Get XML examples for different Shell Launcher v2 configurations.](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2) +[Get XML examples for different Shell Launcher v2 configurations.](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2) -### Custom OMA-URI setting +### Custom OMA-URI setting -In your MDM service, you can create a [custom OMA-URI setting](/intune/custom-settings-windows-10) to configure Shell Launcher v1 or v2. (The [XML](#xml-for-shell-launcher-configuration) that you use for your setting will determine whether you apply Shell Launcher v1 or v2.) +In your MDM service, you can create a [custom OMA-URI setting](/intune/custom-settings-windows-10) to configure Shell Launcher v1 or v2. (The [XML](#xml-for-shell-launcher-configuration) that you use for your setting will determine whether you apply Shell Launcher v1 or v2.) -The OMA-URI path is `./Device/Vendor/MSFT/AssignedAccess/ShellLauncher`. +The OMA-URI path is `./Device/Vendor/MSFT/AssignedAccess/ShellLauncher`. -For the value, you can select data type `String` and paste the desired configuration file content into the value box. If you wish to upload the xml instead of pasting the content, choose data type `String (XML file)`. +For the value, you can select data type `String` and paste the desired configuration file content into the value box. If you wish to upload the xml instead of pasting the content, choose data type `String (XML file)`. 
-![Screenshot of custom OMA-URI settings.](images/slv2-oma-uri.png) +![Screenshot of custom OMA-URI settings.](images/slv2-oma-uri.png) -After you configure the profile containing the custom Shell Launcher setting, select **All Devices** or selected groups of devices to apply the profile to. Don't assign the profile to users or user groups. +After you configure the profile containing the custom Shell Launcher setting, select **All Devices** or selected groups of devices to apply the profile to. Don't assign the profile to users or user groups. -## Configure a custom shell using PowerShell +## Configure a custom shell using PowerShell -For scripts for Shell Launcher v2, see [Shell Launcher v2 Bridge WMI sample scripts](https://github.com/Microsoft/Windows-iotcore-samples/blob/develop/Samples/ShellLauncherV2/SampleBridgeWmiScripts/README.md). +For scripts for Shell Launcher v2, see [Shell Launcher v2 Bridge WMI sample scripts](https://github.com/Microsoft/Windows-iotcore-samples/blob/develop/Samples/ShellLauncherV2/SampleBridgeWmiScripts/README.md). -For Shell Launcher v1, modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device. +For Shell Launcher v1, modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device. ```powershell # Check if shell launcher license is enabled 
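Review bot: Under "To turn on Shell Launcher in Windows features" the steps are numbered 1, 2, 2 ("2. Expand **Device Lockdown**." followed by "2. Select **Shell Launcher** and **OK**."); since both lines are rewritten here, renumber the last one to 3. In the same hunk the DISM command sits in a fence with no language tag while the XML samples use `xml`, and "Starting with Windows 10 version 1803+" says "starting with" and "+" for the same thing; drop one. The front matter still carries ms.date 12/31/2017 on a page whose body now names Microsoft Entra ID, so the date is worth refreshing if the content was reviewed.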
@@ -152,38 +166,39 @@ function Check-ShellLauncherLicenseEnabled { [string]$source = @" using System; -using System.Runtime.InteropServices; +using System.Runtime.InteropServices; static class CheckShellLauncherLicense { - const int S_OK = 0; + const int S_OK = 0; public static bool IsShellLauncherLicenseEnabled() { - int enabled = 0; + int enabled = 0; if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) { enabled = 0; } + return (enabled != 0); - } + } static class NativeMethods { [DllImport("Slc.dll")] internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value); - } + } } -"@ +"@ - $type = Add-Type -TypeDefinition $source -PassThru + $type = Add-Type -TypeDefinition $source -PassThru return $type[0]::IsShellLauncherLicenseEnabled() -} +} -[bool]$result = $false +[bool]$result = $false $result = Check-ShellLauncherLicenseEnabled "`nShell Launcher license enabled is set to " + $result 
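Review bot: `return $type[0]::IsShellLauncherLicenseEnabled()` depends on the order in which `Add-Type -PassThru` hands back the types, and the C# source defines two (CheckShellLauncherLicense and the nested NativeMethods); if the nested type is returned first, the call fails with a missing-method error. Suggest dropping -PassThru and calling `[CheckShellLauncherLicense]::IsShellLauncherLicenseEnabled()` by name. Also in IsShellLauncherLicenseEnabled, any non-S_OK result from SLGetWindowsInformationDWORD is folded into `enabled = 0`, so a failed query is reported to the admin as "doesn't have required license"; a comment saying so, or a distinct message, would make troubleshooting easier.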
@@ -191,105 +206,107 @@ if (-not($result)) { "`nThis device doesn't have required license to use Shell Launcher" exit -} +} $COMPUTER = "localhost" -$NAMESPACE = "root\standardcimv2\embedded" +$NAMESPACE = "root\standardcimv2\embedded" # Create a handle to the class instance so we can call the static methods. try { $ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting" } catch [Exception] { write-host $_.Exception.Message; + write-host "Make sure Shell Launcher feature is enabled" exit - } + } -# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group. +# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group. -$Admins_SID = "S-1-5-32-544" +$Admins_SID = "S-1-5-32-544" -# Create a function to retrieve the SID for a user account on a machine. +# Create a function to retrieve the SID for a user account on a machine. -function Get-UsernameSID($AccountName) { +function Get-UsernameSID($AccountName) { $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName) - $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier]) + $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier]) return $NTUserSID.Value -} -# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script. +} -$Cashier_SID = Get-UsernameSID("Cashier") +# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script. -# Define actions to take when the shell program exits. +$Cashier_SID = Get-UsernameSID("Cashier") + +# Define actions to take when the shell program exits. $restart_shell = 0 $restart_device = 1 -$shutdown_device = 2 +$shutdown_device = 2 -# Examples. You can change these examples to use the program that you want to use as the shell. +# Examples. 
You can change these examples to use the program that you want to use as the shell. -# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed. +# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed. -$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device) +$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device) -# Display the default shell to verify that it was added correctly. +# Display the default shell to verify that it was added correctly. -$DefaultShellObject = $ShellLauncherClass.GetDefaultShell() +$DefaultShellObject = $ShellLauncherClass.GetDefaultShell() -"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction +"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction -# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed. +# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed. -$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell) +$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell) -# Set Explorer as the shell for administrators. +# Set Explorer as the shell for administrators. -$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe") +$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe") -# View all the custom shells defined. +# View all the custom shells defined. 
"`nCurrent settings for custom shells:" -Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction +Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction -# Enable Shell Launcher +# Enable Shell Launcher -$ShellLauncherClass.SetEnabled($TRUE) +$ShellLauncherClass.SetEnabled($TRUE) -$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() +$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() + +"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled + +# Remove the new custom shells. + +$ShellLauncherClass.RemoveCustomShell($Admins_SID) + +$ShellLauncherClass.RemoveCustomShell($Cashier_SID) + +# Disable Shell Launcher + +$ShellLauncherClass.SetEnabled($FALSE) + +$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() "`nEnabled is set to " + $IsShellLauncherEnabled.Enabled - -# Remove the new custom shells. - -$ShellLauncherClass.RemoveCustomShell($Admins_SID) - -$ShellLauncherClass.RemoveCustomShell($Cashier_SID) - -# Disable Shell Launcher - -$ShellLauncherClass.SetEnabled($FALSE) - -$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() - -"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled -``` +``` ## default action, custom action, exit code -Shell launcher defines 4 actions to handle app exits, you can customize shell launcher and use these actions based on different exit code. +Shell launcher defines 4 actions to handle app exits, you can customize shell launcher and use these actions based on different exit code. Value|Description --- | --- 0|Restart the shell 1|Restart the device 2|Shut down the device -3|Do nothing +3|Do nothing -These action can be used as default action, or can be mapped to a specific exit code. Refer to [Shell Launcher](/windows-hardware/customize/enterprise/wesl-usersettingsetcustomshell) to see how these codes with Shell Launcher WMI. 
+These action can be used as default action, or can be mapped to a specific exit code. Refer to [Shell Launcher](/windows-hardware/customize/enterprise/wesl-usersettingsetcustomshell) to see how these codes with Shell Launcher WMI. To configure these action with Shell Launcher CSP, use below syntax in the shell launcher configuration xml. You can specify at most 4 custom actions mapping to 4 exit codes, and one default action for all other exit codes. When app exits and if the exit code is not found in the custom action mapping, or there is no default action defined, it will be no-op, i.e. nothing happens. So it's recommended to at least define DefaultAction. [Get XML examples for different Shell Launcher v2 configurations.](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2) ``` xml @@ -299,6 +316,6 @@ To configure these action with Shell Launcher CSP, use below syntax in the shell - + ``` diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk/kiosk-single-app.md similarity index 82% rename from windows/configuration/kiosk-single-app.md rename to windows/configuration/kiosk/kiosk-single-app.md index 0218a198e2..2c7e68fdb4 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk/kiosk-single-app.md 
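Review bot: This applies to the -191,105 hunk of kiosk-shelllauncher.md, above the kiosk-single-app.md header. The comment "Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed" does not match the call under it, which passes `$restart_shell` (0, restart the shell); either change the comment to "restart the shell" or pass `$restart_device`. The script also ends by calling RemoveCustomShell for both SIDs and `SetEnabled($FALSE)`, so an admin who runs it as written finishes with Shell Launcher disabled; the teardown section needs a comment telling readers to delete it for a real deployment. The default-shell example uses `cmd.exe`, which gives every account without a custom shell a command prompt on a locked-down device; a less permissive sample shell would be a safer thing to copy. In the prose after the script, "These action can be used" should be "These actions", and "to see how these codes with Shell Launcher WMI" is missing its verb.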
@@ -2,73 +2,73 @@ title: Set up a single-app kiosk on Windows description: A single-use device is easy to set up in Windows Pro, Enterprise, and Education editions. ms.reviewer: sybruckm -ms.author: lizlong -author: lizgt2000 ms.topic: article ms.collection: - tier1 ms.date: 07/12/2023 --- - + -# Set up a single-app kiosk on Windows 10/11 +# Set up a single-app kiosk on Windows 10/11 -**Applies to** +**Applies to** - Windows 10 Pro, Enterprise, and Education -- Windows 11 +- Windows 11 -A single-app kiosk uses the Assigned Access feature to run a single app above the lock screen. When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app. +A single-app kiosk uses the Assigned Access feature to run a single app above the lock screen. When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app. -![Illustration of a single-app kiosk experience.](images/kiosk-fullscreen-sm.png) +![Illustration of a single-app kiosk experience.](images/kiosk-fullscreen-sm.png) >[!IMPORTANT] >[User account control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode. > ->Kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. Apps that run in kiosk mode cannot use copy and paste. +>Kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. Apps that run in kiosk mode cannot use copy and paste. -You have several options for configuring your single-app kiosk. +You have several options for configuring your single-app kiosk. 
-- [Locally, in Settings](#local): The **Set up a kiosk** (previously named **Set up assigned access**) option in **Settings** is a quick and easy method to set up a single device as a kiosk for a local standard user account. +- [Locally, in Settings](#local): The **Set up a kiosk** (previously named **Set up assigned access**) option in **Settings** is a quick and easy method to set up a single device as a kiosk for a local standard user account. - This option supports: + This option supports: - Windows 10 Pro, Enterprise, and Education - - Windows 11 + - Windows 11 -- [PowerShell](#powershell): You can use Windows PowerShell cmdlets to set up a single-app kiosk. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account. +- [PowerShell](#powershell): You can use Windows PowerShell cmdlets to set up a single-app kiosk. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account. - This option supports: + This option supports: - Windows 10 Pro, Enterprise, and Education - - Windows 11 + - Windows 11 -- [The kiosk wizard in Windows Configuration Designer](#wizard): Windows Configuration Designer is a tool that produces a *provisioning package*. A provisioning package includes configuration settings that can be applied to one or more devices during the first-run experience (OOBE), or after OOBE is done (runtime). Using the kiosk wizard, you can also create the kiosk user account, install the kiosk app, and configure more useful settings. +- [The kiosk wizard in Windows Configuration Designer](#wizard): Windows Configuration Designer is a tool that produces a *provisioning package*. 
A provisioning package includes configuration settings that can be applied to one or more devices during the first-run experience (OOBE), or after OOBE is done (runtime). Using the kiosk wizard, you can also create the kiosk user account, install the kiosk app, and configure more useful settings. - This option supports: + This option supports: - Windows 10 Pro version 1709+, Enterprise, and Education - - Windows 11 + - Windows 11 -- [Microsoft Intune or other mobile device management (MDM) provider](#mdm): For devices managed by your organization, you can use MDM to set up a kiosk configuration. +- [Microsoft Intune or other mobile device management (MDM) provider](#mdm): For devices managed by your organization, you can use MDM to set up a kiosk configuration. - This option supports: + This option supports: - Windows 10 Pro version 1709+, Enterprise, and Education - - Windows 11 + - Windows 11 > [!TIP] > You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) by using a [kiosk profile](lock-down-windows-10-to-specific-apps.md#profile). + > -> Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk. +> Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk. - + -## Set up a kiosk in local Settings +## Set up a kiosk in local Settings >App type: + > - UWP > >OS: 
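Review bot: The empty `+` line added inside the `[!TIP]` callout (after the kiosk-profile sentence), and again between `>App type:` and `> - UWP`, ends the blockquote at that point, so "Be sure to check the configuration recommendations" and the UWP item can render outside their callout or label. Use a `>` line instead of a bare blank line to keep each block in one piece. Separately, the front matter drops `ms.author` and `author` with no replacement; confirm these values are supplied elsewhere for this page, otherwise it ends up with no listed owner.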
@@ -76,116 +76,121 @@ You have several options for configuring your single-app kiosk. > - Windows 11 > >Account type: -> - Local standard user +> - Local standard user -You can use **Settings** to quickly configure one or a few devices as a kiosk. +You can use **Settings** to quickly configure one or a few devices as a kiosk. -When your kiosk is a local device that isn't managed by Active Directory or Microsoft Entra ID, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts. +When your kiosk is a local device that isn't managed by Active Directory or Microsoft Entra ID, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts. -- If you want the kiosk account to sign in automatically, and the kiosk app launched when the device restarts, then you don't need to do anything. +- If you want the kiosk account to sign in automatically, and the kiosk app launched when the device restarts, then you don't need to do anything. -- If you don't want the kiosk account to sign in automatically when the device restarts, then you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account. Open the **Settings** app > **Accounts** > **Sign-in options**. Set the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device. 
+- If you don't want the kiosk account to sign in automatically when the device restarts, then you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account. Open the **Settings** app > **Accounts** > **Sign-in options**. Set the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device. - ![Screenshot of automatic sign-in setting.](images/auto-signin.png) + ![Screenshot of automatic sign-in setting.](images/auto-signin.png) -### Windows 10 version 1809+ / Windows 11 +### Windows 10 version 1809+ / Windows 11 -When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows client, you create the kiosk user account at the same time. To set up assigned access in PC settings: +When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows client, you create the kiosk user account at the same time. To set up assigned access in PC settings: -1. Open the **Settings** app > **Accounts**. Select **Other users** or **Family and other users**. +1. Open the **Settings** app > **Accounts**. Select **Other users** or **Family and other users**. -2. Select **Set up a kiosk > Assigned access**, and then select **Get started**. +2. Select **Set up a kiosk > Assigned access**, and then select **Get started**. -3. Enter a name for the new account. +3. Enter a name for the new account. >[!NOTE] - >If there are any local standard user accounts on the device already, the **Create an account** page will offer the option to **Choose an existing account**. + >If there are any local standard user accounts on the device already, the **Create an account** page will offer the option to **Choose an existing account**. -4. Choose the app that will run when the kiosk account signs in. 
Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). If you select **Microsoft Edge** as the kiosk app, you configure the following options: +4. Choose the app that will run when the kiosk account signs in. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). If you select **Microsoft Edge** as the kiosk app, you configure the following options: - Whether Microsoft Edge should display your website full-screen (digital sign) or with some browser controls available (public browser) - Which URL should be displayed when the kiosk accounts signs in - - When Microsoft Edge should restart after a period of inactivity (if you select to run as a public browser) + - When Microsoft Edge should restart after a period of inactivity (if you select to run as a public browser) -5. Select **Close**. +5. Select **Close**. -To remove assigned access, select the account tile on the **Set up a kiosk** page, and then select **Remove kiosk**. +To remove assigned access, select the account tile on the **Set up a kiosk** page, and then select **Remove kiosk**. -### Windows 10 version 1803 and earlier +### Windows 10 version 1803 and earlier -When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10 version 1803 and earlier, you must select an existing local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) +When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10 version 1803 and earlier, you must select an existing local standard user account. 
[Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) -![The Set up assigned access page in Settings.](images/kiosk-settings.png) +![The Set up assigned access page in Settings.](images/kiosk-settings.png) -**To set up assigned access in PC settings** +**To set up assigned access in PC settings** -1. Go to **Start** > **Settings** > **Accounts** > **Other people**. +1. Go to **Start** > **Settings** > **Accounts** > **Other people**. -2. Select **Set up assigned access**. +2. Select **Set up assigned access**. -3. Choose an account. +3. Choose an account. -4. Choose an app. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). +4. Choose an app. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). -5. Close **Settings** – your choices are saved automatically, and will be applied the next time that user account signs in. +5. Close **Settings** - your choices are saved automatically, and will be applied the next time that user account signs in. -To remove assigned access, choose **Turn off assigned access and sign out of the selected account**. +To remove assigned access, choose **Turn off assigned access and sign out of the selected account**. 
- + -## Set up a kiosk using Windows PowerShell +## Set up a kiosk using Windows PowerShell + >App type: + > - UWP > >OS: + > - Windows 10 Pro, Ent, Edu > - Windows 11 > >Account type: -> - Local standard user -![PowerShell windows displaying Set-AssignedAccess cmdlet.](images/set-assignedaccess.png) +> - Local standard user -You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. +![PowerShell windows displaying Set-AssignedAccess cmdlet.](images/set-assignedaccess.png) -Before you run the cmdlet: +You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. + +Before you run the cmdlet: 1. Sign in as administrator. 2. [Create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) for Assigned Access. 3. Sign in as the Assigned Access user account. 4. Install the Universal Windows app that follows the assigned access/above the lock guidelines. 5. Sign out as the Assigned Access user account. -6. Sign in as administrator. +6. Sign in as administrator. -To open PowerShell on Windows client, search for PowerShell, and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator. +To open PowerShell on Windows client, search for PowerShell, and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator. 
- **Configure assigned access by AppUserModelID and user name**: `Set-AssignedAccess -AppUserModelId -UserName ` - **Configure assigned access by AppUserModelID and user SID**: `Set-AssignedAccess -AppUserModelId -UserSID ` - **Configure assigned access by app name and user name**: `Set-AssignedAccess -AppName -UserName ` -- **Configure assigned access by app name and user SID**: `Set-AssignedAccess -AppName -UserSID ` +- **Configure assigned access by app name and user SID**: `Set-AssignedAccess -AppName -UserSID ` > [!NOTE] -> To set up assigned access using `-AppName`, the user account that you enter for assigned access must have signed in at least once. +> To set up assigned access using `-AppName`, the user account that you enter for assigned access must have signed in at least once. -[Learn how to get the AUMID](./find-the-application-user-model-id-of-an-installed-app.md). +[Learn how to get the AUMID](./find-the-application-user-model-id-of-an-installed-app.md). -[Learn how to get the AppName](/powershell/module/assignedaccess/set-assignedaccess) (see **Parameters**). +[Learn how to get the AppName](/powershell/module/assignedaccess/set-assignedaccess) (see **Parameters**). -To remove assigned access, using PowerShell, run the following cmdlet: +To remove assigned access, using PowerShell, run the following cmdlet: ```powershell Clear-AssignedAccess -``` +``` - + -## Set up a kiosk using the kiosk wizard in Windows Configuration Designer +## Set up a kiosk using the kiosk wizard in Windows Configuration Designer >App type: > - UWP + > - Windows desktop application > >OS: 
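Review bot: In the Microsoft Edge options under step 4, "when the kiosk accounts signs in" should read "when the kiosk account signs in"; it is a context line, but the lines around it are already being rewritten, so it is cheap to fix in the same pass. In the PowerShell section, "You can use any of the following PowerShell cmdlets" introduces four parameter combinations of the single cmdlet `Set-AssignedAccess`, and the next line says "Before you run the cmdlet", so the intro should name the one cmdlet and its parameter combinations. Step 5 of the 1803 procedure now joins two clauses with a spaced hyphen (`**Settings** - your choices`); a period or colon reads better.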
@@ -195,60 +200,60 @@ Clear-AssignedAccess > >Account type: > - Local standard user -> - Active Directory +> - Active Directory -![Kiosk wizard option in Windows Configuration Designer.](images/kiosk-wizard.png) +![Kiosk wizard option in Windows Configuration Designer.](images/kiosk-wizard.png) >[!IMPORTANT] ->When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](/troubleshoot/windows-server/user-profiles-and-logon/turn-on-automatic-logon). +>When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](/troubleshoot/windows-server/user-profiles-and-logon/turn-on-automatic-logon). -When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Windows desktop application. +When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Windows desktop application. -[Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and select **Next**, configure the following settings: +[Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and select **Next**, configure the following settings: -1. Enable device setup: +1. 
Enable device setup: - :::image type="content" source="images/set-up-device-details.png" alt-text="In Windows Configuration Designer, enable device setup, enter the device name, the product key to upgrade, turn off shared use, and remove preinstalled software."::: + :::image type="content" source="images/set-up-device-details.png" alt-text="In Windows Configuration Designer, enable device setup, enter the device name, the product key to upgrade, turn off shared use, and remove preinstalled software."::: - If you want to enable device setup, select **Set up device**, and configure the following settings: + If you want to enable device setup, select **Set up device**, and configure the following settings: - **Device name**: Required. Enter a unique 15-character name for the device. You can use variables to add unique characters to the name, such as `Contoso-%SERIAL%` and `Contoso-%RAND:5%`. - **Enter product key**: Optional. Select a license file to upgrade Windows client to a different edition. For more information, see [the permitted upgrades](/windows/deployment/upgrade/windows-10-edition-upgrades). - **Configure devices for shared use**: This setting optimizes Windows client for shared use scenarios, and isn't necessary for a kiosk scenario. Set this value to **No**, which may be the default. - - **Remove pre-installed software**: Optional. Select **Yes** if you want to remove preinstalled software. + - **Remove pre-installed software**: Optional. Select **Yes** if you want to remove preinstalled software. -2. Set up the network: +2. 
Set up the network: - :::image type="content" source="images/set-up-network-details.png" alt-text="In Windows Configuration Designer, turn on wireless connectivity, enter the network SSID, and network type."::: + :::image type="content" source="images/set-up-network-details.png" alt-text="In Windows Configuration Designer, turn on wireless connectivity, enter the network SSID, and network type."::: - If you want to enable network setup, select **Set up network**, and configure the following settings: + If you want to enable network setup, select **Set up network**, and configure the following settings: - **Set up network**: To enable wireless connectivity, select **On**. - **Network SSID**: Enter the Service Set Identifier (SSID) of the network. - - **Network type**: Select **Open** or **WPA2-Personal**. If you select **WPA2-Personal**, enter the password for the wireless network. + - **Network type**: Select **Open** or **WPA2-Personal**. If you select **WPA2-Personal**, enter the password for the wireless network. -3. Enable account management: +3. Enable account management: - :::image type="content" source="images/account-management-details.png" alt-text="In Windows Configuration Designer, join Active Directory, Microsoft Entra ID, or create a local admin account."::: + :::image type="content" source="images/account-management-details.png" alt-text="In Windows Configuration Designer, join Active Directory, Microsoft Entra ID, or create a local admin account."::: - If you want to enable account management, select **Account Management**, and configure the following settings: + If you want to enable account management, select **Account Management**, and configure the following settings: - **Manage organization/school accounts**: Choose how devices are enrolled. Your options: - **Active Directory**: Enter the credentials for a least-privileged user account to join the device to the domain. 
- - **Microsoft Entra ID**: Before you use a Windows Configuration Designer wizard to configure bulk Microsoft Entra enrollment, [set up Microsoft Entra join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Microsoft Entra tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used. + - **Microsoft Entra ID**: Before you use a Windows Configuration Designer wizard to configure bulk Microsoft Entra enrollment, [set up Microsoft Entra join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Microsoft Entra tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used. - If you select this option, enter a friendly name for the bulk token you get using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Microsoft Entra ID, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions. + If you select this option, enter a friendly name for the bulk token you get using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Microsoft Entra ID, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions. - You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards. + You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards. 
- - **Local administrator**: If you select this option, enter a user name and password. If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password isn't changed during that period, the account might be locked out, and unable to sign in. + - **Local administrator**: If you select this option, enter a user name and password. If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password isn't changed during that period, the account might be locked out, and unable to sign in. -4. Add applications: +4. Add applications: - :::image type="content" source="images/add-applications-details.png" alt-text="In Windows Configuration Designer, add an application that will run in kiosk mode."::: + :::image type="content" source="images/add-applications-details.png" alt-text="In Windows Configuration Designer, add an application that will run in kiosk mode."::: - To add applications to the devices, select **Add applications**. You can install multiple applications in a provisioning package, including Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps. The settings in this step vary depending on the application you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md). + To add applications to the devices, select **Add applications**. You can install multiple applications in a provisioning package, including Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps. The settings in this step vary depending on the application you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md). > [!WARNING] > If you select the plus button to add an application, you must enter an application for the provisioning package to validate. 
If you select the plus button by mistake, then: 
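Review bot: The page moves into `kiosk/`, but the re-added lines keep the relative links `provisioning-packages/provisioning-install-icd.md` and `provisioning-packages/provision-pcs-with-apps.md` unchanged, so they now resolve under `kiosk/provisioning-packages/`. Unless that folder is created in the same change, they need `../provisioning-packages/...`; the `images/...` sources on the `:::image` lines need the same check. Also on a re-added line, "For more informations, see" should be "For more information, see".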
@@ -256,90 +261,92 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des > 1. In **Installer Path**, select any executable file. > 2. When the **Cancel** button shows, select it. > - > These steps let you complete the provisioning package without adding an application. + > These steps let you complete the provisioning package without adding an application. -5. Add certificates: +5. Add certificates: - :::image type="content" source="images/add-certificates-details.png" alt-text="In Windows Configuration Designer, add a certificate."::: + :::image type="content" source="images/add-certificates-details.png" alt-text="In Windows Configuration Designer, add a certificate."::: - To add a certificate to the devices, select **Add certificates**, and configure the following settings: + To add a certificate to the devices, select **Add certificates**, and configure the following settings: - **Certificate name**: Enter a name for the certificate. - - **Certificate path**: Browse and select the certificate you want to add. + - **Certificate path**: Browse and select the certificate you want to add. -6. Configure the kiosk account, and the kiosk mode app: +6. 
Configure the kiosk account, and the kiosk mode app: - :::image type="content" source="images/kiosk-account-details.png" alt-text="In Windows Configuration Designer, the Configure kiosk common settings button is shown when provisioning a kiosk device."::: + :::image type="content" source="images/kiosk-account-details.png" alt-text="In Windows Configuration Designer, the Configure kiosk common settings button is shown when provisioning a kiosk device."::: - To add the account that runs the app and choose the app type, select **Configure kiosk account and app**, and configure the following settings: + To add the account that runs the app and choose the app type, select **Configure kiosk account and app**, and configure the following settings: - **Create a local standard user account to run the kiosk mode app**: Select **Yes** to create a local standard user account, and enter the **User name** and **Password**. This user account runs the app. If you select **No**, make sure you have an existing user account to run the kiosk app. - **Auto sign-in**: Select **Yes** to automatically sign in the account when the device starts. **No** doesn't automatically sign in the account. If there are issues with auto sign-in after you apply the provisioning package, then check the Event Viewer logs for auto logon issues (`Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational`). - **Configure the kiosk mode app**: Enter the **User name** of the account that will run the kiosk mode app. In **App type**, select the type of app to run. Your options: - **Windows desktop application**: Enter the path or filename. If the file path is in the PATH environment variable, then you can use the filename. Otherwise, the full path is required. - - **Universal Windows app**: Enter the AUMID. + - **Universal Windows app**: Enter the AUMID. -7. Configure kiosk common settings: +7. 
Configure kiosk common settings: - :::image type="content" source="images/kiosk-common-details.png" alt-text="In Windows Configuration Designer, set tablet mode, configure the welcome and shutdown screens, and turn off the power timeout settings."::: + :::image type="content" source="images/kiosk-common-details.png" alt-text="In Windows Configuration Designer, set tablet mode, configure the welcome and shutdown screens, and turn off the power timeout settings."::: - To configure the tablet mode, configure welcome and shutdown screens, and set the power settings, select **Configure kiosk common settings**, and configure the following settings: + To configure the tablet mode, configure welcome and shutdown screens, and set the power settings, select **Configure kiosk common settings**, and configure the following settings: - **Set tablet mode** - **Customize user experience** - - **Configure power settings** + - **Configure power settings** -8. Finish: +8. Finish: - :::image type="content" source="images/finish-details.png" alt-text="In Windows Configuration Designer, protect your package with a password."::: + :::image type="content" source="images/finish-details.png" alt-text="In Windows Configuration Designer, protect your package with a password."::: - To complete the wizard, select **Finish**, and configure the following setting: + To complete the wizard, select **Finish**, and configure the following setting: - - **Protect your package**: Select **Yes** to password protect your provisioning package. When you apply the provisioning package to a device, you must enter this password. + - **Protect your package**: Select **Yes** to password protect your provisioning package. When you apply the provisioning package to a device, you must enter this password. 
>[!NOTE] ->If you want to use [the advanced editor in Windows Configuration Designer](provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings** +>If you want to use [the advanced editor in Windows Configuration Designer](provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings** >[!IMPORTANT] ->When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. +>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. -[Learn how to apply a provisioning package.](provisioning-packages/provisioning-apply-package.md) +[Learn how to apply a provisioning package.](provisioning-packages/provisioning-apply-package.md) - + -## Set up a kiosk or digital sign using Microsoft Intune or other MDM service +## Set up a kiosk or digital sign using Microsoft Intune or other MDM service >App type: + > - UWP > >OS: + > - Windows 10 Pro version 1709+, Ent, Edu > - Windows 11 > >Account type: > - Local standard user -> - Microsoft Entra ID +> - Microsoft Entra ID -Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp). 
Assigned Access has a `KioskModeApp` setting. In the `KioskModeApp` setting, you enter the user account name and the [AUMID](/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode. +Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a `KioskModeApp` setting. In the `KioskModeApp` setting, you enter the user account name and the [AUMID](/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode. >[!TIP] ->A ShellLauncher node has been added to the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). +>A ShellLauncher node has been added to the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). -To configure a kiosk in Microsoft Intune, see [Windows client and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings). For other MDM services, see the documentation for your provider. +To configure a kiosk in Microsoft Intune, see [Windows client and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings). For other MDM services, see the documentation for your provider. + +## Sign out of assigned access -## Sign out of assigned access +To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the sign in screen timeout, the kiosk app relaunches. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account. 
-To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the sign in screen timeout, the kiosk app relaunches. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account. +If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key: -If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key: +`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI` -`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI` - -To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. +To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. > [!NOTE] -> **IdleTimeOut** doesn't apply to the new Microsoft Edge kiosk mode. +> **IdleTimeOut** doesn't apply to the new Microsoft Edge kiosk mode. The Breakout Sequence of **Ctrl + Alt + Del** is the default, but this sequence can be configured to be a different sequence of keys. The breakout sequence uses the format **modifiers + keys**. An example breakout sequence would look something like **Shift + Alt + a**, where **Shift** and **Alt** are the modifiers and **a** is the key value. For more information, see [Microsoft Edge kiosk XML sample](/windows/configuration/kiosk-xml#microsoft-edge-kiosk-xml-sample). 
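Review bot: The unchanged context line that closes this hunk still links to `/windows/configuration/kiosk-xml#microsoft-edge-kiosk-xml-sample`, while this same patch renames `windows/configuration/kiosk-xml.md` to `windows/configuration/kiosk/kiosk-xml.md`. Update the link to the new path or add a redirect for the old URL, otherwise the breakout-sequence reference stops resolving. Separately, the lines added after `>App type:` and `>OS:` appear to be blank with no `>` prefix, which ends the blockquote so the list items that follow render as a separate quote; use a bare `>` line if spacing is wanted there.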
diff --git a/windows/configuration/kiosk-validate.md b/windows/configuration/kiosk/kiosk-validate.md similarity index 82% rename from windows/configuration/kiosk-validate.md rename to windows/configuration/kiosk/kiosk-validate.md index 7ab28c7741..8cafe39b58 100644 --- a/windows/configuration/kiosk-validate.md +++ b/windows/configuration/kiosk/kiosk-validate.md 
@@ -1,56 +1,55 @@ --- title: Validate kiosk configuration (Windows 10/11) -description: In this article, learn what to expect on a multi-app kiosk in Windows 10/11 Pro, Enterprise, and Education. -ms.reviewer: sybruckm -manager: aaroncz -ms.author: lizlong -ms.prod: windows-client -author: lizgt2000 -ms.localizationpriority: medium +description: In this article, learn what to expect on a multi-app kiosk in Windows 10/11 Pro, Enterprise, and Education. +ms.reviewer: sybruckm + ms.topic: article -ms.technology: itpro-configure ms.date: 12/31/2017 ---- +--- -# Validate kiosk configuration +# Validate kiosk configuration -**Applies to** +**Applies to** -- Windows 10 Pro, Enterprise, and Education -- Windows 11 +- Windows 10 Pro, Enterprise, and Education +- Windows 11 -To identify the provisioning packages applied to a device, go to **Settings** > **Accounts** > **Access work or school**, and then click **Add or remove a provisioning package**. You should see a list of packages that were applied to the device. +To identify the provisioning packages applied to a device, go to **Settings** > **Accounts** > **Access work or school**, and then click **Add or remove a provisioning package**. You should see a list of packages that were applied to the device. -Optionally, run Event Viewer (eventvwr.exe) and look through logs under **Applications and Services Logs** > **Microsoft** > **Windows** > **Provisioning-Diagnostics-Provider** > **Admin**. +Optionally, run Event Viewer (eventvwr.exe) and look through logs under **Applications and Services Logs** > **Microsoft** > **Windows** > **Provisioning-Diagnostics-Provider** > **Admin**. -To test the kiosk, sign in with the assigned access user account you specified in the configuration to check out the multi-app experience. +To test the kiosk, sign in with the assigned access user account you specified in the configuration to check out the multi-app experience. 
>[!NOTE] ->The kiosk configuration setting will take effect the next time the assigned access user signs in. If that user account is signed in when you apply the configuration, make sure the user signs out and signs back in to validate the experience. +>The kiosk configuration setting will take effect the next time the assigned access user signs in. If that user account is signed in when you apply the configuration, make sure the user signs out and signs back in to validate the experience. -The following sections explain what to expect on a multi-app kiosk. +The following sections explain what to expect on a multi-app kiosk. -### App launching and switching experience +### App launching and switching experience -In the multi-app mode, to maximize the user productivity and streamline the experience, an app will be always launched in full screen when the users click the tile on the Start. The users can minimize and close the app, but cannot resize the app window. +In the multi-app mode, to maximize the user productivity and streamline the experience, an app will be always launched in full screen when the users click the tile on the Start. The users can minimize and close the app, but cannot resize the app window. -The users can switch apps just as they do today in Windows. They can use the Task View button, Alt + Tab hotkey, and the swipe in from the left gesture to view all the open apps in task view. They can click the Windows button to show Start, from which they can open apps, and they can switch to an opened app by clicking it on the taskbar. +The users can switch apps just as they do today in Windows. They can use the Task View button, Alt + Tab hotkey, and the swipe in from the left gesture to view all the open apps in task view. They can click the Windows button to show Start, from which they can open apps, and they can switch to an opened app by clicking it on the taskbar. 
-### Start changes +### Start changes When the assigned access user signs in, you should see a restricted Start experience: - Start gets launched in full screen and prevents the end user from accessing the desktop. + - Start shows the layout aligned with what you defined in the multi-app configuration XML. + - Start prevents the end user from changing the tile layout. - The user cannot resize, reposition, and unpin the tiles. - The user cannot pin additional tiles on the start. - Start hides **All Apps** list. - Start hides all the folders on Start (including File Explorer, Settings, Documents, Downloads, Music, Pictures, Videos, HomeGroup, Network, and Personal folders). -- Only **User** and **Power** buttons are available. (You can control whether to show the **User/Power** buttons using [existing policies](/windows/client-management/mdm/policy-csp-start).) -- Start hides **Change account settings** option under **User** button. -### Taskbar changes +- Only **User** and **Power** buttons are available. (You can control whether to show the **User/Power** buttons using [existing policies](/windows/client-management/mdm/policy-csp-start).) + +- Start hides **Change account settings** option under **User** button. + +### Taskbar changes If the applied multi-app configuration enables taskbar, when the assigned access user signs in, you should see a restricted Taskbar experience: - Disables context menu of Start button (Quick Link) 
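Review bot: The front matter in this hunk drops `author`, `ms.author`, `manager`, `ms.prod`, `ms.localizationpriority` and `ms.technology` and adds nothing in their place; please confirm the new `kiosk/` folder supplies these through folder-level metadata, or keep at least `author` and `ms.author` in the file. In the Start changes list, blank lines are added only around `Start shows the layout ...` and between the last two bullets, which makes the whole list loose and the spacing inconsistent; either keep the list tight or separate every item.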
@@ -58,11 +57,11 @@ If the applied multi-app configuration enables taskbar, when the assigned access - Prevents the end user from changing the taskbar - Disables Cortana and Search Windows - Hides notification icons and system icons, e.g. Action Center, People, Windows Ink Workspace -- Allows the end user to view the status of the network connection and power state, but disables the flyout of **Network/Power** to prevent end user from changing the settings +- Allows the end user to view the status of the network connection and power state, but disables the flyout of **Network/Power** to prevent end user from changing the settings -### Blocked hotkeys +### Blocked hotkeys -The multi-app mode blocks the following hotkeys, which are not relevant for the lockdown experience. +The multi-app mode blocks the following hotkeys, which are not relevant for the lockdown experience. | Hotkey | Action | | --- | --- | 
@@ -81,14 +80,14 @@ The multi-app mode blocks the following hotkeys, which are not relevant for the | Windows logo key + S | Open search | | Windows logo key + X | Open the Quick Link menu | | Windows logo key + comma (,) | Temporarily peek at the desktop | -| Windows logo key + Ctrl + F | Search for PCs (if you're on a network) | +| Windows logo key + Ctrl + F | Search for PCs (if you're on a network) | + +### Locked-down Ctrl+Alt+Del screen -### Locked-down Ctrl+Alt+Del screen +The multi-app mode removes options (e.g. **Change a password**, **Task Manager**, **Network**) in the Ctrl+Alt+Del screen to ensure the users cannot access the functionalities that are not allowed in the lockdown experience. -The multi-app mode removes options (e.g. **Change a password**, **Task Manager**, **Network**) in the Ctrl+Alt+Del screen to ensure the users cannot access the functionalities that are not allowed in the lockdown experience. - -### Auto-trigger touch keyboard +### Auto-trigger touch keyboard In the multi-app mode, the touch keyboard will be automatically triggered when there is an input needed and no physical keyboard is attached on touch-enabled devices. You don’t need to configure any other setting to enforce this behavior. diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk/kiosk-xml.md similarity index 96% rename from windows/configuration/kiosk-xml.md rename to windows/configuration/kiosk/kiosk-xml.md index d4525a15f4..9d0a9191b3 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk/kiosk-xml.md 
@@ -1,33 +1,29 @@ --- title: Assigned Access configuration kiosk XML reference (Windows 10/11) description: Learn about the assigned access configuration (kiosk) for XML and XSD for kiosk device configuration in Windows 10/11. -ms.reviewer: sybruckm -manager: aaroncz -ms.prod: windows-client -author: lizgt2000 -ms.localizationpriority: medium -ms.author: lizlong +ms.reviewer: sybruckm + ms.topic: article -ms.technology: itpro-configure ms.date: 12/31/2017 ---- +--- -# Assigned Access configuration (kiosk) XML reference +# Assigned Access configuration (kiosk) XML reference -**Applies to** +**Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 -## Full XML sample +## Full XML sample >[!NOTE] ->Updated for Windows 10, version 1903, 1909, and 2004. +>Updated for Windows 10, version 1903, 1909, and 2004. ```xml @@ -61,6 +57,7 @@ ms.date: 12/31/2017 @@ -140,7 +137,7 @@ ms.date: 12/31/2017 ``` -## Kiosk only sample XML +## Kiosk only sample XML ```xml @@ -160,11 +157,11 @@ ms.date: 12/31/2017 -``` +``` -## Auto Launch Sample XML +## Auto Launch Sample XML -This sample demonstrates that both UWP and Win32 apps can be configured to automatically launch, when assigned access account logs in. One profile can have at most one app configured for auto launch. AutoLaunchArguments are passed to the apps as is and the app needs to handle the arguments explicitly. +This sample demonstrates that both UWP and Win32 apps can be configured to automatically launch, when assigned access account logs in. One profile can have at most one app configured for auto launch. AutoLaunchArguments are passed to the apps as is and the app needs to handle the arguments explicitly. ```xml @@ -194,6 +191,7 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom @@ -247,9 +245,9 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom - + -``` +``` ## Microsoft Edge Kiosk XML Sample ```xml 
@@ -260,6 +258,7 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom > + @@ -271,18 +270,18 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom -``` +``` -## Global Profile Sample XML +## Global Profile Sample XML -Global Profile is supported on: +Global Profile is supported on: - Windows 11 -- Windows 10, version 2004 and later +- Windows 10, version 2004 and later -Global Profile is designed for scenarios where a user doesn't have a designated profile, yet you still want the user to run in lockdown mode. It's also used as mitigation when a profile can't be determined for a user. +Global Profile is designed for scenarios where a user doesn't have a designated profile, yet you still want the user to run in lockdown mode. It's also used as mitigation when a profile can't be determined for a user. -This sample demonstrates that only a global profile is used, with no active user configured. Global Profile will be applied when every non-admin account signs in. +This sample demonstrates that only a global profile is used, with no active user configured. Global Profile will be applied when every non-admin account signs in. ```xml @@ -313,6 +312,7 @@ This sample demonstrates that only a global profile is used, with no active user @@ -333,7 +333,7 @@ This sample demonstrates that only a global profile is used, with no active user -``` +``` Below sample shows dedicated profile and global profile mixed usage, a user would use one profile, everyone else that's non-admin will use another profile. ```xml @@ -365,6 +365,7 @@ Below sample shows dedicated profile and global profile mixed usage, a user woul 
@@ -415,14 +416,14 @@ Below sample shows dedicated profile and global profile mixed usage, a user woul - + -``` +``` ## Folder Access sample xml -Starting with Windows 10 version 1809 +, folder access is locked down so that when common file dialog is opened, IT Admin can specify if the user has access to the Downloads folder, or no access to any folder at all. This restriction has been redesigned for finer granularity and easier use, and is available in Windows 10 version 2009+. +Starting with Windows 10 version 1809 +, folder access is locked down so that when common file dialog is opened, IT Admin can specify if the user has access to the Downloads folder, or no access to any folder at all. This restriction has been redesigned for finer granularity and easier use, and is available in Windows 10 version 2009+. -IT Admin now can specify user access to Downloads folder, Removable drives, or no restrictions at all. Downloads and Removable Drives can be allowed at the same time. +IT Admin now can specify user access to Downloads folder, Removable drives, or no restrictions at all. Downloads and Removable Drives can be allowed at the same time. ```xml @@ -654,17 +655,17 @@ IT Admin now can specify user access to Downloads folder, Removable drives, or n - + -``` +``` -## XSD for AssignedAccess configuration XML +## XSD for AssignedAccess configuration XML > [!NOTE] -> Updated for Windows 10, version 1903 and later. +> Updated for Windows 10, version 1903 and later. -The following XML schema is for AssignedAccess Configuration up to Windows 10, version 1803 release: +The following XML schema is for AssignedAccess Configuration up to Windows 10, version 1803 release: ```xml + > - + - + - + - + @@ -722,7 +723,7 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10, v - + @@ -737,7 +738,7 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10, v - + 
@@ -748,7 +749,7 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10, v - + @@ -756,31 +757,32 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10, v + - + - + - + - + - + @@ -792,21 +794,21 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10, v - + - + - + - + @@ -814,30 +816,30 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10, v - + - + - + - + - + @@ -859,9 +861,9 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10, v -``` +``` -The following XML is the schema for new features introduced in Windows 10 1809 release: +The following XML is the schema for new features introduced in Windows 10 1809 release: ```xml @@ -872,9 +874,9 @@ The following XML is the schema for new features introduced in Windows 10 1809 r xmlns:default="http://schemas.microsoft.com/AssignedAccess/201810/config" xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config" targetNamespace="http://schemas.microsoft.com/AssignedAccess/201810/config" - > + > - + @@ -884,30 +886,30 @@ The following XML is the schema for new features introduced in Windows 10 1809 r - + - + - + - + - + - + - + -``` +``` -The following XML is the schema for Windows 10 version 1909+: +The following XML is the schema for Windows 10 version 1909+: ```xml 
@@ -919,28 +921,29 @@ The following XML is the schema for Windows 10 version 1909+: xmlns:vc="http://www.w3.org/2007/XMLSchema-versioning" vc:minVersion="1.1" targetNamespace="http://schemas.microsoft.com/AssignedAccess/2020/config" - > + > - + + - + -``` +``` -To authorize a compatible configuration XML that includes elements and attributes from Windows 10 version 1809 or newer / Windows 11, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. +To authorize a compatible configuration XML that includes elements and attributes from Windows 10 version 1809 or newer / Windows 11, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. -For example, to configure the autolaunch feature that was added in Windows 10 version 1809 / Windows 11, use the following sample. Notice an alias r1809 is given to the 201810 namespace for Windows 10 version 1809 / Windows 11, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. +For example, to configure the autolaunch feature that was added in Windows 10 version 1809 / Windows 11, use the following sample. Notice an alias r1809 is given to the 201810 namespace for Windows 10 version 1809 / Windows 11, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. ```xml [!NOTE] ->For devices running Windows 10, version 1709, we recommend the [multi-app kiosk method](lock-down-windows-10-to-specific-apps.md). +>For devices running Windows 10, version 1709, we recommend the [multi-app kiosk method](lock-down-windows-10-to-specific-apps.md). -You can restrict users to a specific set of apps on a device running Windows 10 Enterprise or Windows 10 Education by using [AppLocker](/windows/device-security/applocker/applocker-overview). AppLocker rules specify which apps are allowed to run on the device. 
+You can restrict users to a specific set of apps on a device running Windows 10 Enterprise or Windows 10 Education by using [AppLocker](/windows/device-security/applocker/applocker-overview). AppLocker rules specify which apps are allowed to run on the device. -AppLocker rules are organized into collections based on file format. If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For more information, see [How AppLocker works](/windows/device-security/applocker/how-applocker-works-techref). +AppLocker rules are organized into collections based on file format. If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For more information, see [How AppLocker works](/windows/device-security/applocker/how-applocker-works-techref). -This topic describes how to lock down apps on a local device. You can also use AppLocker to set rules for applications in a domain by using Group Policy. +This topic describes how to lock down apps on a local device. You can also use AppLocker to set rules for applications in a domain by using Group Policy. -![install create lockdown customize.](images/lockdownapps.png) +![install create lockdown customize.](images/lockdownapps.png) -## Install apps +## Install apps -First, install the desired apps on the device for the target user account(s). This works for both Unified Windows Platform (UWP) apps and Windows desktop apps. For UWP apps, you must log on as that user for the app to install. For desktop apps, you can install an app for all users without logging on to the particular account. 
+First, install the desired apps on the device for the target user account(s). This works for both Unified Windows Platform (UWP) apps and Windows desktop apps. For UWP apps, you must log on as that user for the app to install. For desktop apps, you can install an app for all users without logging on to the particular account. -## Use AppLocker to set rules for apps +## Use AppLocker to set rules for apps -After you install the desired apps, set up AppLocker rules to only allow specific apps, and block everything else. +After you install the desired apps, set up AppLocker rules to only allow specific apps, and block everything else. -1. Run Local Security Policy (secpol.msc) as an administrator. +1. Run Local Security Policy (secpol.msc) as an administrator. -2. Go to **Security Settings** > **Application Control Policies** > **AppLocker**, and select **Configure rule enforcement**. +2. Go to **Security Settings** > **Application Control Policies** > **AppLocker**, and select **Configure rule enforcement**. - ![configure rule enforcement.](images/apprule.png) + ![configure rule enforcement.](images/apprule.png) -3. Check **Configured** under **Executable rules**, and then click **OK**. +3. Check **Configured** under **Executable rules**, and then click **OK**. -4. Right-click **Executable Rules** and then click **Automatically generate rules**. +4. Right-click **Executable Rules** and then click **Automatically generate rules**. - ![automatically generate rules.](images/genrule.png) + ![automatically generate rules.](images/genrule.png) -5. Select the folder that contains the apps that you want to permit, or select C:\\ to analyze all apps. +5. Select the folder that contains the apps that you want to permit, or select C:\\ to analyze all apps. -6. Type a name to identify this set of rules, and then click **Next**. +6. Type a name to identify this set of rules, and then click **Next**. -7. On the **Rule Preferences** page, click **Next**. 
Be patient, it might take awhile to generate the rules. +7. On the **Rule Preferences** page, click **Next**. Be patient, it might take awhile to generate the rules. -8. On the **Review Rules** page, click **Create**. The wizard will now create a set of rules allowing the installed set of apps. +8. On the **Review Rules** page, click **Create**. The wizard will now create a set of rules allowing the installed set of apps. -9. Read the message and click **Yes**. +9. Read the message and click **Yes**. - ![default rules warning.](images/appwarning.png) + ![default rules warning.](images/appwarning.png) -10. (optional) If you want a rule to apply to a specific set of users, right-click on the rule and select **Properties**. Then use the dialog to choose a different user or group of users. +10. (optional) If you want a rule to apply to a specific set of users, right-click on the rule and select **Properties**. Then use the dialog to choose a different user or group of users. -11. (optional) If rules were generated for apps that should not be run, you can delete them by right-clicking on the rule and selecting **Delete**. +11. (optional) If rules were generated for apps that should not be run, you can delete them by right-clicking on the rule and selecting **Delete**. -12. Before AppLocker will enforce rules, the **Application Identity** service must be turned on. To force the Application Identity service to automatically start on reset, open a command prompt and run: +12. Before AppLocker will enforce rules, the **Application Identity** service must be turned on. To force the Application Identity service to automatically start on reset, open a command prompt and run: ``` syntax sc config appidsvc start=auto - ``` + ``` -13. Restart the device. +13. Restart the device. -## Other settings to lock down +## Other settings to lock down -In addition to specifying the apps that users can run, you should also restrict some settings and functions on the device. 
For a more secure experience, we recommend that you make the following configuration changes to the device: +In addition to specifying the apps that users can run, you should also restrict some settings and functions on the device. For a more secure experience, we recommend that you make the following configuration changes to the device: -- Remove **All apps**. +- Remove **All apps**. - Go to **Group Policy Editor** > **User Configuration** > **Administrative Templates\\Start Menu and Taskbar\\Remove All Programs list from the Start menu**. + Go to **Group Policy Editor** > **User Configuration** > **Administrative Templates\\Start Menu and Taskbar\\Remove All Programs list from the Start menu**. -- Hide **Ease of access** feature on the logon screen. +- Hide **Ease of access** feature on the logon screen. - Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools. + Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools. -- Disable the hardware power button. +- Disable the hardware power button. - Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. + Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. -- Disable the camera. +- Disable the camera. - Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. + Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. -- Turn off app notifications on the lock screen. +- Turn off app notifications on the lock screen. - Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. 
+ Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. -- Disable removable media. +- Disable removable media. - Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation. + Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation. - **Note**   - To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. + **Note** - + To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. -To learn more about locking down features, see [Customizations for Windows 10 Enterprise](/windows-hardware/customize/enterprise/enterprise-custom-portal). + -## Customize Start screen layout for the device (recommended) +To learn more about locking down features, see [Customizations for Windows 10 Enterprise](/windows-hardware/customize/enterprise/enterprise-custom-portal). + +## Customize Start screen layout for the device (recommended) Configure the Start menu on the device to only show tiles for the permitted apps. You will make the changes manually, export the layout to an .xml file, and then apply that file to devices to prevent users from making changes. For instructions, see [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md). 
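Review bot: The `[!NOTE]` line recommending the multi-app kiosk method links to `lock-down-windows-10-to-specific-apps.md` by bare relative path, and this patch renames that target into `windows/configuration/kiosk/`. That link, along with `images/lockdownapps.png` and `windows-10-start-layout-options-and-policies.md`, resolves only if this file and those targets end up in the same folder after the move, so please confirm with a link check on the build. Since every line is being rewritten anyway, step 7's `it might take awhile` should read `a while`, and the bold `**Note**` paragraph under Device Installation Restrictions could use the `> [!NOTE]` alert form that the rest of the patch uses.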
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/kiosk/lock-down-windows-10-to-specific-apps.md similarity index 87% rename from windows/configuration/lock-down-windows-10-to-specific-apps.md rename to windows/configuration/kiosk/lock-down-windows-10-to-specific-apps.md index a32e707e87..014230e334 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/kiosk/lock-down-windows-10-to-specific-apps.md 
@@ -1,87 +1,86 @@ --- title: Set up a multi-app kiosk on Windows 10 description: Learn how to configure a kiosk device running Windows 10 so that users can only run a few specific apps. -author: lizgt2000 -ms.author: lizlong ms.reviewer: sybruckm ms.topic: how-to ms.date: 11/08/2023 appliesto: + - ✅ Windows 10 Pro - ✅ Windows 10 Enterprise - ✅ Windows 10 Education ---- +--- -# Set up a multi-app kiosk on Windows 10 devices +# Set up a multi-app kiosk on Windows 10 devices > [!NOTE] -> The use of multiple monitors isn't supported for multi-app kiosk mode in Windows 10. +> The use of multiple monitors isn't supported for multi-app kiosk mode in Windows 10. -A [kiosk device](./kiosk-single-app.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. The benefit of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don't need to access. +A [kiosk device](./kiosk-single-app.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. The benefit of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don't need to access. 
-The following table lists changes to multi-app kiosk in recent updates. +The following table lists changes to multi-app kiosk in recent updates. | New features and improvements | In update | | --- | ---| | - Configure [a single-app kiosk profile](#profile) in your XML file

- Assign [group accounts to a config profile](#config-for-group-accounts)

- Configure [an account to sign in automatically](#config-for-autologon-account) | Windows 10, version 1803 | -| - Explicitly allow [some known folders when user opens file dialog box](#fileexplorernamespacerestrictions)

- [Automatically launch an app](#allowedapps) when the user signs in

- Configure a [display name for the autologon account](#config-for-autologon-account) | Windows 10, version 1809

**Important:** To use features released in Windows 10, version 1809, make sure that [your XML file](#create-xml-file) references `https://schemas.microsoft.com/AssignedAccess/201810/config`. | +| - Explicitly allow [some known folders when user opens file dialog box](#fileexplorernamespacerestrictions)

- [Automatically launch an app](#allowedapps) when the user signs in

- Configure a [display name for the autologon account](#config-for-autologon-account) | Windows 10, version 1809

**Important:** To use features released in Windows 10, version 1809, make sure that [your XML file](#create-xml-file) references `https://schemas.microsoft.com/AssignedAccess/201810/config`. | > [!WARNING] -> The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access. +> The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access. -You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision). +You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision). > [!TIP] -> Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk. +> Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk. 
- + -## Configure a kiosk in Microsoft Intune +## Configure a kiosk in Microsoft Intune -To configure a kiosk in Microsoft Intune, see: +To configure a kiosk in Microsoft Intune, see: - [Windows client and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings) -- [Windows client device settings to run as a kiosk in Intune](/intune/kiosk-settings-windows) +- [Windows client device settings to run as a kiosk in Intune](/intune/kiosk-settings-windows) - + -## Configure a kiosk using a provisioning package +## Configure a kiosk using a provisioning package -Process: +Process: 1. [Create XML file](#create-xml-file) 2. [Add XML file to provisioning package](#add-xml) -3. [Apply provisioning package to device](#apply-ppkg) +3. [Apply provisioning package to device](#apply-ppkg) -Watch how to use a provisioning package to configure a multi-app kiosk. +Watch how to use a provisioning package to configure a multi-app kiosk. -> [!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false] +> [!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false] -If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#use-mdm-to-deploy-the-multi-app-configuration), or you can configure assigned access using the [MDM Bridge WMI Provider](kiosk-mdm-bridge.md). +If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#use-mdm-to-deploy-the-multi-app-configuration), or you can configure assigned access using the [MDM Bridge WMI Provider](kiosk-mdm-bridge.md). 
-### Prerequisites +### Prerequisites - Windows Configuration Designer (Windows 10, version 1709 or later) -- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709 or later +- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709 or later > [!NOTE] -> For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk. +> For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk. -### Create XML file +### Create XML file -Let's start by looking at the basic structure of the XML file. +Let's start by looking at the basic structure of the XML file. -- A configuration xml can define multiple *profiles*. Each profile has a unique **Id** and defines a set of applications that are allowed to run, whether the taskbar is visible, and can include a custom Start layout. +- A configuration xml can define multiple *profiles*. Each profile has a unique **Id** and defines a set of applications that are allowed to run, whether the taskbar is visible, and can include a custom Start layout. -- A configuration xml can have multiple *config* sections. Each config section associates a non-admin user account to a default profile **Id**. +- A configuration xml can have multiple *config* sections. Each config section associates a non-admin user account to a default profile **Id**. -- Multiple config sections can be associated to the same profile. +- Multiple config sections can be associated to the same profile. -- A profile has no effect if it's not associated to a config section. +- A profile has no effect if it's not associated to a config section. 
- ![profile = app and config = account.](images/profile-config.png) + ![profile = app and config = account.](images/profile-config.png) -You can start your file by pasting the following XML into an XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this article. You can see a full sample version in the [Assigned access XML reference.](kiosk-xml.md) +You can start your file by pasting the following XML into an XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this article. You can see a full sample version in the [Assigned access XML reference.](kiosk-xml.md) ```xml @@ -105,71 +104,71 @@ You can start your file by pasting the following XML into an XML editor, and sav
-``` +``` -#### Profile +#### Profile -There are two types of profiles that you can specify in the XML: +There are two types of profiles that you can specify in the XML: - **Lockdown profile**: Users assigned a lockdown profile will see the desktop in tablet mode with the specific apps on the Start screen. -- **Kiosk profile**: Starting with Windows 10 version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile won't see the desktop, but only the kiosk app running in full-screen mode. +- **Kiosk profile**: Starting with Windows 10 version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile won't see the desktop, but only the kiosk app running in full-screen mode. -A lockdown profile section in the XML has the following entries: +A lockdown profile section in the XML has the following entries: -- [**Id**](#id) +- [**Id**](#id) -- [**AllowedApps**](#allowedapps) +- [**AllowedApps**](#allowedapps) -- [**FileExplorerNamespaceRestrictions**](#fileexplorernamespacerestrictions) +- [**FileExplorerNamespaceRestrictions**](#fileexplorernamespacerestrictions) -- [**StartLayout**](#startlayout) +- [**StartLayout**](#startlayout) -- [**Taskbar**](#taskbar) +- [**Taskbar**](#taskbar) -A kiosk profile in the XML has the following entries: +A kiosk profile in the XML has the following entries: -- [**Id**](#id) +- [**Id**](#id) -- [**KioskModeApp**](#kioskmodeapp) +- [**KioskModeApp**](#kioskmodeapp) -##### Id +##### Id -The profile **Id** is a GUID attribute to uniquely identify the profile. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file. +The profile **Id** is a GUID attribute to uniquely identify the profile. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file. 
```xml -``` +``` -##### AllowedApps +##### AllowedApps -**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. Starting with Windows 10 version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in. +**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. Starting with Windows 10 version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in. - For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](./find-the-application-user-model-id-of-an-installed-app.md), or [get the AUMID from the Start Layout XML](#startlayout). - For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of `%variableName%`. For example, `%systemroot%` or `%windir%`. - If an app has a dependency on another app, both must be included in the allowed apps list. For example, Internet Explorer 64-bit has a dependency on Internet Explorer 32-bit, so you must allow both `"C:\Program Files\internet explorer\iexplore.exe"` and `"C:\Program Files (x86)\Internet Explorer\iexplore.exe"`. -- To configure a single app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample). +- To configure a single app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample). 
-When the multi-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**: +When the multi-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**: 1. Default rule is to allow all users to launch the signed package apps. -2. The package app blocklist is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the blocklist. This list will exclude the default allowed inbox package apps, which are critical for the system to function. It then excludes the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This blocklist will be used to prevent the user from accessing the apps that are currently available for the user but not in the allowed list. +2. The package app blocklist is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the blocklist. This list will exclude the default allowed inbox package apps, which are critical for the system to function. It then excludes the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This blocklist will be used to prevent the user from accessing the apps that are currently available for the user but not in the allowed list. 
> [!NOTE] > You can't manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994629(v=ws.11)#BKMK_Using_Snapins). Avoid creating AppLocker rules that conflict with AppLocker rules that are generated by the multi-app kiosk configuration. > - > Multi-app kiosk mode doesn't block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the blocklist. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list. + > Multi-app kiosk mode doesn't block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the blocklist. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list. -Here are the predefined assigned access AppLocker rules for **desktop apps**: +Here are the predefined assigned access AppLocker rules for **desktop apps**: 1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. The rule also allows the admin user group to launch all desktop programs. 2. There's a predefined inbox desktop app blocklist for the assigned access user account, and this blocklist is adjusted based on the desktop app allowlist that you defined in the multi-app configuration. -3. Enterprise-defined allowed desktop apps are added in the AppLocker allowlist. +3. 
Enterprise-defined allowed desktop apps are added in the AppLocker allowlist. -The following example allows Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps to run on the device, with Notepad configured to automatically launch and create a file called `123.text` when the user signs in. +The following example allows Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps to run on the device, with Notepad configured to automatically launch and create a file called `123.text` when the user signs in. - + ```xml 
@@ -183,16 +182,16 @@ The following example allows Groove Music, Movies & TV, Photos, Weather, Calcula -``` +``` -##### FileExplorerNamespaceRestrictions +##### FileExplorerNamespaceRestrictions -Starting in Windows 10 version 1809, you can explicitly allow some known folders to be accessed when the user tries to open the file dialog box in multi-app assigned access by including **FileExplorerNamespaceRestrictions** in your XML file. Currently, **Downloads** is the only folder supported. This behavior can also be set using Microsoft Intune. +Starting in Windows 10 version 1809, you can explicitly allow some known folders to be accessed when the user tries to open the file dialog box in multi-app assigned access by including **FileExplorerNamespaceRestrictions** in your XML file. Currently, **Downloads** is the only folder supported. This behavior can also be set using Microsoft Intune. -The following example shows how to allow user access to the Downloads folder in the common file dialog box. +The following example shows how to allow user access to the Downloads folder in the common file dialog box. > [!TIP] -> To grant access to the Downloads folder through File Explorer, add "Explorer.exe" to the list of allowed apps, and pin a file explorer shortcut to the kiosk start menu. +> To grant access to the Downloads folder through File Explorer, add "Explorer.exe" to the list of allowed apps, and pin a file explorer shortcut to the kiosk start menu. ```xml @@ -216,34 +215,34 @@ The following example shows how to allow user access to the Downloads folder in
-``` +``` -`FileExplorerNamespaceRestriction` has been extended in current Windows 10 Prerelease for finer granularity and easier use. For more information and full samples, see [Assigned access XML reference](kiosk-xml.md). By using new elements, you can configure whether a user can access the Downloads folder or removable drives, or have no restrictions at all. +`FileExplorerNamespaceRestriction` has been extended in current Windows 10 Prerelease for finer granularity and easier use. For more information and full samples, see [Assigned access XML reference](kiosk-xml.md). By using new elements, you can configure whether a user can access the Downloads folder or removable drives, or have no restrictions at all. > [!NOTE] > - `FileExplorerNamespaceRestrictions` and `AllowedNamespace:Downloads` are available in namespace `https://schemas.microsoft.com/AssignedAccess/201810/config`. -> - `AllowRemovableDrives` and `NoRestriction` are defined in a new namespace `https://schemas.microsoft.com/AssignedAccess/2020/config`. +> - `AllowRemovableDrives` and `NoRestriction` are defined in a new namespace `https://schemas.microsoft.com/AssignedAccess/2020/config`. * When `FileExplorerNamespaceRestrictions` node isn't used, or used but left empty, the user won't be able to access any folder in a common dialog. For example, **Save As** in the Microsoft Edge browser. * When Downloads is mentioned in allowed namespace, user will be able to access Downloads folder. * When `AllowRemovableDrives` is used, user will be to access removable drives. * When `NoRestriction` is used, no restriction will be applied to the dialog. -* `AllowRemovableDrives` and `AllowedNamespace:Downloads` can be used at the same time. +* `AllowRemovableDrives` and `AllowedNamespace:Downloads` can be used at the same time. -##### StartLayout +##### StartLayout -After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. 
You can choose to pin all the allowed apps on the Start screen or just a subset, depending on whether you want the end user to directly access them on the Start screen. +After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset, depending on whether you want the end user to directly access them on the Start screen. -The easiest way to create a customized Start layout to apply to other Windows client devices is to set up the Start screen on a test device and then export the layout. For detailed steps, see [Customize and export Start layout](customize-and-export-start-layout.md). +The easiest way to create a customized Start layout to apply to other Windows client devices is to set up the Start screen on a test device and then export the layout. For detailed steps, see [Customize and export Start layout](customize-and-export-start-layout.md). -A few things to note here: +A few things to note here: - The test device on which you customize the Start layout should have the same OS version that is installed on the device where you plan to deploy the multi-app assigned access configuration. - Since the multi-app assigned access experience is intended for fixed-purpose devices, to ensure the device experiences are consistent and predictable, use the *full* Start layout option instead of the *partial* Start layout. - There are no apps pinned on the taskbar in the multi-app mode, and it's not supported to configure Taskbar layout using the `` tag in a layout modification XML as part of the assigned access configuration. -- The following example uses `DesktopApplicationLinkPath` to pin the desktop app to start. When the desktop app doesn't have a shortcut link on the target device, [learn how to provision .lnk files using Windows Configuration Designer](#lnk-files). 
+- The following example uses `DesktopApplicationLinkPath` to pin the desktop app to start. When the desktop app doesn't have a shortcut link on the target device, [learn how to provision .lnk files using Windows Configuration Designer](#lnk-files). -The following example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps on Start: +The following example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps on Start: ```xml 
@@ -269,63 +268,63 @@ The following example pins Groove Music, Movies & TV, Photos, Weather, Calculato ]]> -``` +``` > [!NOTE] -> If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen. +> If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen. -![What the Start screen looks like when the XML sample is applied.](images/sample-start.png) +![What the Start screen looks like when the XML sample is applied.](images/sample-start.png) -##### Taskbar +##### Taskbar -Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don't attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want. +Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don't attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want. -The following example exposes the taskbar to the end user: +The following example exposes the taskbar to the end user: ```xml -``` +``` -The following example hides the taskbar: +The following example hides the taskbar: ```xml -``` +``` > [!NOTE] -> This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden. +> This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden. -##### KioskModeApp +##### KioskModeApp -**KioskModeApp** is used for a [kiosk profile](#profile) only. 
Enter the AUMID for a single app. You can only specify one kiosk profile in the XML. +**KioskModeApp** is used for a [kiosk profile](#profile) only. Enter the AUMID for a single app. You can only specify one kiosk profile in the XML. ```xml -``` +``` > [!IMPORTANT] -> The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Microsoft Entra account could potentially compromise confidential information. +> The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Microsoft Entra account could potentially compromise confidential information. -#### Configs +#### Configs -Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced. This behavior includes the allowed apps, Start layout, taskbar configuration, and other local group policies or mobile device management (MDM) policies set as part of the multi-app experience. +Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced. This behavior includes the allowed apps, Start layout, taskbar configuration, and other local group policies or mobile device management (MDM) policies set as part of the multi-app experience. -The full multi-app assigned access experience can only work for non-admin users. It's not supported to associate an admin user with the assigned access profile. Making this configuration in the XML file will result in unexpected or unsupported experiences when this admin user signs in. +The full multi-app assigned access experience can only work for non-admin users. 
It's not supported to associate an admin user with the assigned access profile. Making this configuration in the XML file will result in unexpected or unsupported experiences when this admin user signs in. -You can assign: +You can assign: - [A local standard user account that signs in automatically](#config-for-autologon-account) (Applies to Windows 10, version 1803 only) - [An individual account, which can be local, domain, or Microsoft Entra ID](#config-for-individual-accounts) -- [A group account, which can be local, Active Directory (domain), or Microsoft Entra ID](#config-for-group-accounts) (Applies to Windows 10, version 1803 only). +- [A group account, which can be local, Active Directory (domain), or Microsoft Entra ID](#config-for-group-accounts) (Applies to Windows 10, version 1803 only). > [!NOTE] -> Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request. +> Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request. -##### Config for AutoLogon Account +##### Config for AutoLogon Account -When you use `` and the configuration is applied to a device, the specified account (managed by Assigned Access) is created on the device as a local standard user account. The specified account is signed in automatically after restart. +When you use `` and the configuration is applied to a device, the specified account (managed by Assigned Access) is created on the device as a local standard user account. The specified account is signed in automatically after restart. -The following example shows how to specify an account to sign in automatically. +The following example shows how to specify an account to sign in automatically. ```xml 
@@ -334,9 +333,9 @@ The following example shows how to specify an account to sign in automatically. -``` +``` -Starting with Windows 10 version 1809, you can configure the display name that will be shown when the user signs in. The following example shows how to create an AutoLogon Account that shows the name "Hello World". +Starting with Windows 10 version 1809, you can configure the display name that will be shown when the user signs in. The following example shows how to create an AutoLogon Account that shows the name "Hello World". ```xml 
@@ -345,28 +344,28 @@ Starting with Windows 10 version 1809, you can configure the display name that w -``` +``` -On domain-joined devices, local user accounts aren't shown on the sign-in screen by default. To show the **AutoLogonAccount** on the sign-in screen, enable the following Group Policy setting: **Computer Configuration > Administrative Templates > System > Logon > Enumerate local users on domain-joined computers**. (The corresponding MDM policy setting is [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers in the Policy CSP](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-enumeratelocalusersondomainjoinedcomputers).) +On domain-joined devices, local user accounts aren't shown on the sign-in screen by default. To show the **AutoLogonAccount** on the sign-in screen, enable the following Group Policy setting: **Computer Configuration > Administrative Templates > System > Logon > Enumerate local users on domain-joined computers**. (The corresponding MDM policy setting is [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers in the Policy CSP](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-enumeratelocalusersondomainjoinedcomputers).) > [!IMPORTANT] -> When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](/troubleshoot/windows-server/user-profiles-and-logon/turn-on-automatic-logon). +> When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](/troubleshoot/windows-server/user-profiles-and-logon/turn-on-automatic-logon). -##### Config for individual accounts +##### Config for individual accounts -Individual accounts are specified using ``. +Individual accounts are specified using ``. 
- Local account can be entered as `machinename\account` or `.\account` or just `account`. - Domain account should be entered as `domain\account`. -- Microsoft Entra account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided _as is_, and consider it's a fixed domain name. Then follow with the Microsoft Entra ID email address. For example, `AzureAD\someone@contoso.onmicrosoft.com` +- Microsoft Entra account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided _as is_, and consider it's a fixed domain name. Then follow with the Microsoft Entra ID email address. For example, `AzureAD\someone@contoso.onmicrosoft.com` > [!WARNING] -> Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. +> Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. -Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail. 
+Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail. > [!NOTE] -> For both domain and Microsoft Entra accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Microsoft Entra joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access. +> For both domain and Microsoft Entra accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Microsoft Entra joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access. ```xml 
@@ -375,54 +374,54 @@ Before applying the multi-app configuration, make sure the specified user accoun -``` +``` -##### Config for group accounts +##### Config for group accounts -Group accounts are specified using ``. Nested groups aren't supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in ``, user A won't have the kiosk experience. +Group accounts are specified using ``. Nested groups aren't supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in ``, user A won't have the kiosk experience. -- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Microsoft Entra accounts that are added to the local group won't have the kiosk settings applied. +- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Microsoft Entra accounts that are added to the local group won't have the kiosk settings applied. ```xml - ``` + ``` -- Domain group: Both security and distribution groups are supported. Specify the group type as ActiveDirectoryGroup. Use the domain name as the prefix in the name attribute. +- Domain group: Both security and distribution groups are supported. Specify the group type as ActiveDirectoryGroup. Use the domain name as the prefix in the name attribute. ```xml - ``` + ``` -- Microsoft Entra group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign-in. +- Microsoft Entra group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. 
You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign-in. ```xml - ``` + ``` > [!NOTE] - > If a Microsoft Entra group is configured with a lockdown profile on a device, a user in the Microsoft Entra group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out. + > If a Microsoft Entra group is configured with a lockdown profile on a device, a user in the Microsoft Entra group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out. - + -#### [Preview] Global profile +#### [Preview] Global profile -Global profile is available in Windows 10. If you want everyone who signs into a specific device to be assigned as an access user, even if there's no dedicated profile for that user. Alternatively, perhaps Assigned Access couldn't identify a profile for the user and you want to have a fallback profile. Global profile is designed for these scenarios. +Global profile is available in Windows 10. If you want everyone who signs into a specific device to be assigned as an access user, even if there's no dedicated profile for that user. Alternatively, perhaps Assigned Access couldn't identify a profile for the user and you want to have a fallback profile. Global profile is designed for these scenarios. -Usage is demonstrated below, by using the new XML namespace and specifying `GlobalProfile` from that namespace. 
When you configure `GlobalProfile`, a non-admin account logs in, if this user doesn't have a designated profile in Assigned Access, or Assigned Access fails to determine a profile for current user, a global profile is applied for the user. +Usage is demonstrated below, by using the new XML namespace and specifying `GlobalProfile` from that namespace. When you configure `GlobalProfile`, a non-admin account logs in, if this user doesn't have a designated profile in Assigned Access, or Assigned Access fails to determine a profile for current user, a global profile is applied for the user. > [!NOTE] > 1. `GlobalProfile` can only be a multi-app profile. > 2. Only one `GlobalProfile` can be used in one `AssignedAccess` configuration XML. -> 3. `GlobalProfile` can be used as the only config, or it can be used along with regular user or group config. +> 3. `GlobalProfile` can be used as the only config, or it can be used along with regular user or group config. ```xml @@ -453,6 +452,7 @@ Usage is demonstrated below, by using the new XML namespace and specifying `Glob 
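Review bot: In the `@@ -375,54 +374,54 @@` hunk, the Global profile description has a sentence with no main clause ("If you want everyone who signs into a specific device to be assigned as an access user, even if there's no dedicated profile for that user.") and the next paragraph's "When you configure `GlobalProfile`, a non-admin account logs in, if this user doesn't have a designated profile ..." is a run-on. Both lines are re-added as they were; suggest rewording so the text states plainly that the global profile applies to any non-admin sign-in that has no designated profile or whose profile cannot be determined, since that fallback scope is what an admin has to understand before enabling it. Minor style point in the same hunk: **LocalGroup** and **AzureActiveDirectoryGroup** are bold, ActiveDirectoryGroup is not.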
@@ -473,115 +473,115 @@ Usage is demonstrated below, by using the new XML namespace and specifying `Glob -``` +``` -### Add XML file to provisioning package +### Add XML file to provisioning package -Before you add the XML file to a provisioning package, you can [validate your configuration XML against the XSD](kiosk-xml.md#xsd-for-assignedaccess-configuration-xml). +Before you add the XML file to a provisioning package, you can [validate your configuration XML against the XSD](kiosk-xml.md#xsd-for-assignedaccess-configuration-xml). -Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-packages/provisioning-install-icd.md) +Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-packages/provisioning-install-icd.md) > [!IMPORTANT] -> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. +> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. -1. Open Windows Configuration Designer. By default: `%systemdrive%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe`. +1. Open Windows Configuration Designer. By default: `%systemdrive%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe`. -2. 
Choose **Advanced provisioning**. +2. Choose **Advanced provisioning**. -3. Name your project, and select **Next**. +3. Name your project, and select **Next**. -4. Choose **All Windows desktop editions** and select **Next**. +4. Choose **All Windows desktop editions** and select **Next**. -5. On **New project**, select **Finish**. The workspace for your package opens. +5. On **New project**, select **Finish**. The workspace for your package opens. -6. Expand **Runtime settings** > **AssignedAccess** > **MultiAppAssignedAccessSettings**. +6. Expand **Runtime settings** > **AssignedAccess** > **MultiAppAssignedAccessSettings**. -7. In the center pane, select **Browse**. Locate and select the assigned access configuration XML file that you created. +7. In the center pane, select **Browse**. Locate and select the assigned access configuration XML file that you created. - ![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer.](images/multiappassignedaccesssettings.png) + ![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer.](images/multiappassignedaccesssettings.png) -8. _Optional: If you want to apply the provisioning package after device initial setup and there's an admin user already available on the kiosk device, skip this step._ Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed. +8. _Optional: If you want to apply the provisioning package after device initial setup and there's an admin user already available on the kiosk device, skip this step._ Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed. -9. 
_Optional: If you already have a non-admin account on the kiosk device, skip this step._ Create a local standard user account in **Runtime settings** > **Accounts** > **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**. +9. _Optional: If you already have a non-admin account on the kiosk device, skip this step._ Create a local standard user account in **Runtime settings** > **Accounts** > **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**. -10. On the **File** menu, select **Save.** +10. On the **File** menu, select **Save.** -11. On the **Export** menu, select **Provisioning package**. +11. On the **Export** menu, select **Provisioning package**. -12. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** +12. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** -13. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. +13. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. 
You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package. + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package. -14. Select **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location. +14. Select **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location. - Optionally, you can select **Browse** to change the default output location. + Optionally, you can select **Browse** to change the default output location. -15. Select **Next**. +15. Select **Next**. -16. Select **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. +16. Select **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - If you need to cancel the build, select **Cancel**. This action cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + If you need to cancel the build, select **Cancel**. This action cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. -17. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. 
+17. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this action, select **Back** to change the output package name and path, and then select **Next** to start another build. - - If you're done, select **Finish** to close the wizard and go back to the **Customizations Page**. + - If you're done, select **Finish** to close the wizard and go back to the **Customizations Page**. -18. Copy the provisioning package to the root directory of a USB drive. +18. Copy the provisioning package to the root directory of a USB drive. - + -### Apply provisioning package to device +### Apply provisioning package to device -Provisioning packages can be applied to a device during initial setup (out-of-box experience or "OOBE") and after ("runtime"). For more information, see [Apply a provisioning package](./provisioning-packages/provisioning-apply-package.md). +Provisioning packages can be applied to a device during initial setup (out-of-box experience or "OOBE") and after ("runtime"). For more information, see [Apply a provisioning package](./provisioning-packages/provisioning-apply-package.md). > [!NOTE] -> If your provisioning package doesn't include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device. +> If your provisioning package doesn't include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device. 
-### Use MDM to deploy the multi-app configuration +### Use MDM to deploy the multi-app configuration -Multi-app kiosk mode is enabled by the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp). Your MDM policy can contain the assigned access configuration XML. +Multi-app kiosk mode is enabled by the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp). Your MDM policy can contain the assigned access configuration XML. -If your device is enrolled with an MDM service that supports applying the assigned access configuration, you can use it to apply the setting remotely. +If your device is enrolled with an MDM service that supports applying the assigned access configuration, you can use it to apply the setting remotely. -The OMA-URI for multi-app policy is `./Device/Vendor/MSFT/AssignedAccess/Configuration`. +The OMA-URI for multi-app policy is `./Device/Vendor/MSFT/AssignedAccess/Configuration`. -## Considerations for Windows Mixed Reality immersive headsets +## Considerations for Windows Mixed Reality immersive headsets -With the advent of [mixed reality devices (video link)](https://www.youtube.com/watch?v=u0jqNioU2Lo), you might want to create a kiosk that can run mixed reality apps. +With the advent of [mixed reality devices (video link)](https://www.youtube.com/watch?v=u0jqNioU2Lo), you might want to create a kiosk that can run mixed reality apps. -To create a multi-app kiosk that can run mixed reality apps, you must include the following apps in the [AllowedApps list](#allowedapps): +To create a multi-app kiosk that can run mixed reality apps, you must include the following apps in the [AllowedApps list](#allowedapps): ```xml -``` +``` -These apps are in addition to any mixed reality apps that you allow. +These apps are in addition to any mixed reality apps that you allow. 
-**Before your kiosk user signs in:** An admin user must sign in to the PC, connect a mixed reality device, and complete the guided setup for the Mixed Reality Portal. The first time that the Mixed Reality Portal is set up, some files and content are downloaded. A kiosk user wouldn't have permissions to download and so their setup of the Mixed Reality Portal would fail. +**Before your kiosk user signs in:** An admin user must sign in to the PC, connect a mixed reality device, and complete the guided setup for the Mixed Reality Portal. The first time that the Mixed Reality Portal is set up, some files and content are downloaded. A kiosk user wouldn't have permissions to download and so their setup of the Mixed Reality Portal would fail. -After the admin has completed setup, the kiosk account can sign in and repeat the setup. The admin user may want to complete the kiosk user setup before providing the PC to employees or customers. +After the admin has completed setup, the kiosk account can sign in and repeat the setup. The admin user may want to complete the kiosk user setup before providing the PC to employees or customers. -There's a difference between the mixed reality experiences for a kiosk user and other users. Typically, when a user connects a mixed reality device, they begin in the [Mixed Reality home](/windows/mixed-reality/discover/navigating-the-windows-mixed-reality-home). The Mixed Reality home is a shell that runs in "silent" mode when the PC is configured as a kiosk. When a kiosk user connects a mixed reality device, they'll see only a blank display in the device, and won't have access to the features and functionality available in the home. To run a mixed reality app, the kiosk user must launch the app from the PC Start screen. +There's a difference between the mixed reality experiences for a kiosk user and other users. 
Typically, when a user connects a mixed reality device, they begin in the [Mixed Reality home](/windows/mixed-reality/discover/navigating-the-windows-mixed-reality-home). The Mixed Reality home is a shell that runs in "silent" mode when the PC is configured as a kiosk. When a kiosk user connects a mixed reality device, they'll see only a blank display in the device, and won't have access to the features and functionality available in the home. To run a mixed reality app, the kiosk user must launch the app from the PC Start screen. -## Policies set by multi-app kiosk configuration +## Policies set by multi-app kiosk configuration -It's not recommended to set policies enforced in assigned access multi-app mode to different values using other channels, as the multi-app mode has been optimized to provide a locked-down experience. +It's not recommended to set policies enforced in assigned access multi-app mode to different values using other channels, as the multi-app mode has been optimized to provide a locked-down experience. -When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will affect other users on the device. +When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will affect other users on the device. -### Group policy +### Group policy -The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This list includes local users, domain users, and Microsoft Entra users. +The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This list includes local users, domain users, and Microsoft Entra users. | Setting | Value | | --- | --- | 
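Review bot: In the `@@ -473,115 +473,115 @@` hunk, step 13 presents package encryption as simply "Optional", although step 8 has the author put an Administrators account **UserName** and **Password** into the package and step 18 copies the package to a USB drive. The [!IMPORTANT] note earlier in the hunk already says the .ppkg can contain sensitive information; suggest that step 13 recommend **Enable package encryption** whenever step 8 or 9 adds an account. Also in this hunk, step 14 says "Windows Imaging and Configuration Designer (ICD)" where the rest of the procedure says "Windows Configuration Designer".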
@@ -610,14 +610,14 @@ Remove Task Manager | Enabled Remove Change Password option in Security Options UI | Enabled Remove Sign Out option in Security Options UI | Enabled Remove All Programs list from the Start Menu | Enabled - Remove and disable setting -Prevent access to drives from My Computer | Enabled - Restrict all drivers +Prevent access to drives from My Computer | Enabled - Restrict all drivers > [!NOTE] -> When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics. +> When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics. -### MDM policy +### MDM policy -Some of the MDM policies based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system. 
+Some of the MDM policies based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system. Setting | Value | System-wide --- | --- | --- 
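Review bot: In the `@@ -610,14 +610,14 @@` hunk, the table row "Prevent access to drives from My Computer | Enabled - Restrict all drivers" should read "Restrict all drives". The setting name and the note below it are both about drives, and the row is re-added with the typo intact, so it is worth fixing while the line is being touched.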
@@ -637,30 +637,30 @@ Start/DisableContextMenus | 1 - Context menus are hidden for Start apps | No [Start/HideChangeAccountSettings](/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) | 1 - True (hide) | Yes [WindowsInkWorkspace/AllowWindowsInkWorkspace](/windows/client-management/mdm/policy-csp-windowsinkworkspace#windowsinkworkspace-allowwindowsinkworkspace) | 0 - Access to ink workspace is disabled and the feature is turned off | Yes [Start/StartLayout](/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No -[WindowsLogon/DontDisplayNetworkSelectionUI](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | <Enabled/> | Yes +[WindowsLogon/DontDisplayNetworkSelectionUI](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | <Enabled/> | Yes - + -## Provision .lnk files using Windows Configuration Designer +## Provision .lnk files using Windows Configuration Designer -First, create your desktop app's shortcut file by installing the app on a test device, using the default installation location. Right-click the installed application, and choose **Send to** > **Desktop (create shortcut)**. Rename the shortcut to `.lnk` +First, create your desktop app's shortcut file by installing the app on a test device, using the default installation location. Right-click the installed application, and choose **Send to** > **Desktop (create shortcut)**. Rename the shortcut to `.lnk` -Next, create a batch file with two commands. If the desktop app is already installed on the target device, skip the first command for MSI install. +Next, create a batch file with two commands. If the desktop app is already installed on the target device, skip the first command for MSI install. 
```PowerShell msiexec /I ".msi" /qn /norestart copy .lnk "%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\.lnk" -``` +``` -In Windows Configuration Designer, under **ProvisioningCommands** > **DeviceContext**: +In Windows Configuration Designer, under **ProvisioningCommands** > **DeviceContext**: -- Under **CommandFiles**, upload your batch file, your .lnk file, and your desktop app installation file. +- Under **CommandFiles**, upload your batch file, your .lnk file, and your desktop app installation file. > [!IMPORTANT] - > Paste the full file path to the .lnk file in the **CommandFiles** field. If you browse to and select the .lnk file, the file path will be changed to the path of the target of the .lnk. + > Paste the full file path to the .lnk file in the **CommandFiles** field. If you browse to and select the .lnk file, the file path will be changed to the path of the target of the .lnk. -- Under **CommandLine**, enter `cmd /c *FileName*.bat`. +- Under **CommandLine**, enter `cmd /c *FileName*.bat`. -## Other methods +## Other methods Environments that use WMI can use the [MDM Bridge WMI Provider to configure a kiosk](kiosk-mdm-bridge.md). diff --git a/windows/configuration/lock-down-windows-11-to-specific-apps.md b/windows/configuration/kiosk/lock-down-windows-11-to-specific-apps.md similarity index 87% rename from windows/configuration/lock-down-windows-11-to-specific-apps.md rename to windows/configuration/kiosk/lock-down-windows-11-to-specific-apps.md index e8f41d7572..50f4bcf2a2 100644 --- a/windows/configuration/lock-down-windows-11-to-specific-apps.md +++ b/windows/configuration/kiosk/lock-down-windows-11-to-specific-apps.md 
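Review bot: In the last hunk of the preceding file (`@@ -637,30 +637,30 @@`), the two-command sample is fenced as `PowerShell`, but the text calls it a batch file, the **CommandLine** entry runs it with `cmd /c *FileName*.bat`, and `%AllUsersProfile%` is cmd variable syntax that PowerShell does not expand. Suggest tagging the fence `cmd` or `console` so readers do not paste it into a PowerShell session. The fence opener is an unchanged context line in this hunk, so it needs its own edit.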
@@ -1,70 +1,67 @@ --- title: Set up a multi-app kiosk on Windows 11 description: Learn how to configure a kiosk device running Windows 11 so that users can only run a few specific apps. -ms.prod: windows-client -ms.technology: itpro-configure -author: lizgt2000 -ms.author: lizlong ms.date: 05/12/2023 -manager: aaroncz -ms.reviewer: sybruckm -ms.localizationpriority: medium +ms.reviewer: sybruckm + ms.topic: how-to --- -# Set up a multi-app kiosk on Windows 11 devices +# Set up a multi-app kiosk on Windows 11 devices -**Applies to** +**Applies to** -- Windows 11 Pro, Enterprise, IoT Enterprise and Education +- Windows 11 Pro, Enterprise, IoT Enterprise and Education > [!NOTE] -> The use of multiple monitors is supported for multi-app kiosk mode in Windows 11. +> The use of multiple monitors is supported for multi-app kiosk mode in Windows 11. -An assigned access multi-app kiosk runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. A multi-app kiosk is appropriate for devices that are shared by multiple people. Here's a guide on how to set up a multi-app kiosk. +An assigned access multi-app kiosk runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. A multi-app kiosk is appropriate for devices that are shared by multiple people. Here's a guide on how to set up a multi-app kiosk. > [!WARNING] -> The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. 
Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access. +> The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access. > [!TIP] -> Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk. +> Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk. -## Configure a Multi-App Kiosk +## Configure a Multi-App Kiosk -See the table below for the different methods to configure a multi-app kiosk in Windows 11. +See the table below for the different methods to configure a multi-app kiosk in Windows 11. |Configuration Method|Availability| |--------------------|------------| -|[MDM WMI Bridge Provider](#configure-a-kiosk-using-wmi-bridge) | Available May 2023| +|[MDM WMI Bridge Provider](#configure-a-kiosk-using-wmi-bridge) | Available May 2023| +--> > [!NOTE] -> For WMI Bridge/PowerShell and Provisioning package methods, you will need to create your own multi-app kiosk XML file as specified below. +> For WMI Bridge/PowerShell and Provisioning package methods, you will need to create your own multi-app kiosk XML file as specified below. -## Create the XML file +## Create the XML file -Let's start by looking at the basic structure of the XML file. +Let's start by looking at the basic structure of the XML file. 
-- A configuration xml can define multiple *profiles*. Each profile has a unique **Id** and defines a set of applications that are allowed to run, whether the taskbar is visible, and can include a custom Start layout. +- A configuration xml can define multiple *profiles*. Each profile has a unique **Id** and defines a set of applications that are allowed to run, whether the taskbar is visible, and can include a custom Start layout. -- A configuration xml can have multiple *config* sections. Each config section associates a non-admin user account to a default profile **Id**. +- A configuration xml can have multiple *config* sections. Each config section associates a non-admin user account to a default profile **Id**. -- Multiple config sections can be associated to the same profile. +- Multiple config sections can be associated to the same profile. -- A profile has no effect if it's not associated to a config section. +- A profile has no effect if it's not associated to a config section. -You can start your file by pasting the following XML into an XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this article. +You can start your file by pasting the following XML into an XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this article. > [!NOTE] -> If you want to write a configuration file to be applied to both Windows 10 and Windows 11 devices, follow the [Windows 10 instructions](lock-down-windows-10-to-specific-apps.md) to add the StartLayout tag to your XML file, just above the StartPins tag. Windows will automatically ignore the sections that don't apply to the version running. +> If you want to write a configuration file to be applied to both Windows 10 and Windows 11 devices, follow the [Windows 10 instructions](lock-down-windows-10-to-specific-apps.md) to add the StartLayout tag to your XML file, just above the StartPins tag. 
Windows will automatically ignore the sections that don't apply to the version running. ```xml 
@@ -83,66 +80,66 @@ You can start your file by pasting the following XML into an XML editor, and sav ``` -#### Profile +#### Profile -There are two types of profiles that you can specify in the XML: +There are two types of profiles that you can specify in the XML: - **Lockdown profile**: Users assigned a lockdown profile will see the desktop in tablet mode with the specific apps on the Start screen. -- **Kiosk profile**: Starting with Windows 10 version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile won't see the desktop, but only the kiosk app running in full-screen mode. +- **Kiosk profile**: Starting with Windows 10 version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile won't see the desktop, but only the kiosk app running in full-screen mode. -A lockdown profile section in the XML has the following entries: +A lockdown profile section in the XML has the following entries: -- [**Id**](#id) +- [**Id**](#id) -- [**AllowedApps**](#allowedapps) +- [**AllowedApps**](#allowedapps) -- [**StartPins**](#startpins) +- [**StartPins**](#startpins) -- [**Taskbar**](#taskbar) +- [**Taskbar**](#taskbar) -A kiosk profile in the XML has the following entries: +A kiosk profile in the XML has the following entries: -- [**Id**](#id) +- [**Id**](#id) -- [**KioskModeApp**](#kioskmodeapp) +- [**KioskModeApp**](#kioskmodeapp) -##### Id +##### Id -The profile **Id** is a GUID attribute to uniquely identify the profile. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file. +The profile **Id** is a GUID attribute to uniquely identify the profile. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file. 
```xml -``` +``` -##### AllowedApps +##### AllowedApps -**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. Starting with Windows 10 version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in. +**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. Starting with Windows 10 version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in. - For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](./find-the-application-user-model-id-of-an-installed-app.md), or [get the AUMID from the Start Layout XML](#create-the-xml-file). - For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of `%variableName%`. For example, `%systemroot%` or `%windir%`. - If an app has a dependency on another app, both must be included in the allowed apps list. For example, Internet Explorer 64-bit has a dependency on Internet Explorer 32-bit, so you must allow both `"C:\Program Files\internet explorer\iexplore.exe"` and `"C:\Program Files (x86)\Internet Explorer\iexplore.exe"`. -- To configure a single app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample). +- To configure a single app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample). 
-When the multi-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**: +When the multi-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**: 1. Default rule is to allow all users to launch the signed package apps. -2. The package app blocklist is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the blocklist. This list will exclude the default allowed inbox package apps, which are critical for the system to function. It then excludes the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This blocklist will be used to prevent the user from accessing the apps that are currently available for the user but not in the allowed list. +2. The package app blocklist is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the blocklist. This list will exclude the default allowed inbox package apps, which are critical for the system to function. It then excludes the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This blocklist will be used to prevent the user from accessing the apps that are currently available for the user but not in the allowed list. 
> [!NOTE] > You can't manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994629(v=ws.11)#BKMK_Using_Snapins). Avoid creating AppLocker rules that conflict with AppLocker rules that are generated by the multi-app kiosk configuration. - > Multi-app kiosk mode doesn't block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the blocklist. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list. + > Multi-app kiosk mode doesn't block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the blocklist. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list. -Here are the predefined assigned access AppLocker rules for **desktop apps**: +Here are the predefined assigned access AppLocker rules for **desktop apps**: 1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. The rule also allows the admin user group to launch all desktop programs. 2. There's a predefined inbox desktop app blocklist for the assigned access user account, and this blocklist is adjusted based on the desktop app allowlist that you defined in the multi-app configuration. -3. Enterprise-defined allowed desktop apps are added in the AppLocker allowlist. +3. 
Enterprise-defined allowed desktop apps are added in the AppLocker allowlist. -The following example allows Photos, Weather, Calculator, Paint, and Notepad apps to run on the device, with Notepad configured to automatically launch and create a file called `123.text` when the user signs in. +The following example allows Photos, Weather, Calculator, Paint, and Notepad apps to run on the device, with Notepad configured to automatically launch and create a file called `123.text` when the user signs in. - + ```xml 
@@ -154,17 +151,18 @@ The following example allows Photos, Weather, Calculator, Paint, and Notepad app -``` +``` -##### StartPins +##### StartPins -After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. The easiest way to create a customized Start layout to apply to other Windows client devices is to set up the Start screen on a test device and then export the layout. Once you've decided, you can get the JSON needed for your kiosk configuration by following the steps to [Get the pinnedList JSON](customize-and-export-start-layout.md). If you opt to do this using the PowerShell command, make sure that the system you run the command on has the same file structure as the device on which you will apply the kiosk (the path to the allowed apps must be the same). At the end of this step, you should have a JSON pinnedList that looks something like the below. +After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. The easiest way to create a customized Start layout to apply to other Windows client devices is to set up the Start screen on a test device and then export the layout. Once you've decided, you can get the JSON needed for your kiosk configuration by following the steps to [Get the pinnedList JSON](customize-and-export-start-layout.md). If you opt to do this using the PowerShell command, make sure that the system you run the command on has the same file structure as the device on which you will apply the kiosk (the path to the allowed apps must be the same). At the end of this step, you should have a JSON pinnedList that looks something like the below. -Add your pinnedList JSON into the StartPins tag in your XML file. +Add your pinnedList JSON into the StartPins tag in your XML file. ```xml -``` +``` > [!NOTE] -> If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen. 
+> If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen. -##### Taskbar +##### Taskbar -Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don't attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want. +Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don't attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want. -The following example exposes the taskbar to the end user: +The following example exposes the taskbar to the end user: ```xml -``` +``` -The following example hides the taskbar: +The following example hides the taskbar: ```xml -``` +``` > [!NOTE] -> This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden. +> This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden. -##### KioskModeApp +##### KioskModeApp -**KioskModeApp** is used for a [kiosk profile](#profile) only. Enter the AUMID for a single app. You can only specify one kiosk profile in the XML. +**KioskModeApp** is used for a [kiosk profile](#profile) only. Enter the AUMID for a single app. You can only specify one kiosk profile in the XML. ```xml -``` +``` > [!IMPORTANT] -> The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. 
If the device is connected to your company network, using a domain or Microsoft Entra account could potentially compromise confidential information. +> The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Microsoft Entra account could potentially compromise confidential information. -#### Configs +#### Configs -Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced. This behavior includes the allowed apps, Start layout, taskbar configuration, and other local group policies or mobile device management (MDM) policies set as part of the multi-app experience. +Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced. This behavior includes the allowed apps, Start layout, taskbar configuration, and other local group policies or mobile device management (MDM) policies set as part of the multi-app experience. -The full multi-app assigned access experience can only work for non-admin users. It's not supported to associate an admin user with the assigned access profile. Making this configuration in the XML file will result in unexpected or unsupported experiences when this admin user signs in. +The full multi-app assigned access experience can only work for non-admin users. It's not supported to associate an admin user with the assigned access profile. Making this configuration in the XML file will result in unexpected or unsupported experiences when this admin user signs in. 
-You can assign: +You can assign: - [A local standard user account that signs in automatically](#config-for-autologon-account) (Applies to Windows 10, version 1803 only) - [An individual account, which can be local, domain, or Microsoft Entra ID](#config-for-individual-accounts) -- [A group account, which can be local, Active Directory (domain), or Microsoft Entra ID](#config-for-group-accounts) (Applies to Windows 10, version 1803 only). +- [A group account, which can be local, Active Directory (domain), or Microsoft Entra ID](#config-for-group-accounts) (Applies to Windows 10, version 1803 only). > [!NOTE] -> Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request. +> Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request. -##### Config for AutoLogon Account +##### Config for AutoLogon Account -When you use `` and the configuration is applied to a device, the specified account (managed by Assigned Access) is created on the device as a local standard user account. The specified account is signed in automatically after restart. +When you use `` and the configuration is applied to a device, the specified account (managed by Assigned Access) is created on the device as a local standard user account. The specified account is signed in automatically after restart. -The following example shows how to specify an account to sign in automatically. +The following example shows how to specify an account to sign in automatically. ```xml 
@@ -237,9 +235,9 @@ The following example shows how to specify an account to sign in automatically. -``` +``` -Starting with Windows 10 version 1809, you can configure the display name that will be shown when the user signs in. The following example shows how to create an AutoLogon Account that shows the name "Hello World". +Starting with Windows 10 version 1809, you can configure the display name that will be shown when the user signs in. The following example shows how to create an AutoLogon Account that shows the name "Hello World". ```xml 
@@ -248,28 +246,28 @@ Starting with Windows 10 version 1809, you can configure the display name that w -``` +``` -On domain-joined devices, local user accounts aren't shown on the sign-in screen by default. To show the **AutoLogonAccount** on the sign-in screen, enable the following Group Policy setting: **Computer Configuration > Administrative Templates > System > Logon > Enumerate local users on domain-joined computers**. (The corresponding MDM policy setting is [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers in the Policy CSP](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-enumeratelocalusersondomainjoinedcomputers).) +On domain-joined devices, local user accounts aren't shown on the sign-in screen by default. To show the **AutoLogonAccount** on the sign-in screen, enable the following Group Policy setting: **Computer Configuration > Administrative Templates > System > Logon > Enumerate local users on domain-joined computers**. (The corresponding MDM policy setting is [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers in the Policy CSP](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-enumeratelocalusersondomainjoinedcomputers).) >[!IMPORTANT] ->When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](/troubleshoot/windows-server/user-profiles-and-logon/turn-on-automatic-logon). +>When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](/troubleshoot/windows-server/user-profiles-and-logon/turn-on-automatic-logon). -##### Config for individual accounts +##### Config for individual accounts -Individual accounts are specified using ``. +Individual accounts are specified using ``. 
- Local account can be entered as `machinename\account` or `.\account` or just `account`. - Domain account should be entered as `domain\account`. -- Microsoft Entra account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided _as is_, and consider it's a fixed domain name. Then follow with the Microsoft Entra ID email address. For example, `AzureAD\someone@contoso.onmicrosoft.com` +- Microsoft Entra account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided _as is_, and consider it's a fixed domain name. Then follow with the Microsoft Entra ID email address. For example, `AzureAD\someone@contoso.onmicrosoft.com` > [!WARNING] -> Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. +> Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. -Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail. 
+Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail. > [!NOTE] -> For both domain and Microsoft Entra accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Microsoft Entra joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access. +> For both domain and Microsoft Entra accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Microsoft Entra joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access. ```xml 
@@ -278,74 +276,76 @@ Before applying the multi-app configuration, make sure the specified user accoun -``` +``` -##### Config for group accounts +##### Config for group accounts -Group accounts are specified using ``. Nested groups aren't supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in ``, user A won't have the kiosk experience. +Group accounts are specified using ``. Nested groups aren't supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in ``, user A won't have the kiosk experience. -- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Microsoft Entra accounts that are added to the local group won't have the kiosk settings applied. +- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Microsoft Entra accounts that are added to the local group won't have the kiosk settings applied. ```xml - ``` + ``` -- Domain group: Both security and distribution groups are supported. Specify the group type as ActiveDirectoryGroup. Use the domain name as the prefix in the name attribute. +- Domain group: Both security and distribution groups are supported. Specify the group type as ActiveDirectoryGroup. Use the domain name as the prefix in the name attribute. ```xml - ``` + ``` -- Microsoft Entra group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign-in. +- Microsoft Entra group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. 
You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign-in. ```xml - ``` + ``` > [!NOTE] - > If a Microsoft Entra group is configured with a lockdown profile on a device, a user in the Microsoft Entra group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out. + > If a Microsoft Entra group is configured with a lockdown profile on a device, a user in the Microsoft Entra group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out. - + -## Configure a kiosk using WMI Bridge +## Configure a kiosk using WMI Bridge -Environments that use [Windows Management Instrumentation (WMI)](/windows/win32/wmisdk/wmi-start-page) can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the MDM_AssignedAccess class. +Environments that use [Windows Management Instrumentation (WMI)](/windows/win32/wmisdk/wmi-start-page) can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the MDM_AssignedAccess class. -Here's an example of how to set AssignedAccess configuration: +Here's an example of how to set AssignedAccess configuration: 1. Download the [psexec tool](/sysinternals/downloads/psexec). + 1. Using an elevated command prompt, run `psexec.exe -i -s cmd.exe`. 1. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell. -1. 
Save the following Powershell excerpt as a PowerShell script (.ps1), replacing the placeholder "your XML here" with the [Sample Assigned Access XML](#sample-assigned-access-xml) then run the script at the Powershell prompt from the previous step. +1. Save the following Powershell excerpt as a PowerShell script (.ps1), replacing the placeholder "your XML here" with the [Sample Assigned Access XML](#sample-assigned-access-xml) then run the script at the Powershell prompt from the previous step. ```powershell $eventLogFilterHashTable = @{ ProviderName = "Microsoft-Windows-AssignedAccess"; StartTime = Get-Date -Millisecond 0 -} +} $namespaceName="root\cimv2\mdm\dmmap" $className="MDM_AssignedAccess" $obj = Get-CimInstance -Namespace $namespaceName -ClassName $className -$obj.Configuration = [System.Net.WebUtility]::HtmlEncode(@" +$obj.Configuration = [System.Net.WebUtility]::HtmlEncode(@" -"@) + +"@) $obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue if($cimSetError) { Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n" - Write-Error -ErrorRecord $cimSetError[0] + Write-Error -ErrorRecord $cimSetError[0] $timeout = New-TimeSpan -Seconds 30 $stopwatch = [System.Diagnostics.Stopwatch]::StartNew() 
@@ -353,43 +353,56 @@ if($cimSetError) { $events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore } until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available + if($events.Count) { $events | ForEach-Object { + Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")" + } } else { Write-Warning "Timed-out attempting to retrieve event logs..." - } + } Exit 1 -} +} Write-Output "Successfully applied Assigned Access configuration" -``` +``` -## Sample Assigned Access XML +## Sample Assigned Access XML -This section contains a predefined XML file which can be used as a quickstart to get familiar with the Assigned Access multi-app kiosk feature on Windows 11. +This section contains a predefined XML file which can be used as a quickstart to get familiar with the Assigned Access multi-app kiosk feature on Windows 11. ```xml + + + + + + + + @@ -410,4 +424,5 @@ This section contains a predefined XML file which can be used as a quickstart to + ``` diff --git a/windows/configuration/lockdown-features-windows-10.md b/windows/configuration/kiosk/lockdown-features-windows-10.md similarity index 58% rename from windows/configuration/lockdown-features-windows-10.md rename to windows/configuration/kiosk/lockdown-features-windows-10.md index 9a32f053b2..fc124c8ea3 100644 --- a/windows/configuration/lockdown-features-windows-10.md +++ b/windows/configuration/kiosk/lockdown-features-windows-10.md 
@@ -1,37 +1,31 @@ --- -title: Lockdown features from Windows Embedded 8.1 Industry (Windows 10) -description: Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. -ms.reviewer: -manager: aaroncz -ms.prod: windows-client -author: lizgt2000 -ms.author: lizlong -ms.topic: article -ms.localizationpriority: medium -ms.technology: itpro-configure +title: Lockdown features from Windows Embedded 8.1 Industry +description: Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. +ms.topic: article + ms.date: 12/31/2017 ---- +--- -# Lockdown features from Windows Embedded 8.1 Industry +# Lockdown features from Windows Embedded 8.1 Industry -**Applies to** +**Applies to** -- Windows 10 +- Windows 10 -Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation. +Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation. 
|Windows Embedded 8.1 Industry lockdown feature|Windows 10 feature|Changes| |--- |--- |--- | -|[Hibernate Once/Resume Many (HORM)](/previous-versions/windows/embedded/dn449302(v=winembedded.82)): Quick boot to device|[HORM](/windows-hardware/customize/enterprise/hibernate-once-resume-many-horm-)|HORM is supported in Windows 10, version 1607 and later.| -|[Unified Write Filter](/previous-versions/windows/embedded/dn449332(v=winembedded.82)): protect a device's physical storage media|[Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter)|The Unified Write Filter is continued in Windows 10.| -|[Keyboard Filter](/previous-versions/windows/embedded/dn449298(v=winembedded.82)): block hotkeys and other key combinations|[Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)|Keyboard filter is added in Windows 10, version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via **Turn Windows Features On/Off**. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.| -|[Shell Launcher](/previous-versions/windows/embedded/dn449423(v=winembedded.82)): launch a Windows desktop application on sign-on|[Shell Launcher](/windows-hardware/customize/enterprise/shell-launcher)|Shell Launcher continues in Windows 10. It is now configurable in Windows ICD under the **SMISettings** category.
Learn [how to use Shell Launcher to create a kiosk device](/windows/configuration/kiosk-single-app) that runs a Windows desktop application.| -|[Application Launcher](/previous-versions/windows/embedded/dn449251(v=winembedded.82)): launch a Universal Windows Platform (UWP) app on sign-on|[Assigned Access](/windows/client-management/mdm/assignedaccess-csp)|The Windows 8 Application Launcher has been consolidated into Assigned Access. Application Launcher enabled launching a Windows 8 app and holding focus on that app. Assigned Access offers a more robust solution for ensuring that apps retain focus.| -|[Dialog Filter](/previous-versions/windows/embedded/dn449395(v=winembedded.82)): suppress system dialogs and control which processes can run|[AppLocker](/windows/device-security/applocker/applocker-overview)|Dialog Filter has been deprecated for Windows 10. Dialog Filter provided two capabilities; the ability to control which processes were able to run, and the ability to prevent dialogs (in practice, system dialogs) from appearing.
  • Control over which processes are able to run will now be provided by AppLocker.
  • System dialogs in Windows 10 have been replaced with system toasts. To see more on blocking system toasts, see Toast Notification Filter below.| +|[Hibernate Once/Resume Many (HORM)](/previous-versions/windows/embedded/dn449302(v=winembedded.82)): Quick boot to device|[HORM](/windows-hardware/customize/enterprise/hibernate-once-resume-many-horm-)|HORM is supported in Windows 10, version 1607 and later.| +|[Unified Write Filter](/previous-versions/windows/embedded/dn449332(v=winembedded.82)): protect a device's physical storage media|[Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter)|The Unified Write Filter is continued in Windows 10.| +|[Keyboard Filter](/previous-versions/windows/embedded/dn449298(v=winembedded.82)): block hotkeys and other key combinations|[Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)|Keyboard filter is added in Windows 10, version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via **Turn Windows Features On/Off**. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.| +|[Shell Launcher](/previous-versions/windows/embedded/dn449423(v=winembedded.82)): launch a Windows desktop application on sign-on|[Shell Launcher](/windows-hardware/customize/enterprise/shell-launcher)|Shell Launcher continues in Windows 10. It is now configurable in Windows ICD under the **SMISettings** category.
    Learn [how to use Shell Launcher to create a kiosk device](/windows/configuration/kiosk-single-app) that runs a Windows desktop application.| +|[Application Launcher](/previous-versions/windows/embedded/dn449251(v=winembedded.82)): launch a Universal Windows Platform (UWP) app on sign-on|[Assigned Access](/windows/client-management/mdm/assignedaccess-csp)|The Windows 8 Application Launcher has been consolidated into Assigned Access. Application Launcher enabled launching a Windows 8 app and holding focus on that app. Assigned Access offers a more robust solution for ensuring that apps retain focus.| +|[Dialog Filter](/previous-versions/windows/embedded/dn449395(v=winembedded.82)): suppress system dialogs and control which processes can run|[AppLocker](/windows/device-security/applocker/applocker-overview)|Dialog Filter has been deprecated for Windows 10. Dialog Filter provided two capabilities; the ability to control which processes were able to run, and the ability to prevent dialogs (in practice, system dialogs) from appearing.
  • Control over which processes are able to run will now be provided by AppLocker.
  • System dialogs in Windows 10 have been replaced with system toasts. To see more on blocking system toasts, see Toast Notification Filter below.| |[Toast Notification Filter](/previous-versions/windows/embedded/dn449360(v=winembedded.82)): suppress toast notifications|Mobile device management (MDM) and Group Policy|Toast Notification Filter has been replaced by MDM and Group Policy settings for blocking the individual components of non-critical system toasts that may appear. For example, to prevent a toast from appearing when a USB drive is connected, ensure that USB connections have been blocked using the USB-related policies, and turn off notifications from apps.
    Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications**
    MDM policy name may vary depending on your MDM service. In Microsoft Intune, use **Allow action center notifications** and a [custom OMA-URI setting](/mem/intune/configuration/custom-settings-windows-10) for **AboveLock/AllowActionCenterNotifications**.| -|[Embedded Lockdown Manager](/previous-versions/windows/embedded/dn449279(v=winembedded.82)): configure lockdown features|[Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd)|The Embedded Lockdown Manager has been deprecated for Windows 10 and replaced by the Windows ICD. Windows ICD is the consolidated tool for Windows imaging and provisioning scenarios and enables configuration of all Windows settings, including the lockdown features previously configurable through Embedded Lockdown Manager.| +|[Embedded Lockdown Manager](/previous-versions/windows/embedded/dn449279(v=winembedded.82)): configure lockdown features|[Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd)|The Embedded Lockdown Manager has been deprecated for Windows 10 and replaced by the Windows ICD. Windows ICD is the consolidated tool for Windows imaging and provisioning scenarios and enables configuration of all Windows settings, including the lockdown features previously configurable through Embedded Lockdown Manager.| |[USB Filter](/previous-versions/windows/embedded/dn449350(v=winembedded.82)): restrict USB devices and peripherals on system|MDM and Group Policy|The USB Filter driver has been replaced by MDM and Group Policy settings for blocking the connection of USB devices.

    Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Device Installation Restrictions**
    MDM policy name may vary depending on your MDM service. In Microsoft Intune, use **Removable storage**.| -|[Assigned Access](/previous-versions/windows/embedded/dn449303(v=winembedded.82)): launch a UWP app on sign-in and lock access to system|[Assigned Access](/windows/client-management/mdm/assignedaccess-csp)|Assigned Access has undergone significant improvement for Windows 10. In Windows 8.1, Assigned Access blocked system hotkeys and edge gestures, and non-critical system notifications, but it also applied some of these limitations to other accounts on the device.
    In Windows 10, Assigned Access no longer affects accounts other than the one being locked down. Assigned Access now restricts access to other apps or system components by locking the device when the selected user account logs in and launching the designated app above the lock screen, ensuring that no unintended functionality can be accessed.

    Learn [how to use Assigned Access to create a kiosk device](/windows/configuration/kiosk-single-app) that runs a Universal Windows app.| +|[Assigned Access](/previous-versions/windows/embedded/dn449303(v=winembedded.82)): launch a UWP app on sign-in and lock access to system|[Assigned Access](/windows/client-management/mdm/assignedaccess-csp)|Assigned Access has undergone significant improvement for Windows 10. In Windows 8.1, Assigned Access blocked system hotkeys and edge gestures, and non-critical system notifications, but it also applied some of these limitations to other accounts on the device.
    In Windows 10, Assigned Access no longer affects accounts other than the one being locked down. Assigned Access now restricts access to other apps or system components by locking the device when the selected user account logs in and launching the designated app above the lock screen, ensuring that no unintended functionality can be accessed.

    Learn [how to use Assigned Access to create a kiosk device](/windows/configuration/kiosk-single-app) that runs a Universal Windows app.| |[Gesture Filter](/previous-versions/windows/embedded/dn449374(v=winembedded.82)): block swipes from top, left, and right edges of screen|MDM and Group Policy|In Windows 8.1, gestures provided the ability to close an app, to switch apps, and to reach the Charms. In Windows 10, Charms have been removed. In Windows 10, version 1607, you can block swipes using the [Allow edge swipe](/windows/client-management/mdm/policy-configuration-service-provider#LockDown_AllowEdgeSwipe) policy.| -|[Custom Logon](/previous-versions/windows/embedded/dn449309(v=winembedded.82)): suppress Windows UI elements during Windows sign-on, sign-off, and shutdown|[Embedded Logon](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-embeddedlogon)|No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.| -|[Unbranded Boot](/previous-versions/windows/embedded/dn449249(v=winembedded.82)): custom brand a device by removing or replacing Windows boot UI elements|[Unbranded Boot](/windows-hardware/customize/enterprise/unbranded-boot)|No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.| +|[Custom Logon](/previous-versions/windows/embedded/dn449309(v=winembedded.82)): suppress Windows UI elements during Windows sign-on, sign-off, and shutdown|[Embedded Logon](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-embeddedlogon)|No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.| +|[Unbranded Boot](/previous-versions/windows/embedded/dn449249(v=winembedded.82)): custom brand a device by removing or replacing Windows boot UI elements|[Unbranded Boot](/windows-hardware/customize/enterprise/unbranded-boot)|No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.| 
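Review bot: the removed and re-added rows in this table hunk (Application Launcher, Dialog Filter, Embedded Lockdown Manager, Assigned Access, Custom Logon, Unbranded Boot) carry the same visible text on the `-` and `+` sides, so the change looks like whitespace or line endings only. Please say so in the commit message, or split the normalization from the file moves, so a whitespace-ignoring diff can confirm that none of the lockdown guidance in these rows (AppLocker for process control, the USB device installation restrictions, Assigned Access behaviour) was altered.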
diff --git a/windows/configuration/setup-digital-signage.md b/windows/configuration/kiosk/setup-digital-signage.md similarity index 87% rename from windows/configuration/setup-digital-signage.md rename to windows/configuration/kiosk/setup-digital-signage.md index b5761ada29..61b5f99dbf 100644 --- a/windows/configuration/setup-digital-signage.md +++ b/windows/configuration/kiosk/setup-digital-signage.md 
@@ -1,39 +1,35 @@ --- title: Set up digital signs on Windows 10/11 -description: A single-use device such as a digital sign is easy to set up in Windows 10 and Windows 11 (Pro, Enterprise, and Education). -ms.reviewer: sybruckm -manager: aaroncz -ms.author: lizlong -ms.prod: windows-client -author: lizgt2000 -ms.localizationpriority: medium +description: A single-use device such as a digital sign is easy to set up in Windows 10 and Windows 11 (Pro, Enterprise, and Education). +ms.reviewer: sybruckm + ms.date: 09/20/2021 ms.topic: article -ms.technology: itpro-configure ---- +--- -# Set up digital signs on Windows 10/11 +# Set up digital signs on Windows 10/11 -**Applies to** +**Applies to** -- Windows 10 Pro, Enterprise, and Education -- Windows 11 +- Windows 10 Pro, Enterprise, and Education +- Windows 11 -Digital signage can be a useful and exciting business tool. Use digital signs to showcase your products and services, to display testimonials, or to advertise promotions and campaigns. A digital sign can be a static display, such as a building directory or menu, or it can be dynamic, such as repeating videos or a social media feed. +Digital signage can be a useful and exciting business tool. Use digital signs to showcase your products and services, to display testimonials, or to advertise promotions and campaigns. A digital sign can be a static display, such as a building directory or menu, or it can be dynamic, such as repeating videos or a social media feed. -For digital signage, simply select a digital sign player as your kiosk app. You can also use [Microsoft Edge in kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) or the Kiosk Browser app, and configure it to show your online content. +For digital signage, simply select a digital sign player as your kiosk app. You can also use [Microsoft Edge in kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) or the Kiosk Browser app, and configure it to show your online content. 
>[!TIP] ->Kiosk Browser can also be used in [single-app kiosks](kiosk-single-app.md) and [multi-app kiosk](lock-down-windows-10-to-specific-apps.md) as a web browser. For more information, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers). +>Kiosk Browser can also be used in [single-app kiosks](kiosk-single-app.md) and [multi-app kiosk](lock-down-windows-10-to-specific-apps.md) as a web browser. For more information, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers). -Kiosk Browser must be downloaded for offline licensing using Microsoft Store for Business. You can deploy Kiosk Browser to devices running Windows 11, and Windows 10 version 1803+. +Kiosk Browser must be downloaded for offline licensing using Microsoft Store for Business. You can deploy Kiosk Browser to devices running Windows 11, and Windows 10 version 1803+. >[!NOTE] ->If you haven't set up your Microsoft Store for Business yet, check out [the prerequisites](/microsoft-store/prerequisites-microsoft-store-for-business) and then [sign up](/microsoft-store/sign-up-microsoft-store-for-business). +>If you haven't set up your Microsoft Store for Business yet, check out [the prerequisites](/microsoft-store/prerequisites-microsoft-store-for-business) and then [sign up](/microsoft-store/sign-up-microsoft-store-for-business). -This procedure explains how to configure digital signage using Kiosk Browser on a device running Windows client that has already been set up (completed the first-run experience). +This procedure explains how to configure digital signage using Kiosk Browser on a device running Windows client that has already been set up (completed the first-run experience). 1. [Get **Kiosk Browser** in Microsoft Store for Business with offline, unencoded license type.](/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps) + 2. 
[Download the **Kiosk Browser** package, license file, and all required frameworks.](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) 2. [Install Windows Configuration Designer.](~/provisioning-packages/provisioning-install-icd.md) 3. Open Windows Configuration Designer and select **Provision kiosk devices**. @@ -41,6 +37,7 @@ This procedure explains how to configure digital signage using Kiosk Browser on 5. On **Set up device**, select **Disabled**, and select **Next**. 6. On **Set up network**, enable network setup: - Toggle **On** wireless network connectivity. + - Enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network. 7. On **Account management**, select **Disabled**, and select **Next**. 8. On **Add applications**, select **Add an application**: 
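Review bot: in the first hunk of setup-digital-signage.md the TIP keeps relative links to `kiosk-single-app.md`, `lock-down-windows-10-to-specific-apps.md` and `guidelines-for-assigned-access-app.md#guidelines-for-web-browsers`, but the file itself is renamed from windows/configuration/ to windows/configuration/kiosk/. Those links now resolve inside kiosk/, so they break unless the three targets move in the same change; please confirm they do, or rewrite the links. The same check applies to `~/provisioning-packages/provisioning-install-icd.md` in step 2. The front matter also drops `author` and `ms.author`; if the build expects them, note where they are now supplied.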
@@ -56,14 +53,15 @@ This procedure explains how to configure digital signage using Kiosk Browser on - For **App type**, select **Universal Windows App**. - In **Enter the AUMID for the app**, enter `Microsoft.KioskBrowser_8wekyb3d8bbwe!App`. 11. In the bottom left corner of Windows Configuration Designer, select **Switch to advanced editor**. + 12. Go to **Runtime settings** > **Policies** > **KioskBrowser**. Let's assume that the URL for your digital signage content is contoso.com/menu: - In **BlockedUrlExceptions**, enter `https://www.contoso.com/menu`. - In **BlockedUrl**, enter `*`. - In **DefaultUrl**, enter `https://www.contoso.com/menu`. - - Set **EnableEndSessionButton**, **EnableHomeButton**, and **EnableNavigationButtons** to **No**. + - Set **EnableEndSessionButton**, **EnableHomeButton**, and **EnableNavigationButtons** to **No**. >[!TIP] - >For more information on kiosk browser settings, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers). + >For more information on kiosk browser settings, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers). 13. On the **File** menu, select **Save**, and select **OK** in the **Keep your info secure** dialog box. 14. On the **Export** menu, select **Provisioning package**. diff --git a/windows/configuration/images/lockscreen.png b/windows/configuration/lock-screen/lockscreen.png similarity index 100% rename from windows/configuration/images/lockscreen.png rename to windows/configuration/lock-screen/lockscreen.png diff --git a/windows/configuration/images/lockscreenpolicy.png b/windows/configuration/lock-screen/lockscreenpolicy.png similarity index 100% rename from windows/configuration/images/lockscreenpolicy.png rename to windows/configuration/lock-screen/lockscreenpolicy.png 
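Review bot: the two image renames place `lockscreen.png` and `lockscreenpolicy.png` directly under windows/configuration/lock-screen/, yet the relocated windows-spotlight.md in the next diff still references `images/lockscreen.png` and `images/lockscreenpolicy.png` on its `+` lines. From lock-screen/ those paths resolve to lock-screen/images/, which these renames do not create, so both images will fail to render. Either move the files to lock-screen/images/ or update the references to the bare file names. `images/funfacts.png` and `images/spotlight.png` are referenced the same way and have no rename in the visible part of the patch; please check them too.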
diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/lock-screen/windows-spotlight.md similarity index 83% rename from windows/configuration/windows-spotlight.md rename to windows/configuration/lock-screen/windows-spotlight.md index b80b7b3a66..2578087d2b 100644 --- a/windows/configuration/windows-spotlight.md +++ b/windows/configuration/lock-screen/windows-spotlight.md 
@@ -1,97 +1,97 @@ --- title: Configure Windows Spotlight on the lock screen description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen. -author: lizgt2000 -ms.author: lizlong ms.topic: article ms.date: 04/30/2018 -ms.technology: itpro-configure ---- +--- -# Configure Windows Spotlight on the lock screen +# Configure Windows Spotlight on the lock screen -**Applies to** +**Applies to** -- Windows 10 +- Windows 10 -Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows Spotlight is available in all desktop editions of Windows 10. +Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows Spotlight is available in all desktop editions of Windows 10. -For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background. For managed devices running Windows 10 Pro, version 1607, administrators can disable suggestions for third party apps. +For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background. For managed devices running Windows 10 Pro, version 1607, administrators can disable suggestions for third party apps. 
>[!NOTE] >In Windows 10, version 1607, the lock screen background does not display if you disable the **Animate windows when minimizing and maximizing** setting in **This PC** > **Properties** > **Advanced system settings** > **Performance settings** > **Visual Effects**, or if you enable the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Desktop Windows Manager** > **Do not allow windows animations**. > ->In Windows 10, version 1703, you can use the [Personalization CSP](/windows/client-management/mdm/personalization-csp) settings to set lock screen and desktop background images. +>In Windows 10, version 1703, you can use the [Personalization CSP](/windows/client-management/mdm/personalization-csp) settings to set lock screen and desktop background images. -## What does Windows Spotlight include? +## What does Windows Spotlight include? -- **Background image** +- **Background image** - The Windows Spotlight displays a new image on the lock screen each day. The initial background image is included during installation. More images are downloaded on ongoing basis. + The Windows Spotlight displays a new image on the lock screen each day. The initial background image is included during installation. More images are downloaded on ongoing basis. - ![lock screen image.](images/lockscreen.png) + ![lock screen image.](images/lockscreen.png) -- **Feature suggestions, fun facts, tips** +- **Feature suggestions, fun facts, tips** The lock screen background will occasionally make recommendations on how to enhance your productivity and enjoyment of Microsoft products including suggesting other relevant Microsoft products and services. - ![fun facts.](images/funfacts.png) -## How do you turn off Windows Spotlight locally? + ![fun facts.](images/funfacts.png) + +## How do you turn off Windows Spotlight locally? 
-To turn off Windows Spotlight locally, go to **Settings** > **Personalization** > **Lock screen** > **Background** > **Windows spotlight** > select a different lock screen background +To turn off Windows Spotlight locally, go to **Settings** > **Personalization** > **Lock screen** > **Background** > **Windows spotlight** > select a different lock screen background -![personalization background.](images/spotlight.png) +![personalization background.](images/spotlight.png) -## How do you disable Windows Spotlight for managed devices? +## How do you disable Windows Spotlight for managed devices? -Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mobile device management (MDM) settings to help you manage Windows Spotlight on enterprise computers. +Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mobile device management (MDM) settings to help you manage Windows Spotlight on enterprise computers. >[!NOTE] ->These policies are in the **User Configuration \Policies\Administrative Templates\Windows Components\Cloud Content** path in the Group Policy Management Console, and in the **User Configuration \Administrative Templates\Windows Components\Cloud Content** path in the Local Group Policy Editor. +>These policies are in the **User Configuration \Policies\Administrative Templates\Windows Components\Cloud Content** path in the Group Policy Management Console, and in the **User Configuration \Administrative Templates\Windows Components\Cloud Content** path in the Local Group Policy Editor. 
| Group Policy | MDM | Description | Applies to | | --- | --- | --- | --- | | **Do not suggest third-party content in Windows spotlight** | **Experience/Allow ThirdParty Suggestions In Windows Spotlight** | Enables enterprises to restrict suggestions to Microsoft apps and services | Windows 10 Pro, Enterprise, and Education, version 1607 and later | | **Turn off all Windows Spotlight features** | **Experience/Allow Windows Spotlight** | Enables enterprises to completely disable all Windows Spotlight features in a single setting | Windows 10 Enterprise and Education, version 1607 and later | | **Configure Spotlight on lock screen** | **Experience/Configure Windows Spotlight On Lock Screen** | Specifically controls the use of the dynamic Windows Spotlight image on the lock screen, and can be enabled or disabled | Windows 10 Enterprise and Education, version 1607 and later | + | **Turn off the Windows Spotlight on Action Center** | **Experience/Allow Windows Spotlight On Action Center** | Turn off Suggestions from Microsoft that show after each clean install, upgrade, or on an on-going basis to introduce users to what is new or changed | Windows 10 Enterprise and Education, version 1703 | | **Do not use diagnostic data for tailored experiences** | **Experience/Allow Tailored Experiences With Diagnostic Data** | Prevent Windows from using diagnostic data to provide tailored experiences to the user | Windows 10 Pro, Enterprise, and Education, version 1703 | | **Turn off the Windows Welcome Experience** | **Experience/Allow Windows Spotlight Windows Welcome Experience** | Turn off the Windows Spotlight Windows Welcome experience that helps introduce users to Windows, such as launching Microsoft Edge with a web page highlighting new features | Windows 10 Enterprise and Education, version 1703 | -**Turn off the Windows Spotlight on Settings** | **Experience/Allow Windows Spotlight on Settings** | Turn off the Windows Spotlight in the Settings app. 
| Windows 10 Enterprise and Education, version 1803 | +**Turn off the Windows Spotlight on Settings** | **Experience/Allow Windows Spotlight on Settings** | Turn off the Windows Spotlight in the Settings app. | Windows 10 Enterprise and Education, version 1803 | + - - In addition to the specific policy settings for Windows Spotlight, administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image** (Windows 10 Enterprise and Education). + In addition to the specific policy settings for Windows Spotlight, administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image** (Windows 10 Enterprise and Education). >[!TIP] - >If you want to use a custom lock screen image that contains text, see [Resolution for custom lock screen image](#resolution-for-custom-lock-screen-image). + >If you want to use a custom lock screen image that contains text, see [Resolution for custom lock screen image](#resolution-for-custom-lock-screen-image). -![lockscreen policy details.](images/lockscreenpolicy.png) +![lockscreen policy details.](images/lockscreenpolicy.png) -Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox isn't selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages. +Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. 
If the checkbox isn't selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages. -## Resolution for custom lock screen image +## Resolution for custom lock screen image -A concern with custom lock screen images is how they'll appear on different screen sizes and resolutions. +A concern with custom lock screen images is how they'll appear on different screen sizes and resolutions. -A custom lock screen image created in 16:9 aspect ratio (1600x900) will scale properly on devices using a 16:9 resolution, such as 1280x720 or 1920x1080. On devices using other aspect ratios, such as 4:3 (1024x768) or 16:10 (1280x800), height scales correctly and width is cropped to a size equal to the aspect ratio. The image will remain centered on the screen +A custom lock screen image created in 16:9 aspect ratio (1600x900) will scale properly on devices using a 16:9 resolution, such as 1280x720 or 1920x1080. On devices using other aspect ratios, such as 4:3 (1024x768) or 16:10 (1280x800), height scales correctly and width is cropped to a size equal to the aspect ratio. The image will remain centered on the screen -Lock screen images created at other aspect ratios may scale and center unpredictably on your device when changing aspect ratios. +Lock screen images created at other aspect ratios may scale and center unpredictably on your device when changing aspect ratios. -The recommendation for custom lock screen images that include text (such as a legal statement) is to create the lock screen image in 16:9 resolution with text contained in the 4:3 region, allowing the text to remain visible at any aspect ratio. +The recommendation for custom lock screen images that include text (such as a legal statement) is to create the lock screen image in 16:9 resolution with text contained in the 4:3 region, allowing the text to remain visible at any aspect ratio. 
-## Related topics +## Related topics -[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) +[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) + diff --git a/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md b/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md index e5fbf3eb4f..6cd55dcf24 100644 --- a/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md +++ b/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md 
@@ -1,41 +1,39 @@ --- title: Diagnose Provisioning Packages description: Diagnose general failures in provisioning. -manager: aaroncz ms.author: lizlong + ms.topic: article -ms.prod: windows-client ms.technology: itpro-manage -author: lizgt2000 ms.date: 01/18/2023 ---- +--- -# Diagnose Provisioning Packages +# Diagnose Provisioning Packages -This article helps diagnose common issues with applying provisioning packages. You can use the [MdmDiagnosticsTool](/windows/client-management/diagnose-mdm-failures-in-windows-10) to diagnose general provisioning failures. +This article helps diagnose common issues with applying provisioning packages. You can use the [MdmDiagnosticsTool](/windows/client-management/diagnose-mdm-failures-in-windows-10) to diagnose general provisioning failures. -## Unable to apply power settings +## Unable to apply power settings -When applying a provisioning package (PPKG) containing power settings, elevated permissions are required. Because elevated permissions are required, power settings applied using the user context after the [initial setup](/windows/configuration/provisioning-packages/provisioning-apply-package#after-initial-setup) results in the error `STATUS_PRIVILEGE_NOT_HELD (HRESULT=0xc0000061)` because an incorrect security context was used. +When applying a provisioning package (PPKG) containing power settings, elevated permissions are required. Because elevated permissions are required, power settings applied using the user context after the [initial setup](/windows/configuration/provisioning-packages/provisioning-apply-package#after-initial-setup) results in the error `STATUS_PRIVILEGE_NOT_HELD (HRESULT=0xc0000061)` because an incorrect security context was used. -To apply the power settings successfully with the [correct security context](/windows/win32/services/localsystem-account), place the PPKG in `%WINDIR%/Provisioning/Packages` directory, and reboot the device. 
For more information, see [Configure power settings](/windows-hardware/customize/power-settings/configure-power-settings). +To apply the power settings successfully with the [correct security context](/windows/win32/services/localsystem-account), place the PPKG in `%WINDIR%/Provisioning/Packages` directory, and reboot the device. For more information, see [Configure power settings](/windows-hardware/customize/power-settings/configure-power-settings). - + -## Unable to perform bulk enrollment in Microsoft Entra ID +## Unable to perform bulk enrollment in Microsoft Entra ID -When [enrolling devices into Microsoft Entra ID using provisioning packages](https://techcommunity.microsoft.com/t5/intune-customer-success/bulk-join-a-windows-device-to-azure-ad-and-microsoft-endpoint/ba-p/2381400), the bulk token request is rejected, if the user requesting a bulk token isn't authorized to grant application consent. For more information, see [Configure how users consent to applications](/azure/active-directory/manage-apps/configure-user-consent). +When [enrolling devices into Microsoft Entra ID using provisioning packages](https://techcommunity.microsoft.com/t5/intune-customer-success/bulk-join-a-windows-device-to-azure-ad-and-microsoft-endpoint/ba-p/2381400), the bulk token request is rejected, if the user requesting a bulk token isn't authorized to grant application consent. For more information, see [Configure how users consent to applications](/azure/active-directory/manage-apps/configure-user-consent). > [!NOTE] -> When obtaining the bulk token, you should select "No, sign in to this app only" when prompted for authentication. If you select "OK" instead without also selecting "Allow my organization to manage my device", the bulk token request might be rejected. +> When obtaining the bulk token, you should select "No, sign in to this app only" when prompted for authentication. 
If you select "OK" instead without also selecting "Allow my organization to manage my device", the bulk token request might be rejected. -## Unable to apply a multivariant provisioning package +## Unable to apply a multivariant provisioning package -When applying a [multivariant package](/windows/configuration/provisioning-packages/provisioning-multivariant), it might be difficult to diagnose why a certain target didn't get applied. There may have been improperly authored conditions that didn't evaluate as expected. +When applying a [multivariant package](/windows/configuration/provisioning-packages/provisioning-multivariant), it might be difficult to diagnose why a certain target didn't get applied. There may have been improperly authored conditions that didn't evaluate as expected. -Starting in Windows 11, version 22H2, [MdmDiagnosticsTool](/windows/client-management/diagnose-mdm-failures-in-windows-10) includes multivariant condition values to diagnose problems with multivariant packages to determine why the package wasn't applied. +Starting in Windows 11, version 22H2, [MdmDiagnosticsTool](/windows/client-management/diagnose-mdm-failures-in-windows-10) includes multivariant condition values to diagnose problems with multivariant packages to determine why the package wasn't applied. -You can use the following PowerShell example to review the multivariant conditions in the `MDMDiagReport.xml` report: +You can use the following PowerShell example to review the multivariant conditions in the `MDMDiagReport.xml` report: ```powershell ([XML](Get-Content MDMDiagReport.xml)).SelectNodes('//Multivariant') | Select -ExpandProperty Condition diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md index e6fe7659b1..5e2ce4c248 100644 
--- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md 
@@ -2,185 +2,180 @@ title: Configuration service providers for IT pros (Windows 10/11) description: Describes how IT pros and system administrators can use configuration service providers (CSPs) to configure devices. ms.reviewer: gkomatsu -manager: aaroncz -ms.prod: windows-client -author: lizgt2000 -ms.author: lizlong -ms.topic: article -ms.localizationpriority: medium -ms.technology: itpro-configure +ms.topic: article + ms.date: 12/31/2017 ---- +--- -# Configuration service providers for IT pros +# Configuration service providers for IT pros -**Applies to** +**Applies to** - Windows 10 -- Windows 11 +- Windows 11 -This article explains how IT pros and system administrators can take advantage of many settings available through configuration service providers (CSPs) to configure devices running Windows client in their organizations. CSPs expose device configuration settings in Windows client. The CSPs are used by mobile device management (MDM) service providers and are documented in the [Hardware Dev Center](/windows/client-management/mdm/configuration-service-provider-reference). +This article explains how IT pros and system administrators can take advantage of many settings available through configuration service providers (CSPs) to configure devices running Windows client in their organizations. CSPs expose device configuration settings in Windows client. The CSPs are used by mobile device management (MDM) service providers and are documented in the [Hardware Dev Center](/windows/client-management/mdm/configuration-service-provider-reference). -## What is a CSP? +## What is a CSP? -In the client operating system, a CSP is the interface between configuration settings that are specified in a provisioning document and configuration settings that are on the device. CSPs are similar to Group Policy client-side extensions in that they provide an interface to read, set, modify, or delete configuration settings for a given feature. 
Typically, these settings map to registry keys, files, or permissions. Some of these settings are configurable, and some are read-only. +In the client operating system, a CSP is the interface between configuration settings that are specified in a provisioning document and configuration settings that are on the device. CSPs are similar to Group Policy client-side extensions in that they provide an interface to read, set, modify, or delete configuration settings for a given feature. Typically, these settings map to registry keys, files, or permissions. Some of these settings are configurable, and some are read-only. -On the Windows client platform, the management approach for desktop uses CSPs to configure and manage all devices running Windows client. +On the Windows client platform, the management approach for desktop uses CSPs to configure and manage all devices running Windows client. -Each CSP provides access to specific settings. For example, the [Wi-Fi CSP](/windows/client-management/mdm/wifi-csp) contains the settings to create a Wi-Fi profile. +Each CSP provides access to specific settings. For example, the [Wi-Fi CSP](/windows/client-management/mdm/wifi-csp) contains the settings to create a Wi-Fi profile. -CSPs are behind many of the management tasks and policies for Windows client, both in Microsoft Intune and in non-Microsoft MDM service providers. For example, in Intune, the policy to allow search suggestions in the Microsoft Edge address bar uses **Browser/AllowSearchSuggestionsinAddressBar** in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). +CSPs are behind many of the management tasks and policies for Windows client, both in Microsoft Intune and in non-Microsoft MDM service providers. 
For example, in Intune, the policy to allow search suggestions in the Microsoft Edge address bar uses **Browser/AllowSearchSuggestionsinAddressBar** in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). -:::image type="content" source="../images/policytocsp.png" alt-text="How intune maps to CSP"::: +:::image type="content" source="../images/policytocsp.png" alt-text="How intune maps to CSP"::: -CSPs receive configuration policies in the XML-based Synchronization Markup Language (SyncML) format, pushed from an MDM-compliant management server, such as Microsoft Intune. Traditional enterprise management systems, such as Microsoft Configuration Manager, can also target CSPs, by using a client-side Windows Management Instrumentation (WMI)-to-CSP Bridge. +CSPs receive configuration policies in the XML-based Synchronization Markup Language (SyncML) format, pushed from an MDM-compliant management server, such as Microsoft Intune. Traditional enterprise management systems, such as Microsoft Configuration Manager, can also target CSPs, by using a client-side Windows Management Instrumentation (WMI)-to-CSP Bridge. -### Synchronization Markup Language (SyncML) +### Synchronization Markup Language (SyncML) -The Open Mobile Alliance Device Management (OMA-DM) protocol uses the XML-based SyncML for data exchange between compliant servers and clients. SyncML offers an open standard to use as an alternative to vendor-specific management solutions (such as WMI). The value for enterprises adopting industry standard management protocols is that it allows the management of a broader set of vendor devices using a single platform (such as Microsoft Intune). Device policies, including VPN connection profiles, are delivered to client devices formatted as in SyncML. The target CSP reads this information and applies the necessary configurations. 
+The Open Mobile Alliance Device Management (OMA-DM) protocol uses the XML-based SyncML for data exchange between compliant servers and clients. SyncML offers an open standard to use as an alternative to vendor-specific management solutions (such as WMI). The value for enterprises adopting industry standard management protocols is that it allows the management of a broader set of vendor devices using a single platform (such as Microsoft Intune). Device policies, including VPN connection profiles, are delivered to client devices formatted as in SyncML. The target CSP reads this information and applies the necessary configurations. -### The WMI-to-CSP Bridge +### The WMI-to-CSP Bridge -The WMI-to-CSP Bridge is a component allowing configuration of Windows client CSPs using scripts and traditional enterprise management software, such as Configuration Manager using WMI. The bridge is responsible for reading WMI commands and through a component called the common device configurator pass them to a CSP for application on the device. +The WMI-to-CSP Bridge is a component allowing configuration of Windows client CSPs using scripts and traditional enterprise management software, such as Configuration Manager using WMI. The bridge is responsible for reading WMI commands and through a component called the common device configurator pass them to a CSP for application on the device. -[Learn how to use the WMI Bridge Provider with PowerShell.](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider) +[Learn how to use the WMI Bridge Provider with PowerShell.](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider) -## Why should you learn about CSPs? +## Why should you learn about CSPs? -Generally, enterprises rely on Group Policy or MDM to configure and manage devices. For devices running Windows, MDM services use CSPs to configure your devices. 
+Generally, enterprises rely on Group Policy or MDM to configure and manage devices. For devices running Windows, MDM services use CSPs to configure your devices. -In addition, you may have unmanaged devices, or a large number of devices that you want to configure before enrolling them in management. You may also want to apply custom settings that aren't available through your MDM service. The [CSP documentation](#bkmk-csp-doc) can help you understand the settings that can be configured or queried. You can also learn about all of the available configuration settings. +In addition, you may have unmanaged devices, or a large number of devices that you want to configure before enrolling them in management. You may also want to apply custom settings that aren't available through your MDM service. The [CSP documentation](#bkmk-csp-doc) can help you understand the settings that can be configured or queried. You can also learn about all of the available configuration settings. -### CSPs in Windows Configuration Designer +### CSPs in Windows Configuration Designer -You can use Windows Configuration Designer to create [provisioning packages](./provisioning-packages.md) to apply settings to devices during the out-of-box-experience (OOBE), and after the devices are set up. You can also use provisioning packages to configure a device's connectivity and enroll the device in MDM. Many of the runtime settings in Windows Configuration Designer are based on CSPs. +You can use Windows Configuration Designer to create [provisioning packages](./provisioning-packages.md) to apply settings to devices during the out-of-box-experience (OOBE), and after the devices are set up. You can also use provisioning packages to configure a device's connectivity and enroll the device in MDM. Many of the runtime settings in Windows Configuration Designer are based on CSPs. 
-Many settings in Windows Configuration Designer will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image. +Many settings in Windows Configuration Designer will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image. -:::image type="content" source="../images/cspinicd.png" alt-text="In Windows Configuration Designer, how help content appears in ICD."::: +:::image type="content" source="../images/cspinicd.png" alt-text="In Windows Configuration Designer, how help content appears in ICD."::: -[Provisioning packages in Windows client](provisioning-packages.md) explains how to use the Windows Configuration Designer tool to create a runtime provisioning package. +[Provisioning packages in Windows client](provisioning-packages.md) explains how to use the Windows Configuration Designer tool to create a runtime provisioning package. -### CSPs in MDM +### CSPs in MDM -Most, if not all, CSPs are surfaced through your MDM service. If you see a CSP that provides a capability that you want to make use of and cannot find that capability in your MDM service, contact your MDM provider for assistance. It might be named differently than you expected. You can see the CSPs supported by MDM in the [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference). +Most, if not all, CSPs are surfaced through your MDM service. If you see a CSP that provides a capability that you want to make use of and cannot find that capability in your MDM service, contact your MDM provider for assistance. It might be named differently than you expected. You can see the CSPs supported by MDM in the [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference). 
-When a CSP is available but is not explicitly included in your MDM solution, you may be able to make use of the CSP by using OMA-URI settings. In Intune, for example, you can use [custom policy settings](/mem/intune/configuration/custom-settings-configure) to deploy settings. Intune documents [a partial list of settings](/mem/intune/configuration/custom-settings-windows-10) that you can enter in the **OMA-URI Settings** section of a custom policy, if your MDM service provides that extension. You'll notice that the list doesn't explain the meanings of the allowed and default values, so use the [CSP reference documentation](/windows/client-management/mdm/configuration-service-provider-reference) to locate that information. +When a CSP is available but is not explicitly included in your MDM solution, you may be able to make use of the CSP by using OMA-URI settings. In Intune, for example, you can use [custom policy settings](/mem/intune/configuration/custom-settings-configure) to deploy settings. Intune documents [a partial list of settings](/mem/intune/configuration/custom-settings-windows-10) that you can enter in the **OMA-URI Settings** section of a custom policy, if your MDM service provides that extension. You'll notice that the list doesn't explain the meanings of the allowed and default values, so use the [CSP reference documentation](/windows/client-management/mdm/configuration-service-provider-reference) to locate that information. -### CSPs in Lockdown XML +### CSPs in Lockdown XML -## How do you use the CSP documentation? +## How do you use the CSP documentation? -All CSPs are documented in the [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference). +All CSPs are documented in the [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference). 
-The [CSP reference](/windows/client-management/mdm/configuration-service-provider-reference) tells you which CSPs are supported on each edition of Windows, and links to the documentation for each individual CSP. +The [CSP reference](/windows/client-management/mdm/configuration-service-provider-reference) tells you which CSPs are supported on each edition of Windows, and links to the documentation for each individual CSP. -:::image type="content" source="../images/csptable.png" alt-text="The CSP reference shows the supported Windows editions"::: +:::image type="content" source="../images/csptable.png" alt-text="The CSP reference shows the supported Windows editions"::: -The documentation for each CSP follows the same structure. After an introduction that explains the purpose of the CSP, a diagram shows the parts of the CSP in tree format. +The documentation for each CSP follows the same structure. After an introduction that explains the purpose of the CSP, a diagram shows the parts of the CSP in tree format. -The full path to a specific configuration setting is represented by its Open Mobile Alliance - Uniform Resource Identifier (OMA-URI). The URI is relative to the devices’ root node (MSFT, for example). Features supported by a particular CSP can be set by addressing the complete OMA-URI path. +The full path to a specific configuration setting is represented by its Open Mobile Alliance - Uniform Resource Identifier (OMA-URI). The URI is relative to the devices’ root node (MSFT, for example). Features supported by a particular CSP can be set by addressing the complete OMA-URI path. -The following example shows the diagram for the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). The diagram maps to the XML for that CSP. Notice the different shapes in the diagram: rounded elements are nodes, and rectangular elements are settings or policies for which a value must be supplied. 
+The following example shows the diagram for the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). The diagram maps to the XML for that CSP. Notice the different shapes in the diagram: rounded elements are nodes, and rectangular elements are settings or policies for which a value must be supplied. -:::image type="content" source="../images/provisioning-csp-assignedaccess.png" alt-text="The CSP reference shows the assigned access CSP tree."::: +:::image type="content" source="../images/provisioning-csp-assignedaccess.png" alt-text="The CSP reference shows the assigned access CSP tree."::: -The element in the tree diagram after the root node tells you the name of the CSP. Knowing this structure, you would recognize in XML the parts of the URI path for that CSP and, if you saw it in XML, you would know which CSP reference to look up. For example, in the following OMS-URI path for the kiosk mode app settings, you can see that it uses the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). +The element in the tree diagram after the root node tells you the name of the CSP. Knowing this structure, you would recognize in XML the parts of the URI path for that CSP and, if you saw it in XML, you would know which CSP reference to look up. For example, in the following OMS-URI path for the kiosk mode app settings, you can see that it uses the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). ```XML ./Vendor/MSFT/AssignedAccess/KioskModeApp -``` +``` -When an element in the diagram uses _italic_ font, it indicates a placeholder for specific information, such as the tenant ID in the following example. +When an element in the diagram uses _italic_ font, it indicates a placeholder for specific information, such as the tenant ID in the following example. 
-:::image type="content" source="../images/csp-placeholder.png" alt-text="The placeholder in the CSP tree"::: +:::image type="content" source="../images/csp-placeholder.png" alt-text="The placeholder in the CSP tree"::: -After the diagram, the documentation describes each element. For each policy or setting, the valid values are listed. +After the diagram, the documentation describes each element. For each policy or setting, the valid values are listed. -For example, in the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp), the setting is **KioskModeApp**. The documentation tells you that the value for **KioskModeApp** is a JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. +For example, in the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp), the setting is **KioskModeApp**. The documentation tells you that the value for **KioskModeApp** is a JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. -The documentation for most CSPs will also include an XML example. +The documentation for most CSPs will also include an XML example. -## CSP examples +## CSP examples -CSPs provide access to many settings useful to enterprises. This section introduces the CSPs that an enterprise might find useful. +CSPs provide access to many settings useful to enterprises. This section introduces the CSPs that an enterprise might find useful. -- [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) +- [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) - The Policy CSP enables the enterprise to configure policies on Windows client. Some of these policy settings can also be applied using Group Policy, and the CSP documentation lists the equivalent Group Policy settings. + The Policy CSP enables the enterprise to configure policies on Windows client. 
Some of these policy settings can also be applied using Group Policy, and the CSP documentation lists the equivalent Group Policy settings. - Some of the settings available in the Policy CSP include the following: + Some of the settings available in the Policy CSP include the following: - - **Accounts**, such as whether a non-Microsoft account can be added to the device. - - **Application management**, such as whether only Microsoft Store apps are allowed. - - **Bluetooth**, such as the services allowed to use it. - - **Browser**, such as restricting InPrivate browsing. - - **Connectivity**, such as whether the device can be connected to a computer by USB. - - **Defender** (for desktop only), such as day and time to scan. - - **Device lock**, such as the type of PIN or password required to unlock the device. - - **Experience**, such as allowing Cortana. - - **Security**, such as whether provisioning packages are allowed. - - **Settings**, such as enabling the user to change VPN settings. - - **Start**, such as applying a standard Start layout. - - **System**, such as allowing the user to reset the device. - - **Text input**, such as allowing the device to send anonymized user text input data samples to Microsoft. - - **Update**, such as whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. - - **WiFi**, such as whether Internet sharing is enabled. + - **Accounts**, such as whether a non-Microsoft account can be added to the device. + - **Application management**, such as whether only Microsoft Store apps are allowed. + - **Bluetooth**, such as the services allowed to use it. + - **Browser**, such as restricting InPrivate browsing. + - **Connectivity**, such as whether the device can be connected to a computer by USB. + - **Defender** (for desktop only), such as day and time to scan. + - **Device lock**, such as the type of PIN or password required to unlock the device. + - **Experience**, such as allowing Cortana. 
+ - **Security**, such as whether provisioning packages are allowed. + - **Settings**, such as enabling the user to change VPN settings. + - **Start**, such as applying a standard Start layout. + - **System**, such as allowing the user to reset the device. + - **Text input**, such as allowing the device to send anonymized user text input data samples to Microsoft. + - **Update**, such as whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. + - **WiFi**, such as whether Internet sharing is enabled. -Here is a list of CSPs supported on Windows 10 Enterprise: +Here is a list of CSPs supported on Windows 10 Enterprise: -- [ActiveSync CSP](/windows/client-management/mdm/activesync-csp) -- [Application CSP](/windows/client-management/mdm/application-csp) -- [AppLocker CSP](/windows/client-management/mdm/applocker-csp) -- [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp) -- [Bootstrap CSP](/windows/client-management/mdm/bootstrap-csp) -- [BrowserFavorite CSP](/windows/client-management/mdm/browserfavorite-csp) -- [CellularSettings CSP](/windows/client-management/mdm/cellularsettings-csp) -- [CertificateStore CSP](/windows/client-management/mdm/certificatestore-csp) -- [ClientCertificateInstall CSP](/windows/client-management/mdm/clientcertificateinstall-csp) -- [CM\_CellularEntries CSP](/windows/client-management/mdm/cm-cellularentries-csp) -- [CM\_ProxyEntries CSP](/windows/client-management/mdm/cm-proxyentries-csp) -- [CMPolicy CSP](/windows/client-management/mdm/cmpolicy-csp) -- [Defender CSP](/windows/client-management/mdm/defender-csp) -- [DevDetail CSP](/windows/client-management/mdm/devdetail-csp) -- [DeviceInstanceService CSP](/windows/client-management/mdm/deviceinstanceservice-csp) -- [DeviceLock CSP](/windows/client-management/mdm/devicelock-csp) -- [DeviceStatus CSP](/windows/client-management/mdm/devicestatus-csp) -- [DevInfo CSP](/windows/client-management/mdm/devinfo-csp) -- 
[DiagnosticLog CSP](/windows/client-management/mdm/diagnosticlog-csp) -- [DMAcc CSP](/windows/client-management/mdm/dmacc-csp) -- [DMClient CSP](/windows/client-management/mdm/dmclient-csp) -- [Email2 CSP](/windows/client-management/mdm/email2-csp) -- [EnterpriseAPN CSP](/windows/client-management/mdm/enterpriseapn-csp) -- [EnterpriseAssignedAccess CSP](/windows/client-management/mdm/enterpriseassignedaccess-csp) -- [EnterpriseDesktopAppManagement CSP](/windows/client-management/mdm/enterprisedesktopappmanagement-csp) -- [EnterpriseExt CSP](/windows/client-management/mdm/enterpriseext-csp) -- [EnterpriseModernAppManagement CSP](/windows/client-management/mdm/enterprisemodernappmanagement-csp) -- [FileSystem CSP](/windows/client-management/mdm/filesystem-csp) -- [HealthAttestation CSP](/windows/client-management/mdm/healthattestation-csp) -- [HotSpot CSP](/windows/client-management/mdm/hotspot-csp) -- [Maps CSP](/windows/client-management/mdm/maps-csp) -- [NAP CSP](/windows/client-management/mdm/filesystem-csp) -- [NAPDEF CSP](/windows/client-management/mdm/napdef-csp) -- [NodeCache CSP](https://go.microsoft.com/fwlink/p/?LinkId=723265) -- [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp) -- [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) -- [PolicyManager CSP](https://go.microsoft.com/fwlink/p/?LinkId=723418) -- [Provisioning CSP](/windows/client-management/mdm/provisioning-csp) -- [Proxy CSP](https://go.microsoft.com/fwlink/p/?LinkId=723372) -- [PXLOGICAL CSP](/windows/client-management/mdm/pxlogical-csp) -- [Registry CSP](/windows/client-management/mdm/registry-csp) -- [RemoteFind CSP](/windows/client-management/mdm/remotefind-csp) -- [RemoteWipe CSP](/windows/client-management/mdm/remotewipe-csp) -- [Reporting CSP](/windows/client-management/mdm/reporting-csp) -- [RootCATrustedCertificates CSP](/windows/client-management/mdm/rootcacertificates-csp) -- [SecurityPolicy 
CSP](/windows/client-management/mdm/securitypolicy-csp) -- [Storage CSP](/windows/client-management/mdm/storage-csp) -- [SUPL CSP](/windows/client-management/mdm/supl-csp) -- [UnifiedWriteFilter CSP](/windows/client-management/mdm/unifiedwritefilter-csp) -- [Update CSP](/windows/client-management/mdm/update-csp) -- [VPN CSP](/windows/client-management/mdm/vpn-csp) -- [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) -- [Wi-Fi CSP](/windows/client-management/mdm/wifi-csp) -- [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp) -- [WindowsSecurityAuditing CSP](/windows/client-management/mdm/windowssecurityauditing-csp) +- [ActiveSync CSP](/windows/client-management/mdm/activesync-csp) +- [Application CSP](/windows/client-management/mdm/application-csp) +- [AppLocker CSP](/windows/client-management/mdm/applocker-csp) +- [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp) +- [Bootstrap CSP](/windows/client-management/mdm/bootstrap-csp) +- [BrowserFavorite CSP](/windows/client-management/mdm/browserfavorite-csp) +- [CellularSettings CSP](/windows/client-management/mdm/cellularsettings-csp) +- [CertificateStore CSP](/windows/client-management/mdm/certificatestore-csp) +- [ClientCertificateInstall CSP](/windows/client-management/mdm/clientcertificateinstall-csp) +- [CM\_CellularEntries CSP](/windows/client-management/mdm/cm-cellularentries-csp) +- [CM\_ProxyEntries CSP](/windows/client-management/mdm/cm-proxyentries-csp) +- [CMPolicy CSP](/windows/client-management/mdm/cmpolicy-csp) +- [Defender CSP](/windows/client-management/mdm/defender-csp) +- [DevDetail CSP](/windows/client-management/mdm/devdetail-csp) +- [DeviceInstanceService CSP](/windows/client-management/mdm/deviceinstanceservice-csp) +- [DeviceLock CSP](/windows/client-management/mdm/devicelock-csp) +- [DeviceStatus CSP](/windows/client-management/mdm/devicestatus-csp) +- [DevInfo CSP](/windows/client-management/mdm/devinfo-csp) +- [DiagnosticLog 
CSP](/windows/client-management/mdm/diagnosticlog-csp) +- [DMAcc CSP](/windows/client-management/mdm/dmacc-csp) +- [DMClient CSP](/windows/client-management/mdm/dmclient-csp) +- [Email2 CSP](/windows/client-management/mdm/email2-csp) +- [EnterpriseAPN CSP](/windows/client-management/mdm/enterpriseapn-csp) +- [EnterpriseAssignedAccess CSP](/windows/client-management/mdm/enterpriseassignedaccess-csp) +- [EnterpriseDesktopAppManagement CSP](/windows/client-management/mdm/enterprisedesktopappmanagement-csp) +- [EnterpriseExt CSP](/windows/client-management/mdm/enterpriseext-csp) +- [EnterpriseModernAppManagement CSP](/windows/client-management/mdm/enterprisemodernappmanagement-csp) +- [FileSystem CSP](/windows/client-management/mdm/filesystem-csp) +- [HealthAttestation CSP](/windows/client-management/mdm/healthattestation-csp) +- [HotSpot CSP](/windows/client-management/mdm/hotspot-csp) +- [Maps CSP](/windows/client-management/mdm/maps-csp) +- [NAP CSP](/windows/client-management/mdm/filesystem-csp) +- [NAPDEF CSP](/windows/client-management/mdm/napdef-csp) +- [NodeCache CSP](https://go.microsoft.com/fwlink/p/?LinkId=723265) +- [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp) +- [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) +- [PolicyManager CSP](https://go.microsoft.com/fwlink/p/?LinkId=723418) +- [Provisioning CSP](/windows/client-management/mdm/provisioning-csp) +- [Proxy CSP](https://go.microsoft.com/fwlink/p/?LinkId=723372) +- [PXLOGICAL CSP](/windows/client-management/mdm/pxlogical-csp) +- [Registry CSP](/windows/client-management/mdm/registry-csp) +- [RemoteFind CSP](/windows/client-management/mdm/remotefind-csp) +- [RemoteWipe CSP](/windows/client-management/mdm/remotewipe-csp) +- [Reporting CSP](/windows/client-management/mdm/reporting-csp) +- [RootCATrustedCertificates CSP](/windows/client-management/mdm/rootcacertificates-csp) +- [SecurityPolicy 
CSP](/windows/client-management/mdm/securitypolicy-csp) +- [Storage CSP](/windows/client-management/mdm/storage-csp) +- [SUPL CSP](/windows/client-management/mdm/supl-csp) +- [UnifiedWriteFilter CSP](/windows/client-management/mdm/unifiedwritefilter-csp) +- [Update CSP](/windows/client-management/mdm/update-csp) +- [VPN CSP](/windows/client-management/mdm/vpn-csp) +- [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) +- [Wi-Fi CSP](/windows/client-management/mdm/wifi-csp) +- [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp) +- [WindowsSecurityAuditing CSP](/windows/client-management/mdm/windowssecurityauditing-csp) diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md index 46ddabb9da..7a4fda4dd0 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md +++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md 
@@ -1,147 +1,146 @@ --- title: Provision PCs with common settings (Windows 10/11) -description: Create a provisioning package to apply common settings to a PC running Windows 10. +description: Create a provisioning package to apply common settings to a PC running Windows 10. ms.reviewer: gkomatsu -manager: aaroncz -ms.prod: windows-client -author: lizgt2000 -ms.author: lizlong -ms.topic: article -ms.localizationpriority: medium -ms.technology: itpro-configure +ms.topic: article + ms.date: 12/31/2017 ---- +--- -# Provision PCs with common settings for initial deployment (desktop wizard) +# Provision PCs with common settings for initial deployment (desktop wizard) -**Applies to** +**Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 -This topic explains how to create and apply a provisioning package that contains common enterprise settings to a device running all desktop editions of Windows client except Home. +This topic explains how to create and apply a provisioning package that contains common enterprise settings to a device running all desktop editions of Windows client except Home. -You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. +You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. ## Advantages -- You can configure new devices without reimaging. +- You can configure new devices without reimaging. -- Works on desktop devices. +- Works on desktop devices. -- No network connectivity required. +- No network connectivity required. -- Simple to apply. +- Simple to apply. -[Learn more about the benefits and uses of provisioning packages.](provisioning-packages.md) +[Learn more about the benefits and uses of provisioning packages.](provisioning-packages.md) -## What does the desktop wizard do? +## What does the desktop wizard do? 
-The desktop wizard helps you configure the following settings in a provisioning package: +The desktop wizard helps you configure the following settings in a provisioning package: - Set device name - Upgrade product edition - Configure the device for shared use - Remove pre-installed software - Configure Wi-Fi network + - Enroll device in Active Directory or Microsoft Entra ID + - Create local administrator account -- Add applications and certificates + +- Add applications and certificates >[!WARNING] ->You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards. +>You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards. -Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. +Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. > [!TIP] > Use the desktop wizard to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc. > -> :::image type="content" source="../images/icd-simple-edit.png" alt-text="In the desktop wizard, open the advanced editor."::: +> :::image type="content" source="../images/icd-simple-edit.png" alt-text="In the desktop wizard, open the advanced editor."::: -## Create the provisioning package +## Create the provisioning package -Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-install-icd.md) +Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-install-icd.md) -1. 
Open Windows Configuration Designer (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). +1. Open Windows Configuration Designer (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). -2. Click **Provision desktop devices**. +2. Click **Provision desktop devices**. - :::image type="content" source="../images/icd-create-options-1703.png" alt-text="In Windows Configuration Designer, see the ICD start options."::: + :::image type="content" source="../images/icd-create-options-1703.png" alt-text="In Windows Configuration Designer, see the ICD start options."::: -3. Name your project and click **Finish**. The pages for desktop provisioning will walk you through the following steps. +3. Name your project and click **Finish**. The pages for desktop provisioning will walk you through the following steps. :::image type="content" source="../images/icd-desktop-1703.png" alt-text="In Windows Configuration Designer, select Finish, and see the ICD desktop provisioning."::: + > [!IMPORTANT] -> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. +> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. -## Configure settings +## Configure settings -1. Enable device setup: +1. 
Enable device setup: - :::image type="content" source="../images/set-up-device-details-desktop.png" alt-text="In Windows Configuration Designer, enable device setup, enter the device name, the product key to upgrade, turn off shared use, and remove preinstalled software."::: + :::image type="content" source="../images/set-up-device-details-desktop.png" alt-text="In Windows Configuration Designer, enable device setup, enter the device name, the product key to upgrade, turn off shared use, and remove preinstalled software."::: - If you want to enable device setup, select **Set up device**, and configure the following settings: + If you want to enable device setup, select **Set up device**, and configure the following settings: - **Device name**: Required. Enter a unique 15-character name for the device. You can use variables to add unique characters to the name, such as `Contoso-%SERIAL%` and `Contoso-%RAND:5%`. - **Enter product key**: Optional. Select a license file to upgrade Windows client to a different edition. For more information, see [the permitted upgrades](/windows/deployment/upgrade/windows-10-edition-upgrades). - **Configure devices for shared use**: Select **Yes** or **No** to optimize the Windows client for shared use scenarios. - - **Remove pre-installed software**: Optional. Select **Yes** if you want to remove preinstalled software. + - **Remove pre-installed software**: Optional. Select **Yes** if you want to remove preinstalled software. -2. Set up the network: +2. 
Set up the network: - :::image type="content" source="../images/set-up-network-details-desktop.png" alt-text="In Windows Configuration Designer, turn on wireless connectivity, enter the network SSID, and network type."::: + :::image type="content" source="../images/set-up-network-details-desktop.png" alt-text="In Windows Configuration Designer, turn on wireless connectivity, enter the network SSID, and network type."::: - If you want to enable network setup, select **Set up network**, and configure the following settings: + If you want to enable network setup, select **Set up network**, and configure the following settings: - **Set up network**: To enable wireless connectivity, select **On**. - **Network SSID**: Enter the Service Set IDentifier (SSID) of the network. - - **Network type**: Select **Open** or **WPA2-Personal**. If you select **WPA2-Personal**, enter the password for the wireless network. + - **Network type**: Select **Open** or **WPA2-Personal**. If you select **WPA2-Personal**, enter the password for the wireless network. -3. Enable account management: +3. Enable account management: - :::image type="content" source="../images/account-management-details.png" alt-text="In Windows Configuration Designer, join Active Directory, Microsoft Entra ID, or create a local admin account."::: + :::image type="content" source="../images/account-management-details.png" alt-text="In Windows Configuration Designer, join Active Directory, Microsoft Entra ID, or create a local admin account."::: - If you want to enable account management, select **Account Management**, and configure the following settings: + If you want to enable account management, select **Account Management**, and configure the following settings: - **Manage organization/school accounts**: Choose how devices are enrolled. Your options: - **Active Directory**: Enter the credentials for a least-privileged user account to join the device to the domain. 
- - **Microsoft Entra ID**: Before you use a Windows Configuration Designer wizard to configure bulk Microsoft Entra enrollment, [set up Microsoft Entra join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Microsoft Entra tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used. + - **Microsoft Entra ID**: Before you use a Windows Configuration Designer wizard to configure bulk Microsoft Entra enrollment, [set up Microsoft Entra join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Microsoft Entra tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used. - If you select this option, enter a friendly name for the bulk token you get using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Microsoft Entra ID, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions. + If you select this option, enter a friendly name for the bulk token you get using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Microsoft Entra ID, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions. - You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards. + You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards. 
- - **Local administrator**: If you select this option, enter a user name and password. If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password isn't changed during that period, the account might be locked out, and unable to sign in. + - **Local administrator**: If you select this option, enter a user name and password. If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password isn't changed during that period, the account might be locked out, and unable to sign in. -4. Add applications: +4. Add applications: - :::image type="content" source="../images/add-applications-details.png" alt-text="In Windows Configuration Designer, add an application."::: + :::image type="content" source="../images/add-applications-details.png" alt-text="In Windows Configuration Designer, add an application."::: - To add applications to the devices, select **Add applications**. You can install multiple applications, including Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps. The settings in this step vary depending on the application you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md). + To add applications to the devices, select **Add applications**. You can install multiple applications, including Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps. The settings in this step vary depending on the application you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md). -5. Add certificates: +5. 
Add certificates: - :::image type="content" source="../images/add-certificates-details.png" alt-text="In Windows Configuration Designer, add a certificate."::: + :::image type="content" source="../images/add-certificates-details.png" alt-text="In Windows Configuration Designer, add a certificate."::: - To add a certificate to the devices, select **Add certificates**, and configure the following settings: + To add a certificate to the devices, select **Add certificates**, and configure the following settings: - **Certificate name**: Enter a name for the certificate. - - **Certificate path**: Browse and select the certificate you want to add. + - **Certificate path**: Browse and select the certificate you want to add. -6. Finish: +6. Finish: - :::image type="content" source="../images/finish-details.png" alt-text="In Windows Configuration Designer, protect your package with a password."::: + :::image type="content" source="../images/finish-details.png" alt-text="In Windows Configuration Designer, protect your package with a password."::: - To complete the wizard, select **Finish**, and configure the following setting: + To complete the wizard, select **Finish**, and configure the following setting: - - **Protect your package**: Select **Yes** or **No** to password protect your provisioning package. When you apply the provisioning package to a device, you must enter this password. + - **Protect your package**: Select **Yes** or **No** to password protect your provisioning package. When you apply the provisioning package to a device, you must enter this password. -After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page. +After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page. 
- **Next step**: [How to apply a provisioning package](provisioning-apply-package.md) + **Next step**: [How to apply a provisioning package](provisioning-apply-package.md) -## Related articles +## Related articles - [Provisioning packages for Windows client](provisioning-packages.md) - [How provisioning works in Windows client](provisioning-how-it-works.md) diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md index 8efef893cd..290927af87 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md 
@@ -1,187 +1,186 @@ --- title: Provision PCs with apps (Windows 10/11) -description: Learn how to install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package. -ms.prod: windows-client -author: lizgt2000 -ms.localizationpriority: medium -ms.author: lizlong +description: Learn how to install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package. + ms.topic: article ms.reviewer: gkomatsu -manager: aaroncz -ms.technology: itpro-configure ms.date: 12/31/2017 ---- +--- -# Provision PCs with apps +# Provision PCs with apps -**Applies to** +**Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 -You can install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package. This article explains the various settings in [Windows Configuration Designer](provisioning-install-icd.md) for app install. +You can install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package. This article explains the various settings in [Windows Configuration Designer](provisioning-install-icd.md) for app install. -When you add an app in a Windows Configuration Designer wizard, the appropriate settings are displayed based on the app that you select. For instructions on adding an app using the advanced editor in Windows Configuration Designer, see [Add an app using advanced editor](#adv). +When you add an app in a Windows Configuration Designer wizard, the appropriate settings are displayed based on the app that you select. For instructions on adding an app using the advanced editor in Windows Configuration Designer, see [Add an app using advanced editor](#adv). 
>[!IMPORTANT] ->If you plan to use Intune to manage your devices, we recommend using Intune to install Microsoft 365 Apps for enterprise 2016 apps (Access, Excel, OneDrive for Business, OneNote, Outlook, PowerPoint, Publisher, Skype for Business, Word, Project Desktop Client, and Visio Pro for Microsoft 365 Apps for enterprise). Apps that are installed using a provisioning package cannot be managed or modified using Intune. [Learn how to assign Microsoft 365 Apps for enterprise 2016 apps using Microsoft Intune.](/intune/apps-add-office365) +>If you plan to use Intune to manage your devices, we recommend using Intune to install Microsoft 365 Apps for enterprise 2016 apps (Access, Excel, OneDrive for Business, OneNote, Outlook, PowerPoint, Publisher, Skype for Business, Word, Project Desktop Client, and Visio Pro for Microsoft 365 Apps for enterprise). Apps that are installed using a provisioning package cannot be managed or modified using Intune. [Learn how to assign Microsoft 365 Apps for enterprise 2016 apps using Microsoft Intune.](/intune/apps-add-office365) -## Settings for UWP apps +## Settings for UWP apps -- **License Path**: Specify the license file if it is an app from the Microsoft Store. This is optional if you have a certificate for the app. +- **License Path**: Specify the license file if it is an app from the Microsoft Store. This is optional if you have a certificate for the app. -- **Package family name**: Specify the package family name if you don’t specify a license. This field will be autopopulated after you specify a license. +- **Package family name**: Specify the package family name if you don’t specify a license. This field will be autopopulated after you specify a license. 
-- **Required appx dependencies**: Specify the appx dependency packages that are required for the installation of the app +- **Required appx dependencies**: Specify the appx dependency packages that are required for the installation of the app -## Settings for Windows desktop applications +## Settings for Windows desktop applications -### MSI installer +### MSI installer > [!NOTE] -> You can find more information about command-line options for Msiexec.exe [here](/windows/win32/msi/command-line-options). +> You can find more information about command-line options for Msiexec.exe [here](/windows/win32/msi/command-line-options). -- **Command line arguments**: Optionally, append more command arguments. The silent flag is appended for you. Example: PROPERTY=VALUE +- **Command line arguments**: Optionally, append more command arguments. The silent flag is appended for you. Example: PROPERTY=VALUE -- **Continue installations after failure**: Optionally, specify if you want to continue installing more apps if this app fails to install +- **Continue installations after failure**: Optionally, specify if you want to continue installing more apps if this app fails to install -- **Restart required**: Optionally, specify if you want to reboot after a successful install of this app +- **Restart required**: Optionally, specify if you want to reboot after a successful install of this app -- **Required win32 app dependencies**: Optionally, specify more files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab-the-application-assets). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract). +- **Required win32 app dependencies**: Optionally, specify more files that are required for the installation of the app. 
For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab-the-application-assets). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract). -### Exe or other installer +### Exe or other installer -- **Command line arguments**: Append the command line arguments with a silent flag (required). Optionally, append more flags +- **Command line arguments**: Append the command line arguments with a silent flag (required). Optionally, append more flags -- **Return Codes**: Specify the return codes for success and success with restart (0 and 3010 by default respectively) Any return code that is not listed will be interpreted as failure. The text boxes are space delimited. +- **Return Codes**: Specify the return codes for success and success with restart (0 and 3010 by default respectively) Any return code that is not listed will be interpreted as failure. The text boxes are space delimited. -- **Continue installations after failure**: Optionally, specify if you want to continue installing more apps if this app fails to install +- **Continue installations after failure**: Optionally, specify if you want to continue installing more apps if this app fails to install -- **Restart required**: Optionally, specify if you want to reboot after a successful install of this app +- **Restart required**: Optionally, specify if you want to reboot after a successful install of this app -- **Required win32 app dependencies**: Optionally, specify more files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab-the-application-assets). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract). 
+- **Required win32 app dependencies**: Optionally, specify more files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab-the-application-assets). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract). - + -## Add a Windows desktop application using advanced editor in Windows Configuration Designer +## Add a Windows desktop application using advanced editor in Windows Configuration Designer -1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **PrimaryContext** > **Command**. +1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **PrimaryContext** > **Command**. -2. Enter a name for the first app, and then select **Add**. +2. Enter a name for the first app, and then select **Add**. - ![enter name for first app.](../images/wcd-app-name.png) + ![enter name for first app.](../images/wcd-app-name.png) -3. Configure the settings for the appropriate installer type. +3. Configure the settings for the appropriate installer type. - ![enter settings for first app.](../images/wcd-app-commands.png) + ![enter settings for first app.](../images/wcd-app-commands.png) -## Add a universal app to your package +## Add a universal app to your package -Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Microsoft Store for Business apps that you acquire with [offline licensing](/microsoft-store/acquire-apps-windows-store-for-business), or third-party apps. This procedure will assume you are distributing apps from the Microsoft Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer. 
+Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Microsoft Store for Business apps that you acquire with [offline licensing](/microsoft-store/acquire-apps-windows-store-for-business), or third-party apps. This procedure will assume you are distributing apps from the Microsoft Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer. -1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**. +1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**. -2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page. +2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page. -3. For **ApplicationFile**, select **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). +3. For **ApplicationFile**, select **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). -4. For **DependencyAppxFiles**, select **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. +4. For **DependencyAppxFiles**, select **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. -5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. +5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. 
- In Microsoft Store for Business, generate the unencoded license for the app on the app's download page. + + - Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and select **Add**. -6. In the **Available customizations** pane, select the **LicenseProductId** that you just added. -7. For **LicenseInstall**, select **Browse**, navigate to the license file that you renamed *\*.**ms-windows-store-license**, and select the license file. +6. In the **Available customizations** pane, select the **LicenseProductId** that you just added. -[Learn more about distributing offline apps from the Microsoft Store for Business.](/microsoft-store/distribute-offline-apps) +7. For **LicenseInstall**, select **Browse**, navigate to the license file that you renamed *\*.**ms-windows-store-license**, and select the license file. + +[Learn more about distributing offline apps from the Microsoft Store for Business.](/microsoft-store/distribute-offline-apps) > [!NOTE] -> Removing a provisioning package will not remove any apps installed by device context in that provisioning package. +> Removing a provisioning package will not remove any apps installed by device context in that provisioning package. + + + +## Add a certificate to your package + +1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**. + +2. Enter a **CertificateName** and then select **Add**. + +2. Enter the **CertificatePassword**. + +3. For **CertificatePath**, browse and select the certificate to be used. + +4. Set **ExportCertificate** to **False**. + +5. For **KeyLocation**, select **Software only**. +## Add other settings to your package -## Add a certificate to your package +For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012). -1. 
In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**. +## Build your package -2. Enter a **CertificateName** and then select **Add**. +1. When you are done configuring the provisioning package, on the **File** menu, select **Save**. -2. Enter the **CertificatePassword**. +2. Read the warning that project files may contain sensitive information, and select **OK**. -3. For **CertificatePath**, browse and select the certificate to be used. + When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location, and delete the project files when they're no longer needed. -4. Set **ExportCertificate** to **False**. +3. On the **Export** menu, select **Provisioning package**. -5. For **KeyLocation**, select **Software only**. +4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** - -## Add other settings to your package - -For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012). - -## Build your package - -1. When you are done configuring the provisioning package, on the **File** menu, select **Save**. - -2. Read the warning that project files may contain sensitive information, and select **OK**. - - When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. 
You should store the project files in a secure location, and delete the project files when they're no longer needed. - -3. On the **Export** menu, select **Provisioning package**. - -4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** - -5. Set a value for **Package Version**. +5. Set a value for **Package Version**. > [!TIP] - > You can make changes to existing packages and change the version number to update previously applied packages. + > You can make changes to existing packages and change the version number to update previously applied packages. -6. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. +6. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by selecting **Select...** and choosing the certificate you want to use to sign the package. + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by selecting **Select...** and choosing the certificate you want to use to sign the package. > [!TIP] - > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store. Any package signed with that certificate can be applied silently. 
+ > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store. Any package signed with that certificate can be applied silently. 7. Select **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

    - Optionally, you can select **Browse** to change the default output location. + Optionally, you can select **Browse** to change the default output location. -8. Select **Next**. +8. Select **Next**. 9. Select **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

    - If you need to cancel the build, select **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + If you need to cancel the build, select **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. 10. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.

    - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, select **Back** to change the output package name and path, and then select **Next** to start another build. + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, select **Back** to change the output package name and path, and then select **Next** to start another build. - - If you are done, select **Finish** to close the wizard and go back to the **Customizations Page**. -11. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: + - If you are done, select **Finish** to close the wizard and go back to the **Customizations Page**. - - Shared network folder +11. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: - - SharePoint site + - Shared network folder - - Removable media (USB/SD) + - SharePoint site - - Email + - Removable media (USB/SD) -**Next step**: [How to apply a provisioning package](provisioning-apply-package.md) + - Email -## Related articles +**Next step**: [How to apply a provisioning package](provisioning-apply-package.md) + +## Related articles - [Provisioning packages for Windows client](provisioning-packages.md) - [How provisioning works in Windows client](provisioning-how-it-works.md) diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md index 400e2a7863..b015e76b55 100644 
--- a/windows/configuration/provisioning-packages/provisioning-apply-package.md +++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md 
@@ -1,103 +1,98 @@ --- title: Apply a provisioning package (Windows 10/11) description: Provisioning packages can be applied to a device during initial setup (OOBE) and after (runtime). -ms.prod: windows-client -author: lizgt2000 -ms.author: lizlong -ms.topic: article -ms.localizationpriority: medium +ms.topic: article + ms.reviewer: gkomatsu -manager: aaroncz -ms.technology: itpro-configure ms.date: 12/31/2017 ---- +--- -# Apply a provisioning package +# Apply a provisioning package -**Applies to** +**Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 -Provisioning packages can be applied to a device during initial setup (out-of-box experience or "OOBE") and after ("runtime"). +Provisioning packages can be applied to a device during initial setup (out-of-box experience or "OOBE") and after ("runtime"). > [!NOTE] > > - Applying a provisioning package to a desktop device requires administrator privileges on the device. -> - You can interrupt a long-running provisioning process by pressing ESC. +> - You can interrupt a long-running provisioning process by pressing ESC. > [!TIP] -> In addition to the following methods, you can use the PowerShell cmdlet [Install-ProvisioningPackage](/powershell/module/provisioning/Install-ProvisioningPackage) with `-LogsDirectoryPath` to get logs for the operation. +> In addition to the following methods, you can use the PowerShell cmdlet [Install-ProvisioningPackage](/powershell/module/provisioning/Install-ProvisioningPackage) with `-LogsDirectoryPath` to get logs for the operation. -## During initial setup +## During initial setup -To apply a provisioning package from a USB drive during initial setup: +To apply a provisioning package from a USB drive during initial setup: -1. Start with a device on the initial setup screen. If the device has gone past this screen, reset the device to start over. To reset, go to **Settings** > **System** > [**Recovery**](ms-settings:recovery) > **Reset this PC**. +1. 
Start with a device on the initial setup screen. If the device has gone past this screen, reset the device to start over. To reset, go to **Settings** > **System** > [**Recovery**](ms-settings:recovery) > **Reset this PC**. - :::image type="content" source="../images/oobe.png" alt-text="The first screen when setting up a new PC."::: + :::image type="content" source="../images/oobe.png" alt-text="The first screen when setting up a new PC."::: -2. Insert the USB drive. If nothing happens when you insert the USB drive, press the Windows key five times. +2. Insert the USB drive. If nothing happens when you insert the USB drive, press the Windows key five times. - If there is only one provisioning package on the USB drive, the provisioning package is applied. See step 5. - - If there is more than one provisioning package on the USB drive, Windows setup will recognize the drive and ask how you want to provision the device. Select **Install provisioning package** and select **Next**. + - If there is more than one provisioning package on the USB drive, Windows setup will recognize the drive and ask how you want to provision the device. Select **Install provisioning package** and select **Next**. - :::image type="content" source="../images/provisioning-oobe-choice.png" alt-text="What would you like to do?"::: + :::image type="content" source="../images/provisioning-oobe-choice.png" alt-text="What would you like to do?"::: -3. Select the provisioning package (`.ppkg`) that you want to apply, and select **Yes**. +3. Select the provisioning package (`.ppkg`) that you want to apply, and select **Yes**. - :::image type="content" source="../images/provisioning-oobe-choose-package.png" alt-text="Choose a package."::: + :::image type="content" source="../images/provisioning-oobe-choose-package.png" alt-text="Choose a package."::: -4. The selected provisioning package will install and apply to the device. +4. The selected provisioning package will install and apply to the device. 
- :::image type="content" source="../images/provisioning-oobe-installing.png" alt-text="Setting up your PC."::: + :::image type="content" source="../images/provisioning-oobe-installing.png" alt-text="Setting up your PC."::: -5. Wait for the device to load and begin applying the provisioning package. Once you see "You can remove your removable media now!" you can remove your USB drive. Windows will continue provisioning the device. +5. Wait for the device to load and begin applying the provisioning package. Once you see "You can remove your removable media now!" you can remove your USB drive. Windows will continue provisioning the device. -## After initial setup +## After initial setup -Provisioning packages can be applied after initial setup through Windows settings or by simply double-clicking a provisioning package. +Provisioning packages can be applied after initial setup through Windows settings or by simply double-clicking a provisioning package. -### Windows Settings +### Windows Settings -1. Insert the USB drive, then navigate to **Settings** > **Accounts** > [**Access work or school**](ms-settings:workplace) > **Add or remove a provisioning package** > **Add a package**. +1. Insert the USB drive, then navigate to **Settings** > **Accounts** > [**Access work or school**](ms-settings:workplace) > **Add or remove a provisioning package** > **Add a package**. - :::image type="content" source="../images/provisioning-runtime-manage-packages.png" alt-text="Add or remove a provisioning package."::: + :::image type="content" source="../images/provisioning-runtime-manage-packages.png" alt-text="Add or remove a provisioning package."::: -2. Choose the method you want to use, such as **Removable Media**. +2. Choose the method you want to use, such as **Removable Media**. 
- :::image type="content" source="../images/provisioning-runtime-choose-package.png" alt-text="Choose a method."::: + :::image type="content" source="../images/provisioning-runtime-choose-package.png" alt-text="Choose a method."::: -3. Select the provisioning package (`.ppkg`) that you want to apply, and select **Add**. +3. Select the provisioning package (`.ppkg`) that you want to apply, and select **Add**. - :::image type="content" source="../images/provisioning-runtime-add-package.png" alt-text="Select and add a package."::: + :::image type="content" source="../images/provisioning-runtime-add-package.png" alt-text="Select and add a package."::: -4. Provisioning packages require administrator privileges as they can modify system policies and run scripts at the system level. Ensure you trust the package you are installing before accepting the UAC prompt. Select **Yes**. +4. Provisioning packages require administrator privileges as they can modify system policies and run scripts at the system level. Ensure you trust the package you are installing before accepting the UAC prompt. Select **Yes**. - :::image type="content" source="../images/provisioning-runtime-UAC.png" alt-text="Do you want to allow changes to your device?"::: + :::image type="content" source="../images/provisioning-runtime-UAC.png" alt-text="Do you want to allow changes to your device?"::: -5. The provisioning runtime will ask if the package is from a source you trust. Verify that you are applying the correct package and that it is trusted. Select **Yes, add it**. +5. The provisioning runtime will ask if the package is from a source you trust. Verify that you are applying the correct package and that it is trusted. Select **Yes, add it**. 
- :::image type="content" source="../images/provisioning-runtime-trust.png" alt-text="Do you trust this package?"::: + :::image type="content" source="../images/provisioning-runtime-trust.png" alt-text="Do you trust this package?"::: -### Apply Directly +### Apply Directly -To apply a provisioning package directly, such as from a USB drive, folder, network, or SharePoint site: +To apply a provisioning package directly, such as from a USB drive, folder, network, or SharePoint site: -1. Navigate to the provisioning package and double-click it to begin the installation. +1. Navigate to the provisioning package and double-click it to begin the installation. - :::image type="content" source="../images/provisioning-runtime-click-to-install.png" alt-text="Double-click package to being installation."::: + :::image type="content" source="../images/provisioning-runtime-click-to-install.png" alt-text="Double-click package to being installation."::: -2. Provisioning packages require administrator privileges as they can modify system policies and run scripts at the system level. Ensure you trust the package you are installing before accepting the UAC prompt. Select **Yes**. +2. Provisioning packages require administrator privileges as they can modify system policies and run scripts at the system level. Ensure you trust the package you are installing before accepting the UAC prompt. Select **Yes**. - :::image type="content" source="../images/provisioning-runtime-UAC.png" alt-text="Do you want to allow changes to your device?"::: + :::image type="content" source="../images/provisioning-runtime-UAC.png" alt-text="Do you want to allow changes to your device?"::: -3. The provisioning runtime will ask if the package is from a source you trust. Verify that you are applying the correct package and that it is trusted. Select **Yes, add it**. +3. The provisioning runtime will ask if the package is from a source you trust. 
Verify that you are applying the correct package and that it is trusted. Select **Yes, add it**. - :::image type="content" source="../images/provisioning-runtime-trust.png" alt-text="Do you trust this package?"::: + :::image type="content" source="../images/provisioning-runtime-trust.png" alt-text="Do you trust this package?"::: -## Related articles +## Related articles - [Provisioning packages for Windows client](provisioning-packages.md) - [How provisioning works in Windows client](provisioning-how-it-works.md) diff --git a/windows/configuration/provisioning-packages/provisioning-command-line.md b/windows/configuration/provisioning-packages/provisioning-command-line.md index 05e6a1da83..98aff52052 100644 --- a/windows/configuration/provisioning-packages/provisioning-command-line.md +++ b/windows/configuration/provisioning-packages/provisioning-command-line.md 
@@ -1,42 +1,38 @@ --- title: Windows Configuration Designer command-line interface (Windows 10/11) description: Learn more about the ICD syntax, switches, and arguments that you can use in the Windows Configuration Designer command-line interface for Windows10/11 client devices. -ms.prod: windows-client -author: lizgt2000 -ms.author: lizlong -ms.topic: article -ms.localizationpriority: medium +ms.topic: article + ms.reviewer: gkomatsu -manager: aaroncz -ms.technology: itpro-configure ms.date: 12/31/2017 ---- +--- -# Windows Configuration Designer command-line interface (reference) +# Windows Configuration Designer command-line interface (reference) -**Applies to** +**Applies to** - Windows 10 -- Windows 11 +- Windows 11 -You can use the Windows Configuration Designer command-line interface (CLI) to automate the building of provisioning packages. +You can use the Windows Configuration Designer command-line interface (CLI) to automate the building of provisioning packages. -- IT pros can use the Windows Configuration Designer CLI to require less retooling of existing processes. You must run the Windows Configuration Designer CLI from a command window with administrator privileges. +- IT pros can use the Windows Configuration Designer CLI to require less retooling of existing processes. You must run the Windows Configuration Designer CLI from a command window with administrator privileges. -- You must use the Windows Configuration Designer CLI and edit the customizations.xml sources to create a provisioning package with multivariant support. You need the customizations.xml file as one of the inputs to the Windows Configuration Designer CLI to build a provisioning package. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md). +- You must use the Windows Configuration Designer CLI and edit the customizations.xml sources to create a provisioning package with multivariant support. 
You need the customizations.xml file as one of the inputs to the Windows Configuration Designer CLI to build a provisioning package. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md). + - -## Syntax +## Syntax ``` cmd icd.exe /Build-ProvisioningPackage /CustomizationXML: /PackagePath: + [/StoreFile:] [/MSPackageRoot:] [/OEMInputXML:] [/ProductName:] [/Variables::] [[+|-]Encrypted] [[+|-]Overwrite] [/?] -``` +``` -## Switches and arguments +## Switches and arguments | Switch | Required? | Arguments | | --- | --- | --- | @@ -48,7 +44,8 @@ icd.exe /Build-ProvisioningPackage /CustomizationXML: /PackagePath: | Overwrite | No | Denotes whether to overwrite an existing provisioning package.


    Precede with + to overwrite an existing package or - if you don't want to overwrite an existing package. The default is false (don't overwrite). | | /? | No | Lists the switches and their descriptions for the command-line tool or for certain commands. | -## Related articles + +## Related articles - [Provisioning packages for Windows client](provisioning-packages.md) - [How provisioning works in Windows client](provisioning-how-it-works.md) @@ -60,4 +57,5 @@ icd.exe /Build-ProvisioningPackage /CustomizationXML: /PackagePath: - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) - [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) -  + + diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md index 62d2d239ae..cb8967800a 100644 --- a/windows/configuration/provisioning-packages/provisioning-create-package.md +++ b/windows/configuration/provisioning-packages/provisioning-create-package.md 
@@ -1,62 +1,58 @@ --- title: Create a provisioning package (Windows 10/11) description: Learn how to create a provisioning package for Windows 10/11, which lets you quickly configure a device without having to install a new image. -ms.prod: windows-client -author: lizgt2000 -ms.author: lizlong -ms.topic: article -ms.localizationpriority: medium +ms.topic: article + ms.reviewer: gkomatsu -manager: aaroncz -ms.technology: itpro-configure ms.date: 12/31/2017 ---- +--- -# Create a provisioning package +# Create a provisioning package -**Applies to** +**Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 -You can use Windows Configuration Designer to create a provisioning package (`.ppkg`) that contains customization settings, and then apply the provisioning package to a device running Windows client. +You can use Windows Configuration Designer to create a provisioning package (`.ppkg`) that contains customization settings, and then apply the provisioning package to a device running Windows client. ->[Learn how to install Windows Configuration Designer.](provisioning-install-icd.md) +>[Learn how to install Windows Configuration Designer.](provisioning-install-icd.md) > [!TIP] -> We recommend creating a local admin account when you develop and test your provisioning package. We also recommend using a *least privileged* domain user account to join devices to the Active Directory domain. +> We recommend creating a local admin account when you develop and test your provisioning package. We also recommend using a *least privileged* domain user account to join devices to the Active Directory domain. -## Start a new project +## Start a new project -1. Open Windows Configuration Designer: From either the Start menu or Start menu search, type **Windows Configuration Designer**, and then select the **Windows Configuration Designer** shortcut. +1. 
Open Windows Configuration Designer: From either the Start menu or Start menu search, type **Windows Configuration Designer**, and then select the **Windows Configuration Designer** shortcut. -2. Select your desired option on the **Start** page, which offers multiple options for creating a provisioning package, as shown in the following image: +2. Select your desired option on the **Start** page, which offers multiple options for creating a provisioning package, as shown in the following image: - ![Configuration Designer wizards.](../images/icd-create-options-1703.png) + ![Configuration Designer wizards.](../images/icd-create-options-1703.png) - - The following wizard options provide a simple interface for configuring common settings for desktop and kiosk devices: + - The following wizard options provide a simple interface for configuring common settings for desktop and kiosk devices: - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) - [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard) - [Instructions for HoloLens wizard](/hololens/hololens-provisioning) - - [Instructions for Surface Hub wizard](/surface-hub/provisioning-packages-for-surface-hub) + - [Instructions for Surface Hub wizard](/surface-hub/provisioning-packages-for-surface-hub) Wizards are also available for creating provisioning packages for Microsoft Surface Hub and Microsoft HoloLens devices. For a summary of the settings available in the desktop and kiosk devices, see [What you can configure using Configuration Designer wizards](provisioning-packages.md#configuration-designer-wizards). - >[!NOTE] - >To target devices running versions earlier than Windows 10, version 2004, ComputerName customization must be defined from the setting path: `Accounts/ComputerAccount/ComputerName` from the advanced editor. The default path from the simple editor uses a new CSP that isn't available on older systems. 
- - The **Advanced provisioning** option opens a new project with all the runtime settings available. (The rest of this procedure uses advanced provisioning.) + >[!NOTE] + >To target devices running versions earlier than Windows 10, version 2004, ComputerName customization must be defined from the setting path: `Accounts/ComputerAccount/ComputerName` from the advanced editor. The default path from the simple editor uses a new CSP that isn't available on older systems. + + - The **Advanced provisioning** option opens a new project with all the runtime settings available. (The rest of this procedure uses advanced provisioning.) >[!TIP] > You can start a project in the simple wizard editor and then switch the project to the advanced editor. > - > ![Switch to advanced editor.](../images/icd-switch.png) + > ![Switch to advanced editor.](../images/icd-switch.png) -3. Enter a name for your project, and then select **Next**. +3. Enter a name for your project, and then select **Next**. -4. Select the settings you want to configure, based on the type of device, and then select **Next**. The following table describes the options. +4. Select the settings you want to configure, based on the type of device, and then select **Next**. The following table describes the options. | Windows edition | Settings available for customization | Provisioning package can apply to | 
@@ -65,94 +61,96 @@ You can use Windows Configuration Designer to create a provisioning package (`.p | All Windows desktop editions | Common settings and settings specific to desktop devices | All Windows client desktop editions (Home, Pro, Enterprise, Pro Education, Enterprise Education) | | Windows 10 IoT Core | Common settings and settings specific to Windows 10 IoT Core | All Windows 10 IoT Core devices | | Windows 10 Holographic | Common settings and settings specific to Windows 10 Holographic | [Microsoft HoloLens](/hololens/hololens-provisioning) | - | Common to Windows 10 Team edition | Common settings and settings specific to Windows 10 Team | [Microsoft Surface Hub](/surface-hub/provisioning-packages-for-surface-hub) | + | Common to Windows 10 Team edition | Common settings and settings specific to Windows 10 Team | [Microsoft Surface Hub](/surface-hub/provisioning-packages-for-surface-hub) | -5. On the **Import a provisioning package (optional)** page, you can select **Finish** to create your project, or browse to and select an existing provisioning package to import to your project, and then select **Finish**. +5. On the **Import a provisioning package (optional)** page, you can select **Finish** to create your project, or browse to and select an existing provisioning package to import to your project, and then select **Finish**. >[!TIP] - >**Import a provisioning package** can make it easier to create different provisioning packages that all have certain settings in common. For example, you could create a provisioning package that includes the settings for your organization's network. Then, import that package into other packages that you create so you don't have to reconfigure those common settings repeatedly. + >**Import a provisioning package** can make it easier to create different provisioning packages that all have certain settings in common. 
For example, you could create a provisioning package that includes the settings for your organization's network. Then, import that package into other packages that you create so you don't have to reconfigure those common settings repeatedly. -6. In the **Available customizations** pane, you can now configure settings for the package. +6. In the **Available customizations** pane, you can now configure settings for the package. -## Configure settings +## Configure settings -For an advanced provisioning project, Windows Configuration Designer opens the **Available customizations** pane. The example in the following image is based on **All Windows desktop editions** settings. +For an advanced provisioning project, Windows Configuration Designer opens the **Available customizations** pane. The example in the following image is based on **All Windows desktop editions** settings. -![What the ICD interface looks like.](../images/icd-runtime.png) +![What the ICD interface looks like.](../images/icd-runtime.png) -The settings in Windows Configuration Designer are based on Windows client configuration service providers (CSPs). To learn more about CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](./how-it-pros-can-use-configuration-service-providers.md). +The settings in Windows Configuration Designer are based on Windows client configuration service providers (CSPs). To learn more about CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](./how-it-pros-can-use-configuration-service-providers.md). -The process for configuring settings is similar for all settings. The following table shows an example. +The process for configuring settings is similar for all settings. The following table shows an example. -1. Expand a category: +1. 
Expand a category: - :::image type="content" source="../images/icd-step1.png" alt-text="In Windows Configuration Designer, expand the Certificates category."::: + :::image type="content" source="../images/icd-step1.png" alt-text="In Windows Configuration Designer, expand the Certificates category."::: -2. Select a setting: +2. Select a setting: - :::image type="content" source="../images/icd-step2.png" alt-text="In Windows Configuration Designer, select ClientCertificates."::: + :::image type="content" source="../images/icd-step2.png" alt-text="In Windows Configuration Designer, select ClientCertificates."::: -3. Enter a value for the setting. Select **Add** if the button is displayed: +3. Enter a value for the setting. Select **Add** if the button is displayed: - :::image type="content" source="../images/icd-step3.png" alt-text="In Windows Configuration Designer, enter a name for the certificate."::: + :::image type="content" source="../images/icd-step3.png" alt-text="In Windows Configuration Designer, enter a name for the certificate."::: -4. Some settings, such as this example, require additional information. In **Available customizations**, select the value you just created, and more settings are displayed: +4. Some settings, such as this example, require additional information. In **Available customizations**, select the value you just created, and more settings are displayed: - :::image type="content" source="../images/icd-step4.png" alt-text="In Windows Configuration Designer, additional settings for client certificate are available."::: + :::image type="content" source="../images/icd-step4.png" alt-text="In Windows Configuration Designer, additional settings for client certificate are available."::: -5. When the setting is configured, it is displayed in the **Selected customizations** pane: +5. 
When the setting is configured, it is displayed in the **Selected customizations** pane: - :::image type="content" source="../images/icd-step5.png" alt-text="In Windows Configuration Designer, the selected customizations pane shows your settings."::: + :::image type="content" source="../images/icd-step5.png" alt-text="In Windows Configuration Designer, the selected customizations pane shows your settings."::: -For details on each specific setting, see [Windows Provisioning settings reference](../wcd/wcd.md). The reference article for a setting is also displayed in Windows Configuration Designer when you select the setting, as shown in the following image. +For details on each specific setting, see [Windows Provisioning settings reference](../wcd/wcd.md). The reference article for a setting is also displayed in Windows Configuration Designer when you select the setting, as shown in the following image. -![Windows Configuration Designer opens the reference topic when you select a setting.](../images/icd-setting-help.png) +![Windows Configuration Designer opens the reference topic when you select a setting.](../images/icd-setting-help.png) - ## Build package + ## Build package -1. After you're done configuring your customizations, select **Export**, and then select **Provisioning Package**. +1. After you're done configuring your customizations, select **Export**, and then select **Provisioning Package**. - ![Export on top bar.](../images/icd-export-menu.png) + ![Export on top bar.](../images/icd-export-menu.png) 2. In the **Describe the provisioning package** window, enter the following information, and then select **Next**: - **Name** - This field is pre-populated with the project name. You can change this value by entering a different name in the **Name** field. - **Version (in Major.Minor format** - Optional. You can change the default package version by specifying a new value in the **Version** field. - - **Owner** - Select **IT Admin**. 
For more information, see [Precedence for provisioning packages](provisioning-how-it-works.md#precedence-for-provisioning-packages). - - **Rank (between 0-99)** - Optional. You can select a value between 0 and 99, inclusive. The default package rank is 0. -3. In the **Select security details for the provisioning package** window, you can select to encrypt and/or sign a provisioning package with a selected certificate, and then select **Next**. Both selections are optional: + - **Owner** - Select **IT Admin**. For more information, see [Precedence for provisioning packages](provisioning-how-it-works.md#precedence-for-provisioning-packages). + - **Rank (between 0-99)** - Optional. You can select a value between 0 and 99, inclusive. The default package rank is 0. + +3. In the **Select security details for the provisioning package** window, you can select to encrypt and/or sign a provisioning package with a selected certificate, and then select **Next**. Both selections are optional: - **Encrypt package** - If you select this option, an autogenerated password will be shown on the screen. - - **Sign package** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by selecting **Select** and choosing the certificate you want to use to sign the package. + - **Sign package** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by selecting **Select** and choosing the certificate you want to use to sign the package. >[!NOTE] >You should only configure provisioning package security when the package is used for device provisioning and when the package has content with sensitive security data, such as certificates or credentials that should be prevented from being compromised. 
When applying an encrypted and/or signed provisioning package, either during OOBE or through the setting UI, the package can be decrypted, and if signed, be trusted without explicit user consent. An IT administrator can set policy on a user device to restrict the removal of required packages from the device, or the provisioning of potentially harmful packages on the device. + > - >If a provisioning package is signed by a trusted provisioner, it can be installed on a device without a prompt for user consent. In order to enable trusted provider certificates, you must set the **TrustedProvisioners** setting prior to installing the trusted provisioning package. This is the only way to install a package without user consent. To provide additional security, you can also set **RequireProvisioningPackageSignature**, which prevents users from installing provisioning packages that are not signed by a trusted provisioner. + >If a provisioning package is signed by a trusted provisioner, it can be installed on a device without a prompt for user consent. In order to enable trusted provider certificates, you must set the **TrustedProvisioners** setting prior to installing the trusted provisioning package. This is the only way to install a package without user consent. To provide additional security, you can also set **RequireProvisioningPackageSignature**, which prevents users from installing provisioning packages that are not signed by a trusted provisioner. -4. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then select **Next**. By default, Windows Configuration Designer uses the project folder as the output location. +4. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then select **Next**. 
By default, Windows Configuration Designer uses the project folder as the output location. -5. In the **Build the provisioning package** window, select **Build**. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. +5. In the **Build the provisioning package** window, select **Build**. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - If you need to cancel the build, select **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations** page. + If you need to cancel the build, select **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations** page. -6. If your build fails, an error message will appear that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. +6. If your build fails, an error message will appear that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, select **Back** to change the output package name and path, and then select **Next** to start another build. + If you choose, you can build the provisioning package again and pick a different path for the output package. 
To do this, select **Back** to change the output package name and path, and then select **Next** to start another build. -7. When you are done, select **Finish** to close the wizard and go back to the **Customizations** page. +7. When you are done, select **Finish** to close the wizard and go back to the **Customizations** page. -**Next step**: [How to apply a provisioning package](provisioning-apply-package.md) +**Next step**: [How to apply a provisioning package](provisioning-apply-package.md) -## Learn more +## Learn more -- [How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Configuration Manager](/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm) +- [How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Configuration Manager](/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm) -## Related articles +## Related articles - [Provisioning packages for Windows client](provisioning-packages.md) - [How provisioning works in Windows client](provisioning-how-it-works.md) diff --git a/windows/configuration/provisioning-packages/provisioning-how-it-works.md b/windows/configuration/provisioning-packages/provisioning-how-it-works.md index 4f93bfc292..89e2bc9fab 100644 --- a/windows/configuration/provisioning-packages/provisioning-how-it-works.md +++ b/windows/configuration/provisioning-packages/provisioning-how-it-works.md 
@@ -1,121 +1,117 @@ --- title: How provisioning works in Windows 10/11 description: Learn more about how provisioning package work on Windows client devices. A provisioning package (.ppkg) is a container for a collection of configuration settings. -ms.prod: windows-client -author: lizgt2000 -ms.author: lizlong -ms.topic: article -ms.localizationpriority: medium +ms.topic: article + ms.reviewer: gkomatsu -manager: aaroncz -ms.technology: itpro-configure ms.date: 12/31/2017 ---- +--- -# How provisioning works in Windows +# How provisioning works in Windows -**Applies to** +**Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 -Provisioning packages in Windows client provide IT administrators with a simplified way to apply configuration settings to Windows client devices. Windows Configuration Designer is a tool that makes it easy to create a provisioning package. Windows Configuration Designer can be installed from Microsoft Store. +Provisioning packages in Windows client provide IT administrators with a simplified way to apply configuration settings to Windows client devices. Windows Configuration Designer is a tool that makes it easy to create a provisioning package. Windows Configuration Designer can be installed from Microsoft Store. -## Provisioning packages +## Provisioning packages -A provisioning package contains specific configurations/settings and assets that can be provided through a removable media or downloaded to the device. +A provisioning package contains specific configurations/settings and assets that can be provided through a removable media or downloaded to the device. -To enable adding multiple sets of settings or configurations, the configuration data used by the provisioning engine is built out of multiple configuration sources that consist of separate provisioning packages. Each provisioning package contains the provisioning data from a different source. 
+To enable adding multiple sets of settings or configurations, the configuration data used by the provisioning engine is built out of multiple configuration sources that consist of separate provisioning packages. Each provisioning package contains the provisioning data from a different source. -A provisioning package (.ppkg) is a container for a collection of configuration settings. The package has the following format: +A provisioning package (.ppkg) is a container for a collection of configuration settings. The package has the following format: -- Package metadata – The metadata contains basic information about the package such as package name, description, version, ranking, and so on. +- Package metadata - The metadata contains basic information about the package such as package name, description, version, ranking, and so on. -- XML descriptors – Each descriptor defines a customization asset or configuration setting included in the package. +- XML descriptors - Each descriptor defines a customization asset or configuration setting included in the package. -- Asset payloads – The payloads of a customization asset or a configuration setting associated with an app or data asset. +- Asset payloads - The payloads of a customization asset or a configuration setting associated with an app or data asset. -You can use provisioning packages for runtime device provisioning by accessing the package on a removable media attached to the device, through near field communication (NFC), or by downloading from a remote source location. +You can use provisioning packages for runtime device provisioning by accessing the package on a removable media attached to the device, through near field communication (NFC), or by downloading from a remote source location. 
-## Precedence for provisioning packages +## Precedence for provisioning packages -When multiple provisioning packages are available for device provisioning, the combination of package owner type and package rank level defined in the package manifest is used to resolve setting conflicts. The pre-defined package owner types are listed below in the order of lowest to highest owner type precedence: +When multiple provisioning packages are available for device provisioning, the combination of package owner type and package rank level defined in the package manifest is used to resolve setting conflicts. The pre-defined package owner types are listed below in the order of lowest to highest owner type precedence: -1. Microsoft +1. Microsoft -2. Silicon Vendor +2. Silicon Vendor -3. OEM +3. OEM -4. System Integrator +4. System Integrator -5. Mobile Operator +5. Mobile Operator -6. IT Admin +6. IT Admin -The valid value range of package rank level is 0 to 99. +The valid value range of package rank level is 0 to 99. -When setting conflicts are encountered, the final values provisioned on the device are determined by the owner type precedence and the rank level of the packages containing the settings. For packages with the same owner type, the package rank level determines the package from which the setting values get provisioned on the device. +When setting conflicts are encountered, the final values provisioned on the device are determined by the owner type precedence and the rank level of the packages containing the settings. For packages with the same owner type, the package rank level determines the package from which the setting values get provisioned on the device. -## Windows provisioning XML +## Windows provisioning XML -Windows provisioning XML is the framework that allows Microsoft and OEM components to declare end-user configurable settings and the on-device infrastructure for applying the settings with minimal work by the component owner. 
+Windows provisioning XML is the framework that allows Microsoft and OEM components to declare end-user configurable settings and the on-device infrastructure for applying the settings with minimal work by the component owner. -Settings for each component can be declared within that component's package manifest file. These declarations are turned into settings schema that are used by Windows Configuration Designer to expose the potential settings to users to create customizations in the image or in provisioning packages. Windows Configuration Designer translates the user configuration, which is declared through Windows provisioning answer file(s), into the on-device provisioning format. +Settings for each component can be declared within that component's package manifest file. These declarations are turned into settings schema that are used by Windows Configuration Designer to expose the potential settings to users to create customizations in the image or in provisioning packages. Windows Configuration Designer translates the user configuration, which is declared through Windows provisioning answer file(s), into the on-device provisioning format. -When the provisioning engine selects a configuration, the Windows provisioning XML is contained within the selected provisioning data and is passed through the configuration manager and then to the [Windows provisioning CSP](/windows/client-management/mdm/provisioning-csp). The Windows provisioning CSP then takes and applies the provisioning to the proper location for the actual component to use. +When the provisioning engine selects a configuration, the Windows provisioning XML is contained within the selected provisioning data and is passed through the configuration manager and then to the [Windows provisioning CSP](/windows/client-management/mdm/provisioning-csp). The Windows provisioning CSP then takes and applies the provisioning to the proper location for the actual component to use. 
-## Provisioning engine +## Provisioning engine -The provisioning engine is the core component for managing provisioning and configuration at runtime in a device running Windows 10/11. +The provisioning engine is the core component for managing provisioning and configuration at runtime in a device running Windows 10/11. -The provisioning engine provides the following functionality: +The provisioning engine provides the following functionality: - Provisioning configuration at any time when the device is running including first boot and setup or OOBE. It is also extensible to other points during the run-time of the device. - Reading and combining settings from multiple sources of configuration that may be added to an image by Microsoft, the OEM, or system integrator, or added by IT/education administrators or users to the device at run-time. Configuration sources may be built into the image or from provisioning packages added to the device. - Responding to triggers or events and initiating a provisioning stage. - Authenticating the provisioning packages. - Selecting a set of configuration based on the stage and a set of keys—such as the SIM, MCC/MNC, IMSI range, and so on—that map to a specific configuration then passing this configuration to the configuration management infrastructure to be applied. -- Working with OOBE and the control panel UI to allow user selection of configuration when a specific match cannot be determined. +- Working with OOBE and the control panel UI to allow user selection of configuration when a specific match cannot be determined. -## Configuration manager +## Configuration manager -The configuration manager provides the unified way of managing Windows 10/11 devices. Configuration is mainly done through the Open Mobile Alliance (OMA) Device Management (DM) and Client Provisioning (CP) protocols. 
The configuration manager handles and parses these protocol requests from different channels and passes them down to [Configuration Service Providers (CSPs)](/windows/client-management/mdm/configuration-service-provider-reference) to perform the specific management requests and settings. +The configuration manager provides the unified way of managing Windows 10/11 devices. Configuration is mainly done through the Open Mobile Alliance (OMA) Device Management (DM) and Client Provisioning (CP) protocols. The configuration manager handles and parses these protocol requests from different channels and passes them down to [Configuration Service Providers (CSPs)](/windows/client-management/mdm/configuration-service-provider-reference) to perform the specific management requests and settings. -The provisioning engine relies on configuration manager for all of the actual processing and application of a chosen configuration. The provisioning engine determines the stage of provisioning and, based on a set of keys, determines the set of configuration to send to the configuration manager. The configuration manager in turn parses and calls into the CSPs for the setting to be applied. +The provisioning engine relies on configuration manager for all of the actual processing and application of a chosen configuration. The provisioning engine determines the stage of provisioning and, based on a set of keys, determines the set of configuration to send to the configuration manager. The configuration manager in turn parses and calls into the CSPs for the setting to be applied. -Underneath the configuration manager are the CSPs. Each section of configuration translates to a particular CSP to handle interpreting into an action on the device. Each CSP translates the instructions in the configuration and calls into the appropriate APIs and components to perform the requested provisioning actions. +Underneath the configuration manager are the CSPs. 
Each section of configuration translates to a particular CSP to handle interpreting into an action on the device. Each CSP translates the instructions in the configuration and calls into the appropriate APIs and components to perform the requested provisioning actions. -## Policy and resource manager +## Policy and resource manager -The policy, resource, and context manager components manage the enrollment and unenrollment of devices into enterprise environments. The enrollment process into an enterprise is essentially the provisioning of configuration and device management policies that the enterprise wants to enforce on the device. This is usually done through the explicit signing up of the device to an enterprise's device management server over a network connection. This provides the user with the ability to access the enterprise's resources through the device and the enterprise with a means to manage and control access and manage and control the device itself. +The policy, resource, and context manager components manage the enrollment and unenrollment of devices into enterprise environments. The enrollment process into an enterprise is essentially the provisioning of configuration and device management policies that the enterprise wants to enforce on the device. This is usually done through the explicit signing up of the device to an enterprise's device management server over a network connection. This provides the user with the ability to access the enterprise's resources through the device and the enterprise with a means to manage and control access and manage and control the device itself. The key differences between enterprise enrollment and the configuration performed by the provisioning engine are: + - Enrollment enforces a limited and controlled set of policies on the device that the user may not have full control over. The provisioning engine exposes a larger set of settings that configure more aspects of the device and are generally user adjustable. 
- The policy manager manages policy settings from multiple entities and performs a selection of the setting based on priority of the entities. The provisioning engine applies the settings and does not offer a means of prioritizing settings from different sources. The more specific provisioning is the last one applied and the one that is used. -- Individual policy settings applied from different enrollment entities are stored so they can be removed later during unenrollment. This enables the user to remove enterprise policy and return the device to a state without the enterprise restrictions and any sensitive data. The provisioning engine does not maintain individual provisioning settings or a means to roll back all applied settings. +- Individual policy settings applied from different enrollment entities are stored so they can be removed later during unenrollment. This enables the user to remove enterprise policy and return the device to a state without the enterprise restrictions and any sensitive data. The provisioning engine does not maintain individual provisioning settings or a means to roll back all applied settings. -In Windows 10, the application of policy and enrollment through provisioning is required to support cases where an enterprise or educational institution does not have a DM server for full device management. The provisioning engine supports provisioning enrollment and policy through its configuration and integrates with the existing policy and resource manager components directly or through the configuration manager. +In Windows 10, the application of policy and enrollment through provisioning is required to support cases where an enterprise or educational institution does not have a DM server for full device management. The provisioning engine supports provisioning enrollment and policy through its configuration and integrates with the existing policy and resource manager components directly or through the configuration manager. 
-## Triggers and stages +## Triggers and stages -Triggers are events during the lifetime of the system that start a provisioning stage. Some examples of triggers are: boot, OOBE, SIM change, user added, administrator added, user login, device update, and various manual triggers (such as deployment over USB or launched from an email attachment or USB flash drive). +Triggers are events during the lifetime of the system that start a provisioning stage. Some examples of triggers are: boot, OOBE, SIM change, user added, administrator added, user login, device update, and various manual triggers (such as deployment over USB or launched from an email attachment or USB flash drive). When a trigger occurs, provisioning is initiated for a particular provisioning stage. The stages are grouped into sets based on the scope of the settings: - **Static**: First stage run for provisioning to apply configuration settings to the system to set up OOBE or apply device-wide settings that cannot be done when the image is being created. - **System**: Run during OOBE and configure system-wide settings. - **UICC**: UICC stages run for each new UICC in a device to handle configuration and branding based on the identity of the UICC or SIM card. This enables the runtime configuration scenarios where an OEM can maintain one image that can be configured for multiple operators. - **Update**: Runs after an update to apply potential updated settings changes. -- **User**: runs during a user account first run to configure per-user settings. +- **User**: runs during a user account first run to configure per-user settings. -## Device provisioning during OOBE +## Device provisioning during OOBE -The provisioning engine always applies provisioning packages persisted in the `C:\Recovery\Customizations` folder on the OS partition. 
When the provisioning engine applies provisioning packages in the `%ProgramData%\Microsoft\Provisioning` folder, certain runtime setting applications, such as the setting to install and configure Windows apps, may be extended past the OOBE pass and continually be processed in the background when the device gets to the desktop. Settings for configuring policies and certain crucial system configurations are always be completed before the first point at which they must take effect. +The provisioning engine always applies provisioning packages persisted in the `C:\Recovery\Customizations` folder on the OS partition. When the provisioning engine applies provisioning packages in the `%ProgramData%\Microsoft\Provisioning` folder, certain runtime setting applications, such as the setting to install and configure Windows apps, may be extended past the OOBE pass and continually be processed in the background when the device gets to the desktop. Settings for configuring policies and certain crucial system configurations are always be completed before the first point at which they must take effect. -Device users can apply a provisioning package from a remote source when the device first boots to OOBE. The device provisioning during OOBE is only triggered after the language, locale, time zone, and other settings on the first OOBE UI page are configured. When device provisioning is triggered, the provisioning UI is displayed in the OOBE page. The provisioning UI allows users to select a provisioning package acquired from a remote source, such as through NFC or a removable media. +Device users can apply a provisioning package from a remote source when the device first boots to OOBE. The device provisioning during OOBE is only triggered after the language, locale, time zone, and other settings on the first OOBE UI page are configured. When device provisioning is triggered, the provisioning UI is displayed in the OOBE page. 
The provisioning UI allows users to select a provisioning package acquired from a remote source, such as through NFC or a removable media. -The following table shows how device provisioning can be initiated when a user first boots to OOBE. +The following table shows how device provisioning can be initiated when a user first boots to OOBE. | Package delivery | Initiation method | Supported device | @@ -123,27 +119,28 @@ The following table shows how device provisioning can be initiated when a user f | Removable media - USB drive or SD card
    (Packages must be placed at media root) | Five fast taps on the Windows key to launch the provisioning UI |All Windows devices | | From an administrator device through machine-to-machine NFC or NFC tag
    (The administrator device must run an app that can transfer the package over NFC) | Five fast taps on the Windows key to launch the provisioning UI | Windows IoT Core devices | -The provisioning engine always copies the acquired provisioning packages to the `%ProgramData%\Microsoft\Provisioning` folder before processing them during OOBE. The provisioning engine always applies provisioning packages embedded in the installed Windows image during Windows Setup OOBE pass regardless of whether the package is signed and trusted. When the provisioning engine applies an encrypted provisioning package on an end-user device during OOBE, users must first provide a valid password to decrypt the package. The provisioning engine also checks whether a provisioning package is signed and trusted; if it's not, the user must provide consent before the package is applied to the device. -When the provisioning engine applies provisioning packages during OOBE, it applies only the runtime settings from the package to the device. Runtime settings can be system-wide configuration settings, including security policy, Windows app install/uninstall, network configuration, bootstrapping MDM enrollment, provisioning of file assets, account and domain configuration, Windows edition upgrade, and more. The provisioning engine also checks for the configuration settings on the device, such as region/locale or SIM card, and applies the multivariant settings with matching condition(s). +The provisioning engine always copies the acquired provisioning packages to the `%ProgramData%\Microsoft\Provisioning` folder before processing them during OOBE. The provisioning engine always applies provisioning packages embedded in the installed Windows image during Windows Setup OOBE pass regardless of whether the package is signed and trusted. 
When the provisioning engine applies an encrypted provisioning package on an end-user device during OOBE, users must first provide a valid password to decrypt the package. The provisioning engine also checks whether a provisioning package is signed and trusted; if it's not, the user must provide consent before the package is applied to the device. -## Device provisioning at runtime +When the provisioning engine applies provisioning packages during OOBE, it applies only the runtime settings from the package to the device. Runtime settings can be system-wide configuration settings, including security policy, Windows app install/uninstall, network configuration, bootstrapping MDM enrollment, provisioning of file assets, account and domain configuration, Windows edition upgrade, and more. The provisioning engine also checks for the configuration settings on the device, such as region/locale or SIM card, and applies the multivariant settings with matching condition(s). -At device runtime, stand-alone provisioning packages can be applied by user initiation. The following table shows when provisioning at device runtime can be initiated. +## Device provisioning at runtime + +At device runtime, stand-alone provisioning packages can be applied by user initiation. The following table shows when provisioning at device runtime can be initiated. | Package delivery | Initiation method | Supported device | | --- | --- | --- | | Removable media - USB drive or SD card
    (Packages must be placed at media root) | **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** | All Windows devices | | Downloaded from a network connection and copied to a local folder | Double-click the package file | Windows client for desktop editions devices | -| From an administrator device connected to the target device through USB tethering | Drag and drop the package file onto the target device | Windows IoT Core devices | +| From an administrator device connected to the target device through USB tethering | Drag and drop the package file onto the target device | Windows IoT Core devices | -When applying provisioning packages from a removable media attached to the device, the Settings UI allows viewing contents of a package before selecting the package for provisioning. To minimize the risk of the device being spammed by applying provisioning packages from unknown sources, a provisioning package can be signed and encrypted. Partners can also set policies to limit the application of provisioning packages at device runtime. Applying provisioning packages at device runtime requires administrator privilege. If the package is not signed or trusted, a user must provide consent before the package is applied to the device. If the package is encrypted, a valid password is needed to decrypt the package before it can be applied to the device. +When applying provisioning packages from a removable media attached to the device, the Settings UI allows viewing contents of a package before selecting the package for provisioning. To minimize the risk of the device being spammed by applying provisioning packages from unknown sources, a provisioning package can be signed and encrypted. Partners can also set policies to limit the application of provisioning packages at device runtime. Applying provisioning packages at device runtime requires administrator privilege. 
If the package is not signed or trusted, a user must provide consent before the package is applied to the device. If the package is encrypted, a valid password is needed to decrypt the package before it can be applied to the device. -When applying multiple provisioning packages to a device, the provisioning engine resolves settings with conflicting configuration values from different packages by evaluating the package ranking using the combination of package owner type and package rank level defined in the package metadata. A configuration setting applied from a provisioning package with the highest package ranking will be the final value applied to the device. +When applying multiple provisioning packages to a device, the provisioning engine resolves settings with conflicting configuration values from different packages by evaluating the package ranking using the combination of package owner type and package rank level defined in the package metadata. A configuration setting applied from a provisioning package with the highest package ranking will be the final value applied to the device. -After a stand-alone provisioning package is applied to the device, the package is persisted in the `%ProgramData%\Microsoft\Provisioning` folder on the device. Provisioning packages can be removed by an administrator by using the **Add or remove a provisioning package** available under **Settings** > **Accounts** > **Access work or school**. +After a stand-alone provisioning package is applied to the device, the package is persisted in the `%ProgramData%\Microsoft\Provisioning` folder on the device. Provisioning packages can be removed by an administrator by using the **Add or remove a provisioning package** available under **Settings** > **Accounts** > **Access work or school**. -## Related articles +## Related articles - [Provisioning packages for Windows client](provisioning-packages.md) - [Install Windows Configuration Designer](provisioning-install-icd.md) 
diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index 2f6782646c..c5318fcbc6 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md 
@@ -1,83 +1,82 @@ --- title: Install Windows Configuration Designer description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10/11. -author: lizgt2000 -ms.author: lizlong ms.topic: article ms.reviewer: kevinsheehan ms.date: 12/31/2017 ---- +--- -# Install Windows Configuration Designer, and learn about any limitations +# Install Windows Configuration Designer, and learn about any limitations -**Applies to** +**Applies to** - Windows 10 -- Windows 11 +- Windows 11 -Use the Windows Configuration Designer tool to create provisioning packages to easily configure devices running Windows client. Windows Configuration Designer is primarily used by IT departments for business and educational institutions who need to provision bring-your-own-device (BYOD) and business-supplied devices. +Use the Windows Configuration Designer tool to create provisioning packages to easily configure devices running Windows client. Windows Configuration Designer is primarily used by IT departments for business and educational institutions who need to provision bring-your-own-device (BYOD) and business-supplied devices. -## Supported platforms +## Supported platforms -Windows Configuration Designer can create provisioning packages for Windows client desktop, including Windows IoT Core, Microsoft Surface Hub, and Microsoft HoloLens. You can run Windows Configuration Designer on the following operating systems: +Windows Configuration Designer can create provisioning packages for Windows client desktop, including Windows IoT Core, Microsoft Surface Hub, and Microsoft HoloLens. 
You can run Windows Configuration Designer on the following operating systems: -**Client OS**: +**Client OS**: - Windows 11 - Windows 10 - x86 and amd64 - Windows 8.1 Update - x86 and amd64 - Windows 8.1 - x86 and amd64 - Windows 8 - x86 and amd64 -- Windows 7 - x86 and amd64 +- Windows 7 - x86 and amd64 -**Server OS**: +**Server OS**: - Windows Server 2016 - Windows Server 2012 R2 Update - Windows Server 2012 R2 - Windows Server 2012 -- Windows Server 2008 R2 +- Windows Server 2008 R2 >[!WARNING] ->You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards. +>You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards. -## Install Windows Configuration Designer +## Install Windows Configuration Designer -On devices running Windows client, you can install [the Windows Configuration Designer app](https://www.microsoft.com/store/apps/9nblggh4tx22) from the Microsoft Store. +On devices running Windows client, you can install [the Windows Configuration Designer app](https://www.microsoft.com/store/apps/9nblggh4tx22) from the Microsoft Store. -## Current Windows Configuration Designer limitations +## Current Windows Configuration Designer limitations - When running Windows Configuration Designer on Windows releases earlier than Windows 10, version 2004 you might need to enable TLS 1.2, especially if using Bulk Enrollment Tokens. You may see the error message in the `icd.log` file: `Error: AADSTS1002016: You are using TLS version 1.0, 1.1 and/or 3DES cipher which are deprecated to improve the security posture of Azure AD` For more information, see [Enable TLS 1.2 on client or server operating systems](/troubleshoot/azure/active-directory/enable-support-tls-environment#enable-tls-12-on-client-or-server-operating-systems-). 
-- Windows Configuration Designer doesn't work properly when the Group Policy setting **Policies** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Security Zones: Use only machine settings** is enabled. When this policy is set, each step will display oversized buttons that fill the **Windows Configuration Designer** window. Additionally, the various options and descriptions that are normally to the right of the buttons won't be displayed because the buttons take up all of the space in the **Windows Configuration Designer** window. To resolve the problem, run Windows Configuration Designer on a device that doesn't have this policy enabled. -- You can only run one instance of Windows Configuration Designer on your computer at a time. +- Windows Configuration Designer doesn't work properly when the Group Policy setting **Policies** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Security Zones: Use only machine settings** is enabled. When this policy is set, each step will display oversized buttons that fill the **Windows Configuration Designer** window. Additionally, the various options and descriptions that are normally to the right of the buttons won't be displayed because the buttons take up all of the space in the **Windows Configuration Designer** window. To resolve the problem, run Windows Configuration Designer on a device that doesn't have this policy enabled. -- When adding apps and drivers, all files stored in the same folder are imported, and may cause errors during the build process. +- You can only run one instance of Windows Configuration Designer on your computer at a time. -- The Windows Configuration Designer UI doesn't support multivariant configurations. Instead, you must use the Windows Configuration Designer command-line interface to configure multivariant settings. 
For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md). +- When adding apps and drivers, all files stored in the same folder are imported, and may cause errors during the build process. -- In Windows Configuration Designer, you can only build one project at a time. You can open multiple projects at the same time, but you can only build one at a time. +- The Windows Configuration Designer UI doesn't support multivariant configurations. Instead, you must use the Windows Configuration Designer command-line interface to configure multivariant settings. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md). -- To enable the simplified authoring jscripts to work on a server SKU running Windows Configuration Designer, you must enable **Allow websites to prompt for information using scripted windows**: +- In Windows Configuration Designer, you can only build one project at a time. You can open multiple projects at the same time, but you can only build one at a time. + +- To enable the simplified authoring jscripts to work on a server SKU running Windows Configuration Designer, you must enable **Allow websites to prompt for information using scripted windows**: 1. Open Internet Explorer. 2. Go to **Settings** > **Internet Options** > **Security** > **Custom level**. - 3. Select **Allow websites to prompt for information using scripted windows** > **Enable**. + 3. Select **Allow websites to prompt for information using scripted windows** > **Enable**. -- If you copy a Windows Configuration Designer project from one PC to another PC, then: +- If you copy a Windows Configuration Designer project from one PC to another PC, then: - Copy all the associated files for the deployment assets with the project, including apps and drivers. - - Copy all the files to the same path as the original PC. + - Copy all the files to the same path as the original PC. 
- For example, when you add a driver to a provisioned package, you must copy the `.INF` file to a local directory on the PC that's running Windows Configuration Designer. If you don't copy the `.INF` file, and use a copied version of this project on a different PC, then Windows Configuration Designer might resolve the file paths to the original PC. + For example, when you add a driver to a provisioned package, you must copy the `.INF` file to a local directory on the PC that's running Windows Configuration Designer. If you don't copy the `.INF` file, and use a copied version of this project on a different PC, then Windows Configuration Designer might resolve the file paths to the original PC. -- **Recommended**: Before starting, copy all source files to the PC running Windows Configuration Designer. Don't use external sources, like network shares or removable drives. Using local files reduces the risk of interrupting the build process from a network issue, or from disconnecting the USB device. +- **Recommended**: Before starting, copy all source files to the PC running Windows Configuration Designer. Don't use external sources, like network shares or removable drives. Using local files reduces the risk of interrupting the build process from a network issue, or from disconnecting the USB device. -**Next step**: [How to create a provisioning package](provisioning-create-package.md) +**Next step**: [How to create a provisioning package](provisioning-create-package.md) -## Related articles +## Related articles - [Provisioning packages for Windows client](provisioning-packages.md) - [How provisioning works in Windows client](provisioning-how-it-works.md) diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md index f6bda1fbba..79cf698297 100644 --- a/windows/configuration/provisioning-packages/provisioning-multivariant.md 
+++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md 
@@ -1,54 +1,49 @@ --- title: Create a provisioning package with multivariant settings (Windows 10/11) description: Create a provisioning package with multivariant settings to customize the provisioned settings for defined conditions. -ms.prod: windows-client -author: lizgt2000 -ms.topic: article -ms.localizationpriority: medium +ms.topic: article + ms.reviewer: gkomatsu -manager: aaroncz -ms.author: lizlong -ms.technology: itpro-configure ms.date: 12/31/2017 ---- +--- -# Create a provisioning package with multivariant settings +# Create a provisioning package with multivariant settings -**Applies to** +**Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 -In your organization, you might have different configuration requirements for devices that you manage. You can create separate provisioning packages for each group of devices in your organization that have different requirements. Or, you can create a multivariant provisioning package, a single provisioning package that can work for multiple conditions. For example, in a single provisioning package, you can define one set of customization settings that will apply to devices set up for French and a different set of customization settings for devices set up for Japanese. +In your organization, you might have different configuration requirements for devices that you manage. You can create separate provisioning packages for each group of devices in your organization that have different requirements. Or, you can create a multivariant provisioning package, a single provisioning package that can work for multiple conditions. For example, in a single provisioning package, you can define one set of customization settings that will apply to devices set up for French and a different set of customization settings for devices set up for Japanese. 
-To provision multivariant settings, you use Windows Configuration Designer to create a provisioning package that contains all of the customization settings that you want to apply to any of your devices. Next, you manually edit the .XML file for that project to define each set of devices (a **Target**). For each **Target**, you specify at least one **Condition** with a value, which identifies the devices to receive the configuration. Finally, for each **Target**, you provide the customization settings to be applied to those devices. +To provision multivariant settings, you use Windows Configuration Designer to create a provisioning package that contains all of the customization settings that you want to apply to any of your devices. Next, you manually edit the .XML file for that project to define each set of devices (a **Target**). For each **Target**, you specify at least one **Condition** with a value, which identifies the devices to receive the configuration. Finally, for each **Target**, you provide the customization settings to be applied to those devices. -Let's begin by learning how to define a **Target**. +Let's begin by learning how to define a **Target**. -## Define a target +## Define a target -In the XML file, you provide an **Id**, or friendly name, for each **Target**. Each **Target** is defined by at least one **TargetState** which contains at least one **Condition**. A **Condition** element defines the matching type between the condition and the specified value. +In the XML file, you provide an **Id**, or friendly name, for each **Target**. Each **Target** is defined by at least one **TargetState** which contains at least one **Condition**. A **Condition** element defines the matching type between the condition and the specified value. -A **Target** can have more than one **TargetState**, and a **TargetState** can have more than one **Condition**. 
+A **Target** can have more than one **TargetState**, and a **TargetState** can have more than one **Condition**. -![Target with multiple target states and conditions.](../images/multi-target.png) +![Target with multiple target states and conditions.](../images/multi-target.png) -The following information describes the logic for the target definition: +The following information describes the logic for the target definition: -- When all **Condition** elements are TRUE, **TargetState** is TRUE: +- When all **Condition** elements are TRUE, **TargetState** is TRUE: - :::image type="content" source="../images/icd-multi-targetstate-true.png" alt-text="Target state is true when all conditions are true."::: + :::image type="content" source="../images/icd-multi-targetstate-true.png" alt-text="Target state is true when all conditions are true."::: -- If any of the **TargetState** elements is TRUE, **Target** is TRUE, and the **ID** can be used for setting customizations: +- If any of the **TargetState** elements is TRUE, **Target** is TRUE, and the **ID** can be used for setting customizations: - :::image type="content" source="../images/icd-multi-target-true.png" alt-text="Target is true if any target state is true"::: + :::image type="content" source="../images/icd-multi-target-true.png" alt-text="Target is true if any target state is true"::: -### Conditions +### Conditions -The following table shows the conditions supported in Windows client provisioning for a **TargetState**: +The following table shows the conditions supported in Windows client provisioning for a **TargetState**: | Condition Name | Condition priority | Windows client for desktop editions | Value type | Value description | 
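Review bot: The "Define a target" text uses two spellings for the same attribute: "you provide an **Id**, or friendly name" in the first paragraph, but "the **ID** can be used for setting customizations" in the second logic bullet. Readers copy these names into customizations.xml by hand, so the bullet should use **Id** to match the rest of the article. Separately, the front matter now has an empty added line between `ms.topic: article` and `ms.reviewer: gkomatsu`; drop it so the metadata block stays contiguous.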
@@ -60,6 +55,7 @@ The following table shows the conditions supported in Windows client provisionin | GID1 | P0 | Supported | Digit string | Use to target settings based on the Group Identifier (level 1) value. | | ICCID | P0 | Supported | Digit string | Use to target settings based on the Integrated Circuit Card Identifier (ICCID) value. | | Roaming | P0 | N/A | Boolean | Use to specify roaming. Set the value to **1** (roaming) or **0** (non-roaming). | + | UICC | P0 | N/A | Enumeration | Use to specify the Universal Integrated Circuit Card (UICC) state. Set the value to one of the following:


    - 0 - Empty
    - 1 - Ready
    - 2 - Locked | | UICCSLOT | P0 | N/A | Digit string | Use to specify the UICC slot. Set the value one of the following:


    - 0 - Slot 0
    - 1 - Slot 1 | | ProcessorType | P1 | Supported | String | Use to target settings based on the processor type. | 
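Review bot: The empty line added between the `| Roaming | P0 | N/A | Boolean |` row and the `| UICC | P0 | N/A | Enumeration |` row falls inside the Conditions table. A blank line ends a Markdown table, so UICC and every row after it would be cut off from the header and no longer render as table rows. Remove the added line. While this row is in view, "Set the value one of the following" in the UICCSLOT row is missing "to".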
@@ -70,56 +66,56 @@ The following table shows the conditions supported in Windows client provisionin | Architecture | P1 | Supported | String | Matches the PROCESSOR_ARCHITECTURE environment variable. | | Server | P1 | Supported | Boolean | Set the value to **0** (false) or **1** (true) to identify a server. | | Region | P1 | Supported | Enumeration | Use to target settings based on country/region, using the 2-digit alpha ISO code per [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2). | -| Lang | P1 | Supported | Enumeration | Use to target settings based on language code, using the 2-digit [ISO 639 alpha-2 code](https://en.wikipedia.org/wiki/ISO_639). | +| Lang | P1 | Supported | Enumeration | Use to target settings based on language code, using the 2-digit [ISO 639 alpha-2 code](https://en.wikipedia.org/wiki/ISO_639). | -The matching types supported in Windows client are: +The matching types supported in Windows client are: | Matching type | Syntax | Example | | --- | --- | --- | | Straight match | Matching type is specified as-is | <Condition Name="ProcessorName" Value="Barton" /> | | Regular expression (Regex) match | Matching type is prefixed by "Pattern:" | <Condition Name="ProcessorName" Value="Pattern:.*Celeron.*" /> | | Numeric range match | Matching type is prefixed by "!Range:" | <Condition Name="MNC" Value="!Range:400, 550" /> | + + +### TargetState priorities + +You can define more than one **TargetState** within a provisioning package to apply settings to devices that match device conditions. When the provisioning engine evaluates each **TargetState**, more than one **TargetState** may fit current device conditions. To determine the order in which the settings are applied, the system assigns a priority to every **TargetState**. + +A setting that matches a **TargetState** with a lower priority is applied before the setting that matches a **TargetState** with a higher priority. 
This means that a setting for the **TargetState** with the higher priority can overwrite a setting for the **TargetState** with the lower priority. + +Settings that match more than one **TargetState** with equal priority are applied according to the order that each **TargetState** is defined in the provisioning package. + +The **TargetState** priority is assigned based on the condition's priority (see the [Conditions table](#conditions) for priorities). The priority evaluation rules are as followed: + +1. A **TargetState** with P0 conditions is higher than a **TargetState** without P0 conditions. + +2. A **TargetState** with both P0 and P1 conditions is higher than a **TargetState** with only P0 conditions. + +2. A **TargetState** with a greater number of matched P0 conditions is higher than **TargetState** with fewer matched P0 conditions, regardless of the number of P1 conditions matched. + +2. If the number of P0 conditions matched are equivalent, then the **TargetState** with the most matched P1 conditions has higher priority. + +3. If both P0 and P1 conditions are equally matched, then the **TargetState** with the greatest total number of matched conditions has highest priority. + -### TargetState priorities +## Create a provisioning package with multivariant settings -You can define more than one **TargetState** within a provisioning package to apply settings to devices that match device conditions. When the provisioning engine evaluates each **TargetState**, more than one **TargetState** may fit current device conditions. To determine the order in which the settings are applied, the system assigns a priority to every **TargetState**. - -A setting that matches a **TargetState** with a lower priority is applied before the setting that matches a **TargetState** with a higher priority. This means that a setting for the **TargetState** with the higher priority can overwrite a setting for the **TargetState** with the lower priority. 
- -Settings that match more than one **TargetState** with equal priority are applied according to the order that each **TargetState** is defined in the provisioning package. - -The **TargetState** priority is assigned based on the condition's priority (see the [Conditions table](#conditions) for priorities). The priority evaluation rules are as followed: - -1. A **TargetState** with P0 conditions is higher than a **TargetState** without P0 conditions. - -2. A **TargetState** with both P0 and P1 conditions is higher than a **TargetState** with only P0 conditions. - -2. A **TargetState** with a greater number of matched P0 conditions is higher than **TargetState** with fewer matched P0 conditions, regardless of the number of P1 conditions matched. - -2. If the number of P0 conditions matched are equivalent, then the **TargetState** with the most matched P1 conditions has higher priority. - -3. If both P0 and P1 conditions are equally matched, then the **TargetState** with the greatest total number of matched conditions has highest priority. +Follow these steps to create a provisioning package with multivariant capabilities. +1. Build a provisioning package and configure the customizations you want to apply during certain conditions. For more information, see [Create a provisioning package](provisioning-create-package.md). -## Create a provisioning package with multivariant settings +2. After you've [configured the settings](provisioning-create-package.md#configure-settings), save the project. -Follow these steps to create a provisioning package with multivariant capabilities. +3. Open the project folder and copy the customizations.xml file to any local location. +4. Use an XML or text editor to open the customizations.xml file. -1. Build a provisioning package and configure the customizations you want to apply during certain conditions. For more information, see [Create a provisioning package](provisioning-create-package.md). 
+ The customizations.xml file holds the package metadata (including the package owner and rank) and the settings that you configured when you created your provisioning package. The **Customizations** node of the file contains a **Common** section, which contains the customization settings. -2. After you've [configured the settings](provisioning-create-package.md#configure-settings), save the project. - -3. Open the project folder and copy the customizations.xml file to any local location. - -4. Use an XML or text editor to open the customizations.xml file. - - The customizations.xml file holds the package metadata (including the package owner and rank) and the settings that you configured when you created your provisioning package. The **Customizations** node of the file contains a **Common** section, which contains the customization settings. - - The following example shows the contents of a sample customizations.xml file. + The following example shows the contents of a sample customizations.xml file. ```XML @@ -146,12 +142,14 @@ Follow these steps to create a provisioning package with multivariant capabiliti - ``` -5. Edit the customizations.xml file to create a **Targets** section to describe the conditions that will handle your multivariant settings. + ``` + +5. Edit the customizations.xml file to create a **Targets** section to describe the conditions that will handle your multivariant settings. The following example shows the customizations.xml, which has been modified to include several conditions including **ProcessorName**, **ProcessorType**, **MCC**, and **MNC**. + ```XML 
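Review bot: In the TargetState priorities list re-added by the `@@ -70,56 +66,56 @@` hunk, the second and third rules can order the same pair differently and the text does not say which one wins. A **TargetState** with one P0 and one P1 condition is higher than one with two P0 conditions under "both P0 and P1 conditions is higher than ... only P0 conditions", but lower under "a greater number of matched P0 conditions is higher ... regardless of the number of P1 conditions matched". State whether the rules are evaluated in list order or reword them so they cannot conflict. The same lines carry "as followed" (should be "as follows") and source numbering of 1, 2, 2, 2, 3, which is worth fixing while the block is being rewritten.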
@@ -195,22 +193,24 @@ Follow these steps to create a provisioning package with multivariant capabiliti - ``` -6. In the customizations.xml file, create a **Variant** section for the settings you need to customize. To do this: + ``` + +6. In the customizations.xml file, create a **Variant** section for the settings you need to customize. To do this: a. Define a child **TargetRefs** element. - b. Within the **TargetRefs** element, define a **TargetRef** element. You can define multiple **TargetRef** elements for each **Id** that you need to apply to customized settings. - c. Move compliant settings from the **Common** section to the **Variant** section. + b. Within the **TargetRefs** element, define a **TargetRef** element. You can define multiple **TargetRef** elements for each **Id** that you need to apply to customized settings. - If any of the **TargetRef** elements matches the **Target**, all settings in the **Variant** are applied. + c. Move compliant settings from the **Common** section to the **Variant** section. + + If any of the **TargetRef** elements matches the **Target**, all settings in the **Variant** are applied. >[!NOTE] - >You can define multiple **Variant** sections. Settings that reside in the **Common** section are applied unconditionally on every triggering event. + >You can define multiple **Variant** sections. Settings that reside in the **Common** section are applied unconditionally on every triggering event. - The following example shows the customizations.xml updated to include a **Variant** section and the moved settings that will be applied if the conditions for the variant are met. + The following example shows the customizations.xml updated to include a **Variant** section and the moved settings that will be applied if the conditions for the variant are met. ```XML 
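Review bot: Step 6c, "Move compliant settings from the **Common** section to the **Variant** section", never defines "compliant", so it is unclear which settings are meant to move. Say it directly, for example "Move the settings that should apply only when the target matches". Step 6a also says "Define a child **TargetRefs** element" without naming the parent; adding "of the **Variant** element" removes the guesswork.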
@@ -263,35 +263,37 @@ Follow these steps to create a provisioning package with multivariant capabiliti - ``` -7. Save the updated customizations.xml file and note the path to this updated file. You will need the path as one of the values for the next step. + ``` + +7. Save the updated customizations.xml file and note the path to this updated file. You will need the path as one of the values for the next step. -8. Use the [Windows Configuration Designer command-line interface](provisioning-command-line.md) to create a provisioning package using the updated customizations.xml. +8. Use the [Windows Configuration Designer command-line interface](provisioning-command-line.md) to create a provisioning package using the updated customizations.xml. - For example: + For example: ``` icd.exe /Build-ProvisioningPackage /CustomizationXML:"C:\CustomProject\customizations.xml" /PackagePath:"C:\CustomProject\output.ppkg" /StoreFile:C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\Microsoft-Common-Provisioning.dat" ``` - + -In this example, the **StoreFile** corresponds to the location of the settings store that will be used to create the package for the required Windows edition. +In this example, the **StoreFile** corresponds to the location of the settings store that will be used to create the package for the required Windows edition. >[!NOTE] ->The provisioning package created during this step will contain the multivariant settings. You can use this package either as a standalone package that you can apply to a Windows device or use it as the base when starting another project. +>The provisioning package created during this step will contain the multivariant settings. You can use this package either as a standalone package that you can apply to a Windows device or use it as the base when starting another project. 
- + -## Events that trigger provisioning +## Events that trigger provisioning -When you install the multivariant provisioning package on a Windows client device, the provisioning engine applies the matching condition settings at every event and triggers provisioning. +When you install the multivariant provisioning package on a Windows client device, the provisioning engine applies the matching condition settings at every event and triggers provisioning. -The following events trigger provisioning on Windows client devices: +The following events trigger provisioning on Windows client devices: | Event | Windows client for desktop editions | | --- | --- | + | System boot | Supported | | Operating system update | Planned | | Package installation during device first run experience | Supported | @@ -299,7 +301,8 @@ The following events trigger provisioning on Windows client devices: | Package installation at runtime | Supported | | Roaming detected | Not supported | -## Related articles + +## Related articles - [Provisioning packages for Windows client](provisioning-packages.md) - [How provisioning works in Windows client](provisioning-how-it-works.md) @@ -310,5 +313,5 @@ The following events trigger provisioning on Windows client devices: - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) - [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) -- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index aed5ec0d4a..5e87c3d5d5 100644 
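Review bot: In the "Events that trigger provisioning" table of provisioning-multivariant.md, the `@@ -263,35 +263,37 @@` hunk adds an empty line between the `| --- | --- |` separator and the `| System boot | Supported |` row. That blank line ends the Markdown table after its header, so the event rows would no longer render as a table; remove it. In the same hunk, the step 8 sample command has unbalanced quotes: `/StoreFile:C:\Program Files (x86)\...\Microsoft-Common-Provisioning.dat"` closes a quote that was never opened, and the path contains spaces, so the command fails as written when copied. Add the opening quote after `/StoreFile:`.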
--- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md 
@@ -2,29 +2,28 @@ title: Provisioning packages overview description: With Windows 10 and Windows 11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Learn about what provisioning packages, are and what they do. ms.reviewer: kevinsheehan -author: lizgt2000 -ms.author: lizlong ms.topic: article ms.date: 12/31/2017 ---- +--- -# Provisioning packages for Windows +# Provisioning packages for Windows -**Applies to** +**Applies to** - Windows 10 -- Windows 11 +- Windows 11 -Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. When you use Windows provisioning, an IT administrator can easily specify the desired configuration and settings required to enroll the devices into management. Then, apply that configuration to target devices in a matter of minutes. It's best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. +Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. When you use Windows provisioning, an IT administrator can easily specify the desired configuration and settings required to enroll the devices into management. Then, apply that configuration to target devices in a matter of minutes. It's best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. -A provisioning package (.ppkg) is a container for a collection of configuration settings. With Windows client, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. +A provisioning package (.ppkg) is a container for a collection of configuration settings. With Windows client, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. 
-Provisioning packages are simple enough that with a short set of written instructions, a student, or non-technical employee can use them to configure their device. It can result in a significant reduction in the time required to configure multiple devices in your organization. +Provisioning packages are simple enough that with a short set of written instructions, a student, or non-technical employee can use them to configure their device. It can result in a significant reduction in the time required to configure multiple devices in your organization. -Windows Configuration Designer is available as an [app in the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22). - +Windows Configuration Designer is available as an [app in the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22). + + 
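Review bot: The front matter `description` in this hunk reads "Learn about what provisioning packages, are and what they do." The comma is misplaced and the string is surfaced as the page summary, so fix it while the metadata is being edited, for example "Learn what provisioning packages are and what they do." The body sentence "a student, or non-technical employee can use them" has the same stray comma after "student".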
@@ -32,35 +31,35 @@ Windows Configuration Designer is available as an [app in the Microsoft Store](h - + -## Benefits of provisioning packages +## Benefits of provisioning packages -Provisioning packages let you: +Provisioning packages let you: -- Quickly configure a new device without going through the process of installing a new image. +- Quickly configure a new device without going through the process of installing a new image. -- Save time by configuring multiple devices using one provisioning package. +- Save time by configuring multiple devices using one provisioning package. -- Quickly configure employee-owned devices in an organization without a mobile device management (MDM) infrastructure. +- Quickly configure employee-owned devices in an organization without a mobile device management (MDM) infrastructure. -- Set up a device without the device having network connectivity. +- Set up a device without the device having network connectivity. -Provisioning packages can be: +Provisioning packages can be: -- Installed using removable media such as an SD card or USB flash drive. +- Installed using removable media such as an SD card or USB flash drive. -- Attached to an email. +- Attached to an email. -- Downloaded from a network share. +- Downloaded from a network share. -- Deployed in NFC tags or barcodes. +- Deployed in NFC tags or barcodes. -## What you can configure +## What you can configure -### Configuration Designer wizards +### Configuration Designer wizards -The following table describes settings that you can configure using the wizards in Windows Configuration Designer to create provisioning packages. +The following table describes settings that you can configure using the wizards in Windows Configuration Designer to create provisioning packages. | Step | Description | Desktop wizard | Kiosk wizard | HoloLens wizard | | --- | --- | --- | --- | --- | 
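Review bot: The "Provisioning packages can be" list names removable media, email attachments, network shares and NFC tags or barcodes as delivery channels, but nothing in this section mentions package trust. provisioning-how-it-works.md, touched in this same patch, states that an unsigned or untrusted package requires user consent and that an encrypted package requires a password before it is applied. A one-line pointer to that article after the list would tell administrators what to expect when a package arrives over one of these channels.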
@@ -72,18 +71,18 @@ The following table describes settings that you can configure using the wizards | Add certificates | Include a certificate file in the provisioning package. | ✔️ | ✔️ | ✔️ | | Configure kiosk account and app | Create local account to run the kiosk mode app, specify the app to run in kiosk mode | ❌ | ✔️ | ❌ | | Configure kiosk common settings | Set tablet mode, configure welcome and shutdown screens, turn off timeout settings | ❌ | ✔️ | ❌ | -| Developer Setup | Enable Developer Mode | ❌ | ❌ | ✔️ | +| Developer Setup | Enable Developer Mode | ❌ | ❌ | ✔️ | - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) - [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard) -- [Instructions for the HoloLens wizard](/hololens/hololens-provisioning#wizard) +- [Instructions for the HoloLens wizard](/hololens/hololens-provisioning#wizard) >[!NOTE] ->After you start a project using a Windows Configuration Designer wizard, you can switch to the advanced editor to configure additional settings in the provisioning package. +>After you start a project using a Windows Configuration Designer wizard, you can switch to the advanced editor to configure additional settings in the provisioning package. -### Configuration Designer advanced editor +### Configuration Designer advanced editor -The following table provides some examples of settings that you can configure using the Windows Configuration Designer advanced editor to create provisioning packages. +The following table provides some examples of settings that you can configure using the Windows Configuration Designer advanced editor to create provisioning packages. | Customization options | Examples | |---|---| 
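Review bot: Every removed/added pair in this hunk (the `Developer Setup` table row, the HoloLens wizard link, the NOTE text, the advanced editor heading and its intro sentence) shows identical text on both sides, so the change here appears to be whitespace or line endings only. Consider moving that normalization into its own commit, or stating it in the commit message, so that the substantive edits elsewhere in this patch (for example the front-matter removals) are not buried in it.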
@@ -95,38 +94,41 @@ The following table provides some examples of settings that you can configure us | Enterprise policies | Security restrictions (password, device lock, camera, and so on), encryption, update settings | | Data assets | Documents, music, videos, pictures | | Start menu customization | Start menu layout, application pinning | -| Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on | +| Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on | -For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012). +For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012). - + - + -WCD, simplified common provisioning scenarios. +WCD, simplified common provisioning scenarios. -:::image type="content" source="../images/icd.png" alt-text="Configuration Designer options"::: +:::image type="content" source="../images/icd.png" alt-text="Configuration Designer options"::: -WCD supports the following scenarios for IT administrators: +WCD supports the following scenarios for IT administrators: -* **Simple provisioning** – Enables IT administrators to define a desired configuration in WCD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner. +* **Simple provisioning** - Enables IT administrators to define a desired configuration in WCD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner. 
- [Learn how to use simple provisioning to configure Windows computers.](provision-pcs-for-initial-deployment.md) + [Learn how to use simple provisioning to configure Windows computers.](provision-pcs-for-initial-deployment.md) -* **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** – Allows an IT administrator to use WCD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices. +* **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** - Allows an IT administrator to use WCD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices. -* **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows devices and enroll them into mobile device management (MDM) before handing them to end users in the organization. IT administrators can use WCD to specify the management endpoint and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. Supported management end-points include: +* **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows devices and enroll them into mobile device management (MDM) before handing them to end users in the organization. IT administrators can use WCD to specify the management endpoint and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. 
Supported management end-points include: - Microsoft Intune (certificate-based enrollment) + - AirWatch (password-string based enrollment) + - MobileIron (password-string based enrollment) - - Other MDMs (cert-based enrollment) + + - Other MDMs (cert-based enrollment) - + -## Related articles +## Related articles - [How provisioning works in Windows client](provisioning-how-it-works.md) - [Install Windows Configuration Designer](provisioning-install-icd.md) diff --git a/windows/configuration/provisioning-packages/provisioning-powershell.md b/windows/configuration/provisioning-packages/provisioning-powershell.md index 074f0168f1..12f901538f 100644 --- a/windows/configuration/provisioning-packages/provisioning-powershell.md +++ b/windows/configuration/provisioning-packages/provisioning-powershell.md 
@@ -1,93 +1,88 @@ --- title: PowerShell cmdlets for provisioning Windows 10/11 (Windows 10/11) description: Learn more about the Windows PowerShell cmdlets that you can use with Provisioning packages on Windows10/11 client desktop devices. -ms.prod: windows-client -author: lizgt2000 -ms.author: lizlong -ms.topic: article -ms.localizationpriority: medium +ms.topic: article + ms.reviewer: gkomatsu -manager: aaroncz -ms.technology: itpro-configure ms.date: 12/31/2017 ---- +--- -# PowerShell cmdlets for provisioning Windows client (reference) +# PowerShell cmdlets for provisioning Windows client (reference) -**Applies to** +**Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 -Windows client includes Provisioning PowerShell cmdlets. These cmdlets make it easy to script the following functions. +Windows client includes Provisioning PowerShell cmdlets. These cmdlets make it easy to script the following functions. -## cmdlets +## cmdlets -- **Add-ProvisioningPackage**: Applies a provisioning package. +- **Add-ProvisioningPackage**: Applies a provisioning package. - Syntax: + Syntax: - - `Add-ProvisioningPackage [-Path] [-ForceInstall] [-LogsFolder ] [-QuietInstall] [-WprpFile ] []` + - `Add-ProvisioningPackage [-Path] [-ForceInstall] [-LogsFolder ] [-QuietInstall] [-WprpFile ] []` -- **Remove-ProvisioningPackage**: Removes a provisioning package. +- **Remove-ProvisioningPackage**: Removes a provisioning package. - Syntax: + Syntax: - `Remove-ProvisioningPackage -PackageId [-LogsFolder ] [-WprpFile ] []` - `Remove-ProvisioningPackage -Path [-LogsFolder ] [-WprpFile ] []` - - `Remove-ProvisioningPackage -AllInstalledPackages [-LogsFolder ] [-WprpFile ] []` + - `Remove-ProvisioningPackage -AllInstalledPackages [-LogsFolder ] [-WprpFile ] []` -- **Get-ProvisioningPackage**: Gets information about an installed provisioning package. +- **Get-ProvisioningPackage**: Gets information about an installed provisioning package. 
- Syntax: + Syntax: - `Get-ProvisioningPackage -PackageId [-LogsFolder ] [-WprpFile ] []` - `Get-ProvisioningPackage -Path [-LogsFolder ] [-WprpFile ] []` - - `Get-ProvisioningPackage -AllInstalledPackages [-LogsFolder ] [-WprpFile ] []` + - `Get-ProvisioningPackage -AllInstalledPackages [-LogsFolder ] [-WprpFile ] []` -- **Export-ProvisioningPackage**: Extracts the contents of a provisioning package. +- **Export-ProvisioningPackage**: Extracts the contents of a provisioning package. - Syntax: + Syntax: - `Export-ProvisioningPackage -PackageId -OutputFolder [-Overwrite] [-AnswerFileOnly] [-LogsFolder ] [-WprpFile ] []` - - `Export-ProvisioningPackage -Path -OutputFolder [-Overwrite] [-AnswerFileOnly] [-LogsFolder ] [-WprpFile ] []` + - `Export-ProvisioningPackage -Path -OutputFolder [-Overwrite] [-AnswerFileOnly] [-LogsFolder ] [-WprpFile ] []` -- **Install-TrustedProvisioningCertificate**: Adds a certificate to the Trusted Certificate store. +- **Install-TrustedProvisioningCertificate**: Adds a certificate to the Trusted Certificate store. - Syntax: + Syntax: - - `Install-TrustedProvisioningCertificate ` + - `Install-TrustedProvisioningCertificate ` -- **Get-TrustedProvisioningCertificate**: Lists all installed trusted provisioning certificates. Use this cmdlet to get the certificate thumbprint to use with the `Uninstall-TrustedProvisioningCertificate` cmdlet. +- **Get-TrustedProvisioningCertificate**: Lists all installed trusted provisioning certificates. Use this cmdlet to get the certificate thumbprint to use with the `Uninstall-TrustedProvisioningCertificate` cmdlet. - Syntax: + Syntax: - - `Get-TrustedProvisioningCertificate` + - `Get-TrustedProvisioningCertificate` -- **Uninstall-TrustedProvisioningCertificate**: Removes a previously installed provisioning certificate. +- **Uninstall-TrustedProvisioningCertificate**: Removes a previously installed provisioning certificate. 
- Syntax: + Syntax: - - `Uninstall-TrustedProvisioningCertificate ` + - `Uninstall-TrustedProvisioningCertificate ` >[!NOTE] -> You can use Get-Help to get usage help on any command. For example: `Get-Help Add-ProvisioningPackage` +> You can use Get-Help to get usage help on any command. For example: `Get-Help Add-ProvisioningPackage` -Trace logs are captured when using cmdlets. The following logs are available in the logs folder after the cmdlet completes: +Trace logs are captured when using cmdlets. The following logs are available in the logs folder after the cmdlet completes: - ProvTrace.<timestamp>.ETL - ETL trace file, unfiltered - ProvTrace.<timestamp>.XML - ETL trace file converted into raw trace events, unfiltered - ProvTrace.<timestamp>.TXT - TEXT file containing trace output formatted for easy reading, filtered to only show events logged by providers in the WPRP file -- ProvLogReport.<timestamp>.XLS - Excel file containing trace output, filtered to only show events logged by providers in WPRP file - +- ProvLogReport.<timestamp>.XLS - Excel file containing trace output, filtered to only show events logged by providers in WPRP file + >[!NOTE] ->When applying provisioning packages using Powershell cmdlets, the default behavior is to suppress the prompt that appears when applying an unsigned provisioning package. This is by design so that provisioning packages can be applied as part of existing scripts. +>When applying provisioning packages using Powershell cmdlets, the default behavior is to suppress the prompt that appears when applying an unsigned provisioning package. This is by design so that provisioning packages can be applied as part of existing scripts. -## Related articles +## Related articles - [How provisioning works in Windows client](provisioning-how-it-works.md) - [Install Windows Configuration Designer](provisioning-install-icd.md) 
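Review bot: The closing NOTE is re-committed unchanged and still tells readers only that the cmdlets suppress the prompt for an unsigned provisioning package, with no guidance on what a script author should do about it. This hunk already documents `Install-TrustedProvisioningCertificate` and `Get-TrustedProvisioningCertificate`, so suggest adding a sentence that points to them and recommends that scripted installs apply only packages whose origin has been verified. While the line is being touched, `Powershell` should be `PowerShell`. The front matter also drops `author` and `ms.author` without replacement and leaves a blank line after `ms.topic: article`; please confirm both are intended.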
@@ -97,5 +92,5 @@ Trace logs are captured when using cmdlets. The following logs are available in - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) +- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md index e766825729..55921ffd19 100644 --- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md +++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md 
@@ -1,136 +1,155 @@ --- title: Use a script to install a desktop app in provisioning packages (Windows 10/11) -description: With Windows 10/11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. -ms.prod: windows-client -author: lizgt2000 -ms.author: lizlong -ms.topic: article -ms.localizationpriority: medium +description: With Windows 10/11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. +ms.topic: article + ms.reviewer: gkomatsu -manager: aaroncz -ms.technology: itpro-configure ms.date: 12/31/2017 ---- +--- -# Use a script to install a desktop app in provisioning packages +# Use a script to install a desktop app in provisioning packages -**Applies to** +**Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 -This walkthrough describes how to include scripts in a Windows client provisioning package to install Win32 applications. Scripted operations other than installing apps can also be performed. However, some care is needed to avoid unintended behavior during script execution (see [Remarks](#remarks) below). +This walkthrough describes how to include scripts in a Windows client provisioning package to install Win32 applications. Scripted operations other than installing apps can also be performed. However, some care is needed to avoid unintended behavior during script execution (see [Remarks](#remarks) below). -## Assemble the application assets +## Assemble the application assets -1. On the device where you’re authoring the package, place all of your assets in a known location. Each asset must have a unique filename, because all files will be copied to the same temp directory on the device. It’s common for many apps to have an installer called ‘install.exe’ or similar, and there may be name overlap because of that. 
To fix this, you can use the technique described in the next step to include a complete directory structure that is then expanded into the temp directory on the device. The most common use for this would be to include a subdirectory for each application. +1. On the device where you’re authoring the package, place all of your assets in a known location. Each asset must have a unique filename, because all files will be copied to the same temp directory on the device. It’s common for many apps to have an installer called ‘install.exe’ or similar, and there may be name overlap because of that. To fix this, you can use the technique described in the next step to include a complete directory structure that is then expanded into the temp directory on the device. The most common use for this would be to include a subdirectory for each application. -2. If you need to include a directory structure of files, you will need to cab the assets for easy inclusion in the provisioning packages. +2. If you need to include a directory structure of files, you will need to cab the assets for easy inclusion in the provisioning packages. -## Cab the application assets +## Cab the application assets -1. Create a `.DDF` file as below, replacing *file1* and *file2* with the files you want to package, and adding the name of file/directory. +1. Create a `.DDF` file as below, replacing *file1* and *file2* with the files you want to package, and adding the name of file/directory. 
```ddf ;*** MSDN Sample Source Code MakeCAB Directive file example + ; + .OPTION EXPLICIT ; Generate errors on variable typos + .set DiskDirectoryTemplate=CDROM ; All cabinets go in a single directory + .Set MaxDiskFileCount=1000; Limit file count per cabinet, so that + ; scanning is not too slow + .Set FolderSizeThreshold=200000 ; Aim for ~200K per folder + .Set CompressionType=MSZIP + ;** All files are compressed in cabinet files + .Set Cabinet=on + .Set Compress=on + ;------------------------------------------------------------------- + ;** CabinetNameTemplate = name of cab + ;** DiskDirectory1 = output directory where cab will be created + ;------------------------------------------------------------------- + .Set CabinetNameTemplate=tt.cab + .Set DiskDirectory1=. + ;------------------------------------------------------------------- + ; Replace with actual files you want to package + ;------------------------------------------------------------------- + + - ;*** - ``` -2. Use makecab to create the cab files. + ;*** + + ``` + +2. Use makecab to create the cab files. ```makecab Makecab -f - ``` + ``` -## Create the script to install the application +## Create the script to install the application -Create a script to perform whatever work is needed to install the application(s). The following examples are provided to help get started authoring the orchestrator script that will execute the required installers. In practice, the orchestrator script may reference many more assets than those in these examples. +Create a script to perform whatever work is needed to install the application(s). The following examples are provided to help get started authoring the orchestrator script that will execute the required installers. In practice, the orchestrator script may reference many more assets than those in these examples. -You don’t need to create an orchestrator script. You can have one command line per app. 
If necessary, you can create a script that logs the output per app, as mentioned below (rather than one orchestrator script for the entire provisioning package). +You don’t need to create an orchestrator script. You can have one command line per app. If necessary, you can create a script that logs the output per app, as mentioned below (rather than one orchestrator script for the entire provisioning package). >[!NOTE] >All actions performed by the script must happen silently, showing no UI and requiring no user interaction. > ->The scripts will be run on the device in system context. +>The scripts will be run on the device in system context. -### Debugging example +### Debugging example -Granular logging is not built in, so the logging must be built into the script itself. Here is an example script that logs ‘Hello World’ to a logfile. When run on the device, the logfile will be available after provisioning is completed. As you will see in the following examples, it’s recommended that you log each action that your script performs. +Granular logging is not built in, so the logging must be built into the script itself. Here is an example script that logs ‘Hello World’ to a logfile. When run on the device, the logfile will be available after provisioning is completed. As you will see in the following examples, it’s recommended that you log each action that your script performs. ```log set LOGFILE=%SystemDrive%\HelloWorld.log echo Hello, World >> %LOGFILE% -``` -### .exe example +``` -This example script shows how to create a log output file on the system drive, install an app from an `.exe` installer, and echo the results to the log file. +### .exe example + +This example script shows how to create a log output file on the system drive, install an app from an `.exe` installer, and echo the results to the log file. 
```exe set LOGFILE=%SystemDrive%\Fiddler_install.log echo Installing Fiddler.exe >> %LOGFILE% fiddler4setup.exe /S >> %LOGFILE% echo result: %ERRORLEVEL% >> %LOGFILE% -``` +``` -### .msi example +### .msi example -This is the same as the previous installer, but installs the app from an MSI installer. Notice that msiexec is called with the /quiet flag in order to meet the silent requirement of scripts run from within a provisioning package. +This is the same as the previous installer, but installs the app from an MSI installer. Notice that msiexec is called with the /quiet flag in order to meet the silent requirement of scripts run from within a provisioning package. ```msi set LOGFILE=%SystemDrive%\IPOverUsb_install.log echo Installing IpOverUsbInstaller.msi >> %LOGFILE% msiexec /i IpOverUsbInstaller.msi /quiet >> %LOGFILE% echo result: %ERRORLEVEL% >> %LOGFILE% -``` +``` -### PowerShell example +### PowerShell example -This is an example script with logging that shows how to run a PowerShell script from the provisioning commands setting. The PowerShell script referenced from this example must also be included in the package, and obey the same requirements as all scripts run from within the provisioning package: it must execute silently, with no user interaction. +This is an example script with logging that shows how to run a PowerShell script from the provisioning commands setting. The PowerShell script referenced from this example must also be included in the package, and obey the same requirements as all scripts run from within the provisioning package: it must execute silently, with no user interaction. ```powershell set LOGFILE=%SystemDrive%\my_powershell_script.log 
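Review bot: The code fences in this hunk carry tags that are not languages (`log`, `exe`, `msi`), and the last fence opened here is tagged `powershell` although its first line, `set LOGFILE=%SystemDrive%\my_powershell_script.log`, is batch. All four samples are batch scripts, so suggest tagging them `bat`, as the later `cmd /c InstallMyApp.bat` sample in this file already does, so they highlight correctly and readers are not led to save the last one as a `.ps1`.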
@@ -138,13 +157,13 @@ echo Running my_powershell_script.ps1 in system context >> %LOGFILE% echo Executing "PsExec.exe -accepteula -i -s cmd.exe /c powershell.exe my_powershell_script.ps1" >> %LOGFILE% PsExec.exe -accepteula -i -s cmd.exe /c 'powershell.exe my_powershell_script.ps1' >> %LOGFILE% echo result: %ERRORLEVEL% >> %LOGFILE% -``` +``` - + -### Extract from a .CAB example +### Extract from a .CAB example -This example script shows expansion of a .cab from the provisioning commands script, and installation of the expanded setup.exe +This example script shows expansion of a .cab from the provisioning commands script, and installation of the expanded setup.exe ```cab set LOGFILE=%SystemDrive%\install_my_app.log 
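Review bot: The `echo Executing ...` line logs the PsExec command with double quotes around `powershell.exe my_powershell_script.ps1`, but the command that actually runs on the next line wraps it in single quotes, which cmd.exe does not treat as quoting characters. The log therefore does not record what was executed, and the two forms will not behave the same; suggest double quotes in both lines. PsExec's `-i` switch also requests an interactive session, which sits oddly with a script the page requires to run with no user interaction; consider dropping it or explaining why it is needed.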
@@ -154,49 +173,50 @@ echo result: %ERRORLEVEL% >> %LOGFILE% echo Installing MyApp >> %LOGFILE% setup.exe >> %LOGFILE% echo result: %ERRORLEVEL% >> %LOGFILE% -``` +``` -### Calling multiple scripts in the package +### Calling multiple scripts in the package -Your provisioning package can include multiple **CommandFiles**. +Your provisioning package can include multiple **CommandFiles**. -You are allowed one **CommandLine** per provisioning package. The batch files shown above are orchestrator scripts that manage the installation and call any other scripts included in the provisioning package. The orchestrator script is what should be invoked from the **CommandLine** specified in the package. - -Here’s a table describing this relationship, using the PowerShell example from above: +You are allowed one **CommandLine** per provisioning package. The batch files shown above are orchestrator scripts that manage the installation and call any other scripts included in the provisioning package. The orchestrator script is what should be invoked from the **CommandLine** specified in the package. +Here’s a table describing this relationship, using the PowerShell example from above: + |ICD Setting | Value | Description | | --- | --- | --- | | ProvisioningCommands/DeviceContext/CommandLine | cmd /c PowerShell_Example.bat | The command line needed to invoke the orchestrator script. | | ProvisioningCommands/DeviceContext/CommandFiles | PowerShell_Example.bat | The single orchestrator script referenced by the command line that handles calling into the required installers or performing any other actions such as expanding cab files. This script must do the required logging. | -| ProvisioningCommands/DeviceContext/CommandFiles | my_powershell_script.ps1 | Other assets referenced by the orchestrator script. In this example, there is only one, but there could be many assets referenced here. 
One common use case is using the orchestrator to call a series of install.exe or setup.exe installers to install several applications. Each of those installers must be included as an asset here. | +| ProvisioningCommands/DeviceContext/CommandFiles | my_powershell_script.ps1 | Other assets referenced by the orchestrator script. In this example, there is only one, but there could be many assets referenced here. One common use case is using the orchestrator to call a series of install.exe or setup.exe installers to install several applications. Each of those installers must be included as an asset here. | -### Add script to provisioning package +### Add script to provisioning package -When you have the batch file written and the referenced assets ready to include, you can add them to a provisioning package in the Windows Configuration Designer. +When you have the batch file written and the referenced assets ready to include, you can add them to a provisioning package in the Windows Configuration Designer. -Using Windows Configuration Designer, specify the full details of how the script should be run in the CommandLine setting in the provisioning package. This includes flags or any other parameters that you would normally type on the command line. So for example if the package contained an app installer called install.exe and a script used to automate the install called InstallMyApp.bat, the `ProvisioningCommands/DeviceContext/CommandLine` setting should be configured to: +Using Windows Configuration Designer, specify the full details of how the script should be run in the CommandLine setting in the provisioning package. This includes flags or any other parameters that you would normally type on the command line. 
So for example if the package contained an app installer called install.exe and a script used to automate the install called InstallMyApp.bat, the `ProvisioningCommands/DeviceContext/CommandLine` setting should be configured to: ```bat cmd /c InstallMyApp.bat -``` +``` -In Windows Configuration Designer, this looks like: +In Windows Configuration Designer, this looks like: -![Command line in Selected customizations.](../images/icd-script1.png) +![Command line in Selected customizations.](../images/icd-script1.png) -You also need to add the relevant assets for that command line including the orchestrator script and any other assets it references such as installers or .cab files. +You also need to add the relevant assets for that command line including the orchestrator script and any other assets it references such as installers or .cab files. -In Windows Configuration Designer, that is done by adding files under the `ProvisioningCommands/DeviceContext/CommandFiles` setting. +In Windows Configuration Designer, that is done by adding files under the `ProvisioningCommands/DeviceContext/CommandFiles` setting. -![Command files in Selected customizations.](../images/icd-script2.png) +![Command files in Selected customizations.](../images/icd-script2.png) When you are done, [build the package](provisioning-create-package.md#build-package). - + + -### Remarks +### Remarks 1. No user interaction or console output is supported via ProvisioningCommands. All work needs to be silent. If your script attempts to do any of the following it will cause undefined behavior, and could put the device in an unrecoverable state if executed during setup or the Out of Box Experience: a. Echo to console 
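Review bot: The Remarks list at the end of this hunk says that echoing to the console causes undefined behavior, yet the sample at the top of the hunk redirects only standard output (`setup.exe >> %LOGFILE%`), so anything an installer writes to standard error is not captured in the log and is not kept away from the console. Suggest `>> %LOGFILE% 2>&1` in the samples. The CommandFiles table also lists only `PowerShell_Example.bat` and `my_powershell_script.ps1`, although the PowerShell example it refers to invokes `PsExec.exe`; if that binary has to ship in the package, add a row for it.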
@@ -204,22 +224,23 @@ When you are done, [build the package](provisioning-create-package.md#build-pack c. Prompt the user with a dialog or install wizard 2. When applied at first boot, provisioning runs early in the boot sequence and before a user context has been established; care must be taken to only include installers that can run at this time. Other installers can be provisioned via a management tool. 3. If the device is put into an unrecoverable state because of a bad script, you can reset it using [recovery options in Windows client](https://support.microsoft.com/help/12415/windows-10-recovery-options). -4. The CommandFile assets are deployed on the device to a temporary folder unique to each package. +4. The CommandFile assets are deployed on the device to a temporary folder unique to each package. - 1. For packages added during the out of box experience, this is usually in `%WINDIR%\system32\config\systemprofile\appdata\local\Temp\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands\0` + 1. For packages added during the out of box experience, this is usually in `%WINDIR%\system32\config\systemprofile\appdata\local\Temp\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands\0` - The `0` after `Commands\` refers to the installation order and indicates the first app to be installed. The number will increment for each app in the package. + The `0` after `Commands\` refers to the installation order and indicates the first app to be installed. The number will increment for each app in the package. - 2. For packages added by double-clicking on an already deployed device, this will be in the temp folder for the user executing the provisioning package: `%TMP%\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands\0` + 2. For packages added by double-clicking on an already deployed device, this will be in the temp folder for the user executing the provisioning package: `%TMP%\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands\0` 5. 
The command line will be executed with the directory the CommandFiles were deployed to as the working directory. This means you do not need to specific the full path to assets in the command line or from within any script. -6. The runtime provisioning component will attempt to run the scripts from the provisioning package at the earliest point possible, depending on the stage when the PPKG was added. For example, if the package was added during the Out-of-Box Experience, it will be run immediately after the package is applied, while the out of box experience is still happening. This is before the user account configuration options are presented to the user. A spinning progress dialog will appear and “please wait” will be displayed on the screen. +6. The runtime provisioning component will attempt to run the scripts from the provisioning package at the earliest point possible, depending on the stage when the PPKG was added. For example, if the package was added during the Out-of-Box Experience, it will be run immediately after the package is applied, while the out of box experience is still happening. This is before the user account configuration options are presented to the user. A spinning progress dialog will appear and “please wait” will be displayed on the screen. >[!NOTE] >There is a timeout of 30 minutes for the provisioning process at this point. All scripts and installs need to complete within this time. -7. The scripts are executed in the background as the rest of provisioning continues to run. For packages added on existing systems using the double-click to install, there is no notification that provisioning or script execution has completed -## Related articles +7. The scripts are executed in the background as the rest of provisioning continues to run. 
For packages added on existing systems using the double-click to install, there is no notification that provisioning or script execution has completed + +## Related articles - [Provisioning packages for Windows client](provisioning-packages.md) - [How provisioning works in Windows client](provisioning-how-it-works.md) @@ -230,6 +251,6 @@ When you are done, [build the package](provisioning-create-package.md#build-pack - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) +- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) diff --git a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md index 1ae2f42140..30810671b9 100644 --- a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md +++ b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md 
@@ -1,37 +1,32 @@ --- title: Uninstall a provisioning package - reverted settings (Windows 10/11) description: This article lists the settings that are reverted when you uninstall a provisioning package on Windows 10/11 desktop client devices. -ms.prod: windows-client -author: lizgt2000 -ms.author: lizlong -ms.topic: article -ms.localizationpriority: medium +ms.topic: article + ms.reviewer: gkomatsu -manager: aaroncz -ms.technology: itpro-configure ms.date: 12/31/2017 ---- +--- -# Settings changed when you uninstall a provisioning package +# Settings changed when you uninstall a provisioning package -**Applies to** +**Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +- Windows 11 -When you uninstall a provisioning package, only certain settings are revertible. This article lists the settings that are reverted when you uninstall a provisioning package. +When you uninstall a provisioning package, only certain settings are revertible. This article lists the settings that are reverted when you uninstall a provisioning package. -As an administrator, you can uninstall by using the **Add or remove a package for work or school** option available under **Settings** > **Accounts** > **Access work or school**. +As an administrator, you can uninstall by using the **Add or remove a package for work or school** option available under **Settings** > **Accounts** > **Access work or school**. -When a provisioning package is uninstalled, some of its settings are reverted, which means the value for the setting is changed to the next available or default value. Not all settings, however, are revertible. +When a provisioning package is uninstalled, some of its settings are reverted, which means the value for the setting is changed to the next available or default value. Not all settings, however, are revertible. -Only settings in the following lists are revertible. +Only settings in the following lists are revertible. 
-## Registry-based settings +## Registry-based settings -The registry-based settings that are revertible when a provisioning package is uninstalled all fall under these categories, which you can find in the Windows Configuration Designer. +The registry-based settings that are revertible when a provisioning package is uninstalled all fall under these categories, which you can find in the Windows Configuration Designer. - [Wi-Fi Sense](../wcd/wcd-connectivityprofiles.md#wifisense) 
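Review bot: In the front matter of provisioning-uninstall-package.md, `author`, `ms.author` and `manager` are removed together with `ms.prod` and `ms.technology`, which leaves `ms.reviewer: gkomatsu` as the only ownership field, and `ms.date` stays at 12/31/2017 although the file is being edited. If those values are now inherited from shared metadata elsewhere in the repo, say so in the commit message; otherwise keep `author`/`ms.author` and update `ms.date`. The other removed/added pairs in this hunk read identically as shown, so they look like whitespace or line-ending normalisation; splitting that into its own commit would make the metadata change reviewable on its own.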
@@ -40,43 +35,67 @@ The registry-based settings that are revertible when a provisioning package is u - UniversalAppInstall / LaunchAppAtLogin - [Power](/previous-versions//dn953704(v=vs.85)) - [TabletMode](../wcd/wcd-tabletmode.md) + - [Maps](../wcd/wcd-maps.md) + - [Browser](../wcd/wcd-browser.md) - [DeviceFormFactor](../wcd/wcd-deviceformfactor.md) + - [USBErrorsOEMOverride](/previous-versions/windows/hardware/previsioning-framework/mt769908(v=vs.85)) -- [WeakCharger](../wcd/wcd-weakcharger.md) +- [WeakCharger](../wcd/wcd-weakcharger.md) + -## CSP-based settings +## CSP-based settings -Here is the list of revertible settings based on configuration service providers (CSPs). +Here is the list of revertible settings based on configuration service providers (CSPs). [ActiveSync CSP](/windows/client-management/mdm/activesync-csp) + [AppLocker CSP](/windows/client-management/mdm/applocker-csp) + [BrowserFavorite CSP](/windows/client-management/mdm/browserfavorite-csp) + [CertificateStore CSP](/windows/client-management/mdm/certificatestore-csp) + [ClientCertificateInstall CSP](/windows/client-management/mdm/clientcertificateinstall-csp) + [RootCATrustedCertificates CSP](/windows/client-management/mdm/rootcacertificates-csp) + [CM_CellularEntries CSP](/windows/client-management/mdm/cm-cellularentries-csp) + [CM_ProxyEntries CSP](/windows/client-management/mdm/cm-proxyentries-csp) + [CMPolicy CSP](/windows/client-management/mdm/cmpolicy-csp) + [CMPolicyEnterprise CSP](/windows/client-management/mdm/cmpolicyenterprise-csp) + [EMAIL2 CSP](/windows/client-management/mdm/email2-csp) + [EnterpriseAPN CSP](/windows/client-management/mdm/enterpriseapn-csp) + [EnterpriseDesktopAppManagement CSP](/windows/client-management/mdm/enterprisedesktopappmanagement-csp) + [EnterpriseModernAppManagement CSP](/windows/client-management/mdm/enterprisemodernappmanagement-csp) + [NAP CSP](/windows/client-management/mdm/nap-csp) + [PassportForWork 
CSP](/windows/client-management/mdm/passportforwork-csp) + [Provisioning CSP](/windows/client-management/mdm/provisioning-csp) + [SecureAssessment CSP](/windows/client-management/mdm/secureassessment-csp) + [VPN CSP](/windows/client-management/mdm/vpn-csp) + [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) -[WiFi CSP](/windows/client-management/mdm/wifi-csp) +[WiFi CSP](/windows/client-management/mdm/wifi-csp) + -## Related articles +## Related articles - [Provisioning packages for Windows client](provisioning-packages.md) - [How provisioning works in Windows client](provisioning-how-it-works.md) diff --git a/windows/configuration/screenshot1.png b/windows/configuration/screenshot1.png deleted file mode 100644 index ed62740e92..0000000000 Binary files a/windows/configuration/screenshot1.png and /dev/null differ diff --git a/windows/configuration/images/shared-pc-intune.png b/windows/configuration/shared-pc/images/shared-pc-intune.png similarity index 100% rename from windows/configuration/images/shared-pc-intune.png rename to windows/configuration/shared-pc/images/shared-pc-intune.png diff --git a/windows/configuration/images/shared-pc-wcd.png b/windows/configuration/shared-pc/images/shared-pc-wcd.png similarity index 100% rename from windows/configuration/images/shared-pc-wcd.png rename to windows/configuration/shared-pc/images/shared-pc-wcd.png diff --git a/windows/configuration/images/sharedpc-guest-win11.png b/windows/configuration/shared-pc/images/sharedpc-guest-win11.png similarity index 100% rename from windows/configuration/images/sharedpc-guest-win11.png rename to windows/configuration/shared-pc/images/sharedpc-guest-win11.png diff --git a/windows/configuration/images/sharedpc-kiosk-win11se.png b/windows/configuration/shared-pc/images/sharedpc-kiosk-win11se.png similarity index 100% rename from windows/configuration/images/sharedpc-kiosk-win11se.png rename to windows/configuration/shared-pc/images/sharedpc-kiosk-win11se.png 
diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/shared-pc/set-up-shared-or-guest-pc.md similarity index 88% rename from windows/configuration/set-up-shared-or-guest-pc.md rename to windows/configuration/shared-pc/set-up-shared-or-guest-pc.md index 37d205a15f..d2c272d271 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/shared-pc/set-up-shared-or-guest-pc.md @@ -2,63 +2,62 @@ title: Set up a shared or guest Windows device description: Description of how to configured Shared PC mode, which is a Windows feature that optimizes devices for shared use scenarios. ms.date: 11/08/2023 -ms.prod: windows-client -ms.technology: itpro-configure ms.topic: how-to author: paolomatarazzo ms.author: paoloma appliesto: + - ✅ Windows 10 - ✅ Windows 11 - ✅ Windows 11 SE ---- +--- -# Set up a shared or guest Windows device +# Set up a shared or guest Windows device -**Shared PC** offers options to facilitate the management and optimization of shared devices. The customizations offered by Shared PC are listed in the following table. +**Shared PC** offers options to facilitate the management and optimization of shared devices. The customizations offered by Shared PC are listed in the following table. | Area Name | Setting name and description| |---|---| |Shared PC mode | **EnableSharedPCMode** or **EnableSharedPCModeWithOneDriveSync**: when enabled, **Shared PC mode** is turned on and different settings are configured in the local group policy object (LGPO). For a detailed list of settings enabled by Shared PC Mode in the LGPO, see the [Shared PC technical reference](shared-pc-technical.md#enablesharedpcmode-and-enablesharedpcmodewithonedrivesync).

    • This setting controls the API: [IsEnabled][UWP-1]
    | | Account management | **EnableAccountManager**: when enabled, automatic account management is turned on. The following settings define the behavior of *account manager*:
    • **DeletionPolicy**
    • **DiskLevelDeletion**
    • **DiskLevelCaching**
    • **InactiveThreshold**
    For more information, see the [Shared PC CSP documentation][WIN-3].

    **AccountModel**: this option controls which types of users can sign-in to the device, and can be used to enable the Guest and Kiosk accounts. For more information, see the [Shared PC CSP documentation][WIN-3].

    **KioskModeAUMID**: configures an application (referred as Application User Model ID - AUMID) to automatically execute when the kiosk account is used to sign in. A new account will be created and will use assigned access to only run the app specified by the AUMID. [Find the Application User Model ID of an installed app][WIN-7].

    **KioskModeUserTileDisplayText**: sets the display text on the kiosk account if **KioskModeAUMID** has been set.| -| Advanced customizations | **SetEduPolicies**: when enabled, specific settings designed for education devices are configured in the LGPO. For a detailed list of settings enabled by SetEduPolicies in the LGPO, see [Shared PC technical reference](shared-pc-technical.md#setedupolicy).
    • This setting controls the API: [IsEducationEnvironment][UWP-2]
    **SetPowerPolicies**: when enabled, different power settings optimized for shared devices are configured in the LGPO. For a detailed list of settings enabled by SetPowerPolicies in the LGPO, see [Shared PC technical reference](shared-pc-technical.md#setpowerpolicies).

    **SleepTimeout**: specifies all timeouts for when the PC should sleep.

    **SignInOnResume**: if enabled, specifies if the user is required to sign in with a password when the PC wakes from sleep.

    **MaintenanceStartTime**: by default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update or Search indexing) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For a detailed list of settings enabled by MaintenanceStartTime, see [Shared PC technical reference](shared-pc-technical.md#maintenancestarttime).

    **MaxPageFileSizeMB**: adjusts the maximum page file size in MB. This can be used to fine-tune page file behavior, especially on low end PCs.

    **RestrictLocalStorage**: when enabled, users are prevented from saving or viewing local storage while using File Explorer.
    • This setting controls the API: [ShouldAvoidLocalStorage][UWP-3]
    | +| Advanced customizations | **SetEduPolicies**: when enabled, specific settings designed for education devices are configured in the LGPO. For a detailed list of settings enabled by SetEduPolicies in the LGPO, see [Shared PC technical reference](shared-pc-technical.md#setedupolicy).
    • This setting controls the API: [IsEducationEnvironment][UWP-2]
    **SetPowerPolicies**: when enabled, different power settings optimized for shared devices are configured in the LGPO. For a detailed list of settings enabled by SetPowerPolicies in the LGPO, see [Shared PC technical reference](shared-pc-technical.md#setpowerpolicies).

    **SleepTimeout**: specifies all timeouts for when the PC should sleep.

    **SignInOnResume**: if enabled, specifies if the user is required to sign in with a password when the PC wakes from sleep.

    **MaintenanceStartTime**: by default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update or Search indexing) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For a detailed list of settings enabled by MaintenanceStartTime, see [Shared PC technical reference](shared-pc-technical.md#maintenancestarttime).

    **MaxPageFileSizeMB**: adjusts the maximum page file size in MB. This can be used to fine-tune page file behavior, especially on low end PCs.

    **RestrictLocalStorage**: when enabled, users are prevented from saving or viewing local storage while using File Explorer.
    • This setting controls the API: [ShouldAvoidLocalStorage][UWP-3]
    | -## Configure Shared PC +## Configure Shared PC -Shared PC can be configured using the following methods: +Shared PC can be configured using the following methods: - Microsoft Intune/MDM - Provisioning package (PPKG) -- PowerShell script +- PowerShell script -Follow the instructions below to configure your devices, selecting the option that best suits your needs. +Follow the instructions below to configure your devices, selecting the option that best suits your needs. -#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) +#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) -To configure devices using Microsoft Intune, [create a **Settings catalog** policy][MEM-2], and use the settings listed under the category **`Shared PC`**: +To configure devices using Microsoft Intune, [create a **Settings catalog** policy][MEM-2], and use the settings listed under the category **`Shared PC`**: -:::image type="content" source="./images/shared-pc-intune.png" alt-text="Screenshot that shows the Shared PC policies in the Intune settings catalog." lightbox="./images/shared-pc-intune.png" border="True"::: +:::image type="content" source="./images/shared-pc-intune.png" alt-text="Screenshot that shows the Shared PC policies in the Intune settings catalog." lightbox="./images/shared-pc-intune.png" border="True"::: -Assign the policy to a security group that contains as members the devices or users that you want to configure. +Assign the policy to a security group that contains as members the devices or users that you want to configure. -Alternatively, you can configure devices using a [custom policy][MEM-1] with the [SharedPC CSP][WIN-3]. +Alternatively, you can configure devices using a [custom policy][MEM-1] with the [SharedPC CSP][WIN-3]. 
-#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) +#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) -To configure devices using a provisioning package, [create a provisioning package][WIN-1] using WCD, and use the settings listed under the category **`SharedPC`**: +To configure devices using a provisioning package, [create a provisioning package][WIN-1] using WCD, and use the settings listed under the category **`SharedPC`**: -:::image type="content" source="./images/shared-pc-wcd.png" alt-text="Screenshot that shows the Shared PC policies in WCD." lightbox="./images/shared-pc-wcd.png" border="False"::: +:::image type="content" source="./images/shared-pc-wcd.png" alt-text="Screenshot that shows the Shared PC policies in WCD." lightbox="./images/shared-pc-wcd.png" border="False"::: -For a list and description of CSP settings exposed in Windows Configuration Designer, see the [SharedPC WCD reference][WIN-4]. +For a list and description of CSP settings exposed in Windows Configuration Designer, see the [SharedPC WCD reference][WIN-4]. -Follow the steps in [Apply a provisioning package][WIN-2] to apply the package that you created. +Follow the steps in [Apply a provisioning package][WIN-2] to apply the package that you created. -#### [:::image type="icon" source="images/icons/powershell.svg"::: **PowerShell**](#tab/powershell) +#### [:::image type="icon" source="images/icons/powershell.svg"::: **PowerShell**](#tab/powershell) -To configure devices using a PowerShell script, you can use the [MDM Bridge WMI Provider][WIN-6]. +To configure devices using a PowerShell script, you can use the [MDM Bridge WMI Provider][WIN-6]. > [!TIP] -> PowerShell scripts can be executed as scheduled tasks via Group Policy. +> PowerShell scripts can be executed as scheduled tasks via Group Policy. 
> [!IMPORTANT] > For all device settings, the WMI Bridge client must be executed as SYSTEM (LocalSystem) account. @@ -66,7 +65,7 @@ To configure devices using a PowerShell script, you can use the [MDM Bridge WMI > To test a PowerShell script, you can: > 1. [Download the psexec tool](/sysinternals/downloads/psexec) > 1. Open an elevated command prompt and run: `psexec.exe -i -s powershell.exe` -> 1. Run the script in the PowerShell session +> 1. Run the script in the PowerShell session Edit the following sample PowerShell script to customize the settings that you want to configure: ```powershell 
@@ -93,45 +92,47 @@ $cimObject.KioskModeAUMID = "" $cimObject.KioskModeUserTileDisplayText = "" $cimObject.InactiveThreshold = 0 Set-CimInstance -CimInstance $cimObject -``` +``` -For more information, see [Using PowerShell scripting with the WMI Bridge Provider][WIN-5]. +For more information, see [Using PowerShell scripting with the WMI Bridge Provider][WIN-5]. ---- +--- -## Guidance for accounts on shared PCs +## Guidance for accounts on shared PCs -- When a device is configured in *shared PC mode* with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Microsoft Entra ID and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign out. +- When a device is configured in *shared PC mode* with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Microsoft Entra ID and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign out. -- Local accounts that already exist on a PC won't be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new guest accounts created by the **Guest** and **Kiosk** options on the sign-in screen (if enabled) will automatically be deleted at sign out. 
To set a general policy on all local accounts, you can configure the following local Group Policy setting: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles**: **Delete User Profiles Older Than A Specified Number Of Days On System Restart**. +- Local accounts that already exist on a PC won't be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new guest accounts created by the **Guest** and **Kiosk** options on the sign-in screen (if enabled) will automatically be deleted at sign out. To set a general policy on all local accounts, you can configure the following local Group Policy setting: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles**: **Delete User Profiles Older Than A Specified Number Of Days On System Restart**. -- The account management service supports accounts that are exempt from deletion. An account can be marked exempt from deletion by adding the account SID to the registry key: `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\`. To add the account SID to the registry key using PowerShell, use the following example as a reference: +- The account management service supports accounts that are exempt from deletion. An account can be marked exempt from deletion by adding the account SID to the registry key: `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\`. 
To add the account SID to the registry key using PowerShell, use the following example as a reference: ```powershell $adminName = "LocalAdmin" $adminPass = 'Pa$$word123' invoke-expression "net user /add $adminName $adminPass" $user = New-Object System.Security.Principal.NTAccount($adminName) + $sid = $user.Translate([System.Security.Principal.SecurityIdentifier]) + $sid = $sid.Value; New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force - ``` + ``` -## Troubleshooting Shared PC +## Troubleshooting Shared PC To troubleshoot Shared PC, you can use the following tools: - Check the log `C:\Windows\SharedPCSetup.log` - Check the registry keys under `HKLM\Software\Microsoft\Windows\CurrentVersion\SharedPC` - `AccountManagement` key contains settings on how profiles are managed - - `NodeValues` contains what values are set for the features managed by Shared PC + - `NodeValues` contains what values are set for the features managed by Shared PC -## Technical reference +## Technical reference - For a list of settings configured by the different options offered by Shared PC mode, see the [Shared PC technical reference](shared-pc-technical.md). - For a list of settings exposed by the SharedPC configuration service provider, see [SharedPC CSP][WIN-3]. -- For a list of settings exposed by Windows Configuration Designer, see [SharedPC CSP][WIN-4]. +- For a list of settings exposed by Windows Configuration Designer, see [SharedPC CSP][WIN-4]. ------------ +----------- [WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package [WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package 
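Review bot: The exemption bullet is touched here but still documents the key as `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\`, while the sample right below it writes to `HKLM:\Software\...`; fix the prose to `SOFTWARE`, since an admin who creates the key by hand from the prose path will not get the exemption. In the same sample, `$adminPass = 'Pa$$word123'` is a literal password that readers will copy, and it is interpolated into a string passed to `invoke-expression`, which parses it again as PowerShell, so characters such as `$` are interpreted rather than passed through; suggest a placeholder value and creating the account without `Invoke-Expression` (for example `New-LocalUser` with a `SecureString`). Further down, the last Technical reference bullet still labels the Windows Configuration Designer link as `[SharedPC CSP][WIN-4]`, the same text as the CSP bullet above it; the PPKG tab in this file already calls that target the "SharedPC WCD reference".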
@@ -139,10 +140,10 @@ To troubleshoot Shared PC, you can use the following tools: [WIN-4]: /windows/configuration/wcd/wcd-sharedpc [WIN-5]: /windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider [WIN-6]: /windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal -[WIN-7]: /previous-versions/windows/embedded/dn449300(v=winembedded.82) +[WIN-7]: /previous-versions/windows/embedded/dn449300(v=winembedded.82) [MEM-1]: /mem/intune/configuration/custom-settings-windows-10 -[MEM-2]: /mem/intune/configuration/settings-catalog +[MEM-2]: /mem/intune/configuration/settings-catalog [UWP-1]: /uwp/api/windows.system.profile.sharedmodesettings [UWP-2]: /uwp/api/windows.system.profile.educationsettings diff --git a/windows/configuration/shared-devices-concepts.md b/windows/configuration/shared-pc/shared-devices-concepts.md similarity index 83% rename from windows/configuration/shared-devices-concepts.md rename to windows/configuration/shared-pc/shared-devices-concepts.md index 2fdab61b30..37192c9596 100644 --- a/windows/configuration/shared-devices-concepts.md +++ b/windows/configuration/shared-pc/shared-devices-concepts.md 
@@ -6,61 +6,62 @@ ms.topic: concept-article author: paolomatarazzo ms.author: paoloma appliesto: + - ✅ Windows 10 - ✅ Windows 11 - ✅ Windows 11 SE ---- +--- -# Manage multi-user and guest Windows devices with Shared PC +# Manage multi-user and guest Windows devices with Shared PC Windows allows multiple users to sign in and use the same device, which is useful in scenarios like touchdown spaces in an enterprise, temporary customer use in retail or shared devices in a school. -As more users access the same device, more resources on the devices are used. This can lead to performance issues and a degraded user experience. +As more users access the same device, more resources on the devices are used. This can lead to performance issues and a degraded user experience. -To optimize multi-user and guest devices, Windows provides options through a feature called *Shared PC*. These settings are designed to improve the experience for all users on the device, and to reduce the administrative overhead caused by the maintenance of multiple user profiles. +To optimize multi-user and guest devices, Windows provides options through a feature called *Shared PC*. These settings are designed to improve the experience for all users on the device, and to reduce the administrative overhead caused by the maintenance of multiple user profiles. -This article describes the different options available in Shared PC. +This article describes the different options available in Shared PC. -## Shared PC mode +## Shared PC mode -A Windows device enabled for *Shared PC mode* is designed to be maintenance-free with high reliability. Devices configured in Shared PC mode have different settings designed to improve the experience for all users accessing a shared device. +A Windows device enabled for *Shared PC mode* is designed to be maintenance-free with high reliability. 
Devices configured in Shared PC mode have different settings designed to improve the experience for all users accessing a shared device. -## Account management +## Account management -When *Account management* is configured, user profiles are automatically deleted to free up disk space and resources. Account management is performed both at sign-out time and during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out, based on disk space thresholds, or based on inactivity thresholds. +When *Account management* is configured, user profiles are automatically deleted to free up disk space and resources. Account management is performed both at sign-out time and during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out, based on disk space thresholds, or based on inactivity thresholds. > [!IMPORTANT] -> Shared PC is designed to take advantage of maintenance time periods, which run while the device is not in use. Therefore, devices should be put to **sleep** instead of shut down, so that they can wake up to perform maintenance tasks. +> Shared PC is designed to take advantage of maintenance time periods, which run while the device is not in use. Therefore, devices should be put to **sleep** instead of shut down, so that they can wake up to perform maintenance tasks. > [!TIP] -> While Shared PC does not configure the Windows Update client, it is recommended to configure Windows Update to automatically install updates and reboot during maintenance hours. This will help ensure the device is always up to date without interrupting users when the device is in use. +> While Shared PC does not configure the Windows Update client, it is recommended to configure Windows Update to automatically install updates and reboot during maintenance hours. This will help ensure the device is always up to date without interrupting users when the device is in use. 
-### Account models +### Account models -Shared PC offers the possibility to enable a **Guest** option on the sign-in screen. The Guest option doesn't require any user credentials or authentication, and creates a new local account each time it's used with access to the desktop. A **Guest button** is shown on the sign-in screen that a user can select. +Shared PC offers the possibility to enable a **Guest** option on the sign-in screen. The Guest option doesn't require any user credentials or authentication, and creates a new local account each time it's used with access to the desktop. A **Guest button** is shown on the sign-in screen that a user can select. -:::image type="content" source="./images/sharedpc-guest-win11.png" alt-text="Windows 11 sign-in screen with Guest option enabled." border="True"::: +:::image type="content" source="./images/sharedpc-guest-win11.png" alt-text="Windows 11 sign-in screen with Guest option enabled." border="True"::: -Shared PC also offers a **Kiosk** mode, which automatically executes a specific application when the kiosk account signs-in. This is useful in scenarios where the device is accessed for a specific purpose, such as test taking in a school. +Shared PC also offers a **Kiosk** mode, which automatically executes a specific application when the kiosk account signs-in. This is useful in scenarios where the device is accessed for a specific purpose, such as test taking in a school. -:::image type="content" source="./images/sharedpc-kiosk-win11se.png" alt-text="Windows 11 sign-in screen with Guest and Kiosk options enabled." border="True"::: +:::image type="content" source="./images/sharedpc-kiosk-win11se.png" alt-text="Windows 11 sign-in screen with Guest and Kiosk options enabled." border="True"::: -## Advanced customizations +## Advanced customizations -Shared PC offers advanced customizations for shared devices, such as specific settings for education devices, low end devices, and more. 
+Shared PC offers advanced customizations for shared devices, such as specific settings for education devices, low end devices, and more. -Shared devices require special considerations regarding power settings. Shared PC makes it easy to configure power settings for shared devices. The power settings are configured in the local group policy object (LGPO). +Shared devices require special considerations regarding power settings. Shared PC makes it easy to configure power settings for shared devices. The power settings are configured in the local group policy object (LGPO). > [!NOTE] -> For devices without Advanced Configuration and Power Interface (ACPI) wake alarms, Shared PC will override real-time clock (RTC) wake alarms to be allowed to wake the PC from sleep (by default, RTC wake alarms are off). This ensures that the widest variety of hardware will take advantage of maintenance periods. +> For devices without Advanced Configuration and Power Interface (ACPI) wake alarms, Shared PC will override real-time clock (RTC) wake alarms to be allowed to wake the PC from sleep (by default, RTC wake alarms are off). This ensures that the widest variety of hardware will take advantage of maintenance periods. -## Additional information +## Additional information - To learn how to configure Shared PC, see [Set up a shared or guest Windows device](set-up-shared-or-guest-pc.md). - For a list of settings configured by the different options offered by Shared PC, see the [Shared PC technical reference](shared-pc-technical.md). - For a list of settings exposed by the SharedPC configuration service provider, see [SharedPC CSP][WIN-1]. -- For a list of settings exposed by Windows Configuration Designer, see [SharedPC CSP][WIN-2]. +- For a list of settings exposed by Windows Configuration Designer, see [SharedPC CSP][WIN-2]. - + [WIN-1]: /windows/client-management/mdm/sharedpc-csp [WIN-2]: /windows/configuration/wcd/wcd-sharedpc \ No newline at end of file 
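Review bot: Under Additional information, the last bullet is re-added with the link text `[SharedPC CSP][WIN-2]` for the Windows Configuration Designer reference, identical to the label of the `[WIN-1]` bullet above it, so the two links cannot be told apart; rename it to match its target, for example "SharedPC WCD reference". The hunk also ends with `\ No newline at end of file`; since the file is being rewritten anyway, add the trailing newline after the `[WIN-2]` definition.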
diff --git a/windows/configuration/shared-pc-technical.md b/windows/configuration/shared-pc/shared-pc-technical.md similarity index 89% rename from windows/configuration/shared-pc-technical.md rename to windows/configuration/shared-pc/shared-pc-technical.md index 652336403e..367f472378 100644 --- a/windows/configuration/shared-pc-technical.md +++ b/windows/configuration/shared-pc/shared-pc-technical.md @@ -6,23 +6,24 @@ ms.topic: reference author: paolomatarazzo ms.author: paoloma appliesto: + - ✅ Windows 10 - ✅ Windows 11 - ✅ Windows 11 SE ---- +--- -# Shared PC technical reference +# Shared PC technical reference -This article details the settings configured by the different options of Shared PC. +This article details the settings configured by the different options of Shared PC. > [!IMPORTANT] -> The behavior of some options have changed over time. This article describes the current settings applied by Shared PC. +> The behavior of some options have changed over time. This article describes the current settings applied by Shared PC. -## EnableSharedPCMode and EnableSharedPCModeWithOneDriveSync +## EnableSharedPCMode and EnableSharedPCModeWithOneDriveSync -EnableSharedPCMode and EnableSharedPCModeWithOneDriveSync are the two policies that enable **Shared PC mode**. The only difference between the two is that EnableSharedPCModeWithOneDriveSync enables OneDrive synchronization, while EnableSharedPCMode disables it. +EnableSharedPCMode and EnableSharedPCModeWithOneDriveSync are the two policies that enable **Shared PC mode**. The only difference between the two is that EnableSharedPCModeWithOneDriveSync enables OneDrive synchronization, while EnableSharedPCMode disables it. -When enabling Shared PC mode, the following settings in the local GPO are configured: +When enabling Shared PC mode, the following settings in the local GPO are configured: | Policy setting | Status | |--|--| 
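Review bot: The `[!IMPORTANT]` line re-added in this hunk still reads "The behavior of some options have changed over time"; the subject is singular, so this should be "has changed". The removed and added text is otherwise identical as shown, so this is a cheap place to fix it.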
@@ -48,26 +49,26 @@ When enabling Shared PC mode, the following settings in the local GPO are config | Windows Components/OneDrive/Prevent the usage of OneDrive for file storage |**Enabled** if using EnableSharedPCMode

    **Disabled** is using EnableSharedPCModeWithOneDriveSync | | Windows Components/Windows Hello for Business/Use biometrics | Disabled | | Windows Components/Windows Hello for Business/Use Windows Hello for Business | Disabled | -| Windows Components/Windows Logon Options/Sign-in and lock last interactive user automatically after a restart | Disabled | +| Windows Components/Windows Logon Options/Sign-in and lock last interactive user automatically after a restart | Disabled | | Extra registry setting | Status | |-------------------------------------------------------------------------------------------------------------------|----------| | Software\Policies\Microsoft\PassportForWork\Remote\Enabled (Phone sign-in/Use phone sign-in) | 0 | -| Software\Policies\Microsoft\Windows\PreviewBuilds\AllowBuildPreview () | 0 | +| Software\Policies\Microsoft\Windows\PreviewBuilds\AllowBuildPreview () | 0 | -## SetEDUPolicy +## SetEDUPolicy -By enabling SetEDUPolicy, the following settings in the local GPO are configured: +By enabling SetEDUPolicy, the following settings in the local GPO are configured: | Policy setting | Status | |--|--| | System/User Profiles/Turn off the advertising ID | Enabled | | Windows Components/Cloud Content/Do not show Windows tips | Enabled | -| Windows Components/Cloud Content/Turn off Microsoft consumer experiences | Enabled | +| Windows Components/Cloud Content/Turn off Microsoft consumer experiences | Enabled | -## SetPowerPolicies +## SetPowerPolicies -By enabling SetPowerPolicies, the following settings in the local GPO are configured: +By enabling SetPowerPolicies, the following settings in the local GPO are configured: | Policy setting | Status| |--|--| 
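Review bot: The registry row `Software\Policies\Microsoft\Windows\PreviewBuilds\AllowBuildPreview ()` is rewritten with its empty parentheses intact, while the row above it names the corresponding policy in that position; fill in the policy name or drop the parentheses. The OneDrive row in the unchanged context also reads "**Disabled** is using EnableSharedPCModeWithOneDriveSync", where "is" should be "if".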
@@ -83,41 +84,42 @@ By enabling SetPowerPolicies, the following settings in the local GPO are config | System/Power Management/Sleep Settings/Specify the system hibernate timeout (on battery) | 0 (Hibernation disabled) | | System/Power Management/Sleep Settings/Specify the system hibernate timeout (plugged in) | 0 (Hibernation disabled) | | System/Power Management/Sleep Settings/Turn off hybrid sleep (on battery) | Enabled | -| System/Power Management/Sleep Settings/Turn off hybrid sleep (plugged in) | Enabled | +| System/Power Management/Sleep Settings/Turn off hybrid sleep (plugged in) | Enabled | -## MaintenanceStartTime +## MaintenanceStartTime -By enabling MaintenanceStartTime, the following settings in the local GPO are configured: +By enabling MaintenanceStartTime, the following settings in the local GPO are configured: | Policy setting | Status| |--------------------------------------------------------------------------------------|--------------------------------| | Windows Components/Maintenance Scheduler/Automatic Maintenance Activation Boundary | 2000-01-01T00:00:00 (midnight) | | Windows Components/Maintenance Scheduler/Automatic Maintenance Random Delay | Enabled PT2H (2 hours) | -| Windows Components/Maintenance Scheduler/Automatic Maintenance WakeUp Policy | Enabled | +| Windows Components/Maintenance Scheduler/Automatic Maintenance WakeUp Policy | Enabled | -## SignInOnResume +## SignInOnResume -By enabling SignInOnResume, the following settings in the local GPO are configured: +By enabling SignInOnResume, the following settings in the local GPO are configured: | Policy setting | Status| |--|--| | System/Logon/Allow users to select when a password is required when resuming from connected standby | Disabled | | System/Power Management/Sleep Settings/Require a password when a computer wakes (on battery) | Enabled | -| System/Power Management/Sleep Settings/Require a password when a computer wakes (plugged in) | Enabled | +| System/Power 
Management/Sleep Settings/Require a password when a computer wakes (plugged in) | Enabled | -## EnableAccountManager +## EnableAccountManager -By enabling Enableaccountmanager, the following schedule task is turned on: `\Microsoft\Windows\SharedPC\Account Cleanup`. +By enabling Enableaccountmanager, the following schedule task is turned on: `\Microsoft\Windows\SharedPC\Account Cleanup`. -## Shared PC APIs and app behavior +## Shared PC APIs and app behavior -Applications can take advantage of Shared PC mode with the following three APIs: +Applications can take advantage of Shared PC mode with the following three APIs: - [**IsEnabled**][API-1] - This API informs applications when the device is configured for shared use scenarios. For example, an app might only download content on demand on a device in shared PC mode, or might skip first run experiences. - [**ShouldAvoidLocalStorage**][API-2] - This API informs applications when the PC has been configured to not allow the user to save to the local storage of the PC. Instead, only cloud save locations should be offered by the app or saved automatically by the app. -- [**IsEducationEnvironment**][API-3] - This API informs applications when the PC is used in an education environment. Apps may want to handle diagnostic data differently or hide advertising functionality. ------------ +- [**IsEducationEnvironment**][API-3] - This API informs applications when the PC is used in an education environment. Apps may want to handle diagnostic data differently or hide advertising functionality. + +----------- [API-1]: /uwp/api/windows.system.profile.sharedmodesettings.isenabled [API-2]: /uwp/api/windows.system.profile.sharedmodesettings.shouldavoidlocalstorage 
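Review bot: Under `## EnableAccountManager`, the rewritten sentence still says "By enabling Enableaccountmanager, the following schedule task is turned on"; match the heading's casing (`EnableAccountManager`) and use "scheduled task", since the line is already part of this change.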
diff --git a/windows/configuration/manage-tips-and-suggestions.md b/windows/configuration/spotlight/manage-tips-and-suggestions.md similarity index 81% rename from windows/configuration/manage-tips-and-suggestions.md rename to windows/configuration/spotlight/manage-tips-and-suggestions.md index c4f9b5a850..41b3189146 100644 --- a/windows/configuration/manage-tips-and-suggestions.md +++ b/windows/configuration/spotlight/manage-tips-and-suggestions.md 
@@ -1,61 +1,57 @@ --- -title: Manage Windows 10 and Microsoft Store tips, fun facts, and suggestions (Windows 10) +title: Manage Windows 10 and Microsoft Store tips, fun facts, and suggestions description: Windows 10 provides organizations with various options to manage user experiences to provide a consistent and predictable experience for employees. -ms.prod: windows-client -author: lizgt2000 -ms.author: lizlong -ms.topic: article -ms.localizationpriority: medium -ms.date: 09/20/2017 -ms.reviewer: -manager: aaroncz -ms.technology: itpro-configure ---- +ms.topic: article -# Manage Windows 10 and Microsoft Store tips, "fun facts", and suggestions +ms.date: 09/20/2017 + +--- + +# Manage Windows 10 and Microsoft Store tips, "fun facts", and suggestions -**Applies to** +**Applies to** -- Windows 10 +- Windows 10 -Since its inception, Windows 10 has included a number of user experience features that provide useful tips, "fun facts", and suggestions as you use Windows, as well as app suggestions from the Microsoft Store. These features are designed to help people get the most out of their Windows 10 experience by, for example, sharing new features, providing more details on the features they use, or sharing content available in the Microsoft Store. Examples of such user experiences include: +Since its inception, Windows 10 has included a number of user experience features that provide useful tips, "fun facts", and suggestions as you use Windows, as well as app suggestions from the Microsoft Store. These features are designed to help people get the most out of their Windows 10 experience by, for example, sharing new features, providing more details on the features they use, or sharing content available in the Microsoft Store. Examples of such user experiences include: -* **Windows Spotlight on the lock screen**. Daily updated images on the lock screen that can include additional facts and tips in “hotspots” that are revealed on hover. 
+* **Windows Spotlight on the lock screen**. Daily updated images on the lock screen that can include additional facts and tips in “hotspots” that are revealed on hover. -* **Start menu app suggestions**. App suggestions in Start that recommend productivity tool or utilities from the Microsoft Store. +* **Start menu app suggestions**. App suggestions in Start that recommend productivity tool or utilities from the Microsoft Store. -* **Additional apps on Start**. Additional apps pre-installed on the Start screen which can enhance the user’s experience. +* **Additional apps on Start**. Additional apps pre-installed on the Start screen which can enhance the user’s experience. -* **Windows tips**. Contextual tips that appear based on specific user actions to reveal related Windows features or help users complete a scenario. +* **Windows tips**. Contextual tips that appear based on specific user actions to reveal related Windows features or help users complete a scenario. -* **Microsoft account notifications**. For users who have a connected Microsoft account, toast notifications about their account like parental control notifications or subscription expiration. +* **Microsoft account notifications**. For users who have a connected Microsoft account, toast notifications about their account like parental control notifications or subscription expiration. >[!TIP] -> On all Windows desktop editions, users can directly enable and disable Windows 10 tips, "fun facts", and suggestions and Microsoft Store suggestions. For example, users are able to select personal photos for the lock screen as opposed to the images provided by Microsoft, or turn off tips, "fun facts", or suggestions as they use Windows. +> On all Windows desktop editions, users can directly enable and disable Windows 10 tips, "fun facts", and suggestions and Microsoft Store suggestions. 
For example, users are able to select personal photos for the lock screen as opposed to the images provided by Microsoft, or turn off tips, "fun facts", or suggestions as they use Windows. -Windows 10 provides organizations the ability to centrally manage the type of content provided by these features through Group Policy or mobile device management (MDM). The following table describes how administrators can manage suggestions and tips in Windows 10 commercial and education editions. +Windows 10 provides organizations the ability to centrally manage the type of content provided by these features through Group Policy or mobile device management (MDM). The following table describes how administrators can manage suggestions and tips in Windows 10 commercial and education editions. -## Options available to manage Windows 10 tips and "fun facts" and Microsoft Store suggestions +## Options available to manage Windows 10 tips and "fun facts" and Microsoft Store suggestions | Windows 10 edition | Disable |Show Microsoft apps only | Show Microsoft and popular third-party apps | | --- | --- | --- | --- | | Windows 10 Pro | No | Yes | Yes (default) | | Windows 10 Enterprise | Yes | Yes | Yes (default) | | Windows 10 Pro Education | Yes (default) | Yes | No (setting cannot be changed) | -| Windows 10 Education | Yes (default) | Yes | No (setting cannot be changed) | +| Windows 10 Education | Yes (default) | Yes | No (setting cannot be changed) | -[Learn more about policy settings for Windows Spotlight.](windows-spotlight.md) +[Learn more about policy settings for Windows Spotlight.](windows-spotlight.md) -## Related topics +## Related topics - [Manage Windows 10 Start layout](windows-10-start-layout-options-and-policies.md) - [Cortana integration in your business or enterprise](cortana-at-work/cortana-at-work-overview.md) - [Windows spotlight on the lock screen](windows-spotlight.md) -- [Windows 10 editions for education 
customers](/education/windows/windows-editions-for-education-customers) +- [Windows 10 editions for education customers](/education/windows/windows-editions-for-education-customers) -  + + + -  diff --git a/windows/configuration/changes-to-start-policies-in-windows-10.md b/windows/configuration/start/changes-to-start-policies-in-windows-10.md similarity index 61% rename from windows/configuration/changes-to-start-policies-in-windows-10.md rename to windows/configuration/start/changes-to-start-policies-in-windows-10.md index c8a911f8a2..3a692f1da5 100644 --- a/windows/configuration/changes-to-start-policies-in-windows-10.md +++ b/windows/configuration/start/changes-to-start-policies-in-windows-10.md 
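Review bot: In manage-tips-and-suggestions.md, which this change moves from `windows/configuration/` into `windows/configuration/spotlight/`, the relative links `windows-10-start-layout-options-and-policies.md` and `cortana-at-work/cortana-at-work-overview.md` under "Related topics" are left as unchanged context, so they now resolve against the new folder; update them or confirm that the targets moved alongside this file.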
@@ -1,29 +1,21 @@ --- -title: Changes to Group Policy settings for Windows 10 Start menu (Windows 10) +title: Changes to Group Policy settings for Windows 10 Start menu description: Learn about changes to Group Policy settings for the Windows 10 Start menu. Also, learn about the new Windows 10 Start experience. -ms.reviewer: -manager: aaroncz -ms.prod: windows-client -author: lizgt2000 -ms.author: lizlong ms.topic: whats-new -ms.localizationpriority: medium +appliesto: +- ✅ Windows 10 ms.date: 08/18/2023 -ms.technology: itpro-configure ---- +--- -# Changes to Group Policy settings for Windows 10 Start - -**Applies to**: - -- Windows 10 - -Windows 10 has a brand new Start experience. As a result, there are changes to the Group Policy settings that you can use to manage Start. Some policy settings are new or changed, and some old Start policy settings still apply. Other Start policy settings no longer apply and are deprecated. - -## Start policy settings supported for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education +# Changes to Group Policy settings for Windows 10 Start -These policy settings are available in **Administrative Templates\\Start Menu and Taskbar** under **User Configuration**. +Windows 10 has a brand new Start experience. As a result, there are changes to the Group Policy settings that you can use to manage Start. Some policy settings are new or changed, and some old Start policy settings still apply. Other Start policy settings no longer apply and are deprecated. + +## Start policy settings supported for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education + + +These policy settings are available in **Administrative Templates\\Start Menu and Taskbar** under **User Configuration**. |Policy|Notes| |--- |--- | 
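Review bot: The frontmatter in this hunk drops `author`, `ms.author`, `manager`, `ms.prod` and `ms.technology` with no replacement visible; confirm those values are now supplied at folder level for `windows/configuration/start/`, otherwise the page loses its owner metadata. The added lines after `## Start policy settings supported for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education` also leave two consecutive blank lines before the paragraph, where one is enough.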
@@ -31,55 +23,55 @@ These policy settings are available in **Administrative Templates\\Start Menu an |Don't allow pinning items in Jump Lists|Jump Lists are lists of recently opened items, such as files, folders, or websites, organized by the program that you use to open them. This policy prevents users from pinning items to any Jump List.| |Don't display or track items in Jump Lists from remote locations|When this policy is applied, only items local on the computer are shown in Jump Lists.| |Don't keep history of recently opened documents|Documents that the user opens aren't tracked during the session.| -|Prevent changes to Taskbar and Start Menu Settings|In Windows 10, this policy disables all of the settings in **Settings** > **Personalization** > **Start** and the options in dialog available via right-click Taskbar > **Properties**| +|Prevent changes to Taskbar and Start Menu Settings|In Windows 10, this policy disables all of the settings in **Settings** > **Personalization** > **Start** and the options in dialog available via right-click Taskbar > **Properties**| |Prevent users from customizing their Start Screen|Use this policy with a [customized Start layout](windows-10-start-layout-options-and-policies.md) to prevent users from changing it| -|Prevent users from uninstalling applications from Start|In Windows 10, this policy removes the uninstall button in the context menu. It doesn't prevent users from uninstalling the app through other entry points (for example, PowerShell)| -|Remove All Programs list from the Start menu|In Windows 10, this policy removes the **All apps** button.| +|Prevent users from uninstalling applications from Start|In Windows 10, this policy removes the uninstall button in the context menu. 
It doesn't prevent users from uninstalling the app through other entry points (for example, PowerShell)| +|Remove All Programs list from the Start menu|In Windows 10, this policy removes the **All apps** button.| |Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands|This policy removes the Shut Down, Restart, Sleep, and Hibernate commands from the Start Menu, Start Menu power button, CTRL+ALT+DEL screen, and Alt+F4 Shut Down Windows menu.| |Remove common program groups from Start Menu|As in earlier versions of Windows, this policy removes apps specified in the All Users profile from Start| -|Remove frequent programs list from the Start Menu|In Windows 10, this policy removes the top left **Most used** group of apps.| +|Remove frequent programs list from the Start Menu|In Windows 10, this policy removes the top left **Most used** group of apps.| |Remove Logoff on the Start Menu|**Logoff** has been changed to **Sign Out** in the user interface, however the functionality is the same.| -|Remove pinned programs list from the Start Menu|In Windows 10, this policy removes the bottom left group of apps (by default, only File Explorer and Settings are pinned).| +|Remove pinned programs list from the Start Menu|In Windows 10, this policy removes the bottom left group of apps (by default, only File Explorer and Settings are pinned).| |Show "Run as different user" command on Start|This policy enables the **Run as different user** option in the right-click menu for apps.| |Start Layout|This policy applies a specific Start layout, and it also prevents users from changing the layout. 
This policy can be configured in **User Configuration** or **Computer Configuration**.| -|Force Start to be either full screen size or menu size|This policy applies a specific size for Start.| +|Force Start to be either full screen size or menu size|This policy applies a specific size for Start.| -## Deprecated Group Policy settings for Start +## Deprecated Group Policy settings for Start -The Start policy settings listed in the following table don't work on Windows 10. Most of them were deprecated in Windows 8 however a few more were deprecated in Windows 10. Deprecation in this case means that the policy setting won't work on Windows 10. The “Supported on” text for a policy setting won't list Windows 10. The policy settings are still in the Group Policy Management Console and can be used on the operating systems that they apply to. +The Start policy settings listed in the following table don't work on Windows 10. Most of them were deprecated in Windows 8 however a few more were deprecated in Windows 10. Deprecation in this case means that the policy setting won't work on Windows 10. The "Supported on" text for a policy setting won't list Windows 10. The policy settings are still in the Group Policy Management Console and can be used on the operating systems that they apply to. | Policy | When deprecated | |----------------------------------------------------------------------------------|-----------------| -| Go to the desktop instead of Start when signing in | Windows 10 | -| List desktop apps first in the Apps view | Windows 10 | -| Pin Apps to Start when installed (User or Computer) | Windows 10 | -| Remove Default Programs link from the Start menu. 
| Windows 10 | -| Remove Documents icon from Start Menu | Windows 10 | -| Remove programs on Settings menu | Windows 10 | -| Remove Run menu from Start Menu | Windows 10 | -| Remove the "Undock PC" button from the Start Menu | Windows 10 | -| Search just apps from the Apps view | Windows 10 | -| Show Start on the display the user is using when they press the Windows logo key | Windows 10 | -| Show the Apps view automatically when the user goes to Start | Windows 10 | -| Add the Run command to the Start Menu | Windows 8 | -| Change Start Menu power button | Windows 8 | -| Gray unavailable Windows Installer programs Start Menu shortcuts | Windows 8 | -| Remove Downloads link from Start Menu | Windows 8 | -| Remove Favorites menu from Start Menu | Windows 8 | -| Remove Games link from Start Menu | Windows 8 | -| Remove Help menu from Start Menu | Windows 8 | -| Remove Homegroup link from Start Menu | Windows 8 | -| Remove Music icon from Start Menu | Windows 8 | -| Remove Network icon from Start Menu | Windows 8 | -| Remove Pictures icon from Start Menu | Windows 8 | -| Remove Recent Items menu from Start Menu | Windows 8 | -| Remove Recorded TV link from Start Menu | Windows 8 | -| Remove user folder link from Start Menu | Windows 8 | -| Remove Videos link from Start Menu | Windows 8 | +| Go to the desktop instead of Start when signing in | Windows 10 | +| List desktop apps first in the Apps view | Windows 10 | +| Pin Apps to Start when installed (User or Computer) | Windows 10 | +| Remove Default Programs link from the Start menu. 
| Windows 10 | +| Remove Documents icon from Start Menu | Windows 10 | +| Remove programs on Settings menu | Windows 10 | +| Remove Run menu from Start Menu | Windows 10 | +| Remove the "Undock PC" button from the Start Menu | Windows 10 | +| Search just apps from the Apps view | Windows 10 | +| Show Start on the display the user is using when they press the Windows logo key | Windows 10 | +| Show the Apps view automatically when the user goes to Start | Windows 10 | +| Add the Run command to the Start Menu | Windows 8 | +| Change Start Menu power button | Windows 8 | +| Gray unavailable Windows Installer programs Start Menu shortcuts | Windows 8 | +| Remove Downloads link from Start Menu | Windows 8 | +| Remove Favorites menu from Start Menu | Windows 8 | +| Remove Games link from Start Menu | Windows 8 | +| Remove Help menu from Start Menu | Windows 8 | +| Remove Homegroup link from Start Menu | Windows 8 | +| Remove Music icon from Start Menu | Windows 8 | +| Remove Network icon from Start Menu | Windows 8 | +| Remove Pictures icon from Start Menu | Windows 8 | +| Remove Recent Items menu from Start Menu | Windows 8 | +| Remove Recorded TV link from Start Menu | Windows 8 | +| Remove user folder link from Start Menu | Windows 8 | +| Remove Videos link from Start Menu | Windows 8 | - + -## Related topics +## Related topics - [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) - [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/start/customize-and-export-start-layout.md similarity index 81% rename from windows/configuration/customize-and-export-start-layout.md rename to windows/configuration/start/customize-and-export-start-layout.md index 2173e2ee20..ca8904f3f8 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/start/customize-and-export-start-layout.md 
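Review bot: In changes-to-start-policies-in-windows-10.md, the deprecation paragraph is rewritten only to turn the curly quotes around "Supported on" into straight quotes, which leaves "Most of them were deprecated in Windows 8 however a few more were deprecated in Windows 10" as a run-on; add the missing punctuation before "however" while the line is open. The row `Remove Default Programs link from the Start menu.` is the only policy name in the table with a trailing period, so confirm that it matches the policy's actual name.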
@@ -1,105 +1,99 @@ --- title: Customize and export Start layout description: The easiest method for creating a customized Start layout is to set up the Start screen and export the layout. -ms.reviewer: -manager: aaroncz -ms.prod: windows-client -author: lizgt2000 -ms.author: lizlong -ms.topic: how-to -ms.localizationpriority: medium +ms.topic: how-to + ms.date: 08/18/2023 ms.collection: - tier1 -ms.technology: itpro-configure ---- +--- -# Customize and export Start layout +# Customize and export Start layout -**Applies to**: +**Applies to**: -- Windows 10 +- Windows 10 ->**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) +>**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) -The easiest method for creating a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test computer and then export the layout. +The easiest method for creating a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test computer and then export the layout. -After you export the layout, decide whether you want to apply a *full* Start layout or a *partial* Start layout. +After you export the layout, decide whether you want to apply a *full* Start layout or a *partial* Start layout. -When a full Start layout is applied, the users can't pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they can't pin any apps to Start. +When a full Start layout is applied, the users can't pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they can't pin any apps to Start. 
-When [a partial Start layout](#configure-a-partial-start-layout) is applied, the contents of the specified tile groups can't be changed, but users can move those groups, and can also create and customize their own groups. +When [a partial Start layout](#configure-a-partial-start-layout) is applied, the contents of the specified tile groups can't be changed, but users can move those groups, and can also create and customize their own groups. > [!NOTE] -> Partial Start layout is only supported on Windows 10, version 1511 and later. +> Partial Start layout is only supported on Windows 10, version 1511 and later. -You can deploy the resulting .xml file to devices using one of the following methods: +You can deploy the resulting .xml file to devices using one of the following methods: -- [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) +- [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) -- [Windows Configuration Designer provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) +- [Windows Configuration Designer provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) -- [Mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +- [Mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) -### Customize the Start screen on your test computer +### Customize the Start screen on your test computer -To prepare a Start layout for export, you simply customize the Start layout on a test computer. +To prepare a Start layout for export, you simply customize the Start layout on a test computer. -**To prepare a test computer** +**To prepare a test computer** -1. Set up a test computer on which to customize the Start layout. 
Your test computer should have the operating system that is installed on the users' computers (Windows 10 Pro, Enterprise, or Education). Install all apps and services that the Start layout should display. +1. Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users' computers (Windows 10 Pro, Enterprise, or Education). Install all apps and services that the Start layout should display. -1. Create a new user account that you'll use to customize the Start layout. +1. Create a new user account that you'll use to customize the Start layout. -**To customize Start** +**To customize Start** -1. Sign in to your test computer with the user account that you created. +1. Sign in to your test computer with the user account that you created. -1. Customize the Start layout as you want users to see it by using the following techniques: +1. Customize the Start layout as you want users to see it by using the following techniques: - - **Pin apps to Start**. From Start, type the name of the app. When the app appears in the search results, right-click the app, and then select **Pin to Start**. + - **Pin apps to Start**. From Start, type the name of the app. When the app appears in the search results, right-click the app, and then select **Pin to Start**. - To view all apps, select **All apps** in the bottom-left corner of Start. Right-click any app, and pin or unpin it from Start. + To view all apps, select **All apps** in the bottom-left corner of Start. Right-click any app, and pin or unpin it from Start. - - **Unpin apps** that you don't want to display. To unpin an app, right-click the app, and then select **Unpin from Start**. + - **Unpin apps** that you don't want to display. To unpin an app, right-click the app, and then select **Unpin from Start**. - - **Drag tiles** on Start to reorder or group apps. + - **Drag tiles** on Start to reorder or group apps. - - **Resize tiles**. 
To resize tiles, right-click the tile and then select **Resize.** + - **Resize tiles**. To resize tiles, right-click the tile and then select **Resize.** - - **Create your own app groups**. Drag the apps to an empty area. To name a group, select above the group of tiles and then type the name in the **Name group** field that appears above the group. + - **Create your own app groups**. Drag the apps to an empty area. To name a group, select above the group of tiles and then type the name in the **Name group** field that appears above the group. > [!IMPORTANT] > In Windows 10, version 1703, if the Start layout includes tiles for apps that are not installed on the device that the layout is later applied to, the tiles for those apps will be blank. The blank tiles will persist until the next time the user signs in, at which time the blank tiles are removed. Some system events may cause the blank tiles to be removed before the next sign-in. > -> In earlier versions of Windows 10, no tile would be pinned. +> In earlier versions of Windows 10, no tile would be pinned. -### Export the Start layout +### Export the Start layout -When you have the Start layout that you want your users to see, use the [Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet in Windows PowerShell to export the Start layout to an .xml file. Start layout is located by default at C:\Users\username\AppData\Local\Microsoft\Windows\Shell\ +When you have the Start layout that you want your users to see, use the [Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet in Windows PowerShell to export the Start layout to an .xml file. Start layout is located by default at C:\Users\username\AppData\Local\Microsoft\Windows\Shell\ > [!IMPORTANT] -> If you include secondary Microsoft Edge tiles (tiles that link to specific websites in Microsoft Edge), see [Add custom images to Microsoft Edge secondary tiles](start-secondary-tiles.md) for instructions. 
+> If you include secondary Microsoft Edge tiles (tiles that link to specific websites in Microsoft Edge), see [Add custom images to Microsoft Edge secondary tiles](start-secondary-tiles.md) for instructions. -**To export the Start layout to an .xml file** +**To export the Start layout to an .xml file** -1. While signed in with the same account that you used to customize Start, right-click Start, and select **Windows PowerShell**. +1. While signed in with the same account that you used to customize Start, right-click Start, and select **Windows PowerShell**. -1. On a device running Windows 10, version 1607, 1703, or 1803, at the Windows PowerShell command prompt, enter the following command: +1. On a device running Windows 10, version 1607, 1703, or 1803, at the Windows PowerShell command prompt, enter the following command: - `Export-StartLayout -path .xml` + `Export-StartLayout -path .xml` - On a device running Windows 10, version 1809 or higher, run the **Export-StartLayout** with the switch **-UseDesktopApplicationID**. For example: + On a device running Windows 10, version 1809 or higher, run the **Export-StartLayout** with the switch **-UseDesktopApplicationID**. For example: ```PowerShell Export-StartLayout -UseDesktopApplicationID -Path layout.xml - ``` + ``` - In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, \\\\FileServer01\\StartLayouts\\StartLayoutMarketing.xml). + In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, \\\\FileServer01\\StartLayouts\\StartLayoutMarketing.xml). - Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. 
The [Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet doesn't append the file name extension, and the policy settings require the extension. + Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet doesn't append the file name extension, and the policy settings require the extension. - Example of a layout file produced by `Export-StartLayout`: + Example of a layout file produced by `Export-StartLayout`: ```xml 
@@ -111,16 +105,17 @@ When you have the Start layout that you want your users to see, use the [Export- + - ``` + ``` -1. (Optional) Edit the .xml file to add [a taskbar configuration](configure-windows-10-taskbar.md) or to [modify the exported layout](start-layout-xml-desktop.md). When you make changes to the exported layout, be aware that [the order of the elements in the .xml file is critical.](start-layout-xml-desktop.md#required-order) +1. (Optional) Edit the .xml file to add [a taskbar configuration](configure-windows-10-taskbar.md) or to [modify the exported layout](start-layout-xml-desktop.md). When you make changes to the exported layout, be aware that [the order of the elements in the .xml file is critical.](start-layout-xml-desktop.md#required-order) > [!IMPORTANT] -> If the Start layout that you export contains tiles for desktop (Win32) apps or .url links, **Export-StartLayout** will use **DesktopApplicationLinkPath** in the resulting file. Use a text or XML editor to change **DesktopApplicationLinkPath** to **DesktopApplicationID**. See [Specify Start tiles](start-layout-xml-desktop.md#specify-start-tiles) for details on using the app ID in place of the link path. +> If the Start layout that you export contains tiles for desktop (Win32) apps or .url links, **Export-StartLayout** will use **DesktopApplicationLinkPath** in the resulting file. Use a text or XML editor to change **DesktopApplicationLinkPath** to **DesktopApplicationID**. See [Specify Start tiles](start-layout-xml-desktop.md#specify-start-tiles) for details on using the app ID in place of the link path. > [!NOTE] > All clients that the start layout applies to must have the apps and other shortcuts present on the local system in the same location as the source for the Start layout. 
@@ -130,55 +125,56 @@ When you have the Start layout that you want your users to see, use the [Export- >* Executable files and scripts should be listed in \Program Files or wherever the installer of the app places them. > >* Shortcuts that will pinned to Start should be placed in \ProgramData\Microsoft\Windows\Start Menu\Programs. + > >* If you place executable files or scripts in the \ProgramData\Microsoft\Windows\Start Menu\Programs folder, they will not pin to Start. > >* Start on Windows 10 does not support subfolders. We only support one folder. For example, \ProgramData\Microsoft\Windows\Start Menu\Programs\Folder. If you go any deeper than one folder, Start will compress the contents of all the subfolder to the top level. > ->* Three additional shortcuts are pinned to the start menu after the export. These are shortcuts to %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs, %APPDATA%\Microsoft\Windows\Start Menu\Programs, and %APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\. +>* Three additional shortcuts are pinned to the start menu after the export. These are shortcuts to %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs, %APPDATA%\Microsoft\Windows\Start Menu\Programs, and %APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\. -### Configure a partial Start layout +### Configure a partial Start layout -A partial Start layout enables you to add one or more customized tile groups to users' Start screens or menus, while still allowing users to make changes to other parts of the Start layout. All groups that you add are *locked*, meaning users can't change the contents of those tile groups, however users can change the location of those groups. Locked groups are identified with an icon, as shown in the following image. +A partial Start layout enables you to add one or more customized tile groups to users' Start screens or menus, while still allowing users to make changes to other parts of the Start layout. 
All groups that you add are *locked*, meaning users can't change the contents of those tile groups, however users can change the location of those groups. Locked groups are identified with an icon, as shown in the following image. -![locked tile group.](images/start-pinned-app.png) +![locked tile group.](images/start-pinned-app.png) -When a partial Start layout is applied for the first time, the new groups are added to the users' existing Start layouts. If an app tile is in both an existing group and in a new locked group, the duplicate app tile is removed from the existing (unlocked) group. +When a partial Start layout is applied for the first time, the new groups are added to the users' existing Start layouts. If an app tile is in both an existing group and in a new locked group, the duplicate app tile is removed from the existing (unlocked) group. -When a partial Start layout is applied to a device that already has a StartLayout.xml applied, groups that were added previously are removed and the groups in the new layout are added. +When a partial Start layout is applied to a device that already has a StartLayout.xml applied, groups that were added previously are removed and the groups in the new layout are added. -If the Start layout is applied by Group Policy or MDM, and the policy is removed, the groups remain on the devices but become unlocked. +If the Start layout is applied by Group Policy or MDM, and the policy is removed, the groups remain on the devices but become unlocked. -**To configure a partial Start screen layout** +**To configure a partial Start screen layout** -1. [Customize the Start layout](#customize-the-start-screen-on-your-test-computer). +1. [Customize the Start layout](#customize-the-start-screen-on-your-test-computer). 1. [Export the Start layout](#export-the-start-layout). -1. Open the layout .xml file. There is a `` element. 
Add `LayoutCustomizationRestrictionType="OnlySpecifiedGroups"` to the **DefaultLayoutOverride** element as follows: +1. Open the layout .xml file. There is a `` element. Add `LayoutCustomizationRestrictionType="OnlySpecifiedGroups"` to the **DefaultLayoutOverride** element as follows: ```xml - ``` + ``` -1. Save the file and apply using any of the deployment methods. +1. Save the file and apply using any of the deployment methods. > [!NOTE] -> Office 2019 tiles might be removed from the Start menu when you upgrade Office 2019. This only occurs if Office 2019 app tiles are in a custom group in the Start menu and only contains the Office 2019 app tiles. To avoid this problem, place another app tile in the Office 2019 group prior to the upgrade. For example, add Notepad.exe or calc.exe to the group. This issue occurs because Office 2019 removes and reinstalls the apps when they are upgraded. Start removes empty groups when it detects that all apps for that group have been removed. +> Office 2019 tiles might be removed from the Start menu when you upgrade Office 2019. This only occurs if Office 2019 app tiles are in a custom group in the Start menu and only contains the Office 2019 app tiles. To avoid this problem, place another app tile in the Office 2019 group prior to the upgrade. For example, add Notepad.exe or calc.exe to the group. This issue occurs because Office 2019 removes and reinstalls the apps when they are upgraded. Start removes empty groups when it detects that all apps for that group have been removed. 
-## Related articles +## Related articles -[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) +[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) -[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) +[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) -[Add image for secondary tiles](start-secondary-tiles.md) +[Add image for secondary tiles](start-secondary-tiles.md) -[Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) +[Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) -[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) +[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) -[Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) +[Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) -[Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +[Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) diff --git a/windows/configuration/customize-start-menu-layout-windows-11.md b/windows/configuration/start/customize-start-menu-layout-windows-11.md similarity index 80% rename from windows/configuration/customize-start-menu-layout-windows-11.md rename to windows/configuration/start/customize-start-menu-layout-windows-11.md index 2e959a035a..193aea9509 100644 
--- a/windows/configuration/customize-start-menu-layout-windows-11.md +++ b/windows/configuration/start/customize-start-menu-layout-windows-11.md 
@@ -1,174 +1,189 @@ --- title: Add or remove pinned apps on the Start menu in Windows 11 description: Export Start layout to LayoutModification.json with pinned apps, and add or remove pinned apps. Use the JSON text in an MDM policy to deploy a custom Start menu layout to Windows 11 devices. -author: lizgt2000 -ms.author: lizlong ms.reviewer: ericpapa ms.date: 01/10/2023 ms.topic: article ---- +--- -# Customize the Start menu layout on Windows 11 +# Customize the Start menu layout on Windows 11 -**Applies to**: +**Applies to**: -- Windows 11 +- Windows 11 -> **Looking for OEM information?** See [Customize the Taskbar](/windows-hardware/customize/desktop/customize-the-windows-11-taskbar) and [Customize the Start layout](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu). +> **Looking for OEM information?** See [Customize the Taskbar](/windows-hardware/customize/desktop/customize-the-windows-11-taskbar) and [Customize the Start layout](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu). -Your organization can deploy a customized Start layout to your Windows 11 devices. Customizing the Start layout is common when you have similar devices used by many users, or you want to pin specific apps. +Your organization can deploy a customized Start layout to your Windows 11 devices. Customizing the Start layout is common when you have similar devices used by many users, or you want to pin specific apps. -For example, you can override the default set of apps with your own a set of pinned apps, and in the order you choose. As an administrator, use this feature to pin apps, remove default pinned apps, order the apps, and more. +For example, you can override the default set of apps with your own a set of pinned apps, and in the order you choose. As an administrator, use this feature to pin apps, remove default pinned apps, order the apps, and more. -To add apps you want pinned to the Start menu, you use a JSON file. 
In previous Windows versions, IT administrators used an XML file to customize the Start menu. The XML file isn't available on Windows 11 and later ***unless*** [you're an OEM](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu). +To add apps you want pinned to the Start menu, you use a JSON file. In previous Windows versions, IT administrators used an XML file to customize the Start menu. The XML file isn't available on Windows 11 and later ***unless*** [you're an OEM](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu). -This article shows you how to export an existing Start menu layout, and use the JSON in a Microsoft Intune policy. +This article shows you how to export an existing Start menu layout, and use the JSON in a Microsoft Intune policy. -## Before you begin +## Before you begin -- When you customize the Start layout, you overwrite the entire full layout. A partial Start layout isn't available. Users can pin and unpin apps, and uninstall apps from Start. When a user signs in or Explorer restarts, Windows reapplies the MDM policy. This action restores the specified layout and doesn't retain any user changes. +- When you customize the Start layout, you overwrite the entire full layout. A partial Start layout isn't available. Users can pin and unpin apps, and uninstall apps from Start. When a user signs in or Explorer restarts, Windows reapplies the MDM policy. This action restores the specified layout and doesn't retain any user changes. - To prevent users from making any changes to the Start menu layout, see the [NoChangeStartMenu](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-nochangestartmenu) policy. + To prevent users from making any changes to the Start menu layout, see the [NoChangeStartMenu](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-nochangestartmenu) policy. -- It's recommended to use a mobile device management (MDM) provider. 
MDM providers help manage your devices, and help manage apps on your devices. You can use Microsoft Intune. Intune is a family of products that include Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises. +- It's recommended to use a mobile device management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. You can use Microsoft Intune. Intune is a family of products that include Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises. - In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started: + In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started: - [Endpoint Management at Microsoft](/mem/endpoint-manager-overview) - [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide) - - [What is Configuration Manager?](/mem/configmgr/core/understand/introduction) + - [What is Configuration Manager?](/mem/configmgr/core/understand/introduction) -## Start menu features and areas +## Start menu features and areas -In Windows 11, the Start menu is redesigned with a simplified set of apps that are arranged in a grid of pages. There aren't folders, groups, or different-sized app icons: +In Windows 11, the Start menu is redesigned with a simplified set of apps that are arranged in a grid of pages. 
There aren't folders, groups, or different-sized app icons: -:::image type="content" source="./images/customize-start-menu-layout-windows-11/start-menu-layout.png" alt-text="Sample start menu layout on Windows 11 devices that shows pinned apps, access to all apps, and shows recommended files."::: +:::image type="content" source="./images/customize-start-menu-layout-windows-11/start-menu-layout.png" alt-text="Sample start menu layout on Windows 11 devices that shows pinned apps, access to all apps, and shows recommended files."::: -Start has the following areas: +Start has the following areas: -- **Pinned**: Shows pinned apps, or a subset of all of the apps installed on the device. You can create a list of pinned apps you want on the devices using the **ConfigureStartPins** policy. **ConfigureStartPins** overrides the entire layout, which also removes apps that are pinned by default. +- **Pinned**: Shows pinned apps, or a subset of all of the apps installed on the device. You can create a list of pinned apps you want on the devices using the **ConfigureStartPins** policy. **ConfigureStartPins** overrides the entire layout, which also removes apps that are pinned by default. - This article shows you [how to use the **ConfigureStartPins** policy](#get-the-pinnedlist-json). + This article shows you [how to use the **ConfigureStartPins** policy](#get-the-pinnedlist-json). -- **All apps**: Users select this option to see an alphabetical list of all the apps on the device. This section can't be customized using the JSON file. +- **All apps**: Users select this option to see an alphabetical list of all the apps on the device. This section can't be customized using the JSON file. - The [Start/HideFrequentlyUsedApps CSP](/windows/client-management/mdm/policy-csp-start#start-hidefrequentlyusedapps) exposes settings that configure the "Most used" section, which is at the top of the all apps list. 
+ The [Start/HideFrequentlyUsedApps CSP](/windows/client-management/mdm/policy-csp-start#start-hidefrequentlyusedapps) exposes settings that configure the "Most used" section, which is at the top of the all apps list. - In **Intune**, you can configure this Start menu layout feature, and more. For more information on the Start menu settings you can configure in an Intune policy, see [Windows 10/11 device settings to allow or restrict features](/mem/intune/configuration/device-restrictions-windows-10#start). + In **Intune**, you can configure this Start menu layout feature, and more. For more information on the Start menu settings you can configure in an Intune policy, see [Windows 10/11 device settings to allow or restrict features](/mem/intune/configuration/device-restrictions-windows-10#start). - In **Group Policy**, there are policies that include settings that control the Start menu layout. Some policies may not work as expected. Be sure to test your policies before broadly deploying them across your devices: + In **Group Policy**, there are policies that include settings that control the Start menu layout. Some policies may not work as expected. Be sure to test your policies before broadly deploying them across your devices: - `Computer Configuration\Administrative Templates\Start Menu and Taskbar` - - `User Configuration\Administrative Templates\Start Menu and Taskbar` + - `User Configuration\Administrative Templates\Start Menu and Taskbar` -- **Recommended**: Shows recently opened files and recently installed apps. This section can only be customized in Windows 11 SE using the following policy. +- **Recommended**: Shows recently opened files and recently installed apps. This section can only be customized in Windows 11 SE using the following policy. 
- - `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove Recommended section from Start Menu` + - `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove Recommended section from Start Menu` -## Create the JSON file +## Create the JSON file -On an existing Windows 11 device, set up your own Start layout with the pinned apps you want users to see. Then, use the [Windows PowerShell Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet to export the existing layout to a `LayoutModification.json` file. +On an existing Windows 11 device, set up your own Start layout with the pinned apps you want users to see. Then, use the [Windows PowerShell Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet to export the existing layout to a `LayoutModification.json` file. -The JSON file controls the Start menu layout, and lists all the apps that are pinned. You can update the JSON file to: +The JSON file controls the Start menu layout, and lists all the apps that are pinned. You can update the JSON file to: - Change the order of existing apps. The apps in the JSON file are shown on Start in the same order. -- Add more apps by entering the app ID. For more information, see [Get the pinnedList JSON](#get-the-pinnedlist-json) (in this article). +- Add more apps by entering the app ID. For more information, see [Get the pinnedList JSON](#get-the-pinnedlist-json) (in this article). -If you're familiar with creating JSON files, you can create your own `LayoutModification.json` file. But, it's easier and faster to export the layout from an existing device. +If you're familiar with creating JSON files, you can create your own `LayoutModification.json` file. But, it's easier and faster to export the layout from an existing device. -### Export an existing Start layout +### Export an existing Start layout 1. Create a folder to save the `.json` file. For example, create the `C:\Layouts` folder. 2. 
On a Windows 11 device, open the Windows PowerShell app. -3. Run the following cmdlet. Name the file `LayoutModification.json`. +3. Run the following cmdlet. Name the file `LayoutModification.json`. ```powershell Export-StartLayout -Path "C:\Layouts\LayoutModification.json" - ``` -### Get the pinnedList JSON + ``` + +### Get the pinnedList JSON 1. Open the `LayoutModification.json` file in a JSON editor, such as Visual Studio Code or Notepad. For more information, see [edit JSON with Visual Studio Code](https://code.visualstudio.com/docs/languages/json). -2. In the file, you see the `pinnedList` section. This section includes all of the pinned apps. Copy the `pinnedList` content in the JSON file. You'll use it in the next section. +2. In the file, you see the `pinnedList` section. This section includes all of the pinned apps. Copy the `pinnedList` content in the JSON file. You'll use it in the next section. - In the following example, you see that Microsoft Edge, Microsoft Word, the Microsoft Store app, and Notepad are pinned: + In the following example, you see that Microsoft Edge, Microsoft Word, the Microsoft Store app, and Notepad are pinned: ```json { - "pinnedList": [ - { "desktopAppId": "MSEdge" }, - { "desktopAppId": "Microsoft.Office.WINWORD.EXE.15" }, - { "packagedAppId": "Microsoft.WindowsStore_8wekyb3d8bbwe!App" }, - { "packagedAppId": "Microsoft.WindowsNotepad_8wekyb3d8bbwe!App" } - ] - } - ``` -3. Starting with Windows 11, the **ConfigureStartPins** policy is available. This policy uses the `LayoutModification.json` file to add apps to the Pinned section. In your JSON file, you can add more apps to this section using the following keys: + "pinnedList": [ + + { "desktopAppId": "MSEdge" }, + + { "desktopAppId": "Microsoft.Office.WINWORD.EXE.15" }, + + { "packagedAppId": "Microsoft.WindowsStore_8wekyb3d8bbwe!App" }, + + { "packagedAppId": "Microsoft.WindowsNotepad_8wekyb3d8bbwe!App" } + + ] + + } + + ``` + +3. 
Starting with Windows 11, the **ConfigureStartPins** policy is available. This policy uses the `LayoutModification.json` file to add apps to the Pinned section. In your JSON file, you can add more apps to this section using the following keys: --- | Key | Description | | --- | --- | | packagedAppID | Use this option for Universal Windows Platform apps. To pin a UWP app, use the app's AUMID.| | desktopAppID | Use this option for unpackaged Win32 apps. To pin a Win32 app, use the app's AUMID. If the app doesn't have an AUMID, then enter the `desktopAppLink` instead. | - | desktopAppLink | Use this option for unpackaged Win32 apps that don't have an associated AUMID. To pin this type of app, use the path to the `.lnk` shortcut that points to the app. | + | desktopAppLink | Use this option for unpackaged Win32 apps that don't have an associated AUMID. To pin this type of app, use the path to the `.lnk` shortcut that points to the app. | -## Use MDM to create and deploy a pinned list policy +## Use MDM to create and deploy a pinned list policy -Now that you have the JSON syntax, you're ready to deploy your customized Start layout to devices in your organization. +Now that you have the JSON syntax, you're ready to deploy your customized Start layout to devices in your organization. -MDM providers can deploy policies to devices managed by the organization, including organization-owned devices, and personal or bring your own device (BYOD). Using an MDM provider, such as Microsoft Intune, you can deploy a policy that configures the pinned list. +MDM providers can deploy policies to devices managed by the organization, including organization-owned devices, and personal or bring your own device (BYOD). Using an MDM provider, such as Microsoft Intune, you can deploy a policy that configures the pinned list. -This section shows you how to create a pinned list policy in Intune. There isn't a Group Policy to create a pinned list. 
+This section shows you how to create a pinned list policy in Intune. There isn't a Group Policy to create a pinned list. -### Create a pinned list using an Intune policy +### Create a pinned list using an Intune policy -To deploy this policy, the devices must be enrolled, and managed by your organization. For more information, see [What is device enrollment?](/mem/intune/enrollment/device-enrollment). +To deploy this policy, the devices must be enrolled, and managed by your organization. For more information, see [What is device enrollment?](/mem/intune/enrollment/device-enrollment). 1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Select **Devices** > **Configuration profiles** > **Create profile**. -3. Enter the following properties: +3. Enter the following properties: - **Platform**: Select **Windows 10 and later**. - - **Profile**: Select **Templates** > **Custom**. + - **Profile**: Select **Templates** > **Custom**. 4. Select **Create**. -5. In **Basics**, enter the following properties: +5. In **Basics**, enter the following properties: - **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is **Win11: Custom Start layout**. - - **Description**: Enter a description for the profile. This setting is optional, and recommended. + - **Description**: Enter a description for the profile. This setting is optional, and recommended. 6. Select **Next**. -7. In **Configuration settings** > **OMA-URI**, select **Add**. Add the following properties: +7. In **Configuration settings** > **OMA-URI**, select **Add**. Add the following properties: - **Name**: Enter something like **Configure Start pins**. - **Description**: Enter a description for the row. This setting is optional, and recommended. - **OMA-URI**: Enter `./Vendor/MSFT/Policy/Config/Start/ConfigureStartPins`. - **Data type**: Select **String**. 
- - **Value**: Paste the JSON you created or updated in the previous section. For example, enter the following text: + - **Value**: Paste the JSON you created or updated in the previous section. For example, enter the following text: ```json { + "pinnedList": [ + { "desktopAppId": "MSEdge" }, + { "desktopAppId": "Microsoft.Office.WINWORD.EXE.15" }, + { "packagedAppId": "Microsoft.WindowsStore_8wekyb3d8bbwe!App" }, + { "packagedAppId": "Microsoft.WindowsNotepad_8wekyb3d8bbwe!App" } + ] + } - ``` - Your settings look similar to the following settings: + ``` - :::image type="content" source="./images/customize-start-menu-layout-windows-11/endpoint-manager-admin-center-custom-oma-uri-start-layout.png" alt-text="Custom OMA-URI settings to customize Start menu layout using pinnedList"::: + Your settings look similar to the following settings: + + :::image type="content" source="./images/customize-start-menu-layout-windows-11/endpoint-manager-admin-center-custom-oma-uri-start-layout.png" alt-text="Custom OMA-URI settings to customize Start menu layout using pinnedList"::: 8. Select **Save** > **Next** to save your changes. -9. Configure the rest of the policy settings. For more specific information, see [Create a profile with custom settings](/mem/intune/configuration/custom-settings-configure). +9. Configure the rest of the policy settings. For more specific information, see [Create a profile with custom settings](/mem/intune/configuration/custom-settings-configure). -The Windows OS exposes many CSPs that apply to the Start menu. For a list, see [Supported CSP policies for Windows 11 Start menu](supported-csp-start-menu-layout-windows.md). +The Windows OS exposes many CSPs that apply to the Start menu. For a list, see [Supported CSP policies for Windows 11 Start menu](supported-csp-start-menu-layout-windows.md). -### Deploy the policy using Intune +### Deploy the policy using Intune -When the policy is created, you can deploy it now, or deploy it later. 
Since this policy is a customized Start layout, the policy can be deployed anytime, including before users sign in the first time. +When the policy is created, you can deploy it now, or deploy it later. Since this policy is a customized Start layout, the policy can be deployed anytime, including before users sign in the first time. For more information and guidance on assigning policies to devices in your organization, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign). diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/start/customize-windows-10-start-screens-by-using-group-policy.md similarity index 78% rename from windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md rename to windows/configuration/start/customize-windows-10-start-screens-by-using-group-policy.md index 94641458ae..25d05349a1 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configuration/start/customize-windows-10-start-screens-by-using-group-policy.md 
@@ -1,120 +1,117 @@ --- title: Customize Windows 10 Start and taskbar with group policy description: In Windows 10, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. -ms.reviewer: -manager: aaroncz -author: lizgt2000 -ms.author: lizlong ms.date: 12/31/2017 ---- +--- -# Customize Windows 10 Start and taskbar with Group Policy +# Customize Windows 10 Start and taskbar with Group Policy -**Applies to** +**Applies to** -- Windows 10 +- Windows 10 ->**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) +>**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) -In Windows 10 Pro, Enterprise, and Education, you can use a Group Policy Object (GPO) to deploy a customized Start and taskbar layout to users in a domain. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. +In Windows 10 Pro, Enterprise, and Education, you can use a Group Policy Object (GPO) to deploy a customized Start and taskbar layout to users in a domain. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. -This topic describes how to update Group Policy settings to display a customized Start and taskbar layout when the users sign in. By creating a domain-based GPO with these settings, you can deploy a customized Start and taskbar layout to users in a domain. +This topic describes how to update Group Policy settings to display a customized Start and taskbar layout when the users sign in. 
By creating a domain-based GPO with these settings, you can deploy a customized Start and taskbar layout to users in a domain. >[!WARNING] ->When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. When you apply a taskbar layout, users will still be able to pin and unpin apps, and change the order of pinned apps. +>When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. When you apply a taskbar layout, users will still be able to pin and unpin apps, and change the order of pinned apps. - + -**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) +**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) -## Operating system requirements +## Operating system requirements -In Windows 10, version 1607, Start and taskbar layout control using Group Policy is supported in Windows 10 Enterprise and Windows 10 Education. In Windows 10, version 1703, Start and taskbar layout control using Group Policy is also supported in Windows 10 Pro. +In Windows 10, version 1607, Start and taskbar layout control using Group Policy is supported in Windows 10 Enterprise and Windows 10 Education. In Windows 10, version 1703, Start and taskbar layout control using Group Policy is also supported in Windows 10 Pro. 
-The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. In Group Policy, ADMX files are used to define Registry-based policy settings in the Administrative Templates category. To find out how to create a central store for Administrative Templates files, see [article 929841, written for Windows Vista and still applicable](/troubleshoot/windows-server/group-policy/create-central-store-domain-controller) in the Microsoft Knowledge Base. +The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. In Group Policy, ADMX files are used to define Registry-based policy settings in the Administrative Templates category. To find out how to create a central store for Administrative Templates files, see [article 929841, written for Windows Vista and still applicable](/troubleshoot/windows-server/group-policy/create-central-store-domain-controller) in the Microsoft Knowledge Base. -## How Start layout control works +## How Start layout control works -Three features enable Start and taskbar layout control: +Three features enable Start and taskbar layout control: -- The [Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. +- The [Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. >[!NOTE] - >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](/powershell/module/startlayout/import-startlayout) cmdlet. + >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](/powershell/module/startlayout/import-startlayout) cmdlet. 
-- [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `` or create an .xml file just for the taskbar configuration. +- [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `` or create an .xml file just for the taskbar configuration. -- In Group Policy, you use the **Start Layout** settings for the **Start Menu and Taskbar** administrative template to set a Start and taskbar layout from an .xml file when the policy is applied. The Group Policy object doesn't support an empty tile layout, so the default tile layout for Windows is loaded in that case. +- In Group Policy, you use the **Start Layout** settings for the **Start Menu and Taskbar** administrative template to set a Start and taskbar layout from an .xml file when the policy is applied. The Group Policy object doesn't support an empty tile layout, so the default tile layout for Windows is loaded in that case. >[!NOTE] ->To learn how customize Start to include your line-of-business apps when you deploy Windows 10, see [Customize the Windows 10 Start layout]( https://go.microsoft.com/fwlink/p/?LinkId=620863). +>To learn how customize Start to include your line-of-business apps when you deploy Windows 10, see [Customize the Windows 10 Start layout]( https://go.microsoft.com/fwlink/p/?LinkId=620863). - + -## Use Group Policy to apply a customized Start layout in a domain +## Use Group Policy to apply a customized Start layout in a domain -To apply the Start and taskbar layout to users in a domain, use the Group Policy Management Console (GPMC) to configure a domain-based Group Policy Object (GPO) that sets **Start Layout** policy settings in the **Start Menu and Taskbar** administrative template for users in a domain. 
+To apply the Start and taskbar layout to users in a domain, use the Group Policy Management Console (GPMC) to configure a domain-based Group Policy Object (GPO) that sets **Start Layout** policy settings in the **Start Menu and Taskbar** administrative template for users in a domain. -The GPO applies the Start and taskbar layout at the next user sign-in. Each time the user signs in, the timestamp of the .xml file with the Start and taskbar layout is checked and if a newer version of the file is available, the settings in the latest version of the file are applied. +The GPO applies the Start and taskbar layout at the next user sign-in. Each time the user signs in, the timestamp of the .xml file with the Start and taskbar layout is checked and if a newer version of the file is available, the settings in the latest version of the file are applied. -The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. +The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. -The .xml file with the Start and taskbar layout must be located on shared network storage that is available to the users' computers when they sign in and the users must have Read-only access to the file. If the file is not available when the first user signs in, Start and the taskbar are not customized during the session, but the user will be prevented from making changes to Start. On subsequent sign-ins, if the file is available at sign-in, the layout it contains will be applied to the user's Start and taskbar. +The .xml file with the Start and taskbar layout must be located on shared network storage that is available to the users' computers when they sign in and the users must have Read-only access to the file. 
If the file is not available when the first user signs in, Start and the taskbar are not customized during the session, but the user will be prevented from making changes to Start. On subsequent sign-ins, if the file is available at sign-in, the layout it contains will be applied to the user's Start and taskbar. -For information about deploying GPOs in a domain, see [Working with Group Policy Objects](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)). +For information about deploying GPOs in a domain, see [Working with Group Policy Objects](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)). -## Use Group Policy to apply a customized Start layout on the local computer +## Use Group Policy to apply a customized Start layout on the local computer -You can use the Local Group Policy Editor to provide a customized Start and taskbar layout for any user who signs in on the local computer. To display the customized Start and taskbar layout for any user who signs in, configure **Start Layout** policy settings for the **Start Menu and Taskbar** administrative template. You can use the **Start Menu and Taskbar** administrative template in **User Configuration** or **Computer Configuration**. +You can use the Local Group Policy Editor to provide a customized Start and taskbar layout for any user who signs in on the local computer. To display the customized Start and taskbar layout for any user who signs in, configure **Start Layout** policy settings for the **Start Menu and Taskbar** administrative template. You can use the **Start Menu and Taskbar** administrative template in **User Configuration** or **Computer Configuration**. >[!NOTE] >This procedure applies the policy settings on the local computer only. For information about deploying the Start and taskbar layout to users in a domain, see [Use Group Policy to deploy a customized Start layout in a domain](#bkmk-domaingpodeployment). 
> ->This procedure creates a Local Group Policy that applies to all users on the computer. To configure Local Group Policy that applies to a specific user or group on the computer, see [Step-by-Step Guide to Managing Multiple Local Group Policy Objects](/previous-versions/windows/it-pro/windows-vista/cc766291(v=ws.10)). The guide was written for Windows Vista and the procedures still apply to Windows 10. +>This procedure creates a Local Group Policy that applies to all users on the computer. To configure Local Group Policy that applies to a specific user or group on the computer, see [Step-by-Step Guide to Managing Multiple Local Group Policy Objects](/previous-versions/windows/it-pro/windows-vista/cc766291(v=ws.10)). The guide was written for Windows Vista and the procedures still apply to Windows 10. -This procedure adds the customized Start and taskbar layout to the user configuration, which overrides any Start layout settings in the local computer configuration when a user signs in on the computer. +This procedure adds the customized Start and taskbar layout to the user configuration, which overrides any Start layout settings in the local computer configuration when a user signs in on the computer. -**To configure Start Layout policy settings in Local Group Policy Editor** +**To configure Start Layout policy settings in Local Group Policy Editor** -1. On the test computer, press the Windows key, type **gpedit**, and then select **Edit group policy (Control panel)**. +1. On the test computer, press the Windows key, type **gpedit**, and then select **Edit group policy (Control panel)**. -2. Go to **User Configuration** or **Computer Configuration** > **Administrative Templates** >**Start Menu and Taskbar**. +2. Go to **User Configuration** or **Computer Configuration** > **Administrative Templates** >**Start Menu and Taskbar**. 
- ![start screen layout policy settings.](images/starttemplate.jpg) + ![start screen layout policy settings.](images/starttemplate.jpg) -3. Right-click **Start Layout** in the right pane, and click **Edit**. +3. Right-click **Start Layout** in the right pane, and click **Edit**. - This opens the **Start Layout** policy settings. + This opens the **Start Layout** policy settings. - ![policy settings for start screen layout.](images/startlayoutpolicy.jpg) + ![policy settings for start screen layout.](images/startlayoutpolicy.jpg) -4. Enter the following settings, and then click **OK**: +4. Enter the following settings, and then click **OK**: - 1. Select **Enabled**. + 1. Select **Enabled**. - 2. Under **Options**, specify the path to the .xml file that contains the Start and taskbar layout. For example, type **C:\\Users\\Test01\\StartScreenMarketing.xml**. + 2. Under **Options**, specify the path to the .xml file that contains the Start and taskbar layout. For example, type **C:\\Users\\Test01\\StartScreenMarketing.xml**. - 3. Optionally, enter a comment to identify the Start and taskbar layout. + 3. Optionally, enter a comment to identify the Start and taskbar layout. > [!IMPORTANT] > If you disable Start Layout policy settings that have been in effect and then re-enable the policy, users will not be able to make changes to Start, however the layout in the .xml file will not be reapplied unless the file has been updated. In Windows PowerShell, you can update the timestamp on a file by running the following command: > - > `(ls ).LastWriteTime = Get-Date` - + > `(ls ).LastWriteTime = Get-Date` -## Update a customized Start layout + + +## Update a customized Start layout -After you use Group Policy to apply a customized Start and taskbar layout on a computer or in a domain, you can update the layout simply by replacing the .xml file that is specified in the Start Layout policy settings with a file with a newer timestamp. 
+After you use Group Policy to apply a customized Start and taskbar layout on a computer or in a domain, you can update the layout simply by replacing the .xml file that is specified in the Start Layout policy settings with a file with a newer timestamp. -## Related topics +## Related topics - [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) @@ -126,3 +123,4 @@ After you use Group Policy to apply a customized Start and taskbar layout on a c - [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) + diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/start/customize-windows-10-start-screens-by-using-mobile-device-management.md similarity index 66% rename from windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md rename to windows/configuration/start/customize-windows-10-start-screens-by-using-mobile-device-management.md index ebd6bb9d28..e108f8027e 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/configuration/start/customize-windows-10-start-screens-by-using-mobile-device-management.md 
@@ -1,91 +1,85 @@ --- title: Change the Windows 10 Start and taskbar using mobile device management | Microsoft Docs -description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. For example, use Microsoft Intune to configure the start menu layout and taskbar, and deploy the policy to your devices. -ms.reviewer: -manager: aaroncz -ms.prod: windows-client -author: lizgt2000 -ms.topic: article -ms.author: lizlong -ms.localizationpriority: medium +description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. For example, use Microsoft Intune to configure the start menu layout and taskbar, and deploy the policy to your devices. +ms.topic: article + ms.date: 08/05/2021 -ms.technology: itpro-configure ---- +--- -# Customize Windows 10 Start and taskbar with mobile device management (MDM) +# Customize Windows 10 Start and taskbar with mobile device management (MDM) -**Applies to** +**Applies to** -- Windows 10 +- Windows 10 ->**Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) +>**Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) -In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. No reimaging is required. The layout can be updated simply by overwriting the `.xml` file that contains the layout. This feature enables you to customize Start layouts for different departments or organizations, with minimal management overhead. +In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. No reimaging is required. 
The layout can be updated simply by overwriting the `.xml` file that contains the layout. This feature enables you to customize Start layouts for different departments or organizations, with minimal management overhead. >[!NOTE] ->Support for applying a customized taskbar using MDM is added in Windows 10, version 1703. +>Support for applying a customized taskbar using MDM is added in Windows 10, version 1703. -**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions (also works for taskbar customization). +**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions (also works for taskbar customization). >[!WARNING] ->When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. +>When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. - + -## How Start layout control works +## How Start layout control works -Two features enable Start layout control: +Two features enable Start layout control: -- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. +- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. 
>[!NOTE] - >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](/powershell/module/startlayout/import-startlayout) cmdlet. + >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](/powershell/module/startlayout/import-startlayout) cmdlet. - + -- In Microsoft Intune, you select the Start layout XML file and add it to a device configuration profile. +- In Microsoft Intune, you select the Start layout XML file and add it to a device configuration profile. >[!NOTE] - >Please do not include XML Prologs like \ in the Start layout XML file. The settings may not be reflected correctly. + >Please do not include XML Prologs like \ in the Start layout XML file. The settings may not be reflected correctly. -## Create a policy for your customized Start layout +## Create a policy for your customized Start layout -The following example uses Microsoft Intune to configure an MDM policy that applies a customized Start layout: +The following example uses Microsoft Intune to configure an MDM policy that applies a customized Start layout: -1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Select **Devices** > **Configuration profiles** > **Create profile**. +2. Select **Devices** > **Configuration profiles** > **Create profile**. -3. Enter the following properties: +3. Enter the following properties: - **Platform**: Select **Windows 10 and later**. - - **Profile type**: Select **Templates** > **Device restrictions** > **Create**. + - **Profile type**: Select **Templates** > **Device restrictions** > **Create**. -4. In **Basics**, enter the following properties: +4. In **Basics**, enter the following properties: - **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify it later. 
For example, a good profile name is **Customize Start menu and taskbar**. - - **Description**: Enter a description for the profile. This setting is optional, but recommended. + - **Description**: Enter a description for the profile. This setting is optional, but recommended. -5. Select **Next**. +5. Select **Next**. -6. In **Configuration settings**, select **Start**: +6. In **Configuration settings**, select **Start**: - If you're using an XML file, select **Start menu layout**. Browse to and select your Start layout XML file. - - If you don't have an XML file, configure the others settings. For more information on these settings, see [Start settings in Microsoft Intune](/mem/intune/configuration/device-restrictions-windows-10#start). + - If you don't have an XML file, configure the others settings. For more information on these settings, see [Start settings in Microsoft Intune](/mem/intune/configuration/device-restrictions-windows-10#start). 7. Select **Next**. 8. In **Scope tags**, select **Next**. For more information about scope tags, see [Use RBAC and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags). 9. In **Assignments**, select the user or groups that will receive your profile. Select **Next**. For more information on assigning profiles, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign). -10. In **Review + create**, review your settings. When you select **Create**, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list. +10. In **Review + create**, review your settings. When you select **Create**, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list. > [!NOTE] -> For third party partner MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). 
The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`. +> For third party partner MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`. -## Next steps +## Next steps - [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) - [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/start/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md similarity index 57% rename from windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md rename to windows/configuration/start/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index 904afc2d16..59b545f846 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/configuration/start/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md 
@@ -1,134 +1,128 @@ --- -title: Customize Windows 10 Start and taskbar with provisioning packages (Windows 10) -description: In Windows 10, you can use a provisioning package to deploy a customized Start layout to users. -ms.reviewer: -manager: aaroncz -ms.prod: windows-client -author: lizgt2000 -ms.author: lizlong -ms.topic: article -ms.localizationpriority: medium -ms.technology: itpro-configure +title: Customize Windows 10 Start and taskbar with provisioning packages +description: In Windows 10, you can use a provisioning package to deploy a customized Start layout to users. +ms.topic: article + ms.date: 12/31/2017 ---- +--- -# Customize Windows 10 Start and taskbar with provisioning packages +# Customize Windows 10 Start and taskbar with provisioning packages -**Applies to** +**Applies to** -- Windows 10 +- Windows 10 -> **Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) +> **Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) > [!NOTE] -> Currently, using provisioning packages to customize the Start menu layout is supported on Windows 10. It's not supported on Windows 11. +> Currently, using provisioning packages to customize the Start menu layout is supported on Windows 10. It's not supported on Windows 11. -In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, version 1703, you can use a provisioning package that you create with Windows Configuration Designer to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. 
+In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, version 1703, you can use a provisioning package that you create with Windows Configuration Designer to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. > [!IMPORTANT] -> If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy. +> If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy. -**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions. +**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions. -## How Start layout control works +## How Start layout control works -Three features enable Start and taskbar layout control: +Three features enable Start and taskbar layout control: -- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. 
+- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. > [!NOTE] - > To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](/powershell/module/startlayout/import-startlayout) cmdlet. + > To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](/powershell/module/startlayout/import-startlayout) cmdlet. -- [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `` or create an .xml file just for the taskbar configuration. +- [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `` or create an .xml file just for the taskbar configuration. -- In Windows Configuration Designer, you use the **Policies/Start/StartLayout** setting to provide the contents of the .xml file that defines the Start and taskbar layout. +- In Windows Configuration Designer, you use the **Policies/Start/StartLayout** setting to provide the contents of the .xml file that defines the Start and taskbar layout. - + -## Prepare the Start layout XML file +## Prepare the Start layout XML file -The **Export-StartLayout** cmdlet produces an XML file. Because Windows Configuration Designer produces a customizations.xml file that contains the configuration settings, adding the Start layout section to the customizations.xml file directly would result in an XML file embedded in an XML file. Before you add the Start layout section to the customizations.xml file, you must replace the markup characters in your layout.xml with escape characters. +The **Export-StartLayout** cmdlet produces an XML file. Because Windows Configuration Designer produces a customizations.xml file that contains the configuration settings, adding the Start layout section to the customizations.xml file directly would result in an XML file embedded in an XML file. 
Before you add the Start layout section to the customizations.xml file, you must replace the markup characters in your layout.xml with escape characters. -1. Copy the contents of layout.xml into an online tool that escapes characters. +1. Copy the contents of layout.xml into an online tool that escapes characters. -3. During the procedure to create a provisioning package, you will copy the text with the escape characters and paste it in the customizations.xml file for your project. +3. During the procedure to create a provisioning package, you will copy the text with the escape characters and paste it in the customizations.xml file for your project. -## Create a provisioning package that contains a customized Start layout +## Create a provisioning package that contains a customized Start layout -Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-packages/provisioning-install-icd.md) +Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-packages/provisioning-install-icd.md) > [!IMPORTANT] -> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. +> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. -1. 
Open Windows Configuration Designer (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). +1. Open Windows Configuration Designer (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). -2. Choose **Advanced provisioning**. +2. Choose **Advanced provisioning**. -3. Name your project, and click **Next**. +3. Name your project, and click **Next**. -4. Choose **All Windows desktop editions** and click **Next**. +4. Choose **All Windows desktop editions** and click **Next**. -5. On **New project**, click **Finish**. The workspace for your package opens. +5. On **New project**, click **Finish**. The workspace for your package opens. -6. Expand **Runtime settings** > **Policies** > **Start**, and click **StartLayout**. +6. Expand **Runtime settings** > **Policies** > **Start**, and click **StartLayout**. > [!TIP] - > If **Start** is not listed, check the type of settings you selected in step 4. You must create the project using settings for **All Windows desktop editions**. + > If **Start** is not listed, check the type of settings you selected in step 4. You must create the project using settings for **All Windows desktop editions**. -7. Enter **layout.xml**. This value creates a placeholder in the customizations.xml file that you will replace with the contents of the layout.xml file in a later step. +7. Enter **layout.xml**. This value creates a placeholder in the customizations.xml file that you will replace with the contents of the layout.xml file in a later step. -7. Save your project and close Windows Configuration Designer. +7. Save your project and close Windows Configuration Designer. -7. In File Explorer, open the project's directory. (The default location is C:\Users\\*user name*\Documents\Windows Imaging and Configuration Designer (WICD)\\*project name*) +7. 
In File Explorer, open the project's directory. (The default location is C:\Users\\*user name*\Documents\Windows Imaging and Configuration Designer (WICD)\\*project name*) -7. Open the customizations.xml file in a text editor. The **<Customizations>** section will look like this: +7. Open the customizations.xml file in a text editor. The **<Customizations>** section will look like this: - ![Customizations file with the placeholder text to replace highlighted.](images/customization-start.png) + ![Customizations file with the placeholder text to replace highlighted.](images/customization-start.png) -7. Replace **layout.xml** with the text from the layout.xml file, [with markup characters replaced with escape characters](#escape). +7. Replace **layout.xml** with the text from the layout.xml file, [with markup characters replaced with escape characters](#escape). -8. Save and close the customizations.xml file. +8. Save and close the customizations.xml file. -8. Open Windows Configuration Designer and open your project. +8. Open Windows Configuration Designer and open your project. -8. On the **File** menu, select **Save.** +8. On the **File** menu, select **Save.** -9. On the **Export** menu, select **Provisioning package**. +9. On the **Export** menu, select **Provisioning package**. -10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** +10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** -11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. +11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. 
- - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package. + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package. -12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location. +12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location. - Optionally, you can click **Browse** to change the default output location. + Optionally, you can click **Browse** to change the default output location. -13. Click **Next**. +13. Click **Next**. -14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. +14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. 
+ If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. -15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. +15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. -16. Copy the provisioning package to the target device. +16. Copy the provisioning package to the target device. -17. Double-click the ppkg file and allow it to install. +17. Double-click the ppkg file and allow it to install. -## Related topics +## Related topics - [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) - [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) 
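Review bot: the numbered procedure under "Create a provisioning package that contains a customized Start layout" keeps its broken numbering. After step 6 the list reads 7, 7, 7, 7, 7, 8, 8, 8, 9, so a reference such as the tip's "step 4" cannot be made reliably for any later step. Every -/+ pair shown here is textually identical, which suggests a whitespace or line-ending change only; since each of those lines is already being rewritten, renumber them sequentially (or use `1.` throughout and let the renderer number them). Two smaller points in the same region: step 12 names the tool "Windows Imaging and Configuration Designer (ICD)" while the rest of the procedure says "Windows Configuration Designer", and step 1 of the escape procedure still directs readers to an unnamed online tool; pointing to a local way to escape the markup would avoid pasting deployment configuration into a third-party site.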
diff --git a/windows/configuration/images/customize-start-menu-layout-windows-11/endpoint-manager-admin-center-custom-oma-uri-start-layout.png b/windows/configuration/start/images/endpoint-manager-admin-center-custom-oma-uri-start-layout.png similarity index 100% rename from windows/configuration/images/customize-start-menu-layout-windows-11/endpoint-manager-admin-center-custom-oma-uri-start-layout.png rename to windows/configuration/start/images/endpoint-manager-admin-center-custom-oma-uri-start-layout.png diff --git a/windows/configuration/images/customize-taskbar-windows-11/start-layout-group-policy.png b/windows/configuration/start/images/start-layout-group-policy.png similarity index 100% rename from windows/configuration/images/customize-taskbar-windows-11/start-layout-group-policy.png rename to windows/configuration/start/images/start-layout-group-policy.png diff --git a/windows/configuration/images/customize-start-menu-layout-windows-11/start-menu-layout.png b/windows/configuration/start/images/start-menu-layout.png similarity index 100% rename from windows/configuration/images/customize-start-menu-layout-windows-11/start-menu-layout.png rename to windows/configuration/start/images/start-menu-layout.png diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start/start-layout-xml-desktop.md similarity index 88% rename from windows/configuration/start-layout-xml-desktop.md rename to windows/configuration/start/start-layout-xml-desktop.md index be361db92b..5f4e03638d 100644 --- a/windows/configuration/start-layout-xml-desktop.md +++ b/windows/configuration/start/start-layout-xml-desktop.md 
@@ -1,47 +1,44 @@ --- -title: Start layout XML for desktop editions of Windows 10 (Windows 10) +title: Start layout XML for desktop editions of Windows 10 description: This article describes the options for customizing Start layout in LayoutModification.xml for Windows 10 desktop editions. -ms.prod: windows-client -author: lizgt2000 -ms.author: lizlong ms.topic: article -ms.date: 10/02/2018 -ms.reviewer: -manager: aaroncz -ms.localizationpriority: medium -ms.technology: itpro-configure ---- +ms.date: 10/02/2018 -# Start layout XML for desktop editions of Windows 10 (reference) +--- + +# Start layout XML for desktop editions of Windows 10 (reference) -**Applies to** +**Applies to** -- Windows 10 +- Windows 10 ->**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) +>**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) -On Windows 10 for desktop editions, the customized Start works by: +On Windows 10 for desktop editions, the customized Start works by: -- Windows 10 checks the chosen base default layout, such as the desktop edition and whether Cortana is supported for the country/region. +- Windows 10 checks the chosen base default layout, such as the desktop edition and whether Cortana is supported for the country/region. - Windows 10 reads the LayoutModification.xml file and allows groups to be appended to Start. The groups have the following constraints: - Two groups that are six columns wide, or equivalent to the width of three medium tiles. - Two medium-sized tile rows in height. Windows 10 ignores any tiles that are pinned beyond the second row. + - No limit to the number of apps that can be pinned. There's a theoretical limit of 24 tiles per group (four small tiles per medium square x 3 columns x 2 rows). 
+ + >[!NOTE] ->To use the layout modification XML to configure Start with roaming user profiles, see [Deploying Roaming User Profiles](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-7-optionally-specify-a-start-layout-for-windows-10-pcs). +>To use the layout modification XML to configure Start with roaming user profiles, see [Deploying Roaming User Profiles](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-7-optionally-specify-a-start-layout-for-windows-10-pcs). + +## LayoutModification XML -## LayoutModification XML +IT admins can provision the Start layout using a LayoutModification.xml file. This file supports several mechanisms to modify or replace the default Start layout and its tiles. The easiest method for creating a LayoutModification.xml file is by using the Export-StartLayout cmdlet; see [Customize and export Start layout](customize-and-export-start-layout.md) for instructions. -IT admins can provision the Start layout using a LayoutModification.xml file. This file supports several mechanisms to modify or replace the default Start layout and its tiles. The easiest method for creating a LayoutModification.xml file is by using the Export-StartLayout cmdlet; see [Customize and export Start layout](customize-and-export-start-layout.md) for instructions. +### Required order -### Required order - -The XML schema for `LayoutModification.xml` requires the following order for tags directly under the LayoutModificationTemplate node: +The XML schema for `LayoutModification.xml` requires the following order for tags directly under the LayoutModificationTemplate node: 1. LayoutOptions 1. DefaultLayoutOverride 
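Review bot: the added bullet under the group constraints contradicts itself: "No limit to the number of apps that can be pinned" is followed immediately by "There's a theoretical limit of 24 tiles per group". State the bound once, for example that a group holds at most 24 small tiles (four small tiles per medium square x 3 columns x 2 rows), and drop "No limit". In the front matter, this hunk removes ms.prod, author, ms.author, ms.reviewer, manager, ms.localizationpriority and ms.technology while keeping ms.date at 10/02/2018; nothing in the hunk explains the removal, so it is worth confirming that it is intentional and that the retained date is still the one wanted after a content change.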
@@ -51,22 +48,22 @@ The XML schema for `LayoutModification.xml` requires the following order for tag 1. TopMFUApps 1. CustomTaskbarLayoutCollection 1. InkWorkspaceTopApps -1. StartLayoutCollection +1. StartLayoutCollection -Comments are not supported in the `LayoutModification.xml` file. +Comments are not supported in the `LayoutModification.xml` file. -### Supported elements and attributes +### Supported elements and attributes >[!NOTE] >To make sure the Start layout XML parser processes your file correctly, follow these guidelines when working with your LayoutModification.xml file: >- Do not leave spaces or white lines in between each element. >- Do not add comments inside the StartLayout node or any of its children elements. ->- Do not add multiple rows of comments. +>- Do not add multiple rows of comments. The following table lists the supported elements and attributes for the LayoutModification.xml file. > [!NOTE] -> RequiredStartGroupsCollection and AppendGroup syntax only apply when the Import-StartLayout method is used for building and deploying Windows images. +> RequiredStartGroupsCollection and AppendGroup syntax only apply when the Import-StartLayout method is used for building and deploying Windows images. | Element | Attributes | Description | | --- | --- | --- | @@ -83,19 +80,23 @@ The following table lists the supported elements and attributes for the LayoutMo | Tile

    Parent:
    TopMFUApps | AppUserModelID | Use with the TopMFUApps tags to specify an app with a known AppUserModelID.

    **Note**: Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. | | DesktopApplicationTile

    Parent:
    TopMFUApps | LinkFilePath | Use with the TopMFUApps tags to specify an app without a known AppUserModelID.

    **Note**: Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. | | AppendOfficeSuite

    Parent:
    LayoutModificationTemplate | n/a | Use to add the in-box installed Office suite to Start. For more information, see [Customize the Office suite of tiles](/windows-hardware/customize/desktop/customize-start-layout#customize-the-office-suite-of-tiles).

    Don't use this tag with AppendDownloadOfficeTile. | -| AppendDownloadOfficeTile

    Parent:
    LayoutModificationTemplate | n/a | Use to add a specific **Download Office** tile to a specific location in Start

    Do not use this tag with AppendOfficeSuite | +| AppendDownloadOfficeTile

    Parent:
    LayoutModificationTemplate | n/a | Use to add a specific **Download Office** tile to a specific location in Start

    Do not use this tag with AppendOfficeSuite | -### LayoutOptions +### LayoutOptions -New devices running Windows 10 for desktop editions will default to a Start menu with two columns of tiles unless boot to tablet mode is enabled. Devices with screens that are under 10" have boot to tablet mode enabled by default. For these devices, users see the full screen Start on the desktop. You can adjust the following features: +New devices running Windows 10 for desktop editions will default to a Start menu with two columns of tiles unless boot to tablet mode is enabled. Devices with screens that are under 10" have boot to tablet mode enabled by default. For these devices, users see the full screen Start on the desktop. You can adjust the following features: - Boot to tablet mode can be set on or off. -- Set full screen Start on desktop to on or off. - To do this, add the LayoutOptions element in your LayoutModification.xml file and set the FullScreenStart attribute to true or false. -- Specify the number of columns in the Start menu to 1 or 2. - To do this, add the LayoutOptions element in your LayoutModification.xml file and set the StartTileGroupsColumnCount attribute to 1 or 2. -The following example shows how to use the LayoutOptions element to specify full screen Start on the desktop and to use one column in the Start menu: +- Set full screen Start on desktop to on or off. + + To do this, add the LayoutOptions element in your LayoutModification.xml file and set the FullScreenStart attribute to true or false. + +- Specify the number of columns in the Start menu to 1 or 2. + + To do this, add the LayoutOptions element in your LayoutModification.xml file and set the StartTileGroupsColumnCount attribute to 1 or 2. 
+ +The following example shows how to use the LayoutOptions element to specify full screen Start on the desktop and to use one column in the Start menu: ```XML -``` +``` -For devices being upgraded to Windows 10 for desktop editions: +For devices being upgraded to Windows 10 for desktop editions: - Devices being upgraded from Windows 7 will default to a Start menu with one column. -- Devices being upgraded from Windows 8.1 or Windows 8.1 Upgrade will default to a Start menu with two columns. +- Devices being upgraded from Windows 8.1 or Windows 8.1 Upgrade will default to a Start menu with two columns. -### RequiredStartGroups +### RequiredStartGroups -The **RequiredStartGroups** tag contains **AppendGroup** tags that represent groups that you can append to the default Start layout. +The **RequiredStartGroups** tag contains **AppendGroup** tags that represent groups that you can append to the default Start layout. >[!IMPORTANT] ->For Windows 10 for desktop editions, you can add a maximum of two (2) **AppendGroup** tags per **RequiredStartGroups** tag. +>For Windows 10 for desktop editions, you can add a maximum of two (2) **AppendGroup** tags per **RequiredStartGroups** tag. -You can also assign regions to the append groups in the **RequiredStartGroups** tag's using the optional **Region** attribute or you can use the multivariant capabilities in Windows provisioning. If you're using the **Region** attribute, you must use a two-letter country code to specify the country/region that the append group(s) apply to. To specify more than one country/region, use a pipe ("|") delimiter as shown in the following example: +You can also assign regions to the append groups in the **RequiredStartGroups** tag's using the optional **Region** attribute or you can use the multivariant capabilities in Windows provisioning. If you're using the **Region** attribute, you must use a two-letter country code to specify the country/region that the append group(s) apply to. 
To specify more than one country/region, use a pipe ("|") delimiter as shown in the following example: ```XML -``` +``` -If the country/region setting for the Windows device matches a **RequiredStartGroups**, then the tiles laid out within the **RequiredStartGroups** is applied to Start. +If the country/region setting for the Windows device matches a **RequiredStartGroups**, then the tiles laid out within the **RequiredStartGroups** is applied to Start. -If you specify a region-agnostic **RequiredStartGroups** (or one without the optional Region attribute), then the region-agnostic **RequiredStartGroups** is applied to Start. +If you specify a region-agnostic **RequiredStartGroups** (or one without the optional Region attribute), then the region-agnostic **RequiredStartGroups** is applied to Start. -### AppendGroup +### AppendGroup -**AppendGroup** tags specify a group of tiles that will be appended to Start. There is a maximum of two **AppendGroup** tags allowed per **RequiredStartGroups** tag. +**AppendGroup** tags specify a group of tiles that will be appended to Start. There is a maximum of two **AppendGroup** tags allowed per **RequiredStartGroups** tag. -For Windows 10 for desktop editions, AppendGroup tags contain start:Tile, start:DesktopApplicationTile, or start:SecondaryTile tags. +For Windows 10 for desktop editions, AppendGroup tags contain start:Tile, start:DesktopApplicationTile, or start:SecondaryTile tags. -You can specify any number of tiles in an **AppendGroup**, but you can't specify a tile with a **Row** attribute greater than 4. The Start layout doesn't support overlapping tiles. +You can specify any number of tiles in an **AppendGroup**, but you can't specify a tile with a **Row** attribute greater than 4. The Start layout doesn't support overlapping tiles. -### Specify Start tiles +### Specify Start tiles -To pin tiles to Start, partners must use the right tile depending on what you want to pin. 
+To pin tiles to Start, partners must use the right tile depending on what you want to pin. -#### Tile size and coordinates +#### Tile size and coordinates -All tile types require a size (**Size**) and coordinates (**Row** and **Column**) attributes regardless of the tile type that you use when prepinning items to Start. +All tile types require a size (**Size**) and coordinates (**Row** and **Column**) attributes regardless of the tile type that you use when prepinning items to Start. -The following table describes the attributes that you must use to specify the size and location for the tile. +The following table describes the attributes that you must use to specify the size and location for the tile. | Attribute | Description | | --- | --- | | Size | Determines how large the tile will be.

    - 1x1 - small tile
    - 2x2 - medium tile
    - 4x2 - wide tile
    - 4x4 - large tile | | Row | Specifies the row where the tile will appear. | -| Column | Specifies the column where the tile will appear. | +| Column | Specifies the column where the tile will appear. | -For example, a tile with Size="2x2", Row="2", and Column="2" results in a tile located at (2,2) where (0,0) is the top-left corner of a group. +For example, a tile with Size="2x2", Row="2", and Column="2" results in a tile located at (2,2) where (0,0) is the top-left corner of a group. -#### start:Tile +#### start:Tile -You can use the **start:Tile** tag to pin any of the following apps to Start: +You can use the **start:Tile** tag to pin any of the following apps to Start: - A Universal Windows app -- A Windows 8 app or Windows 8.1 app +- A Windows 8 app or Windows 8.1 app -To specify any one of these apps, you must set the **AppUserModelID** attribute to the application user model ID that's associated with the corresponding app. +To specify any one of these apps, you must set the **AppUserModelID** attribute to the application user model ID that's associated with the corresponding app. >[!IMPORTANT] ->**AppUserModelID** (AUMID) is case-sensitive. +>**AppUserModelID** (AUMID) is case-sensitive. -The following example shows how to pin the Microsoft Edge Universal Windows app: +The following example shows how to pin the Microsoft Edge Universal Windows app: ```XML - ``` + ``` -#### start:DesktopApplicationTile +#### start:DesktopApplicationTile -You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop application to Start. There are two ways you can specify a Windows desktop application: +You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop application to Start. There are two ways you can specify a Windows desktop application: -- Use a path to a shortcut link (.lnk file) to a Windows desktop application. +- Use a path to a shortcut link (.lnk file) to a Windows desktop application. 
>[!NOTE] - >In Start layouts for Windows 10, version 1703, you should use **DesktopApplicationID** rather than **DesktopApplicationLinkPath** if you are using Group Policy or MDM to apply the start layout and the application was installed after the user's first sign-in. + >In Start layouts for Windows 10, version 1703, you should use **DesktopApplicationID** rather than **DesktopApplicationLinkPath** if you are using Group Policy or MDM to apply the start layout and the application was installed after the user's first sign-in. - To pin a Windows desktop application through this method, you must first add the .lnk file in the specified location when the device first boots. + To pin a Windows desktop application through this method, you must first add the .lnk file in the specified location when the device first boots. - The following example shows how to pin the Command Prompt: + The following example shows how to pin the Command Prompt: ```XML ``` - You must set the **DesktopApplicationLinkPath** attribute to the .lnk file that points to the Windows desktop application. The path also supports environment variables. - If you are pointing to a third-party Windows desktop application and the layout is being applied before the first boot, you must put the .lnk file in a legacy Start Menu directory before first boot; for example, "%APPDATA%\Microsoft\Windows\Start Menu\Programs\" or the all users profile "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\". + You must set the **DesktopApplicationLinkPath** attribute to the .lnk file that points to the Windows desktop application. The path also supports environment variables. -- Use the application's application user model ID, if this is known. If the Windows desktop application doesn't have one, use the shortcut link option. 
+ If you are pointing to a third-party Windows desktop application and the layout is being applied before the first boot, you must put the .lnk file in a legacy Start Menu directory before first boot; for example, "%APPDATA%\Microsoft\Windows\Start Menu\Programs\" or the all users profile "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\". + +- Use the application's application user model ID, if this is known. If the Windows desktop application doesn't have one, use the shortcut link option. - You can use the [Get-StartApps cmdlet](/powershell/module/startlayout/get-startapps) on a PC that has the application pinned to Start to obtain the app ID. + You can use the [Get-StartApps cmdlet](/powershell/module/startlayout/get-startapps) on a PC that has the application pinned to Start to obtain the app ID. - To pin a Windows desktop application through this method, you must set the **DesktopApplicationID** attribute to the application user model ID that's associated with the corresponding app. + To pin a Windows desktop application through this method, you must set the **DesktopApplicationID** attribute to the application user model ID that's associated with the corresponding app. - The following example shows how to pin the File Explorer Windows desktop application: + The following example shows how to pin the File Explorer Windows desktop application: ```XML ``` - + -You can also use the **start:DesktopApplicationTile** tag as one of the methods for pinning a Web link to Start. The other method is to use a Microsoft Edge secondary tile. +You can also use the **start:DesktopApplicationTile** tag as one of the methods for pinning a Web link to Start. The other method is to use a Microsoft Edge secondary tile. -To pin a legacy `.url` shortcut to Start, you must create a `.url` file (right-click on the desktop, select **New** > **Shortcut**, and then type a Web URL). 
You must add this `.url` file in a legacy Start Menu directory before first boot; for example, `%APPDATA%\Microsoft\Windows\Start Menu\Programs\` or the all users profile `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\`. +To pin a legacy `.url` shortcut to Start, you must create a `.url` file (right-click on the desktop, select **New** > **Shortcut**, and then type a Web URL). You must add this `.url` file in a legacy Start Menu directory before first boot; for example, `%APPDATA%\Microsoft\Windows\Start Menu\Programs\` or the all users profile `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\`. -The following example shows how to create a tile of the Web site's URL, which you can treat similarly to a Windows desktop application tile: +The following example shows how to create a tile of the Web site's URL, which you can treat similarly to a Windows desktop application tile: ```XML -``` +``` >[!NOTE] ->In Windows 10, version 1703, **Export-StartLayout** will use **DesktopApplicationLinkPath** for the .url shortcut. You must change **DesktopApplicationLinkPath** to **DesktopApplicationID** and provide the URL. +>In Windows 10, version 1703, **Export-StartLayout** will use **DesktopApplicationLinkPath** for the .url shortcut. You must change **DesktopApplicationLinkPath** to **DesktopApplicationID** and provide the URL. -#### start:SecondaryTile +#### start:SecondaryTile -You can use the **start:SecondaryTile** tag to pin a Web link through a Microsoft Edge secondary tile. This method doesn't require any additional action compared to the method of using legacy `.url` shortcuts (through the start:DesktopApplicationTile tag). +You can use the **start:SecondaryTile** tag to pin a Web link through a Microsoft Edge secondary tile. This method doesn't require any additional action compared to the method of using legacy `.url` shortcuts (through the start:DesktopApplicationTile tag). 
-The following example shows how to create a tile of the Web site's URL using the Microsoft Edge secondary tile: +The following example shows how to create a tile of the Web site's URL using the Microsoft Edge secondary tile: ```XML -``` +``` -The following table describes the other attributes that you can use with the **start:SecondaryTile** tag in addition to **Size**, **Row**, and **Column**. +The following table describes the other attributes that you can use with the **start:SecondaryTile** tag in addition to **Size**, **Row**, and **Column**. | Attribute | Required/optional | Description | | --- | --- | --- | 
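Review bot: the guidance on comments is inconsistent across the lines touched in the "Required order" and "Supported elements and attributes" sections. "Comments are not supported in the `LayoutModification.xml` file." is followed in the NOTE by "Do not add comments inside the StartLayout node or any of its children elements" and "Do not add multiple rows of comments", which together imply that a single-line comment outside StartLayout is accepted. Pick one rule and state it once, so that readers do not ship a file the parser may not process correctly.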
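Review bot: the row limits in the AppendGroup and "Tile size and coordinates" sections do not say which unit or index base they use. AppendGroup says "you can't specify a tile with a **Row** attribute greater than 4", the coordinates example places (0,0) at the top-left corner of a group, and the introduction says Windows 10 ignores tiles pinned beyond the second row of medium-sized tiles. Spell out that Row and Column are zero-based if that is the intent, and give the maximum Row value in the same unit as the two-medium-row constraint. Style points on lines this hunk already rewrites: "in the **RequiredStartGroups** tag's using" has a stray possessive, "the tiles laid out within the **RequiredStartGroups** is applied" needs "are applied", and "partners must use the right tile depending on what you want to pin" switches person mid-sentence.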
@@ -279,23 +282,23 @@ The following table describes the other attributes that you can use with the **s | ShowNameOnSquare150x150Logo | Optional | Specifies whether the display name is shown on the 2x2 tile. The values you can use for this attribute are true or false. | | ShowNameOnWide310x150Logo | Optional | Specifies whether the display name is shown on the 4x2 tile. The values you can use for this attribute are true or false. | | BackgroundColor | Optional | Specifies the color of the tile. You can specify the value in ARGB hexadecimal (for example, #FF112233) or specify "transparent". | -| ForegroundText | Optional | Specifies the color of the foreground text. Set the value to either "light" or "dark". | +| ForegroundText | Optional | Specifies the color of the foreground text. Set the value to either "light" or "dark". | -Secondary Microsoft Edge tiles have the same size and location behavior as a Universal Windows app, Windows 8 app, or Windows 8.1 app. +Secondary Microsoft Edge tiles have the same size and location behavior as a Universal Windows app, Windows 8 app, or Windows 8.1 app. -#### TopMFUApps +#### TopMFUApps >[!NOTE] ->Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. +>Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. -You can use the **TopMFUApps** tag to add up to 3 default apps to the frequently used apps section in the system area, which delivers system-driven lists to the user including important or frequently accessed system locations and recently installed apps. 
+You can use the **TopMFUApps** tag to add up to 3 default apps to the frequently used apps section in the system area, which delivers system-driven lists to the user including important or frequently accessed system locations and recently installed apps. -You can use this tag to add: +You can use this tag to add: - Apps with an **AppUserModelID** attribute - This includes Windows desktop applications that have a known application user model ID. Use a **Tile** tag with the **AppUserModelID** attribute set to the app's application user model ID. -- Apps without a **AppUserModelID** attribute - For these apps, you must create a .lnk file that points to the installed app and place the .lnk file in the `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs` directory. Use a **DesktopApplicationTile** tag with the **LinkFilePath** attribute set to the .lnk file name and path. +- Apps without a **AppUserModelID** attribute - For these apps, you must create a .lnk file that points to the installed app and place the .lnk file in the `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs` directory. Use a **DesktopApplicationTile** tag with the **LinkFilePath** attribute set to the .lnk file name and path. -The following example shows how to modify your LayoutModification.xml file to add both kinds of apps to the system area in Start: +The following example shows how to modify your LayoutModification.xml file to add both kinds of apps to the system area in Start: ```XML -``` +``` -#### AppendOfficeSuite +#### AppendOfficeSuite -You can use the **AppendOfficeSuite** tag to add the in-box installed Office suite of apps to Start. +You can use the **AppendOfficeSuite** tag to add the in-box installed Office suite of apps to Start. >[!NOTE] ->The OEM must have installed Office for this tag to work. +>The OEM must have installed Office for this tag to work. 
-The following example shows how to add the **AppendOfficeSuite** tag to your LayoutModification.xml file to append the full Universal Office suite to Start: +The following example shows how to add the **AppendOfficeSuite** tag to your LayoutModification.xml file to append the full Universal Office suite to Start: ```XML -``` +``` -#### AppendOfficeSuiteChoice +#### AppendOfficeSuiteChoice -This tag is added in Windows 10, version 1803. You have two options in this tag: +This tag is added in Windows 10, version 1803. You have two options in this tag: - `` -- `` +- `` -Use `Choice=DesktopBridgeSubscription` on devices running Windows 10, version 1803, that have Office 365 preinstalled. This will set the heading of the Office suite of tiles to **Office 365**, to highlight the Office 365 apps that you've made available on the device. +Use `Choice=DesktopBridgeSubscription` on devices running Windows 10, version 1803, that have Office 365 preinstalled. This will set the heading of the Office suite of tiles to **Office 365**, to highlight the Office 365 apps that you've made available on the device. -Use `Choice=DesktopBridge` on devices running versions of Windows 10 earlier than version 1803, and on devices shipping with [perpetual licenses for Office](/archive/blogs/ausoemteam/choosing-the-right-office-version-for-your-customers). This will set the heading of the Office suite of tiles to **Create**. +Use `Choice=DesktopBridge` on devices running versions of Windows 10 earlier than version 1803, and on devices shipping with [perpetual licenses for Office](/archive/blogs/ausoemteam/choosing-the-right-office-version-for-your-customers). This will set the heading of the Office suite of tiles to **Create**. -For more information, see [Customize the Office suite of tiles](/windows-hardware/customize/desktop/customize-start-layout#customize-the-office-suite-of-tiles). 
+For more information, see [Customize the Office suite of tiles](/windows-hardware/customize/desktop/customize-start-layout#customize-the-office-suite-of-tiles). -#### AppendDownloadOfficeTile +#### AppendDownloadOfficeTile -You can use the **AppendDownloadOfficeTile** tag to append the Office trial installer to Start. This tag adds the **Download Office** tile to Start and the download tile will appear at the bottom right-hand side of the second group. +You can use the **AppendDownloadOfficeTile** tag to append the Office trial installer to Start. This tag adds the **Download Office** tile to Start and the download tile will appear at the bottom right-hand side of the second group. >[!NOTE] ->The OEM must have installed the Office trial installer for this tag to work. +>The OEM must have installed the Office trial installer for this tag to work. -The following example shows how to add the **AppendDownloadOfficeTile** tag to your LayoutModification.xml file: +The following example shows how to add the **AppendDownloadOfficeTile** tag to your LayoutModification.xml file: ```XML -``` +``` -## Sample LayoutModification.xml +## Sample LayoutModification.xml -The following sample LayoutModification.xml shows how you can configure the Start layout for devices running Windows 10 for desktop editions: +The following sample LayoutModification.xml shows how you can configure the Start layout for devices running Windows 10 for desktop editions: ```XML + +
    + -``` +``` -## Use Windows Provisioning multivariant support +## Use Windows Provisioning multivariant support -The Windows Provisioning multivariant capability allows you to declare target conditions that, when met, supply specific customizations for each variant condition. For Start customization, you can create specific layouts for each variant that you have. To do this, you must create a separate LayoutModification.xml file for each variant that you want to support and then include these in your provisioning package. For more information on how to do this, see [Create a provisioning package with multivariant settings](./provisioning-packages/provisioning-multivariant.md). +The Windows Provisioning multivariant capability allows you to declare target conditions that, when met, supply specific customizations for each variant condition. For Start customization, you can create specific layouts for each variant that you have. To do this, you must create a separate LayoutModification.xml file for each variant that you want to support and then include these in your provisioning package. For more information on how to do this, see [Create a provisioning package with multivariant settings](./provisioning-packages/provisioning-multivariant.md). -The provisioning engine chooses the right customization file based on the target conditions that were met, adds the file in the location that's specified for the setting, and then uses the specific file to customize Start. To differentiate between layouts, you can add modifiers to the LayoutModification.xml filename such as "LayoutCustomization1". Regardless of the modifier that you use, the provisioning engine will always output "LayoutCustomization.xml" so that the operating system has a consistent file name to query against. 
+The provisioning engine chooses the right customization file based on the target conditions that were met, adds the file in the location that's specified for the setting, and then uses the specific file to customize Start. To differentiate between layouts, you can add modifiers to the LayoutModification.xml filename such as "LayoutCustomization1". Regardless of the modifier that you use, the provisioning engine will always output "LayoutCustomization.xml" so that the operating system has a consistent file name to query against. For example, if you want to ensure that there's a specific layout for a certain condition, you can: 1. Create a specific layout customization file and then name it LayoutCustomization1.xml. 2. Include the file as part of your provisioning package. -3. Create your multivariant target and reference the XML file within the target condition in the main customization XML file. +3. Create your multivariant target and reference the XML file within the target condition in the main customization XML file. -The following example shows what the overall customization file might look like with multivariant support for Start: +The following example shows what the overall customization file might look like with multivariant support for Start: ```XML @@ -467,23 +473,36 @@ The following example shows what the overall customization file might look like + + + + + 1 + 1 + 1 + + + 1 + + + 
@@ -499,30 +518,31 @@ The following example shows what the overall customization file might look like -``` +``` -When the condition is met, the provisioning engine takes the XML file and places it in the location that the operating system has set and then the Start subsystem reads the file and applies the specific customized layout. +When the condition is met, the provisioning engine takes the XML file and places it in the location that the operating system has set and then the Start subsystem reads the file and applies the specific customized layout. -You must repeat this process for all variants that you want to support so that each variant can have a distinct layout for each of the conditions and targets that need to be supported. For example, if you add a **Language** condition, you can create a Start layout that has its own localized group. +You must repeat this process for all variants that you want to support so that each variant can have a distinct layout for each of the conditions and targets that need to be supported. For example, if you add a **Language** condition, you can create a Start layout that has its own localized group. -## Add the LayoutModification.xml file to the device +## Add the LayoutModification.xml file to the device -Once you have created your LayoutModification.xml file to customize devices that will run Windows 10 for desktop editions, you can use Windows ICD methods to add the XML file to the device. +Once you have created your LayoutModification.xml file to customize devices that will run Windows 10 for desktop editions, you can use Windows ICD methods to add the XML file to the device. 1. In the **Available customizations** pane, expand **Runtime settings**, select **Start** > Select the **StartLayout** setting. 2. In the middle pane, click **Browse** to open File Explorer. 3. In the File Explorer window, navigate to the location where you saved your LayoutModification.xml file. -4. Select the file and then click **Open**. 
-This should set the value of **StartLayout**. The setting appears in the **Selected customizations** pane. +4. Select the file and then click **Open**. + +This should set the value of **StartLayout**. The setting appears in the **Selected customizations** pane. >[!NOTE] ->There is currently no way to add the .url and .lnk files through Windows ICD. +>There is currently no way to add the .url and .lnk files through Windows ICD. -Once you have created the LayoutModification.xml file and it is present in the device, the system overrides the base default layout and any Unattend settings used to customize Start. +Once you have created the LayoutModification.xml file and it is present in the device, the system overrides the base default layout and any Unattend settings used to customize Start. -## Related topics +## Related topics - [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) - [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start/start-secondary-tiles.md similarity index 75% rename from windows/configuration/start-secondary-tiles.md rename to windows/configuration/start/start-secondary-tiles.md index e9b63e1772..d210defada 100644 --- a/windows/configuration/start-secondary-tiles.md +++ b/windows/configuration/start/start-secondary-tiles.md 
@@ -1,222 +1,232 @@ --- -title: Add image for secondary Microsoft Edge tiles (Windows 10) -description: Add app tiles on Windows 10 that's a secondary tile. -ms.prod: windows-client -ms.localizationpriority: medium -author: lizgt2000 -ms.author: lizlong -ms.topic: article -ms.reviewer: -manager: aaroncz -ms.technology: itpro-configure +title: Add image for secondary Microsoft Edge tiles +description: Add app tiles on Windows 10 that's a secondary tile. + +ms.topic: article + ms.date: 12/31/2017 ---- +--- -# Add image for secondary Microsoft Edge tiles +# Add image for secondary Microsoft Edge tiles -**Applies to** +**Applies to** -- Windows 10 +- Windows 10 -App tiles are the Start screen tiles that represent and launch an app. A tile that allows a user to go to a specific location in an app is a *secondary tile*. Some examples of secondary tiles include: +App tiles are the Start screen tiles that represent and launch an app. A tile that allows a user to go to a specific location in an app is a *secondary tile*. Some examples of secondary tiles include: - Weather updates for a specific city in a weather app - A summary of upcoming events in a calendar app - Status and updates from an important contact in a social app -- A website in Microsoft Edge +- A website in Microsoft Edge -In a Start layout for Windows 10, version 1703, you can include secondary tiles for Microsoft Edge that display a custom image, rather than a tile with the standard Microsoft Edge logo. +In a Start layout for Windows 10, version 1703, you can include secondary tiles for Microsoft Edge that display a custom image, rather than a tile with the standard Microsoft Edge logo. 
-Suppose that the [Start layout that you export](customize-and-export-start-layout.md) had two secondary tiles, such as in the following image: +Suppose that the [Start layout that you export](customize-and-export-start-layout.md) had two secondary tiles, such as in the following image: -![tile for MSN and for a SharePoint site.](images/edge-with-logo.png) +![tile for MSN and for a SharePoint site.](images/edge-with-logo.png) -In prior versions of Windows 10, when you applied the Start layout to a device, the tiles would display as shown in the following image: +In prior versions of Windows 10, when you applied the Start layout to a device, the tiles would display as shown in the following image: -![tile for MSN and for a SharePoint site with no logos.](images/edge-without-logo.png) +![tile for MSN and for a SharePoint site with no logos.](images/edge-without-logo.png) -In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutEdgeAssets` and the policy setting `ImportEdgeAssets`, the tiles will now display the same as they did on the device from which you exported the Start layout. +In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutEdgeAssets` and the policy setting `ImportEdgeAssets`, the tiles will now display the same as they did on the device from which you exported the Start layout. 
-![tile for MSN and for a SharePoint site.](images/edge-with-logo.png) +![tile for MSN and for a SharePoint site.](images/edge-with-logo.png) -**Example of secondary tiles in XML generated by Export-StartLayout** +**Example of secondary tiles in XML generated by Export-StartLayout** ```xml -``` -## Export Start layout and assets + AppUserModelID="Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe!App" + + TileID="-9513911450" + + DisplayName="Bing" + + Size="2x2" + + Column="0" + + Row="0" + + Arguments="-contentTile -formatVersion 0x00000003 -pinnedTimeLow 0x36a8c2e4 -pinnedTimeHigh 0x01d0919b -securityFlags 0x00000000 -tileType 0x00000000 -url 0x00000014 http://www.bing.com/" Square150x150LogoUri="ms-appdata:///local/PinnedTiles/-9513911450/lowres.png" + + Wide310x150LogoUri="ms-appx:///" + + ShowNameOnSquare150x150Logo="true" + + ShowNameOnWide310x150Logo="true" + + BackgroundColor="#7fffffff" + + /> +``` + +## Export Start layout and assets 1. Follow the instructions in [Customize and export Start layout](customize-and-export-start-layout.md#customize-the-start-screen-on-your-test-computer) to customize the Start screen on your test computer. -2. Open Windows PowerShell as an administrator and enter the following command: +2. Open Windows PowerShell as an administrator and enter the following command: ```powershell Export-StartLayout -path .xml - ``` + ``` - In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, \\\\FileServer01\\StartLayouts\\StartLayoutMarketing.xml). + In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, \\\\FileServer01\\StartLayouts\\StartLayoutMarketing.xml). - Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. 
The [Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet doesn't append the file name extension, and the policy settings require the extension. + Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet doesn't append the file name extension, and the policy settings require the extension. 3. If you’d like to change the image for a secondary tile to your own custom image, open the layout.xml file, and look for the images that the tile references. - For example, your layout.xml contains `Square150x150LogoUri="ms-appdata:///local/PinnedTiles/21581260870/hires.png" Wide310x150LogoUri="ms-appx:///"` - - Open `C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\21581260870\` and replace those images with your customized images. + + - Open `C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\21581260870\` and replace those images with your customized images. 4. In Windows PowerShell, enter the following command: + ```powershell Export-StartLayoutEdgeAssets assets.xml - ``` + ``` -## Configure policy settings +## Configure policy settings -You can apply the customized Start layout with images for secondary tiles by using [mobile device management](customize-windows-10-start-screens-by-using-mobile-device-management.md) or [a provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md). However, because you're including the images for secondary tiles, you must configure another setting to import the Edge assets. 
+You can apply the customized Start layout with images for secondary tiles by using [mobile device management](customize-windows-10-start-screens-by-using-mobile-device-management.md) or [a provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md). However, because you're including the images for secondary tiles, you must configure another setting to import the Edge assets. -### Using MDM +### Using MDM -In Microsoft Intune, you create a device restrictions policy to apply to device group. For other MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`. +In Microsoft Intune, you create a device restrictions policy to apply to device group. For other MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`. 1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Select **Devices** > **Configuration profiles** > **Create profile**. -3. Enter the following properties: +3. Enter the following properties: - **Platform**: Select **Windows 10 and later**. - - **Profile**: Select **Templates** > **Device restrictions**. + - **Profile**: Select **Templates** > **Device restrictions**. 4. Select **Create**. -5. In **Basics**, enter the following properties: +5. In **Basics**, enter the following properties: - **Name**: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. - - **Description**: Enter a description for the policy. This setting is optional, but recommended. 
+ - **Description**: Enter a description for the policy. This setting is optional, but recommended. -6. Select **Next**. +6. Select **Next**. -7. In **Configuration settings**, select **Start**. Configure the following properties: +7. In **Configuration settings**, select **Start**. Configure the following properties: - **Start menu layout**: Browse to, and select your Start layout XML file. - - **Pin websites to tiles in Start menu**: Browse to, and select your assets XML file. + - **Pin websites to tiles in Start menu**: Browse to, and select your assets XML file. - There are more Start menu settings you can configure. For more information on these settings, see [Start settings in Intune](/intune/device-restrictions-windows-10#start) + There are more Start menu settings you can configure. For more information on these settings, see [Start settings in Intune](/intune/device-restrictions-windows-10#start) 8. Select **Next**. -9. In **Scope tags** (optional), assign a tag to filter the profile to specific IT groups, such as `US-NC IT Team` or `JohnGlenn_ITDepartment`. For more information about scope tags, see [Use RBAC and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags). +9. In **Scope tags** (optional), assign a tag to filter the profile to specific IT groups, such as `US-NC IT Team` or `JohnGlenn_ITDepartment`. For more information about scope tags, see [Use RBAC and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags). - Select **Next**. + Select **Next**. -10. In **Assignments**, select the users or groups that will receive your profile. For more information on assigning profiles, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign). +10. In **Assignments**, select the users or groups that will receive your profile. For more information on assigning profiles, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign). - Select **Next**. + Select **Next**. -11. 
In **Review + create**, review your settings. When you select **Create**, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list. +11. In **Review + create**, review your settings. When you select **Create**, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list. -### Using a provisioning package +### Using a provisioning package -#### Prepare the Start layout and Edge assets XML files +#### Prepare the Start layout and Edge assets XML files -The **export-StartLayout** and **export-StartLayoutEdgeAssets** cmdlets produce XML files. Because Windows Configuration Designer produces a customizations.xml file that contains the configuration settings, adding the Start layout and Edge assets sections to the customizations.xml file directly would result in an XML file embedded in an XML file. Before you add the Start layout and Edge assets sections to the customizations.xml file, you must replace the markup characters in your layout.xml with escape characters. +The **export-StartLayout** and **export-StartLayoutEdgeAssets** cmdlets produce XML files. Because Windows Configuration Designer produces a customizations.xml file that contains the configuration settings, adding the Start layout and Edge assets sections to the customizations.xml file directly would result in an XML file embedded in an XML file. Before you add the Start layout and Edge assets sections to the customizations.xml file, you must replace the markup characters in your layout.xml with escape characters. + +1. Copy the contents of layout.xml into an online tool that escapes characters. -1. Copy the contents of layout.xml into an online tool that escapes characters. +2. Copy the contents of assets.xml into an online tool that escapes characters. -2. Copy the contents of assets.xml into an online tool that escapes characters. +3. 
When you create a provisioning package, you'll copy the text with the escape characters and paste it in the customizations.xml file for your project. -3. When you create a provisioning package, you'll copy the text with the escape characters and paste it in the customizations.xml file for your project. +#### Create a provisioning package that contains a customized Start layout -#### Create a provisioning package that contains a customized Start layout + - - -Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-packages/provisioning-install-icd.md) +Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-packages/provisioning-install-icd.md) >[!IMPORTANT] ->When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. +>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. -1. Open Windows Configuration Designer (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). +1. Open Windows Configuration Designer (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). -2. Choose **Advanced provisioning**. +2. 
Choose **Advanced provisioning**. -3. Name your project, and select **Next**. +3. Name your project, and select **Next**. -4. Choose **All Windows desktop editions** and select **Next**. +4. Choose **All Windows desktop editions** and select **Next**. -5. On **New project**, select **Finish**. The workspace for your package opens. +5. On **New project**, select **Finish**. The workspace for your package opens. -6. Expand **Runtime settings** > **Policies** > **Start**, and select **StartLayout**. +6. Expand **Runtime settings** > **Policies** > **Start**, and select **StartLayout**. >[!TIP] - >If **Start** is not listed, check the type of settings you selected in step 4. You must create the project using settings for **All Windows desktop editions**. + >If **Start** is not listed, check the type of settings you selected in step 4. You must create the project using settings for **All Windows desktop editions**. -7. Enter **layout.xml**. This value creates a placeholder in the customizations.xml file that you'll replace with the contents of the layout.xml file in a later step. +7. Enter **layout.xml**. This value creates a placeholder in the customizations.xml file that you'll replace with the contents of the layout.xml file in a later step. -8. In the **Available customizations** pane, select **ImportEdgeAssets**. +8. In the **Available customizations** pane, select **ImportEdgeAssets**. -9. Enter **assets.xml**. This value creates a placeholder in the customizations.xml file that you'll replace with the contents of the assets.xml file in a later step. +9. Enter **assets.xml**. This value creates a placeholder in the customizations.xml file that you'll replace with the contents of the assets.xml file in a later step. -10. Save your project and close Windows Configuration Designer. +10. Save your project and close Windows Configuration Designer. -11. In File Explorer, open the project's directory. 
(The default location is C:\Users\\*user name*\Documents\Windows Imaging and Configuration Designer (WICD)\\*project name*) +11. In File Explorer, open the project's directory. (The default location is C:\Users\\*user name*\Documents\Windows Imaging and Configuration Designer (WICD)\\*project name*) -12. Open the customizations.xml file in a text editor. The **<Customizations>** section will look like this: +12. Open the customizations.xml file in a text editor. The **<Customizations>** section will look like this: - ![Customizations file with the placeholder text to replace highlighted.](images/customization-start-edge.png) + ![Customizations file with the placeholder text to replace highlighted.](images/customization-start-edge.png) -13. Replace **layout.xml** with the text from the layout.xml file, [with markup characters replaced with escape characters](#escape). +13. Replace **layout.xml** with the text from the layout.xml file, [with markup characters replaced with escape characters](#escape). -14. Replace **assets.xml** with the text from the assets.xml file, [with markup characters replaced with escape characters](#escape). +14. Replace **assets.xml** with the text from the assets.xml file, [with markup characters replaced with escape characters](#escape). -15. Save and close the customizations.xml file. +15. Save and close the customizations.xml file. -16. Open Windows Configuration Designer and open your project. +16. Open Windows Configuration Designer and open your project. -17. On the **File** menu, select **Save.** +17. On the **File** menu, select **Save.** -18. On the **Export** menu, select **Provisioning package**. +18. On the **Export** menu, select **Provisioning package**. -19. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** +19. 
Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** -20. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. +20. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. -21. Select **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location. +21. Select **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location. - Optionally, you can select **Browse** to change the default output location. + Optionally, you can select **Browse** to change the default output location. -22. Select **Next**. +22. Select **Next**. -23. Select **Build** to start building the package. The provisioning package doesn't take long to build. 
The project information is displayed in the build page and the progress bar indicates the build status. +23. Select **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - If you need to cancel the build, select **Cancel**. It cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + If you need to cancel the build, select **Cancel**. It cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. -24. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. +24. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - If you choose, you can build the provisioning package again and pick a different path for the output package. To change the path, select **Back** to change the output package name and path, and then select **Next** to start another build. - - If you're done, select **Finish** to close the wizard and go back to the **Customizations Page**. + - If you choose, you can build the provisioning package again and pick a different path for the output package. To change the path, select **Back** to change the output package name and path, and then select **Next** to start another build. 
+ - If you're done, select **Finish** to close the wizard and go back to the **Customizations Page**. -25. Copy the provisioning package to the target device. +25. Copy the provisioning package to the target device. -26. Double-click the ppkg file and allow it to install. +26. Double-click the ppkg file and allow it to install. ## Related articles + - [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) - [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) - [Customize and export Start layout](customize-and-export-start-layout.md) @@ -224,5 +234,5 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L - [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) -- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) +- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) diff --git a/windows/configuration/supported-csp-start-menu-layout-windows.md b/windows/configuration/start/supported-csp-start-menu-layout-windows.md similarity index 90% rename from windows/configuration/supported-csp-start-menu-layout-windows.md rename to windows/configuration/start/supported-csp-start-menu-layout-windows.md index d079399d4b..511d060b9c 100644 --- a/windows/configuration/supported-csp-start-menu-layout-windows.md +++ b/windows/configuration/start/supported-csp-start-menu-layout-windows.md 
@@ -1,31 +1,26 @@ --- title: Supported CSP policies to customize Start menu on Windows 11 | Microsoft Docs description: See a list of the Policy CSP - Start items that are supported on Windows 11 to customize the Start menu. -manager: aaroncz -ms.author: lizlong -ms.reviewer: ericpapa -ms.prod: windows-client -author: lizgt2000 -ms.localizationpriority: medium -ms.technology: itpro-configure +ms.reviewer: ericpapa + ms.date: 12/31/2017 ms.topic: article ---- +--- -# Supported configuration service provider (CSP) policies for Windows 11 Start menu +# Supported configuration service provider (CSP) policies for Windows 11 Start menu -**Applies to**: +**Applies to**: - Windows 11 -- Windows 11, version 22H2 +- Windows 11, version 22H2 -The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). In an MDM policy, these CSPs are settings that you configure in a policy. When the policy is ready, you deploy the policy to your devices. +The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). In an MDM policy, these CSPs are settings that you configure in a policy. When the policy is ready, you deploy the policy to your devices. -This article lists the CSPs that are available to customize the Start menu for Windows 11 devices. Windows 11 uses the [Policy CSP - Start](/windows/client-management/mdm/policy-csp-start). For more general information, see [Configuration service provider (CSP) reference](/windows/client-management/mdm/configuration-service-provider-reference). +This article lists the CSPs that are available to customize the Start menu for Windows 11 devices. Windows 11 uses the [Policy CSP - Start](/windows/client-management/mdm/policy-csp-start). For more general information, see [Configuration service provider (CSP) reference](/windows/client-management/mdm/configuration-service-provider-reference). 
-For information on customizing the Start menu layout using policy, see [Customize the Start menu layout on Windows 11](customize-start-menu-layout-windows-11.md). +For information on customizing the Start menu layout using policy, see [Customize the Start menu layout on Windows 11](customize-start-menu-layout-windows-11.md). -## Existing Windows CSP policies that Windows 11 supports +## Existing Windows CSP policies that Windows 11 supports - [Start/AllowPinnedFolderDocuments](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdocuments) - [Start/AllowPinnedFolderDownloads](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderfileexplorer) 
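Review bot: In the unchanged context at the end of this hunk, the `Start/AllowPinnedFolderDownloads` entry links to `#start-allowpinnedfolderfileexplorer`, an anchor named for File Explorer rather than Downloads. Since the list is being touched anyway, point the link at the anchor that matches the policy name. In the front matter, the hunk removes `author`, `ms.author`, `manager`, `ms.prod`, `ms.localizationpriority` and `ms.technology` but keeps `ms.reviewer: ericpapa` and adds an empty line after it inside the YAML block. Please confirm the removed keys are supplied elsewhere and drop the empty line.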
@@ -49,31 +44,33 @@ For information on customizing the Start menu layout using policy, see [Customiz - [Start/HideUserTile](/windows/client-management/mdm/policy-csp-start#start-hideusertile) - [Start/HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists) - [Start/NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#start-nopinningtotaskbar) -- **Start/ShowOrHideMostUsedApps**: New policy starting with Windows 11. This policy enforces always showing Most Used Apps, or always hiding Most Used Apps in the Start menu. If you use this policy, the [Start/HideFrequentlyUsedApps](/windows/client-management/mdm/policy-csp-start#start-hidefrequentlyusedapps) policy is ignored. +- **Start/ShowOrHideMostUsedApps**: New policy starting with Windows 11. This policy enforces always showing Most Used Apps, or always hiding Most Used Apps in the Start menu. If you use this policy, the [Start/HideFrequentlyUsedApps](/windows/client-management/mdm/policy-csp-start#start-hidefrequentlyusedapps) policy is ignored. - The [Start/HideFrequentlyUsedApps](/windows/client-management/mdm/policy-csp-start#start-hidefrequentlyusedapps) policy enforces hiding Most Used Apps on the Start menu. You can't use this policy to enforce always showing Most Used Apps on the Start menu. + The [Start/HideFrequentlyUsedApps](/windows/client-management/mdm/policy-csp-start#start-hidefrequentlyusedapps) policy enforces hiding Most Used Apps on the Start menu. You can't use this policy to enforce always showing Most Used Apps on the Start menu. 
-**The following policies are supported starting with Windows 11, version 22H2:** +**The following policies are supported starting with Windows 11, version 22H2:** - [Start/HideAppList](/windows/client-management/mdm/policy-csp-start#start-hideapplist) - [Start/DisableContextMenus](/windows/client-management/mdm/policy-csp-start#start-disablecontextmenus) -## Existing CSP policies that Windows 11 doesn't support +## Existing CSP policies that Windows 11 doesn't support - [Start/StartLayout](/windows/client-management/mdm/policy-csp-start#start-startlayout) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Start Layout` + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Start Layout` - [Start/HideRecentlyAddedApps](/windows/client-management/mdm/policy-csp-start#start-hiderecentlyaddedapps) - Group policy: `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove "Recently added" list from Start Menu` + > [!NOTE] -> The following two policies are supported starting in Windows 11, version 22H2 +> The following two policies are supported starting in Windows 11, version 22H2 - [Start/HideAppList](/windows/client-management/mdm/policy-csp-start#start-hideapplist) - Group policy: - `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove All Programs list from the Start menu` - - `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove All Programs list from the Start menu` + - `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove All Programs list from the Start menu` - [Start/DisableContextMenus](/windows/client-management/mdm/policy-csp-start#start-disablecontextmenus) - Group policy: + - `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Disable context menus in the Start Menu` - `User Configuration\Administrative Templates\Start Menu and Taskbar\Disable context menus in the Start Menu` 
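Review bot: The `[!NOTE]` in this hunk says the two policies that follow are supported starting in Windows 11, version 22H2, yet it sits under the heading "Existing CSP policies that Windows 11 doesn't support", and `Start/HideAppList` and `Start/DisableContextMenus` already appear above in the supported 22H2 group. The whitespace cleanup leaves that contradiction in place. Consider moving the group policy paths for these two entries up to the supported list and removing them from this section, so a reader scanning by heading does not conclude they are unsupported.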
diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/start/windows-10-start-layout-options-and-policies.md similarity index 83% rename from windows/configuration/windows-10-start-layout-options-and-policies.md rename to windows/configuration/start/windows-10-start-layout-options-and-policies.md index 2603aa56ac..c12bd19658 100644 --- a/windows/configuration/windows-10-start-layout-options-and-policies.md +++ b/windows/configuration/start/windows-10-start-layout-options-and-policies.md 
@@ -1,71 +1,69 @@ --- title: Customize and manage the Windows 10 Start and taskbar layout description: On Windows devices, customize the start menu layout and taskbar using XML, group policy, provisioning package, or MDM policy. You can add pinned folders, add a start menu size, pin apps to the taskbar, and more. -author: lizgt2000 -ms.author: lizlong ms.topic: article ms.date: 08/05/2021 ---- +--- -# Customize the Start menu and taskbar layout on Windows 10 and later devices +# Customize the Start menu and taskbar layout on Windows 10 and later devices -**Applies to**: +**Applies to**: - Windows 10 version 1607 and later - Windows Server 2016 with Desktop Experience -- Windows Server 2019 with Desktop Experience +- Windows Server 2019 with Desktop Experience > **Looking for consumer information?** [See what's on the Start menu](https://support.microsoft.com/help/17195/windows-10-see-whats-on-the-menu) > -> **Looking for OEM information?** See [Customize the Taskbar](/windows-hardware/customize/desktop/customize-the-windows-11-taskbar) and [Customize the Start layout](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu). +> **Looking for OEM information?** See [Customize the Taskbar](/windows-hardware/customize/desktop/customize-the-windows-11-taskbar) and [Customize the Start layout](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu). -Your organization can deploy a customized Start and taskbar to Windows 10 Professional, Enterprise, or Education devices. Use a standard, customized Start layout on devices that are common to multiple users, and devices that are locked down. Configuring the taskbar allows you to pin useful apps for your users, and remove apps that are pinned by default. +Your organization can deploy a customized Start and taskbar to Windows 10 Professional, Enterprise, or Education devices. Use a standard, customized Start layout on devices that are common to multiple users, and devices that are locked down. 
Configuring the taskbar allows you to pin useful apps for your users, and remove apps that are pinned by default. >[!NOTE] ->Support for applying a customized taskbar using MDM is added in Windows 10, version 1703. +>Support for applying a customized taskbar using MDM is added in Windows 10, version 1703. -As administrator, you can use these features to customize Start and taskbar to meet your organization needs. This article describes the different ways you can customize Start and taskbar, and lists the Start policies. It also includes taskbar information on a clean operating system (OS) installation, and when an OS is upgraded. +As administrator, you can use these features to customize Start and taskbar to meet your organization needs. This article describes the different ways you can customize Start and taskbar, and lists the Start policies. It also includes taskbar information on a clean operating system (OS) installation, and when an OS is upgraded. >[!NOTE] >For information on using the layout modification XML to configure Start with roaming user profiles, see [Deploy Roaming User Profiles](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-7-optionally-specify-a-start-layout-for-windows-10-pcs). > ->Using CopyProfile for Start menu customization in Windows 10 isn't supported. For more information [Customize the Default User Profile by Using CopyProfile](/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile) +>Using CopyProfile for Start menu customization in Windows 10 isn't supported. For more information [Customize the Default User Profile by Using CopyProfile](/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile) -## Use XML +## Use XML -On an existing Windows device, you can set up the **Start** screen, and then export the layout to an XML file. 
When you have the XML file, add this file to a group policy, a Windows Configuration Designer provisioning package, or a mobile device management (MDM) policy. Using these methods, you can deploy the XML file to your devices. When the devices receive your policy, they'll use the layout configured in the XML file. +On an existing Windows device, you can set up the **Start** screen, and then export the layout to an XML file. When you have the XML file, add this file to a group policy, a Windows Configuration Designer provisioning package, or a mobile device management (MDM) policy. Using these methods, you can deploy the XML file to your devices. When the devices receive your policy, they'll use the layout configured in the XML file. -For more information, see [Customize and export Start layout](customize-and-export-start-layout.md). +For more information, see [Customize and export Start layout](customize-and-export-start-layout.md). -For the **taskbar**, you can use the same XML file as the start screen. Or, you can create a new XML file. When you have the XML file, add this file to a group policy or a provisioning package. Using these methods, you can deploy the XML file to your devices. When the devices receive your policy, they'll use the taskbar settings you configured in the XML file. +For the **taskbar**, you can use the same XML file as the start screen. Or, you can create a new XML file. When you have the XML file, add this file to a group policy or a provisioning package. Using these methods, you can deploy the XML file to your devices. When the devices receive your policy, they'll use the taskbar settings you configured in the XML file. -For more information, see [Configure Windows 10 taskbar](configure-windows-10-taskbar.md). +For more information, see [Configure Windows 10 taskbar](configure-windows-10-taskbar.md). -## Use group policy +## Use group policy -Using group policy objects (GPO), you can manage different parts of the Start menu and taskbar. 
You don't need to reimage the devices. Using administrative templates, you configure settings in a policy, and then deploy this policy to your devices. [Start menu policy settings](#start-menu-policy-settings) (in this article) lists the policies you can configure. +Using group policy objects (GPO), you can manage different parts of the Start menu and taskbar. You don't need to reimage the devices. Using administrative templates, you configure settings in a policy, and then deploy this policy to your devices. [Start menu policy settings](#start-menu-policy-settings) (in this article) lists the policies you can configure. -For more information, see [Use group policy to customize Windows 10 Start and taskbar](customize-windows-10-start-screens-by-using-group-policy.md). +For more information, see [Use group policy to customize Windows 10 Start and taskbar](customize-windows-10-start-screens-by-using-group-policy.md). -## Use provisioning packages +## Use provisioning packages -Provisioning packages are containers that include a set of configuration settings. They're designed to configure a device quickly, without installing a new image. For more information on what provisioning packages are, and what they do, see [Provisioning packages](./provisioning-packages/provisioning-packages.md). +Provisioning packages are containers that include a set of configuration settings. They're designed to configure a device quickly, without installing a new image. For more information on what provisioning packages are, and what they do, see [Provisioning packages](./provisioning-packages/provisioning-packages.md). -Using a provisioning package, you can customize the Start and taskbar. For more information, see [Use provisioning packages to customize Windows 10 Start and taskbar](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md). +Using a provisioning package, you can customize the Start and taskbar. 
For more information, see [Use provisioning packages to customize Windows 10 Start and taskbar](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md). -## Use a mobile device management (MDM) solution +## Use a mobile device management (MDM) solution -Using an MDM solution, you add an XML file to a policy, and then deploy this policy to your devices. +Using an MDM solution, you add an XML file to a policy, and then deploy this policy to your devices. -If you use Microsoft Intune for your MDM solution, then you can use settings to configure Start and the taskbar. For more information on the settings you can configure, see [Start settings in Microsoft Intune](/mem/intune/configuration/device-restrictions-windows-10#start). +If you use Microsoft Intune for your MDM solution, then you can use settings to configure Start and the taskbar. For more information on the settings you can configure, see [Start settings in Microsoft Intune](/mem/intune/configuration/device-restrictions-windows-10#start). -For more information, see [Use MDM to customize Windows 10 Start and taskbar](customize-windows-10-start-screens-by-using-mobile-device-management.md). +For more information, see [Use MDM to customize Windows 10 Start and taskbar](customize-windows-10-start-screens-by-using-mobile-device-management.md). -## Start menu policy settings +## Start menu policy settings -![start layout sections.](images/startannotated.png) +![start layout sections.](images/startannotated.png) -The following list includes the different Start options, and any policy or local settings. The settings in the list can also be used in a provisioning package. If you use a provisioning package, see the [Windows Configuration Designer reference](./wcd/wcd-policies.md#start). +The following list includes the different Start options, and any policy or local settings. The settings in the list can also be used in a provisioning package. 
If you use a provisioning package, see the [Windows Configuration Designer reference](./wcd/wcd-policies.md#start). - **User tile** - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove Logoff on the Start menu` 
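Review bot: The file is renamed from `windows/configuration/` into `windows/configuration/start/`, but the relative targets on the `+` lines are identical to the `-` lines: `./provisioning-packages/provisioning-packages.md`, `./wcd/wcd-policies.md#start`, `images/startannotated.png` and `images/taskbar-generic.png`. From the new location these resolve under `start/`, so unless those folders and images move in the same change, the links and images will break. Either update them to `../provisioning-packages/...` and `../wcd/...` or confirm the targets are relocated alongside this file.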
@@ -75,37 +73,37 @@ The following list includes the different Start options, and any policy or local - Start/HideSwitchAccount - Start/HideSignOut - Start/HideLock - - Start/HideChangeAccountSettings + - Start/HideChangeAccountSettings - **Most used** - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove frequent programs from the Start menu` - **Local setting**: Settings > Personalization > Start > Show most used apps - - **MDM policy**: Start/HideFrequentlyUsedApps + - **MDM policy**: Start/HideFrequentlyUsedApps - **Suggestions, Dynamically inserted app tile** - - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off Microsoft consumer experiences` + - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off Microsoft consumer experiences` - This policy also enables or disables notifications for: + This policy also enables or disables notifications for: - A user's Microsoft account - - App tiles that Microsoft dynamically adds to the default Start menu + - App tiles that Microsoft dynamically adds to the default Start menu - **Local setting**: Settings > Personalization > Start > Occasionally show suggestions in Start - - **MDM policy**: Allow Windows Consumer Features + - **MDM policy**: Allow Windows Consumer Features - **Recently added** - - **Group policy**: `Computer configuration\Administrative Template\Start Menu and Taskbar\Remove "Recently Added" list from Start Menu` + - **Group policy**: `Computer configuration\Administrative Template\Start Menu and Taskbar\Remove "Recently Added" list from Start Menu` - This policy applies to: + This policy applies to: - - Windows 10 version 1803 and later + - Windows 10 version 1803 and later - **Local setting**: Settings > Personalization > Start > Show recently added apps - - **MDM policy**: Start/HideRecentlyAddedApps + - **MDM policy**: Start/HideRecentlyAddedApps - 
**Pinned folders** - **Local setting**: Settings > Personalization > Start > Choose which folders appear on Start - - **MDM policy**: AllowPinnedFolder + - **MDM policy**: AllowPinnedFolder - **Power** - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands` 
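Review bot: The **Recently added** group policy path on the rewritten line starts with `Computer configuration\Administrative Template\`, while the other paths in this hunk use `Computer Configuration` and `Administrative Templates`. Since the line is being re-added here, align the casing and the plural so the path matches what an admin sees in the editor. The MDM entries in the same hunk are also named unevenly (`Start/HideFrequentlyUsedApps` and `Start/HideRecentlyAddedApps` next to `AllowPinnedFolder` and "Allow Windows Consumer Features"). Consider using the full policy names throughout.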
@@ -115,104 +113,104 @@ The following list includes the different Start options, and any policy or local - Start/HideHibernate - Start/HideRestart - Start/HideShutDown - - Start/HideSleep + - Start/HideSleep - **Start layout** - - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from customizing their Start screen` + - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from customizing their Start screen` - When a full Start screen layout is imported with Group Policy or MDM, users can't pin, unpin, or uninstall apps from the Start screen. Users can see and open all apps in the **All Apps** view, but they can't pin any apps to the Start screen. When a partial Start screen layout is imported, users can't change the tile groups applied by the partial layout. They can change other tile groups, and create their own tile groups. + When a full Start screen layout is imported with Group Policy or MDM, users can't pin, unpin, or uninstall apps from the Start screen. Users can see and open all apps in the **All Apps** view, but they can't pin any apps to the Start screen. When a partial Start screen layout is imported, users can't change the tile groups applied by the partial layout. They can change other tile groups, and create their own tile groups. - **Start layout** policy can be used to pin apps to the taskbar based on an XML File you provide. Users can change the order of pinned apps, unpin apps, and pin more apps to the taskbar. + **Start layout** policy can be used to pin apps to the taskbar based on an XML File you provide. Users can change the order of pinned apps, unpin apps, and pin more apps to the taskbar. 
- **Local setting**: None - **MDM policy**: - Start layout - - ImportEdgeAssets + - ImportEdgeAssets - **Jump lists** - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not keep history of recently opened documents` - **Local setting**: Settings > Personalization > Start > Show recently opened items in Jump Lists on Start or the taskbar - - **MDM policy**: Start/HideRecentJumplists + - **MDM policy**: Start/HideRecentJumplists - **Start size** - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Force Start to be either full screen size or menu size` - **Local setting**: Settings > Personalization > Start > Use Start full screen - - **MDM policy**: Force Start size + - **MDM policy**: Force Start size - **App list** - **Local setting**: Settings > Personalization > Start > Show app list in Start menu - - **MDM policy**: Start/HideAppList + - **MDM policy**: Start/HideAppList - **All settings** - **Group policy**: `User Configuration\Administrative Templates\Prevent changes to Taskbar and Start Menu Settings` - - **Local setting**: None + - **Local setting**: None - **Taskbar** - **Local setting**: None - - **MDM policy**: Start/NoPinningToTaskbar + - **MDM policy**: Start/NoPinningToTaskbar > [!NOTE] -> In the **Settings** app > **Personalization** > **Start**, there is a **Show more tiles on Start** option. The default tile layout for Start tiles is 3 columns of medium sized tiles. **Show more tiles on Start** enables 4 columns. To configure the 4-column layout when you [customize and export a Start layout](customize-and-export-start-layout.md), turn on the **Show more tiles** setting, and then arrange your tiles. +> In the **Settings** app > **Personalization** > **Start**, there is a **Show more tiles on Start** option. The default tile layout for Start tiles is 3 columns of medium sized tiles. **Show more tiles on Start** enables 4 columns. 
To configure the 4-column layout when you [customize and export a Start layout](customize-and-export-start-layout.md), turn on the **Show more tiles** setting, and then arrange your tiles. -## Taskbar options +## Taskbar options -Starting in Windows 10 version 1607, you can pin more apps to the taskbar, and remove default pinned apps from the taskbar. You can select different taskbar configurations based on device locale or region. +Starting in Windows 10 version 1607, you can pin more apps to the taskbar, and remove default pinned apps from the taskbar. You can select different taskbar configurations based on device locale or region. -There are three app categories that could be pinned to a taskbar: +There are three app categories that could be pinned to a taskbar: - Apps pinned by the user - Default Windows apps pinned during the OS installation, such as Microsoft Edge, File Explorer, and Store -- Apps pinned by your organization, such as in an unattended Windows setup +- Apps pinned by your organization, such as in an unattended Windows setup - In an unattended Windows setup file, it's recommended to use the [layoutmodification.xml method](configure-windows-10-taskbar.md) to configure the taskbar options. It's not recommended to use [TaskbarLinks](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-taskbarlinks). + In an unattended Windows setup file, it's recommended to use the [layoutmodification.xml method](configure-windows-10-taskbar.md) to configure the taskbar options. It's not recommended to use [TaskbarLinks](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-taskbarlinks). -The following example shows how apps are pinned. In OS configured to use a right-to-left language, the taskbar order is reversed: +The following example shows how apps are pinned. 
In OS configured to use a right-to-left language, the taskbar order is reversed: - Windows default apps to the left (blue circle) - Apps pinned by the user in the center (orange triangle) -- Apps that you pin using XML to the right (green square) +- Apps that you pin using XML to the right (green square) -![Windows left, user center, enterprise to the right.](images/taskbar-generic.png) +![Windows left, user center, enterprise to the right.](images/taskbar-generic.png) -If you apply the taskbar configuration to a clean install or an update, users can still: +If you apply the taskbar configuration to a clean install or an update, users can still: - Pin more apps - Change the order of pinned apps -- Unpin any app +- Unpin any app > [!TIP] -> In Windows 10 version 1703, you can apply the `Start/NoPinningToTaskbar` MDM policy. This policy prevents users from pinning and unpinning apps on the taskbar. +> In Windows 10 version 1703, you can apply the `Start/NoPinningToTaskbar` MDM policy. This policy prevents users from pinning and unpinning apps on the taskbar. -### Taskbar configuration applied to clean install of Windows 10 +### Taskbar configuration applied to clean install of Windows 10 -In a clean install, if you apply a taskbar layout, only the following apps are pinned to the taskbar: +In a clean install, if you apply a taskbar layout, only the following apps are pinned to the taskbar: - Apps you specifically add -- Any default apps you don't remove +- Any default apps you don't remove -After the layout is applied, users can pin more apps to the taskbar. +After the layout is applied, users can pin more apps to the taskbar. -### Taskbar configuration applied to Windows 10 upgrades +### Taskbar configuration applied to Windows 10 upgrades -When a device is upgraded to Windows 10, apps are already pinned to the taskbar. Some apps may have been pinned to the taskbar by a user, by a customized base image, or by using Windows unattended setup. 
+When a device is upgraded to Windows 10, apps are already pinned to the taskbar. Some apps may have been pinned to the taskbar by a user, by a customized base image, or by using Windows unattended setup. -On Windows 10 version 1607 and later, the new taskbar layout for upgrades apply the following behavior: +On Windows 10 version 1607 and later, the new taskbar layout for upgrades apply the following behavior: - If users pinned apps to the taskbar, then those pinned apps remain. New apps are added to the right. - If users didn't pin any apps (they're pinned during installation or by policy), and the apps aren't in an updated layout file, then the apps are unpinned. - If a user didn't pin the app, and the app is in the updated layout file, then the app is pinned to the right. -- New apps specified in updated layout file are pinned to right of user's pinned apps. +- New apps specified in updated layout file are pinned to right of user's pinned apps. -[Learn how to configure Windows 10 taskbar](configure-windows-10-taskbar.md). +[Learn how to configure Windows 10 taskbar](configure-windows-10-taskbar.md). -## Start layout configuration errors +## Start layout configuration errors -If your Start layout customization isn't applied as you expect, open the **Event Viewer**. Go to **Applications and Services Log** > **Microsoft** > **Windows** > **ShellCommon-StartLayoutPopulation** > **Operational**. Look for the following events: +If your Start layout customization isn't applied as you expect, open the **Event Viewer**. Go to **Applications and Services Log** > **Microsoft** > **Windows** > **ShellCommon-StartLayoutPopulation** > **Operational**. Look for the following events: - **Event 22**: The XML is malformed. The specified file isn't valid XML. This event can happen if the file has extra spaces or unexpected characters. Or, if the file isn't saved in the UTF8 format. -- **Event 64**: The XML is valid, and has unexpected values. 
This event can happen when the configuration isn't understood, elements aren't in [the required order](start-layout-xml-desktop.md#required-order), or source isn't found, such as a missing or misspelled `.lnk`. +- **Event 64**: The XML is valid, and has unexpected values. This event can happen when the configuration isn't understood, elements aren't in [the required order](start-layout-xml-desktop.md#required-order), or source isn't found, such as a missing or misspelled `.lnk`. -## Next steps +## Next steps - [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) - [Customize and export Start layout](customize-and-export-start-layout.md) diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/store/stop-employees-from-using-microsoft-store.md similarity index 71% rename from windows/configuration/stop-employees-from-using-microsoft-store.md rename to windows/configuration/store/stop-employees-from-using-microsoft-store.md index 416187989e..d1daed7f42 100644 --- a/windows/configuration/stop-employees-from-using-microsoft-store.md +++ b/windows/configuration/store/stop-employees-from-using-microsoft-store.md 
@@ -1,116 +1,107 @@ --- title: Configure access to Microsoft Store description: Learn how to configure access to Microsoft Store for client computers and mobile devices in your organization. -author: lizgt2000 -ms.author: lizlong ms.topic: conceptual ms.date: 11/29/2022 ---- +--- -# Configure access to Microsoft Store +# Configure access to Microsoft Store -**Applies to:** - -- Windows 10 - -> [!TIP] -> For more info about the features and functionality that are supported in each edition of Windows, see [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). - -IT pros can configure access to Microsoft Store for client computers in their organization. For some organizations, business policies require blocking access to Microsoft Store. +IT pros can configure access to Microsoft Store for client computers in their organization. For some organizations, business policies require blocking access to Microsoft Store. > [!IMPORTANT] -> All executable code including Microsoft Store applications should have an update and maintenance plan. Organizations that use Microsoft Store applications should ensure that the applications can be updated through the Microsoft Store over the internet, through the [Private Store](/microsoft-store/distribute-apps-from-your-private-store), or [distributed offline](/microsoft-store/distribute-offline-apps) to keep the applications up to date. +> All executable code including Microsoft Store applications should have an update and maintenance plan. Organizations that use Microsoft Store applications should ensure that the applications can be updated through the Microsoft Store over the internet, through the [Private Store](/microsoft-store/distribute-apps-from-your-private-store), or [distributed offline](/microsoft-store/distribute-offline-apps) to keep the applications up to date. 
-## Options to configure access to Microsoft Store +## Options to configure access to Microsoft Store -You can use either AppLocker or Group Policy to configure access to Microsoft Store. For Windows 10, configuring access to Microsoft Store is only supported on Windows 10 Enterprise edition. +You can use either AppLocker or Group Policy to configure access to Microsoft Store. For Windows 10, configuring access to Microsoft Store is only supported on Windows 10 Enterprise edition. -## Block Microsoft Store using AppLocker +## Block Microsoft Store using AppLocker -Applies to: Windows 10 Enterprise, Windows 10 Education +Applies to: Windows 10 Enterprise, Windows 10 Education -AppLocker provides policy-based access control management for applications. You can block access to Microsoft Store app with AppLocker by creating a rule for packaged apps. You'll give the name of the Microsoft Store app as the packaged app that you want to block from client computers. +AppLocker provides policy-based access control management for applications. You can block access to Microsoft Store app with AppLocker by creating a rule for packaged apps. You'll give the name of the Microsoft Store app as the packaged app that you want to block from client computers. -For more information on AppLocker, see [What is AppLocker?](/windows/device-security/applocker/what-is-applocker) For more information on creating an AppLocker rule for app packages, see [Create a rule for packaged apps](/windows/device-security/applocker/create-a-rule-for-packaged-apps). +For more information on AppLocker, see [What is AppLocker?](/windows/device-security/applocker/what-is-applocker) For more information on creating an AppLocker rule for app packages, see [Create a rule for packaged apps](/windows/device-security/applocker/create-a-rule-for-packaged-apps). -**To block Microsoft Store using AppLocker:** +**To block Microsoft Store using AppLocker:** -1. 
Enter **`secpol`** in the search bar to find and start AppLocker. +1. Enter **`secpol`** in the search bar to find and start AppLocker. -2. In the console tree of the snap-in, select **Application Control Policies**, select **AppLocker**, and then select **Packaged app Rules**. +2. In the console tree of the snap-in, select **Application Control Policies**, select **AppLocker**, and then select **Packaged app Rules**. -3. On the **Action** menu, or by right-clicking on **Packaged app Rules**, select **Create New Rule**. +3. On the **Action** menu, or by right-clicking on **Packaged app Rules**, select **Create New Rule**. -4. On **Before You Begin**, select **Next**. +4. On **Before You Begin**, select **Next**. -5. On **Permissions**, select the action (allow or deny) and the user or group that the rule should apply to, and then select **Next**. +5. On **Permissions**, select the action (allow or deny) and the user or group that the rule should apply to, and then select **Next**. -6. On **Publisher**, you can select **Use an installed app package as a reference**, and then select **Select**. +6. On **Publisher**, you can select **Use an installed app package as a reference**, and then select **Select**. -7. On **Select applications**, find and select **Store** under **Applications** column, and then select **OK**. Select **Next**. +7. On **Select applications**, find and select **Store** under **Applications** column, and then select **OK**. Select **Next**. - [Create a rule for packaged apps](/windows/device-security/applocker/create-a-rule-for-packaged-apps) has more information on reference options and setting the scope on packaged app rules. + [Create a rule for packaged apps](/windows/device-security/applocker/create-a-rule-for-packaged-apps) has more information on reference options and setting the scope on packaged app rules. -8. Optional: On **Exceptions**, specify conditions by which to exclude files from being affected by the rule. 
Conditions allow you to add exceptions based on the same rule reference and rule scope as you set before. Select **Next**. +8. Optional: On **Exceptions**, specify conditions by which to exclude files from being affected by the rule. Conditions allow you to add exceptions based on the same rule reference and rule scope as you set before. Select **Next**. -## Block Microsoft Store using configuration service provider +## Block Microsoft Store using configuration service provider -Applies to: Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education +Applies to: Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education -If you have Windows 10 devices in your organization that are managed using a mobile device management (MDM) system, such as Microsoft Intune, you can block access to Microsoft Store app using the following configuration service providers (CSPs): +If you have Windows 10 devices in your organization that are managed using a mobile device management (MDM) system, such as Microsoft Intune, you can block access to Microsoft Store app using the following configuration service providers (CSPs): - [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) -- [AppLocker CSP](/windows/client-management/mdm/applocker-csp) +- [AppLocker CSP](/windows/client-management/mdm/applocker-csp) -For more information, see [Configure an MDM provider](/microsoft-store/configure-mdm-provider-microsoft-store-for-business). +For more information, see [Configure an MDM provider](/microsoft-store/configure-mdm-provider-microsoft-store-for-business). -For more information on the rules available via AppLocker on the different supported operating systems, see [Operating system requirements](/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker#operating-system-requirements). 
+For more information on the rules available via AppLocker on the different supported operating systems, see [Operating system requirements](/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker#operating-system-requirements). > [!IMPORTANT] -> If you block access to the Store using CSP, you need to also configure [AllowAppStoreAutoUpdate](/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowappstoreautoupdate) to enable in-box store apps to update while still blocking access to the store. +> If you block access to the Store using CSP, you need to also configure [AllowAppStoreAutoUpdate](/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowappstoreautoupdate) to enable in-box store apps to update while still blocking access to the store. -## Block Microsoft Store using Group Policy +## Block Microsoft Store using Group Policy -Applies to: Windows 10 Enterprise, Windows 10 Education +Applies to: Windows 10 Enterprise, Windows 10 Education > [!NOTE] -> Not supported on Windows 10 Pro, starting with version 1511. For more info, see [Knowledge Base article #3135657](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store). +> Not supported on Windows 10 Pro, starting with version 1511. For more info, see [Knowledge Base article #3135657](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store). -You can also use Group Policy to manage access to Microsoft Store. +You can also use Group Policy to manage access to Microsoft Store. -**To block Microsoft Store using Group Policy:** +**To block Microsoft Store using Group Policy:** -1. Enter **`gpedit`** in the search bar to find and start Group Policy Editor. +1. Enter **`gpedit`** in the search bar to find and start Group Policy Editor. -2. 
In the console tree of the snap-in, select **Computer Configuration**, select **Administrative Templates**, select **Windows Components**, and then select **Store**. +2. In the console tree of the snap-in, select **Computer Configuration**, select **Administrative Templates**, select **Windows Components**, and then select **Store**. -3. In the Setting pane, select **Turn off the Store application**, and then select **Edit policy setting**. +3. In the Setting pane, select **Turn off the Store application**, and then select **Edit policy setting**. -4. On the **Turn off the Store application** setting page, select **Enabled**, and then select **OK**. +4. On the **Turn off the Store application** setting page, select **Enabled**, and then select **OK**. > [!IMPORTANT] -> When you enable the policy to **Turn off the Store application**, it turns off app updates from the Microsoft Store. To allow store apps to update, disable the policy to **Turn off automatic download and install of Updates**. This policy is found under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store**. This configuration allows in-box store apps to update while still blocking access to the store. +> When you enable the policy to **Turn off the Store application**, it turns off app updates from the Microsoft Store. To allow store apps to update, disable the policy to **Turn off automatic download and install of Updates**. This policy is found under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store**. This configuration allows in-box store apps to update while still blocking access to the store. 
-## Show private store only using Group Policy +## Show private store only using Group Policy -Applies to Windows 10 Enterprise, Windows 10 Education +Applies to Windows 10 Enterprise, Windows 10 Education -If you're using Microsoft Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Microsoft Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store. +If you're using Microsoft Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Microsoft Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store. -**To show private store only in Microsoft Store app:** +**To show private store only in Microsoft Store app:** -1. Enter **`gpedit`** in the search bar, and then select **Edit group policy (Control panel)** to find and start Group Policy Editor. +1. Enter **`gpedit`** in the search bar, and then select **Edit group policy (Control panel)** to find and start Group Policy Editor. -2. In the console tree of the snap-in, go to **User Configuration** or **Computer Configuration** > **Administrative Templates** > **Windows Components**, and then select **Store**. +2. In the console tree of the snap-in, go to **User Configuration** or **Computer Configuration** > **Administrative Templates** > **Windows Components**, and then select **Store**. -3. Right-click **Only display the private store within the Microsoft Store app** in the right pane, and select **Edit**. +3. Right-click **Only display the private store within the Microsoft Store app** in the right pane, and select **Edit**. 
- The **Only display the private store within the Microsoft Store app** policy settings will open. + The **Only display the private store within the Microsoft Store app** policy settings will open. -4. On the **Only display the private store within the Microsoft Store app** setting page, select **Enabled**, and then select **OK**. +4. On the **Only display the private store within the Microsoft Store app** setting page, select **Enabled**, and then select **OK**. -## Related articles +## Related articles -[Distribute apps using your private store](/microsoft-store/distribute-apps-from-your-private-store) +[Distribute apps using your private store](/microsoft-store/distribute-apps-from-your-private-store) [Manage access to private store](/microsoft-store/manage-access-to-private-store) diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/taskbar/configure-windows-10-taskbar.md similarity index 89% rename from windows/configuration/configure-windows-10-taskbar.md rename to windows/configuration/taskbar/configure-windows-10-taskbar.md index 65937f4400..2e73630856 100644 --- a/windows/configuration/configure-windows-10-taskbar.md +++ b/windows/configuration/taskbar/configure-windows-10-taskbar.md 
@@ -1,36 +1,36 @@ --- -title: Configure Windows 10 taskbar +title: Configure Windows taskbar description: Administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file. -author: lizgt2000 -ms.author: lizlong ms.topic: how-to ms.date: 08/18/2023 ---- +appliesto: +- ✅ Windows 10 +--- -# Configure Windows 10 taskbar +# Configure Windows 10 taskbar -Starting in Windows 10, version 1607, administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a `` section to a layout modification XML file. This method never removes user-pinned apps from the taskbar. +Starting in Windows 10, version 1607, administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a `` section to a layout modification XML file. This method never removes user-pinned apps from the taskbar. > [!NOTE] -> The only aspect of the taskbar that can currently be configured by the layout modification XML file is the layout. +> The only aspect of the taskbar that can currently be configured by the layout modification XML file is the layout. -You can specify different taskbar configurations based on device locale and region. There's no limit on the number of apps that you can pin. You specify apps using the [Application User Model ID (AUMID)](./find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path (the local path to the application). +You can specify different taskbar configurations based on device locale and region. There's no limit on the number of apps that you can pin. You specify apps using the [Application User Model ID (AUMID)](./find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path (the local path to the application). -If you specify an app to be pinned that isn't provisioned for the user on the computer, the pinned icon won't appear on the taskbar. 
+If you specify an app to be pinned that isn't provisioned for the user on the computer, the pinned icon won't appear on the taskbar. -The order of apps in the XML file dictates the order of pinned apps on the taskbar from left to right, starting to the right of any existing apps pinned by the user. +The order of apps in the XML file dictates the order of pinned apps on the taskbar from left to right, starting to the right of any existing apps pinned by the user. > [!NOTE] -> In operating systems configured to use a right-to-left language, the taskbar order will be reversed. +> In operating systems configured to use a right-to-left language, the taskbar order will be reversed. -The following example shows how apps will be pinned: Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using the XML file to the right (green square). +The following example shows how apps will be pinned: Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using the XML file to the right (green square). -![Windows left, user center, enterprise to the right.](images/taskbar-generic.png) +![Windows left, user center, enterprise to the right.](images/taskbar-generic.png) -## Configure taskbar (general) +## Configure taskbar (general) -**To configure the taskbar:** +**To configure the taskbar:** 1. Create the XML file. * If you're also [customizing the Start layout](customize-and-export-start-layout.md), use `Export-StartLayout` to create the XML, and then add the `` section from [the following sample](#sample-taskbar-configuration-added-to-start-layout-xml-file) to the file. 
@@ -39,26 +39,29 @@ The following example shows how apps will be pinned: Windows default apps to the * Add `xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"` to the first line of the file, before the closing \>. * Use `` and [AUMID](./find-the-application-user-model-id-of-an-installed-app.md) to pin Universal Windows Platform apps. * Use `` and Desktop Application Link Path to pin desktop applications. -3. Apply the layout modification XML file to devices using [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) or a [provisioning package created in Windows Imaging and Configuration Designer (Windows ICD)](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md). + +3. Apply the layout modification XML file to devices using [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) or a [provisioning package created in Windows Imaging and Configuration Designer (Windows ICD)](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md). >[!IMPORTANT] >If you use a provisioning package or import-startlayout to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user then unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to make changes that will persist, apply your configuration by using Group Policy. > ->If you use Group Policy and your configuration only contains a taskbar layout, the default Windows tile layout will be applied and cannot be changed by users. If you use Group Policy and your configuration includes taskbar and a full Start layout, users can only make changes to the taskbar. 
If you use Group Policy and your configuration includes taskbar and a [partial Start layout](.//customize-and-export-start-layout.md#configure-a-partial-start-layout), users can make changes to the taskbar and to tile groups not defined in the partial Start layout. +>If you use Group Policy and your configuration only contains a taskbar layout, the default Windows tile layout will be applied and cannot be changed by users. If you use Group Policy and your configuration includes taskbar and a full Start layout, users can only make changes to the taskbar. If you use Group Policy and your configuration includes taskbar and a [partial Start layout](.//customize-and-export-start-layout.md#configure-a-partial-start-layout), users can make changes to the taskbar and to tile groups not defined in the partial Start layout. -### Tips for finding AUMID and Desktop Application Link Path +### Tips for finding AUMID and Desktop Application Link Path -In the layout modification XML file, you'll need to add entries for applications in the XML markup. In order to pin an application, you need either its AUMID or Desktop Application Link Path. +In the layout modification XML file, you'll need to add entries for applications in the XML markup. In order to pin an application, you need either its AUMID or Desktop Application Link Path. The easiest way to find this data for an application is to: 1. Pin the application to the Start menu on a reference or testing PC. 2. Open Windows PowerShell and run the `Export-StartLayout` cmdlet. + 3. Open the generated XML file. + 4. Look for an entry corresponding to the app you pinned. -5. Look for a property labeled `AppUserModelID` or `DesktopApplicationLinkPath`. +5. Look for a property labeled `AppUserModelID` or `DesktopApplicationLinkPath`. -### Sample taskbar configuration XML file +### Sample taskbar configuration XML file ```xml 
@@ -78,7 +81,7 @@ The easiest way to find this data for an application is to: ``` -### Sample taskbar configuration added to Start layout XML file +### Sample taskbar configuration added to Start layout XML file ```xml @@ -97,6 +100,7 @@ The easiest way to find this data for an application is to: +
    @@ -109,11 +113,11 @@ The easiest way to find this data for an application is to: -``` +``` -## Keep default apps and add your own +## Keep default apps and add your own -The `` section will append listed apps to the taskbar by default. The following sample keeps the default apps pinned and adds pins for Paint, Microsoft Reader, and a command prompt. +The `` section will append listed apps to the taskbar by default. The following sample keeps the default apps pinned and adds pins for Paint, Microsoft Reader, and a command prompt. ```xml @@ -134,19 +138,19 @@ The `` section will append listed apps to the tas ``` -**Before:** +**Before:** -![default apps pinned to taskbar.](images/taskbar-default.png) +![default apps pinned to taskbar.](images/taskbar-default.png) -**After:** +**After:** - ![additional apps pinned to taskbar.](images/taskbar-default-plus.png) + ![additional apps pinned to taskbar.](images/taskbar-default-plus.png) -## Remove default apps and add your own +## Remove default apps and add your own -By adding `PinListPlacement="Replace"` to ``, you remove all default pinned apps; only the apps that you specify will be pinned to the taskbar. +By adding `PinListPlacement="Replace"` to ``, you remove all default pinned apps; only the apps that you specify will be pinned to the taskbar. -If you only want to remove some of the default pinned apps, you would use this method to remove all default pinned apps and then include the default app that you want to keep in your list of pinned apps. +If you only want to remove some of the default pinned apps, you would use this method to remove all default pinned apps and then include the default app that you want to keep in your list of pinned apps. ```xml 
@@ -167,17 +171,17 @@ If you only want to remove some of the default pinned apps, you would use this m ``` -**Before:** +**Before:** -![Taskbar with default apps.](images/taskbar-default.png) +![Taskbar with default apps.](images/taskbar-default.png) -**After:** +**After:** -![Taskbar with default apps removed.](images/taskbar-default-removed.png) +![Taskbar with default apps removed.](images/taskbar-default-removed.png) -## Remove default apps +## Remove default apps -By adding `PinListPlacement="Replace"` to ``, you remove all default pinned apps. +By adding `PinListPlacement="Replace"` to ``, you remove all default pinned apps. ```xml @@ -196,11 +200,11 @@ By adding `PinListPlacement="Replace"` to ``, you -``` +``` -## Configure taskbar by country or region +## Configure taskbar by country or region -The following example shows you how to configure taskbars by country or region. When the layout is applied to a computer, if there's no `` node with a region tag for the current region, the first `` node that has no specified region will be applied. When you specify one or more countries or regions in a `` node, the specified apps are pinned on computers configured for any of the specified countries or regions. +The following example shows you how to configure taskbars by country or region. When the layout is applied to a computer, if there's no `` node with a region tag for the current region, the first `` node that has no specified region will be applied. When you specify one or more countries or regions in a `` node, the specified apps are pinned on computers configured for any of the specified countries or regions. ```xml @@ -209,7 +213,7 @@ The following example shows you how to configure taskbars by country or region. xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout" - Version="1"> + Version="1"> 
@@ -240,44 +244,44 @@ The following example shows you how to configure taskbars by country or region. -``` +``` -When the preceding example XML file is applied, the resulting taskbar for computers in the US or UK: +When the preceding example XML file is applied, the resulting taskbar for computers in the US or UK: -![taskbar for US and UK locale.](images/taskbar-region-usuk.png) +![taskbar for US and UK locale.](images/taskbar-region-usuk.png) -The resulting taskbar for computers in Germany or France: +The resulting taskbar for computers in Germany or France: -![taskbar for DE and FR locale.](images/taskbar-region-defr.png) +![taskbar for DE and FR locale.](images/taskbar-region-defr.png) -The resulting taskbar for computers in any other country region: +The resulting taskbar for computers in any other country region: -![taskbar for all other regions.](images/taskbar-region-other.png) +![taskbar for all other regions.](images/taskbar-region-other.png) > [!NOTE] -> [Look up country and region codes (use the ISO Short column)](/previous-versions/commerce-server/ee799297(v=cs.20)) +> [Look up country and region codes (use the ISO Short column)](/previous-versions/commerce-server/ee799297(v=cs.20)) + + - - -## Layout Modification Template schema definition +## Layout Modification Template schema definition ```xml + elementFormDefault="qualified"> - + - + 
@@ -287,44 +291,44 @@ The resulting taskbar for computers in any other country region: - + - + - + - + -``` +``` -## Related topics +## Related topics -[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) +[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) -[Customize and export Start layout](customize-and-export-start-layout.md) +[Customize and export Start layout](customize-and-export-start-layout.md) -[Add image for secondary tiles](start-secondary-tiles.md) +[Add image for secondary tiles](start-secondary-tiles.md) -[Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) +[Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) -[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) +[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) -[Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) +[Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) -[Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +[Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) 
diff --git a/windows/configuration/customize-taskbar-windows-11.md b/windows/configuration/taskbar/customize-taskbar-windows-11.md similarity index 84% rename from windows/configuration/customize-taskbar-windows-11.md rename to windows/configuration/taskbar/customize-taskbar-windows-11.md index 72a4298b7c..542a3b08bf 100644 --- a/windows/configuration/customize-taskbar-windows-11.md +++ b/windows/configuration/taskbar/customize-taskbar-windows-11.md 
@@ -1,56 +1,47 @@ --- title: Configure and customize Windows 11 taskbar description: On Windows 11 devices, pin and unpin default apps and organization apps on the taskbar using an XML file. Deploy the taskbar XML file using Group Policy or MDM and Microsoft Intune. See what happens to the taskbar when the Windows OS client is installed or upgraded. -manager: aaroncz -ms.author: lizlong -ms.reviewer: chataylo -ms.prod: windows-client -author: lizgt2000 -ms.localizationpriority: medium -ms.collection: - - tier1 -ms.technology: itpro-configure ms.date: 08/17/2023 ms.topic: article ---- +ms.collection: + - tier1 +appliesto: +- ✅ Windows 11 +--- -# Customize the Taskbar on Windows 11 +# Customize the Taskbar on Windows 11 -**Applies to**: +> **Looking for OEM information?** See [Customize the Taskbar](/windows-hardware/customize/desktop/customize-the-windows-11-taskbar) and [Customize the Start layout](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu). -- Windows 11 +Your organization can deploy a customized taskbar to your Windows devices. Customizing the taskbar is common when your organization uses a common set of apps, or wants to bring attention to specific apps. You can also remove the default pinned apps. -> **Looking for OEM information?** See [Customize the Taskbar](/windows-hardware/customize/desktop/customize-the-windows-11-taskbar) and [Customize the Start layout](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu). +For example, you can override the default set of apps with your own a set of pinned apps, and in the order you choose. As an administrator, use this feature to pin apps, remove default pinned apps, order the apps, and more on the taskbar. -Your organization can deploy a customized taskbar to your Windows devices. Customizing the taskbar is common when your organization uses a common set of apps, or wants to bring attention to specific apps. You can also remove the default pinned apps. 
+To add apps you want pinned to the taskbar, you use an XML file. You can use an existing XML file, or create a new file. If you have an XML file that's used on Windows 10 devices, you can also use it on Windows 11 devices. You may have to update the App IDs. -For example, you can override the default set of apps with your own a set of pinned apps, and in the order you choose. As an administrator, use this feature to pin apps, remove default pinned apps, order the apps, and more on the taskbar. +This article shows you how to create the XML file, add apps to the XML, and deploy the XML file. To learn how to customize the taskbar buttons, see [CSP policies to customize Windows 11 taskbar buttons](supported-csp-taskbar-windows.md#csp-policies-to-customize-windows-11-taskbar-buttons). -To add apps you want pinned to the taskbar, you use an XML file. You can use an existing XML file, or create a new file. If you have an XML file that's used on Windows 10 devices, you can also use it on Windows 11 devices. You may have to update the App IDs. +## Before you begin -This article shows you how to create the XML file, add apps to the XML, and deploy the XML file. To learn how to customize the taskbar buttons, see [CSP policies to customize Windows 11 taskbar buttons](supported-csp-taskbar-windows.md#csp-policies-to-customize-windows-11-taskbar-buttons). +- There isn't a limit on the number of apps that you can pin. In the XML file, add apps using the [Application User Model ID (AUMID)](./find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path (the local path to the app). -## Before you begin +- There are some situations that an app pinned in your XML file won't be pinned in the taskbar. For example, if an app isn't approved or installed for a user, then the pinned icon won't show on the taskbar. -- There isn't a limit on the number of apps that you can pin. 
In the XML file, add apps using the [Application User Model ID (AUMID)](./find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path (the local path to the app). +- The order of apps in the XML file dictates the order of pinned apps on the taskbar, from left to right, and to the right of any existing apps pinned by the user. If the OS is configured to use a right-to-left language, then the taskbar order is reversed. -- There are some situations that an app pinned in your XML file won't be pinned in the taskbar. For example, if an app isn't approved or installed for a user, then the pinned icon won't show on the taskbar. +- Some classic Windows applications are packaged differently than they were in previous versions of Windows, including Notepad and File Explorer. Be sure to enter the correct AppID. For more information, see [Application User Model ID (AUMID)](./find-the-application-user-model-id-of-an-installed-app.md) and [Get the AUMID and Desktop app link path](#get-the-aumid-and-desktop-app-link-path) (in this article). -- The order of apps in the XML file dictates the order of pinned apps on the taskbar, from left to right, and to the right of any existing apps pinned by the user. If the OS is configured to use a right-to-left language, then the taskbar order is reversed. +- It's recommended to use a Mobile Device Management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. You can use Microsoft Intune. Intune is a family of products that include Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises. -- Some classic Windows applications are packaged differently than they were in previous versions of Windows, including Notepad and File Explorer. Be sure to enter the correct AppID. 
For more information, see [Application User Model ID (AUMID)](./find-the-application-user-model-id-of-an-installed-app.md) and [Get the AUMID and Desktop app link path](#get-the-aumid-and-desktop-app-link-path) (in this article). - -- It's recommended to use a Mobile Device Management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. You can use Microsoft Intune. Intune is a family of products that include Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises. - - In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started: + In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started: - [Endpoint Management at Microsoft](/mem/endpoint-manager-overview) - [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide) - - [What is Configuration Manager?](/mem/configmgr/core/understand/introduction) + - [What is Configuration Manager?](/mem/configmgr/core/understand/introduction) -## Create the XML file +## Create the XML file -1. In a text editor, such as Visual Studio Code, create a new XML file. To help you get started, you can copy and paste the following XML sample. The sample pins 2 apps to the taskbar - File Explorer and the Command Prompt: +1. In a text editor, such as Visual Studio Code, create a new XML file. To help you get started, you can copy and paste the following XML sample. The sample pins 2 apps to the taskbar - File Explorer and the Command Prompt: ```xml 
@@ -69,27 +60,27 @@ This article shows you how to create the XML file, add apps to the XML, and depl - ``` + ``` -2. In the `` node, add (or remove) the apps you want pinned. You can pin Universal Windows Platform (UWP) apps and desktop apps: +2. In the `` node, add (or remove) the apps you want pinned. You can pin Universal Windows Platform (UWP) apps and desktop apps: - ``: Select this option for UWP apps. Add the [AUMID](./find-the-application-user-model-id-of-an-installed-app.md) of the UWP app. - - ``: Select this option for desktop apps. Add the Desktop Application Link Path of the desktop app. + - ``: Select this option for desktop apps. Add the Desktop Application Link Path of the desktop app. - You can pin as many apps as you want. Just keep adding them to the list. Remember, the app order in the list is the same order the apps are shown on the taskbar. + You can pin as many apps as you want. Just keep adding them to the list. Remember, the app order in the list is the same order the apps are shown on the taskbar. - For more information, see [Get the AUMID and Desktop app link path](#get-the-aumid-and-desktop-app-link-path) (in this article). + For more information, see [Get the AUMID and Desktop app link path](#get-the-aumid-and-desktop-app-link-path) (in this article). -3. In the `` node, the apps you add are pinned after the default apps. If you want to remove the default apps, and only show the apps you add in the XML file, then add `PinListPlacement="Replace"`: +3. In the `` node, the apps you add are pinned after the default apps. If you want to remove the default apps, and only show the apps you add in the XML file, then add `PinListPlacement="Replace"`: - ``: Keeps the default pinned apps. After the default apps, the apps you add are pinned. - - ``: Unpins the default apps. Only the apps you add are pinned. + - ``: Unpins the default apps. Only the apps you add are pinned. 
- If you want to remove some of the default pinned apps, then add `PinListPlacement="Replace"`. When you add your apps to ``, include the default apps you still want pinned. + If you want to remove some of the default pinned apps, then add `PinListPlacement="Replace"`. When you add your apps to ``, include the default apps you still want pinned. -4. In the `` node, use `region=" | "` to use different taskbar configurations based on the device locale and region. +4. In the `` node, use `region=" | "` to use different taskbar configurations based on the device locale and region. - In the following XML example, two regions are added: `US|UK` and `DE|FR`: + In the following XML example, two regions are added: `US|UK` and `DE|FR`: ```xml @@ -98,7 +89,7 @@ This article shows you how to create the XML file, add apps to the XML, and depl xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout" - Version="1"> + Version="1"> 
@@ -126,122 +117,122 @@ This article shows you how to create the XML file, add apps to the XML, and depl - ``` + ``` - The taskbar applies when: + The taskbar applies when: - If the `` node has a country or region, then the apps are pinned on devices configured for that country or region. - - If the `` node doesn't have a region tag for the current region, then the first `` node with no region is applied. + - If the `` node doesn't have a region tag for the current region, then the first `` node with no region is applied. -5. Save the file, and name the file so you know what it is. For example, name the file something like `TaskbarLayoutModification.xml`. Once you have the file, it's ready to be deployed to your Windows devices. +5. Save the file, and name the file so you know what it is. For example, name the file something like `TaskbarLayoutModification.xml`. Once you have the file, it's ready to be deployed to your Windows devices. -## Use Group Policy or MDM to create and deploy a taskbar policy +## Use Group Policy or MDM to create and deploy a taskbar policy -Now that you have the XML file with your customized taskbar, you're ready to deploy it to devices in your organization. You can deploy your taskbar XML file using Group Policy, or using an MDM provider, like Microsoft Intune. +Now that you have the XML file with your customized taskbar, you're ready to deploy it to devices in your organization. You can deploy your taskbar XML file using Group Policy, or using an MDM provider, like Microsoft Intune. -This section shows you how to deploy the XML both ways. +This section shows you how to deploy the XML both ways. -### Use Group Policy to deploy your XML file +### Use Group Policy to deploy your XML file -Use the following steps to add your XML file to a group policy, and apply the policy: +Use the following steps to add your XML file to a group policy, and apply the policy: 1. Open your policy editor. 
For example, open Group Policy Management Console (GPMC) for domain-based group policies, or open `gpedit` for local policies. -2. Go to one of the following policies: +2. Go to one of the following policies: - `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Start Layout` - - `User Configuration\Administrative Templates\Start Menu and Taskbar\Start Layout` + - `User Configuration\Administrative Templates\Start Menu and Taskbar\Start Layout` -3. Double-select `Start Layout` > **Enable**. Enter the fully qualified path to your XML file, including the XML file name. You can enter a local path, like `C:\StartLayouts\TaskbarLayoutModification.xml`, or a network path, like `\\Server\Share\TaskbarLayoutModification.xml`. Be sure you enter the correct file path. If using a network share, be sure to give users read access to the XML file. If the file isn't available when the user signs in, then the taskbar isn't changed. Users can't customize the taskbar when this setting is enabled. +3. Double-select `Start Layout` > **Enable**. Enter the fully qualified path to your XML file, including the XML file name. You can enter a local path, like `C:\StartLayouts\TaskbarLayoutModification.xml`, or a network path, like `\\Server\Share\TaskbarLayoutModification.xml`. Be sure you enter the correct file path. If using a network share, be sure to give users read access to the XML file. If the file isn't available when the user signs in, then the taskbar isn't changed. Users can't customize the taskbar when this setting is enabled. 
- Your policy looks like the following policy: + Your policy looks like the following policy: - :::image type="content" source="./images/customize-taskbar-windows-11/start-layout-group-policy.png" alt-text="Add your taskbar layout XML file to the Start Layout policy on Windows devices."::: + :::image type="content" source="./images/customize-taskbar-windows-11/start-layout-group-policy.png" alt-text="Add your taskbar layout XML file to the Start Layout policy on Windows devices."::: - The `User Configuration\Administrative Templates\Start Menu and Taskbar` policy includes other settings that control the taskbar. Some policies may not work as expected. Be sure to test your policies before broadly deploying them across your devices. + The `User Configuration\Administrative Templates\Start Menu and Taskbar` policy includes other settings that control the taskbar. Some policies may not work as expected. Be sure to test your policies before broadly deploying them across your devices. -4. When you apply the policy, the taskbar includes your changes. The next time users sign in, they'll see the changes. +4. When you apply the policy, the taskbar includes your changes. The next time users sign in, they'll see the changes. - For more information on using group policies, see [Implement Group Policy Objects](/training/modules/implement-group-policy-objects/). + For more information on using group policies, see [Implement Group Policy Objects](/training/modules/implement-group-policy-objects/). -### Create a Microsoft Intune policy to deploy your XML file +### Create a Microsoft Intune policy to deploy your XML file -MDM providers can deploy policies to devices managed by the organization, including organization-owned devices, and personal or bring your own device (BYOD). Using an MDM provider, such as Microsoft Intune, you can deploy a policy that configures the pinned list. 
+MDM providers can deploy policies to devices managed by the organization, including organization-owned devices, and personal or bring your own device (BYOD). Using an MDM provider, such as Microsoft Intune, you can deploy a policy that configures the pinned list. -Use the following steps to create an Intune policy that deploys your taskbar XML file: +Use the following steps to create an Intune policy that deploys your taskbar XML file: -1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Select **Devices** > **Configuration profiles** > **Create profile**. +2. Select **Devices** > **Configuration profiles** > **Create profile**. -3. Enter the following properties: +3. Enter the following properties: - **Platform**: Select **Windows 10 and later**. - - **Profile type**: Select **Templates** > **Device restrictions** > **Create**. + - **Profile type**: Select **Templates** > **Device restrictions** > **Create**. -4. In **Basics**, enter the following properties: +4. In **Basics**, enter the following properties: - **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify it later. For example, a good profile name is **Win11: Custom taskbar**. - - **Description**: Enter a description for the profile. This setting is optional, and recommended. + - **Description**: Enter a description for the profile. This setting is optional, and recommended. -5. Select **Next**. +5. Select **Next**. -6. In **Configuration settings**, select **Start** > **Start menu layout**. Browse to, and select your taskbar XML file. +6. In **Configuration settings**, select **Start** > **Start menu layout**. Browse to, and select your taskbar XML file. -7. Select **Next**, and configure the rest of the policy settings. 
For more specific information, see [Configure device restriction settings](/mem/intune/configuration/device-restrictions-configure). +7. Select **Next**, and configure the rest of the policy settings. For more specific information, see [Configure device restriction settings](/mem/intune/configuration/device-restrictions-configure). -8. When the policy is created, you can deploy it now, or deploy it later. Since this policy is a customized taskbar, the policy can also be deployed before users sign in the first time. +8. When the policy is created, you can deploy it now, or deploy it later. Since this policy is a customized taskbar, the policy can also be deployed before users sign in the first time. - For more information and guidance on assigning policies using Microsoft Intune, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign). + For more information and guidance on assigning policies using Microsoft Intune, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign). > [!NOTE] -> For third party partner MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`. +> For third party partner MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`. -## Get the AUMID and Desktop app link path +## Get the AUMID and Desktop app link path -In the layout modification XML file, you add apps in the XML markup. To pin an app, you enter the AUMID or Desktop Application Link Path. 
The easiest way to find this app information is to use the [Export-StartLayout](/powershell/module/startlayout/export-startlayout) Windows PowerShell cmdlet: +In the layout modification XML file, you add apps in the XML markup. To pin an app, you enter the AUMID or Desktop Application Link Path. The easiest way to find this app information is to use the [Export-StartLayout](/powershell/module/startlayout/export-startlayout) Windows PowerShell cmdlet: 1. On an existing Windows 11 device, pin the app to the Start menu. 2. Create a folder to save an output file. For example, create the `C:\Layouts` folder. -3. Open the Windows PowerShell app, and run the following cmdlet: +3. Open the Windows PowerShell app, and run the following cmdlet: ```powershell Export-StartLayout -Path "C:\Layouts\GetIDorPath.xml" - ``` + ``` -4. Open the generated GetIDorPath.xml file, and look for the app you pinned. When you find the app, get the AppID or Path. Add these properties to your XML file. +4. Open the generated GetIDorPath.xml file, and look for the app you pinned. When you find the app, get the AppID or Path. Add these properties to your XML file. -## Pin order for all apps +## Pin order for all apps -On a taskbar, the following apps are typically pinned: +On a taskbar, the following apps are typically pinned: - Apps pinned by the user - Default Windows apps pinned during the OS installation, such as Microsoft Edge, File Explorer, and Microsoft Store. -- Apps pinned by your organization, such as in an unattended Windows setup. +- Apps pinned by your organization, such as in an unattended Windows setup. - In an unattended Windows setup file, use the XML file you created in this article. It's not recommended to use [TaskbarLinks](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-taskbarlinks). + In an unattended Windows setup file, use the XML file you created in this article. 
It's not recommended to use [TaskbarLinks](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-taskbarlinks). -Apps are pinned in the following order: +Apps are pinned in the following order: 1. Windows default apps are pinned first. 2. User-pinned apps are pinned after the Windows default apps. -3. XML-pinned apps are pinned after the user-pinned apps. +3. XML-pinned apps are pinned after the user-pinned apps. -If the OS is configured to use a right-to-left language, then the taskbar order is reversed. +If the OS is configured to use a right-to-left language, then the taskbar order is reversed. -## OS install and upgrade +## OS install and upgrade -- On a clean install of the Windows client, if you apply a taskbar layout, the following apps are pinned to the taskbar: +- On a clean install of the Windows client, if you apply a taskbar layout, the following apps are pinned to the taskbar: - Apps you specifically add - - Any default apps you don't remove + - Any default apps you don't remove - After the taskbar layout is applied, users can pin more apps, change the order, and unpin apps. + After the taskbar layout is applied, users can pin more apps, change the order, and unpin apps. -- On a Windows client upgrade, apps are already pinned to the taskbar. These apps may have been pinned by a user, by an image, or by using Windows unattended setup. For upgrades, the taskbar layout applies the following behavior: +- On a Windows client upgrade, apps are already pinned to the taskbar. These apps may have been pinned by a user, by an image, or by using Windows unattended setup. For upgrades, the taskbar layout applies the following behavior: - If users pinned apps to the taskbar, then those pinned apps remain. New apps are pinned after the existing user-pinned apps. - If the apps are pinned during the install or by a policy (not by a user), and the apps aren't pinned in an updated layout file, then the apps are unpinned. 
- If a user didn't pin an app, and the same app is pinned in the updated layout file, then the app is pinned after any existing pinned apps. - - New apps in updated layout file are pinned after the user's pinned apps. + - New apps in updated layout file are pinned after the user's pinned apps. After the layout is applied, users can pin more apps, change the order, and unpin apps. diff --git a/windows/configuration/images/taskbar-default-plus.png b/windows/configuration/taskbar/images/taskbar-default-plus.png similarity index 100% rename from windows/configuration/images/taskbar-default-plus.png rename to windows/configuration/taskbar/images/taskbar-default-plus.png diff --git a/windows/configuration/images/taskbar-default-removed.png b/windows/configuration/taskbar/images/taskbar-default-removed.png similarity index 100% rename from windows/configuration/images/taskbar-default-removed.png rename to windows/configuration/taskbar/images/taskbar-default-removed.png diff --git a/windows/configuration/images/taskbar-default.png b/windows/configuration/taskbar/images/taskbar-default.png similarity index 100% rename from windows/configuration/images/taskbar-default.png rename to windows/configuration/taskbar/images/taskbar-default.png diff --git a/windows/configuration/images/taskbar-generic.png b/windows/configuration/taskbar/images/taskbar-generic.png similarity index 100% rename from windows/configuration/images/taskbar-generic.png rename to windows/configuration/taskbar/images/taskbar-generic.png diff --git a/windows/configuration/images/taskbar-region-defr.png b/windows/configuration/taskbar/images/taskbar-region-defr.png similarity index 100% rename from windows/configuration/images/taskbar-region-defr.png rename to windows/configuration/taskbar/images/taskbar-region-defr.png 
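Review bot: Step 3 of "Use Group Policy to deploy your XML file" (in the `@@ -126,122 +117,122 @@` hunk of the taskbar customization article) tells admins to give users read access to the XML file on a network share but says nothing about write access. The file decides which AUMIDs and Desktop Application Link Paths are pinned for every user who receives the policy, so the step should state that users get read-only access and that only administrators can modify the file and the share. The same step notes that the taskbar isn't changed when the file is unavailable at sign-in; it would help to add that admins should confirm the path resolves from a standard user session before broad deployment, since the text already recommends testing policies.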
diff --git a/windows/configuration/images/taskbar-region-other.png b/windows/configuration/taskbar/images/taskbar-region-other.png similarity index 100% rename from windows/configuration/images/taskbar-region-other.png rename to windows/configuration/taskbar/images/taskbar-region-other.png diff --git a/windows/configuration/images/taskbar-region-usuk.png b/windows/configuration/taskbar/images/taskbar-region-usuk.png similarity index 100% rename from windows/configuration/images/taskbar-region-usuk.png rename to windows/configuration/taskbar/images/taskbar-region-usuk.png diff --git a/windows/configuration/supported-csp-taskbar-windows.md b/windows/configuration/taskbar/supported-csp-taskbar-windows.md similarity index 81% rename from windows/configuration/supported-csp-taskbar-windows.md rename to windows/configuration/taskbar/supported-csp-taskbar-windows.md index a24ff5885a..b4f8a0c732 100644 --- a/windows/configuration/supported-csp-taskbar-windows.md +++ b/windows/configuration/taskbar/supported-csp-taskbar-windows.md 
@@ -1,82 +1,73 @@ --- -title: Supported CSP policies to customize the Taskbar on Windows 11 | Microsoft Docs +title: Supported CSP policies to customize the Taskbar on Windows 11 description: See a list of the Policy CSP - Start items that are supported on Windows 11 to customize the Taskbar. -manager: aaroncz -ms.author: lizlong -ms.reviewer: chataylo -ms.prod: windows-client -author: lizgt2000 -ms.localizationpriority: medium -ms.technology: itpro-configure ms.date: 12/31/2017 ms.topic: article ---- +appliesto: +- ✅ Windows 11 +--- -# Supported configuration service provider (CSP) policies for Windows 11 taskbar +# Supported configuration service provider (CSP) policies for Windows 11 taskbar -**Applies to**: +The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). In an MDM policy, these CSPs are settings that you configure. When the policy is ready, you deploy the policy to your devices. This article lists the CSPs that are available to customize the Taskbar for Windows 11 devices. -- Windows 11 +For more general information, see [Configuration service provider (CSP) reference](/windows/client-management/mdm/configuration-service-provider-reference). -The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). In an MDM policy, these CSPs are settings that you configure. When the policy is ready, you deploy the policy to your devices. This article lists the CSPs that are available to customize the Taskbar for Windows 11 devices. - -For more general information, see [Configuration service provider (CSP) reference](/windows/client-management/mdm/configuration-service-provider-reference). 
- -## CSP policies to customize Windows 11 taskbar buttons +## CSP policies to customize Windows 11 taskbar buttons - [Search/ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) - Group policy: `Computer Configuration\Administrative Templates\Windows Components\Search\Configures search on the taskbar` - - Local setting: Settings > Personalization > Taskbar > Search + - Local setting: Settings > Personalization > Taskbar > Search - [Start/HideTaskViewButton](/windows/client-management/mdm/policy-csp-start#hidetaskviewbutton) - Group policy: `Computer and User Configuration\Administrative Templates\Start Menu and Taskbar\Hide the TaskView button` - - Local setting: Settings > Personalization > Taskbar > Task view + - Local setting: Settings > Personalization > Taskbar > Task view - [NewsAndInterests/AllowNewsAndInterests](/windows/client-management/mdm/policy-csp-newsandinterests#allownewsandinterests) - Group policy: `Computer Configuration\Administrative Templates\Windows Components\Widgets\Allow widgets` - - Local setting: Settings > Personalization > Taskbar > Widgets + - Local setting: Settings > Personalization > Taskbar > Widgets - [Experience/ConfigureChatIcon](/windows/client-management/mdm/policy-csp-experience#configurechaticonvisibilityonthetaskbar) - Group policy: `Computer Configuration\Administrative Templates\Windows Components\Chat\Configure the Chat icon setting` - - Local setting: Settings > Personalization > Taskbar > Chat + - Local setting: Settings > Personalization > Taskbar > Chat -## Existing CSP policies that Windows 11 taskbar supports +## Existing CSP policies that Windows 11 taskbar supports - [Start/HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#hiderecentjumplists) - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not keep history of recently opened documents` - - Local setting: Settings > Personalization > Start > Show 
recently opened items in Jump Lists on Start or the taskbar + - Local setting: Settings > Personalization > Start > Show recently opened items in Jump Lists on Start or the taskbar - [Start/NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#nopinningtotaskbar) - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not allow pinning programs to the Taskbar` - - Local setting: None + - Local setting: None -## Existing CSP policies that Windows 11 doesn't support +## Existing CSP policies that Windows 11 doesn't support -The following list includes some of the CSP policies that aren't supported on Windows 11: +The following list includes some of the CSP policies that aren't supported on Windows 11: - [ADMX_Taskbar/TaskbarLockAll](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarlockall) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Lock all taskbar settings` + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Lock all taskbar settings` - [ADMX_Taskbar/TaskbarNoAddRemoveToolbar](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnoaddremovetoolbar) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from adding or removing toolbars` + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from adding or removing toolbars` - [ADMX_Taskbar/TaskbarNoDragToolbar](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnodragtoolbar) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from rearranging toolbars` + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from rearranging toolbars` - [ADMX_Taskbar/TaskbarNoRedock](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnoredock) - - Group policy: `User 
Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from moving taskbar to another screen dock location` + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from moving taskbar to another screen dock location` - [ADMX_Taskbar/TaskbarNoResize](/windows/client-management/mdm/policy-csp-admx-taskbar#taskbarnoresize) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from resizing the taskbar` + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from resizing the taskbar` - [ADMX_StartMenu/NoToolbarsOnTaskbar](/windows/client-management/mdm/policy-csp-admx-startmenu#notoolbarsontaskbar) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not display any custom toolbars in the taskbar` + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not display any custom toolbars in the taskbar` - [ADMX_StartMenu/NoTaskGrouping](/windows/client-management/mdm/policy-csp-admx-startmenu#notaskgrouping) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent grouping of taskbar items` + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent grouping of taskbar items` - [ADMX_StartMenu/QuickLaunchEnabled](/windows/client-management/mdm/policy-csp-admx-startmenu#quicklaunchenabled) - - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Show QuickLaunch on Taskbar` + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Show QuickLaunch on Taskbar` - [Start/HidePeopleBar](/windows/client-management/mdm/policy-csp-start#hidepeoplebar) - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove the People Bar from the taskbar` 
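Review bot: Most of the `-`/`+` pairs in this `@@ -1,82 +1,73 @@` hunk of supported-csp-taskbar-windows.md read identically as shown (headings, every "Local setting" and "Group policy" bullet), so the substantive edits are buried in what looks like whitespace or line-ending churn. The real changes are the shortened `title:`, the removed `manager`/`ms.author`/`ms.reviewer`/`author`/`ms.prod`/`ms.technology` keys, and the "Applies to" list moving into `appliesto:`. Consider putting the normalization in its own commit, or saying in the commit message that the remaining line pairs differ only in whitespace, so a reviewer can confirm no policy path or CSP link was altered. Also note that `ms.date: 12/31/2017` is carried over unchanged while the front matter is rewritten; confirm that is intended.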
diff --git a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md index 9c048c2cf5..c6c8c61462 100644 --- a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md +++ b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md @@ -1,23 +1,12 @@ --- title: Administering UE-V with Windows PowerShell and WMI description: Learn how User Experience Virtualization (UE-V) provides Windows PowerShell cmdlets to help administrators perform various UE-V tasks. -author: aczechowski -ms.prod: windows-client -ms.collection: - - tier3 - - must-keep ms.date: 04/19/2017 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz ms.topic: article -ms.technology: itpro-configure --- # Administering UE-V with Windows PowerShell and WMI -**Applies to** -- Windows 10, version 1607 User Experience Virtualization (UE-V) provides Windows PowerShell cmdlets to help administrators perform various UE-V tasks. The following sections provide more information about using Windows PowerShell in UE-V. diff --git a/windows/configuration/ue-v/uev-administering-uev.md b/windows/configuration/ue-v/uev-administering-uev.md index 627039a508..98b270c7b2 100644 --- a/windows/configuration/ue-v/uev-administering-uev.md +++ b/windows/configuration/ue-v/uev-administering-uev.md 
@@ -1,23 +1,12 @@ --- title: Administering UE-V description: Learn how to perform administrative tasks for User Experience Virtualization (UE-V). These tasks include configuring the UE-V service and recovering lost settings. -author: aczechowski -ms.prod: windows-client -ms.collection: - - tier3 - - must-keep ms.date: 04/19/2017 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz ms.topic: article -ms.technology: itpro-configure --- # Administering UE-V -**Applies to** -- Windows 10, version 1607 After you finish deploying User Experience Virtualization (UE-V), you'll perform ongoing administrative tasks, such as managing the configuration of the UE-V service and recovering lost settings. These tasks are explained in the following sections. @@ -66,15 +55,15 @@ You can use UE-V with Microsoft Application Virtualization (App-V) to share sett ## Other resources for this feature -- [User Experience Virtualization for Windows overview](uev-for-windows.md) +- [User Experience Virtualization for Windows overview](uev-for-windows.md) -- [Get Started with UE-V](uev-getting-started.md) +- [Get Started with UE-V](uev-getting-started.md) -- [Prepare a UE-V Deployment](uev-prepare-for-deployment.md) +- [Prepare a UE-V Deployment](uev-prepare-for-deployment.md) -- [Troubleshooting UE-V](uev-troubleshooting.md) +- [Troubleshooting UE-V](uev-troubleshooting.md) -- [Technical Reference for UE-V](uev-technical-reference.md) +- [Technical Reference for UE-V](uev-technical-reference.md) diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md index 21e3edd00d..12da9b839a 100644 --- a/windows/configuration/ue-v/uev-application-template-schema-reference.md +++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md 
@@ -1,23 +1,12 @@ --- title: Application Template Schema Reference for UE-V description: Learn details about the XML structure of the UE-V settings location templates and learn how to edit these files. -author: aczechowski -ms.prod: windows-client -ms.collection: - - tier3 - - must-keep ms.date: 04/19/2017 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz ms.topic: article -ms.technology: itpro-configure --- # Application Template Schema Reference for UE-V -**Applies to** -- Windows 10, version 1607 User Experience Virtualization (UE-V) uses XML settings location templates to define the desktop application settings and Windows settings that are captured and applied by UE-V. UE-V includes a set of default settings location templates. You can also create custom settings location templates with the UE-V template generator. @@ -30,29 +19,29 @@ This section details the XML structure of the UE-V settings location template an ### In This Section -- [XML Declaration and Encoding Attribute](#xml21) +- [XML Declaration and Encoding Attribute](#xml21) -- [Namespace and Root Element](#namespace21) +- [Namespace and Root Element](#namespace21) -- [Data types](#data21) +- [Data types](#data21) -- [Name Element](#name21) +- [Name Element](#name21) -- [ID Element](#id21) +- [ID Element](#id21) -- [Version Element](#version21) +- [Version Element](#version21) -- [Author Element](#author21) +- [Author Element](#author21) -- [Processes and Process Element](#processes21) +- [Processes and Process Element](#processes21) -- [Application Element](#application21) +- [Application Element](#application21) -- [Common Element](#common21) +- [Common Element](#common21) -- [SettingsLocationTemplate Element](#settingslocationtemplate21) +- [SettingsLocationTemplate Element](#settingslocationtemplate21) -- [Appendix: SettingsLocationTemplate.xsd](#appendix21) +- [Appendix: SettingsLocationTemplate.xsd](#appendix21) ### XML Declaration and Encoding Attribute 
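Review bot: The front-matter hunk at the top of this file (`@@ -1,23 +1,12 @@`) deletes the "**Applies to** - Windows 10, version 1607" block without adding an `appliesto:` entry, whereas the same cleanup in supported-csp-taskbar-windows.md replaces its "Applies to" list with `appliesto: - ✅ Windows 11`. As written, the article no longer states which Windows version it covers. Either add the equivalent `appliesto:` front-matter entry or confirm the version statement is being dropped on purpose; the same applies to uev-administering-uev-with-windows-powershell-and-wmi.md and uev-administering-uev.md, which are changed the same way in this patch.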
@@ -144,7 +133,7 @@ Settings is a container for all the settings that apply to a particular template |Element|Description| |--- |--- | |Asynchronous|Asynchronous settings packages are applied without blocking the application startup so that the application start proceeds while the settings are still being applied. This element is useful for settings that can be applied asynchronously, such as those settings get/set through an API, like SystemParameterSetting.| -|PreventOverlappingSynchronization|By default, UE-V only saves settings for an application when the last instance of an application using the template is closed. When this element is set to ‘false’, UE-V exports the settings even if other instances of an application are running. Suited templates – those templates that include a Common element section– that are shipped with UE-V use this flag to enable shared settings to always export on application close, while preventing application-specific settings from exporting until the last instance is closed.| +|PreventOverlappingSynchronization|By default, UE-V only saves settings for an application when the last instance of an application using the template is closed. When this element is set to ‘false’, UE-V exports the settings even if other instances of an application are running. Suited templates - those templates that include a Common element section– that are shipped with UE-V use this flag to enable shared settings to always export on application close, while preventing application-specific settings from exporting until the last instance is closed.| |AlwaysApplySettings|This parameter forces an imported settings package to be applied even if there are no differences between the package and the current state of the application. This parameter should be used only in special cases since it can slow down settings import.| ### Name Element 
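Review bot: on the `PreventOverlappingSynchronization` row, only the opening dash of the parenthetical was converted, so the `+` line now reads `Suited templates - those templates that include a Common element section– that are shipped`, with a spaced hyphen on one side and the original en dash (with no space before it) on the other. Replace the second dash as well, or set the clause off with commas, so the aside is delimited the same way at both ends.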
@@ -200,11 +189,11 @@ Version identifies the version of the settings location template for administrat > [!IMPORTANT] > This value is queried to determine if a new version of a template should be applied to an existing template in these instances: -- When the scheduled Template Auto Update task executes +- When the scheduled Template Auto Update task executes -- When the Update-UevTemplate PowerShell cmdlet is executed +- When the Update-UevTemplate PowerShell cmdlet is executed -- When the microsoft\\uev:SettingsLocationTemplate Update method is called through WMI +- When the microsoft\\uev:SettingsLocationTemplate Update method is called through WMI @@ -262,13 +251,13 @@ Valid filenames must not match the regular expression \[^\\\\\\?\\\*\\|<>/ A value of **True** indicates that the string contains illegal characters. Here are some examples of illegal values: -- \\\\server\\share\\program.exe +- \\\\server\\share\\program.exe -- Program\*.exe +- Program\*.exe -- Pro?ram.exe +- Pro?ram.exe -- Program<1>.exe +- Program<1>.exe > [!NOTE] > The UE-V template generator encodes the greater than and less than characters as > and < respectively. diff --git a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md index 0104526a2b..0e0636f653 100644 --- a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md +++ b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md 
@@ -1,33 +1,22 @@ --- title: Changing the Frequency of UE-V Scheduled Tasks description: Learn how to create a script that uses the Schtasks.exe command-line options so you can change the frequency of UE-V scheduled tasks. -author: aczechowski -ms.prod: windows-client -ms.collection: - - tier3 - - must-keep ms.date: 04/19/2017 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz ms.topic: article -ms.technology: itpro-configure --- # Changing the Frequency of UE-V Scheduled Tasks -**Applies to** -- Windows 10, version 1607 When the User Experience Virtualization (UE-V) service is enabled, it creates the following scheduled tasks: -- [Monitor Application Settings](#monitor-application-settings) +- [Monitor Application Settings](#monitor-application-settings) -- [Sync Controller Application](#sync-controller-application) +- [Sync Controller Application](#sync-controller-application) -- [Synchronize Settings at Logoff](#synchronize-settings-at-logoff) +- [Synchronize Settings at Logoff](#synchronize-settings-at-logoff) -- [Template Auto Update](#template-auto-update) +- [Template Auto Update](#template-auto-update) > [!NOTE] > These tasks must remain enabled, because UE-V cannot function without them. 
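Review bot: removing the `**Applies to**` block and `- Windows 10, version 1607` leaves no statement in the visible lines of this page of which Windows release it covers, and the same hunk drops `author`, `ms.author` and `manager` from the front matter with nothing in their place. If both are now supplied by shared defaults outside this file, say so in the commit description. Otherwise keep the release statement in the body text, as the Group Policy and deployment pages in this patch still do in their context lines.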
@@ -99,11 +88,11 @@ The following chart provides additional information about scheduled tasks for UE **Legend** -- **Power Toggle** – Task Scheduler will optimize power consumption when not connected to AC power. The task might stop running if the computer switches to battery power. +- **Power Toggle** - Task Scheduler will optimize power consumption when not connected to AC power. The task might stop running if the computer switches to battery power. -- **Idle Only** – The task will stop running if the computer ceases to be idle. By default the task won't restart when the computer is idle again. Instead the task will begin again on the next task trigger. +- **Idle Only** - The task will stop running if the computer ceases to be idle. By default the task won't restart when the computer is idle again. Instead the task will begin again on the next task trigger. -- **Network Connection** – Tasks marked “Yes” only run if the computer has a network connection available. Tasks marked “N/A” run regardless of network connectivity. +- **Network Connection** - Tasks marked “Yes” only run if the computer has a network connection available. Tasks marked “N/A” run regardless of network connectivity. ### How to Manage Scheduled Tasks 
@@ -119,13 +108,13 @@ To find Scheduled Tasks, perform the following steps: The following additional information applies to UE-V scheduled tasks: -- All task sequence programs are located in the UE-V Agent installation folder, `%programFiles%\Microsoft User Experience Virtualization\Agent\[architecture]\`, by default. +- All task sequence programs are located in the UE-V Agent installation folder, `%programFiles%\Microsoft User Experience Virtualization\Agent\[architecture]\`, by default. -- The Sync Controller Application Scheduled task is the crucial component when the UE-V SyncMethod is set to “SyncProvider” (UE-V default configuration). This scheduled task keeps the SettingsSToragePath synchronized with the locally cached versions of the settings package files. If users complain that settings don't synchronize often enough, then you can reduce the scheduled task setting to as little as 1 minute.  You can also increase the 30-min default to a higher amount if necessary. +- The Sync Controller Application Scheduled task is the crucial component when the UE-V SyncMethod is set to “SyncProvider” (UE-V default configuration). This scheduled task keeps the SettingsSToragePath synchronized with the locally cached versions of the settings package files. If users complain that settings don't synchronize often enough, then you can reduce the scheduled task setting to as little as 1 minute. You can also increase the 30-min default to a higher amount if necessary. -- You don't need to disable the Template Auto Update scheduled task if you use another method to keep the clients’ templates in sync (that is, Group Policy or Configuration Manager Baselines). Leaving the SettingsTemplateCatalog property value blank prevents UE-V from checking the settings catalog for custom templates. This scheduled task runs ApplySettingsCatalog.exe and will essentially return immediately. 
+- You don't need to disable the Template Auto Update scheduled task if you use another method to keep the clients’ templates in sync (that is, Group Policy or Configuration Manager Baselines). Leaving the SettingsTemplateCatalog property value blank prevents UE-V from checking the settings catalog for custom templates. This scheduled task runs ApplySettingsCatalog.exe and will essentially return immediately. -- The Monitor Application Settings scheduled task will update Windows app (AppX) settings in real time, based on Windows app program setting triggers built into each app. +- The Monitor Application Settings scheduled task will update Windows app (AppX) settings in real time, based on Windows app program setting triggers built into each app. diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md index 44e725599f..cd4155a237 100644 --- a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md +++ b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md @@ -1,23 +1,12 @@ --- title: Configuring UE-V with Group Policy Objects description: In this article, learn how to configure User Experience Virtualization (UE-V) with Group Policy objects. -author: aczechowski -ms.prod: windows-client -ms.collection: - - tier3 - - must-keep ms.date: 04/19/2017 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz ms.topic: article -ms.technology: itpro-configure --- # Configuring UE-V with Group Policy Objects -**Applies to** -- Windows 10, version 1607 Some User Experience Virtualization (UE-V) Group Policy settings can be defined for computers, and other Group Policy settings can be defined for users. The Group Policy administrative templates for these settings are included in Windows 10, version 1607. 
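Review bot: in the `@@ -119,13 +108,13 @@` hunk of uev-changing-the-frequency-of-scheduled-tasks.md, the rewritten Sync Controller Application bullet still carries the setting name as `SettingsSToragePath`. The deployment page in this same patch spells the option `SettingsStoragePath`. Since the line is being touched anyway, correct the casing so the name matches the rest of the documentation set.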
diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md index 30bf50f542..8d1882168b 100644 --- a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md +++ b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md @@ -1,23 +1,12 @@ --- title: Configuring UE-V with Microsoft Configuration Manager description: Learn how to configure User Experience Virtualization (UE-V) with Microsoft Configuration Manager. -author: aczechowski -ms.prod: windows-client -ms.collection: - - tier3 - - must-keep ms.date: 04/19/2017 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz ms.topic: article -ms.technology: itpro-configure --- # Configuring UE-V with Microsoft Configuration Manager -**Applies to** -- Windows 10, version 1607 After you deploy User Experience Virtualization (UE-V) and its required features, you can start to configure it to meet your organization's need. The UE-V Configuration Pack provides a way for administrators to use the Compliance Settings feature of Microsoft Configuration Manager to apply consistent configurations across sites where UE-V and Configuration Manager are installed. 
@@ -25,15 +14,15 @@ After you deploy User Experience Virtualization (UE-V) and its required features The UE-V Configuration Pack includes tools to: -- Create or update UE-V settings location template distribution baselines +- Create or update UE-V settings location template distribution baselines - - Define UE-V templates to be registered or unregistered + - Define UE-V templates to be registered or unregistered - - Update UE-V template configuration items and baselines as templates are added or updated + - Update UE-V template configuration items and baselines as templates are added or updated - - Distribute and register UE-V templates using standard Configuration Item remediation + - Distribute and register UE-V templates using standard Configuration Item remediation -- Create or update a UE-V Agent policy configuration item to set or clear these settings +- Create or update a UE-V Agent policy configuration item to set or clear these settings |Configuration|Setting|Description| |--- |--- |--- | @@ -45,7 +34,7 @@ The UE-V Configuration Pack includes tools to: |Sync method|First use notification|Define which Windows apps will roam settings| |Sync timeout||| -- Verify compliance by confirming that UE-V is running. +- Verify compliance by confirming that UE-V is running. ## Generate a UE-V service policy configuration item 
@@ -54,15 +43,15 @@ All UE-V service policy and configuration is distributed through a single config The UE-V service policy configuration item CAB file is created using the UevTemplateBaselineGenerator.exe command line tool, which has these parameters: -- Site <site code> +- Site <site code> -- PolicyName <name> Optional: Defaults to “UE-V Agent Policy” if not present +- PolicyName <name> Optional: Defaults to “UE-V Agent Policy” if not present -- PolicyDescription <description> Optional: A description is provided if not present +- PolicyDescription <description> Optional: A description is provided if not present -- CabFilePath <full path to configuration item .CAB file> +- CabFilePath <full path to configuration item .CAB file> -- ConfigurationFile <full path to agent configuration XML file> +- ConfigurationFile <full path to agent configuration XML file> > [!NOTE] > It might be necessary to change the PowerShell execution policy to allow these scripts to run in your environment. Perform these steps in the Configuration Manager console: 
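Review bot: the context line above this parameter list says the service policy configuration item CAB is created with `UevTemplateBaselineGenerator.exe`, which is the same tool the later hunk at `@@ -145,19 +140,19 @@` names for the template baseline, yet the two lists take different parameters (`PolicyName` and `ConfigurationFile` here, `BaselineName` and `TemplateFolder` there). Please confirm the tool name for the policy item while this section is open. The optional-parameter text is also unparenthesized here (`Optional: Defaults to ...`) and parenthesized in the baseline list, so pick one form for both.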
@@ -77,48 +66,54 @@ The UE-V service policy configuration item CAB file is created using the UevTemp 1. Copy the default settings configuration file from the UE-V Config Pack installation directory to a location visible to your ConfigMgr Admin Console: ```cmd - C:\Program Files (x86)\Windows Kits\10\Microsoft User Experience Virtualization\Management\AgentConfiguration.xml + C:\Program Files (x86)\Windows Kits\10\Microsoft User Experience Virtualization\Management\AgentConfiguration.xml + ``` The default configuration file contains five sections: - **Computer Policy** + **Computer Policy** + All UE-V machine level settings. The DesiredState attribute can be - - **Set** to have the value assigned in the registry + - **Set** to have the value assigned in the registry - - **Clear** to remove the setting + - **Clear** to remove the setting - - **Unmanaged** to have the configuration item left at its current state + - **Unmanaged** to have the configuration item left at its current state Don't remove lines from this section. Instead, set the DesiredState to ‘Unmanaged’ if you don't want Configuration Manager to alter current or default values. - **CurrentComputerUserPolicy** + **CurrentComputerUserPolicy** + All UE-V user level settings. These entries override the machine settings for a user. The DesiredState attribute can be - - **Set** to have the value assigned in the registry + - **Set** to have the value assigned in the registry - - **Clear** to remove the setting + - **Clear** to remove the setting - - **Unmanaged** to have the configuration item left at its current state + - **Unmanaged** to have the configuration item left at its current state Don't remove lines from this section. Instead, set the DesiredState to ‘Unmanaged’ if you don't want Configuration Manager to alter current or default values. - **Services** + **Services** + Entries in this section control service operation. The default configuration file contains a single entry for the UevAgentService. 
The DesiredState attribute can be set to **Running** or **Stopped**. - **Windows8AppsComputerPolicy** + **Windows8AppsComputerPolicy** + All machine level Windows app synchronization settings. Each PackageFamilyName listed in this section can be assigned a DesiredState of - - **Enabled** to have settings roam + - **Enabled** to have settings roam - - **Disabled** to prevent settings from roaming + - **Disabled** to prevent settings from roaming - - **Cleared** to have the entry removed from UE-V control + - **Cleared** to have the entry removed from UE-V control More lines can be added to this section based on the list of installed Windows apps that can be viewed using the PowerShell cmdlet GetAppxPackage. - **Windows8AppsCurrentComputerUserPolicy** + **Windows8AppsCurrentComputerUserPolicy** + Identical to the Windows8AppsComputerPolicy with settings that override machine settings for an individual user. 2. Edit the configuration file by changing the desired state and value fields. 
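Review bot: the context line that closes the Windows8AppsComputerPolicy block names the cmdlet as `GetAppxPackage`, but the cmdlet is `Get-AppxPackage`. Since this hunk already reflows the whole section, it is the place to fix it. On the changed lines, the newly closed fence is tagged `cmd` but holds a file path rather than a command, so an untagged fence or inline code would describe it better.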
@@ -145,19 +140,19 @@ UE-V templates are distributed using a baseline containing multiple configuratio The UE-V template baseline is created using the UevTemplateBaselineGenerator.exe command line tool, which has these parameters: -- Site <site code> +- Site <site code> -- BaselineName <name> (Optional: defaults to “UE-V Template Distribution Baseline” if not present) +- BaselineName <name> (Optional: defaults to “UE-V Template Distribution Baseline” if not present) -- BaselineDescription <description> (Optional: a description is provided if not present) +- BaselineDescription <description> (Optional: a description is provided if not present) -- TemplateFolder <UE-V template folder> +- TemplateFolder <UE-V template folder> -- Register <comma separated template file list> +- Register <comma separated template file list> -- Unregister <comma separated template list> +- Unregister <comma separated template list> -- CabFilePath <Full path to baseline CAB file to generate> +- CabFilePath <Full path to baseline CAB file to generate> The result is a baseline CAB file that is ready for import into Configuration Manager. If at a future date, you update or add a template, you can rerun the command using the same baseline name. Importing the CAB results in CI version updates on the changed templates. diff --git a/windows/configuration/ue-v/uev-deploy-required-features.md b/windows/configuration/ue-v/uev-deploy-required-features.md index 1ab8b30874..b23bd1c337 100644 --- a/windows/configuration/ue-v/uev-deploy-required-features.md +++ b/windows/configuration/ue-v/uev-deploy-required-features.md 
@@ -1,35 +1,24 @@ --- title: Deploy required UE-V features description: Learn how to install and configure User Experience Virtualization (UE-V) features, for example, a network share that stores and retrieves user settings. -author: aczechowski -ms.prod: windows-client -ms.collection: - - tier3 - - must-keep ms.date: 04/19/2017 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz ms.topic: article -ms.technology: itpro-configure --- # Deploy required UE-V features -**Applies to** -- Windows 10, version 1607 To get up and running with User Experience Virtualization (UE-V), install and configure the following features. -- [Deploy a settings storage location](#deploy-a-ue-v-settings-storage-location) that is accessible to end users. +- [Deploy a settings storage location](#deploy-a-ue-v-settings-storage-location) that is accessible to end users. This feature is a standard network share that stores and retrieves user settings. -- [Choose the configuration method for UE-V](#choose-the-configuration-method-for-ue-v) +- [Choose the configuration method for UE-V](#choose-the-configuration-method-for-ue-v) You can deploy and configure UE-V with common management tools including group policy, Configuration Manager, or Windows Management Infrastructure and PowerShell. -- [Enable the UE-V service](#enable-the-ue-v-service) on user devices. +- [Enable the UE-V service](#enable-the-ue-v-service) on user devices. With Windows 10, version 1607, UE-V is installed automatically. You need to enable the UE-V service on each user device you want to include in your UE-V environment. 
@@ -39,9 +28,9 @@ The articles in this section describe how to deploy these features. UE-V requires a location in which to store user settings in settings package files. You can configure this settings storage location in one of these ways: -- Create your own settings storage location +- Create your own settings storage location -- Use existing Active Directory for your settings storage location +- Use existing Active Directory for your settings storage location > **Note**   As a matter of [performance and capacity planning](uev-prepare-for-deployment.md#performance-and-capacity-planning) and to reduce problems with network latency, create settings storage locations on the same local networks where the users’ devices reside. We recommend 20 MB of disk space per user for the settings storage location. 
@@ -51,17 +40,17 @@ Before you define the settings storage location, you must create a root director The settings storage location is defined by setting the SettingsStoragePath configuration option, which you can configure by using one of these methods: -- Through [Group Policy](uev-configuring-uev-with-group-policy-objects.md) settings +- Through [Group Policy](uev-configuring-uev-with-group-policy-objects.md) settings -- With the [Configuration Manager Pack](uev-configuring-uev-with-system-center-configuration-manager.md) for UE-V +- With the [Configuration Manager Pack](uev-configuring-uev-with-system-center-configuration-manager.md) for UE-V -- With [Windows PowerShell or Windows Management Instrumentation (WMI)](uev-administering-uev-with-windows-powershell-and-wmi.md) +- With [Windows PowerShell or Windows Management Instrumentation (WMI)](uev-administering-uev-with-windows-powershell-and-wmi.md) The path must be in a universal naming convention (UNC) path of the server and share. For example, **\\\\Server\\Settingsshare\\**. This configuration option supports the use of variables to enable specific synchronization scenarios. For example, you can use the %username%\\%computername% variables to preserve the end user settings experience in these scenarios: -- End users that use multiple physical devices in your enterprise +- End users that use multiple physical devices in your enterprise -- Enterprise computers that are used by multiple end users +- Enterprise computers that are used by multiple end users The UE-V service dynamically creates a user-specific settings storage path, with a hidden system folder named **SettingsPackages**, based on the configuration setting of **SettingsStoragePath**. The service reads and writes settings to this location as defined by the registered UE-V settings location templates. 
@@ -108,7 +97,7 @@ You’ll need to decide which configuration method you'll use to manage UE-V aft You can configure UE-V before, during, or after you enable the UE-V service on user devices, depending on the configuration method that you use. -- [**Group Policy**](uev-configuring-uev-with-group-policy-objects.md) You can use your existing Group Policy infrastructure to configure UE-V before or after you enable the UE-V service. The UE-V Group Policy ADMX template enables the central management of common UE-V service configuration options and includes settings to configure UE-V synchronization. +- [**Group Policy**](uev-configuring-uev-with-group-policy-objects.md) You can use your existing Group Policy infrastructure to configure UE-V before or after you enable the UE-V service. The UE-V Group Policy ADMX template enables the central management of common UE-V service configuration options and includes settings to configure UE-V synchronization. >**Note** Starting with Windows 10, version 1607, UE-V ADMX templates are installed automatically. 
@@ -118,9 +107,9 @@ You can configure UE-V before, during, or after you enable the UE-V service on u Windows Server 2012 and Windows Server 2012 R2 -- [**Configuration Manager**](uev-configuring-uev-with-system-center-configuration-manager.md) The UE-V Configuration Pack lets you use the Compliance Settings feature of Microsoft Configuration Manager to apply consistent configurations across sites where UE-V and Configuration Manager are installed. +- [**Configuration Manager**](uev-configuring-uev-with-system-center-configuration-manager.md) The UE-V Configuration Pack lets you use the Compliance Settings feature of Microsoft Configuration Manager to apply consistent configurations across sites where UE-V and Configuration Manager are installed. -- [**Windows PowerShell and WMI**](uev-administering-uev-with-windows-powershell-and-wmi.md) You can use scripted commands for Windows PowerShell and Windows Management Instrumentation (WMI) to modify the configuration of the UE-V service. +- [**Windows PowerShell and WMI**](uev-administering-uev-with-windows-powershell-and-wmi.md) You can use scripted commands for Windows PowerShell and Windows Management Instrumentation (WMI) to modify the configuration of the UE-V service. >**Note** Registry modification can result in data loss, or the computer becomes unresponsive. We recommend that you use other configuration methods. diff --git a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md index 65523c41b0..8cef71005b 100644 --- a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md +++ b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md 
@@ -1,23 +1,12 @@ --- title: Use UE-V with custom applications description: Use User Experience Virtualization (UE-V) to create your own custom settings location templates with the UE-V template generator. -author: aczechowski -ms.prod: windows-client -ms.collection: - - tier3 - - must-keep ms.date: 04/19/2017 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz ms.topic: article -ms.technology: itpro-configure --- # Use UE-V with custom applications -**Applies to** -- Windows 10, version 1607 User Experience Virtualization (UE-V) uses XML files called ***settings location templates*** to monitor and synchronize application settings and Windows settings between user devices. By default, some settings location templates are included in UE-V. However, if you want to synchronize settings for desktop applications other than those settings included in the default templates, you can create your own custom settings location templates with the UE-V template generator. 
@@ -25,27 +14,27 @@ After you’ve reviewed [Prepare a UE-V Deployment](uev-prepare-for-deployment.m To start, here are the main steps required to synchronize settings for custom applications: -- [Install the UE-V template generator](#install-the-uev-template-generator) +- [Install the UE-V template generator](#install-the-uev-template-generator) Use the UEV template generator to create custom XML settings location templates. -- [Configure a UE-V settings template catalog](#deploy-a-settings-template-catalog) +- [Configure a UE-V settings template catalog](#deploy-a-settings-template-catalog) You can define this path where custom settings location templates are stored. -- [Create custom settings location templates](#create-custom-settings-location-templates) +- [Create custom settings location templates](#create-custom-settings-location-templates) These custom templates let users sync settings for custom applications. -- [Deploy the custom settings location templates](#deploy-the-custom-settings-location-templates) +- [Deploy the custom settings location templates](#deploy-the-custom-settings-location-templates) After you test the custom template to ensure that settings are synced correctly, you can deploy these templates in one of these ways: - - With your existing electronic software distribution solution, such as Configuration Manager + - With your existing electronic software distribution solution, such as Configuration Manager - - With Group Policy preferences + - With Group Policy preferences - - With a UE-V settings template catalog + - With a UE-V settings template catalog >**Note** Templates that are deployed with electronic software distribution methods or Group Policy must be registered with UE-V Windows Management Instrumentation (WMI) or Windows PowerShell. 
@@ -58,30 +47,30 @@ Before you start deploying the UE-V features that handle custom applications, re Use the UE-V template generator to monitor, discover, and capture the locations where Win32 applications store settings. The template generator doesn't create settings location templates for the following types of applications: -- Virtualized applications +- Virtualized applications -- Applications that are offered through Terminal Services +- Applications that are offered through Terminal Services -- Java applications +- Java applications -- Windows applications +- Windows applications >**Note** UE-V settings location templates can't be created from virtualized applications or Terminal Services applications. However, settings that are synchronized by using the templates can be applied to those applications. To create templates that support Virtual Desktop Infrastructure (VDI) and Terminal Services applications, open a version of the Windows Installer (.msi) package of the application by using the UE-V template generator. For more information about synchronizing settings for virtual applications, see [Using UE-V with virtual applications](uev-using-uev-with-application-virtualization-applications.md). **Excluded Locations:** The discovery process excludes locations that commonly store application software files that don't synchronize settings well between user computers or computing environments. 
By default, these files are excluded: -- HKEY\_CURRENT\_USER registry keys and files to which the signed-in user can't write values +- HKEY\_CURRENT\_USER registry keys and files to which the signed-in user can't write values -- HKEY\_CURRENT\_USER registry keys and files that are associated with the core functionality of the Windows operating system +- HKEY\_CURRENT\_USER registry keys and files that are associated with the core functionality of the Windows operating system -- All registry keys that are located in the HKEY\_LOCAL\_MACHINE hive +- All registry keys that are located in the HKEY\_LOCAL\_MACHINE hive -- Files that are located in Program Files directories +- Files that are located in Program Files directories -- Files that are located in Users \\ \[User name\] \\ AppData \\ LocalLow +- Files that are located in Users \\ \[User name\] \\ AppData \\ LocalLow -- Windows operating system files that are located in %Systemroot% +- Windows operating system files that are located in %Systemroot% If registry keys and files that are stored in excluded locations are required to synchronize application settings, you can manually add the locations to the settings location template during the template creation process. 
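Review bot: the bullet `- Windows applications` in the list of application types the template generator does not support is ambiguous next to the lead sentence, which says the generator captures settings locations for Win32 applications. If the item means packaged Windows apps, use the wording from the scheduled-tasks page in this patch (`Windows app (AppX)`). The lead-in `By default, these files are excluded:` is loose in the same way, because the list that follows it also contains registry keys.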
@@ -183,31 +172,31 @@ Use the UE-V template generator to create settings location templates for line-o 7. Review and select the appropriate registry settings locations and settings file locations to synchronize for this application. The list includes the following two categories for settings locations: - - **Standard**: Application settings that are stored in the registry under the HKEY\_CURRENT\_USER keys or in the file folders under \\ **Users** \\ \[User name\] \\ **AppData** \\ **Roaming**. The UE-V template generator includes these settings by default. + - **Standard**: Application settings that are stored in the registry under the HKEY\_CURRENT\_USER keys or in the file folders under \\ **Users** \\ \[User name\] \\ **AppData** \\ **Roaming**. The UE-V template generator includes these settings by default. - - **Nonstandard**: Application settings that are stored outside the locations are specified in the best practices for settings data storage (optional). These include files and folders under **Users** \\ \[User name\] \\ **AppData** \\ **Local**. Review these locations to determine whether to include them in the settings location template. Select the locations check boxes to include them. + - **Nonstandard**: Application settings that are stored outside the locations are specified in the best practices for settings data storage (optional). These include files and folders under **Users** \\ \[User name\] \\ **AppData** \\ **Local**. Review these locations to determine whether to include them in the settings location template. Select the locations check boxes to include them. 8. Click **Next** to continue. 9. Review and edit any **Properties**, **Registry** locations, and **Files** locations for the settings location template. 
- - Edit the following properties on the **Properties** tab: + - Edit the following properties on the **Properties** tab: - - **Application Name**: The application name that is written in the description of the program files properties. + - **Application Name**: The application name that is written in the description of the program files properties. - - **Program name**: The name of the program that is taken from the program file properties. This name usually has the .exe file name extension. + - **Program name**: The name of the program that is taken from the program file properties. This name usually has the .exe file name extension. - - **Product version**: The product version number of the .exe file of the application. This property, in conjunction with the **File version**, helps determine which applications are targeted by the settings location template. This property accepts a major version number. If this property is empty, the settings location template applies to all versions of the product. + - **Product version**: The product version number of the .exe file of the application. This property, in conjunction with the **File version**, helps determine which applications are targeted by the settings location template. This property accepts a major version number. If this property is empty, the settings location template applies to all versions of the product. - - **File version**: The file version number of the .exe file of the application. This property, in conjunction with the **Product version**, helps determine which applications are targeted by the settings location template. This property accepts a major version number. If this property is empty, the settings location template applies to all versions of the program. + - **File version**: The file version number of the .exe file of the application. This property, in conjunction with the **Product version**, helps determine which applications are targeted by the settings location template. 
This property accepts a major version number. If this property is empty, the settings location template applies to all versions of the program. - - **template author name** (optional): The name of the settings location template author. + - **template author name** (optional): The name of the settings location template author. - - **template author email** (optional): The email address of the settings location template author. + - **template author email** (optional): The email address of the settings location template author. - - The **Registry** tab lists the **Key** and **Scope** of the registry locations that are included in the settings location template. Edit the registry locations by using the **Tasks** drop-down menu. Tasks enable you to add new keys, edit the name or scope of existing keys, delete keys, and browse the registry where the keys are located. Use the **All Settings** scope to include all the registry settings under the specified key. Use the **All Settings and Subkeys** to include all the registry settings under the specified key, subkeys, and subkey settings. + - The **Registry** tab lists the **Key** and **Scope** of the registry locations that are included in the settings location template. Edit the registry locations by using the **Tasks** drop-down menu. Tasks enable you to add new keys, edit the name or scope of existing keys, delete keys, and browse the registry where the keys are located. Use the **All Settings** scope to include all the registry settings under the specified key. Use the **All Settings and Subkeys** to include all the registry settings under the specified key, subkeys, and subkey settings. - - The **Files** tab lists the file path and file mask of the file locations that are included in the settings location template. Edit the file locations by use of the **Tasks** drop-down menu. 
Tasks for file locations enable you to add new files or folder locations, edit the scope of existing files or folders, delete files or folders, and open the selected location in Windows Explorer. Leave the file mask empty to include all files in the specified folder. + - The **Files** tab lists the file path and file mask of the file locations that are included in the settings location template. Edit the file locations by use of the **Tasks** drop-down menu. Tasks for file locations enable you to add new files or folder locations, edit the scope of existing files or folders, delete files or folders, and open the selected location in Windows Explorer. Leave the file mask empty to include all files in the specified folder. 10. Click **Create**, and then click **Save** to save the settings location template on the computer. @@ -223,11 +212,11 @@ After you create a settings location template with the UE-V template generator, You can deploy settings location templates using of these methods: -- An electronic software distribution (ESD) system such as Microsoft Configuration Manager +- An electronic software distribution (ESD) system such as Microsoft Configuration Manager -- Group Policy preferences +- Group Policy preferences -- A UE-V settings template catalog +- A UE-V settings template catalog Templates that are deployed by using an ESD system or Group Policy objects must be registered using UE-V Windows Management Instrumentation (WMI) or Windows PowerShell. Templates that are stored in the settings template catalog location are automatically registered by the UE-V service. diff --git a/windows/configuration/ue-v/uev-for-windows.md b/windows/configuration/ue-v/uev-for-windows.md index c8732241c7..b8238ea649 100644 --- a/windows/configuration/ue-v/uev-for-windows.md +++ b/windows/configuration/ue-v/uev-for-windows.md 
@@ -1,23 +1,12 @@ --- title: User Experience Virtualization for Windows 10, version 1607 description: Overview of User Experience Virtualization for Windows 10, version 1607 -author: aczechowski -ms.prod: windows-client -ms.collection: - - tier3 - - must-keep ms.date: 05/02/2017 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz ms.topic: article -ms.technology: itpro-configure --- # User Experience Virtualization (UE-V) for Windows 10 overview -**Applies to** -- Windows 10, version 1607 Many users customize their settings for Windows and for specific applications. Customizable Windows settings include Microsoft Store appearance, language, background picture, font size, and accent colors. Customizable application settings include language, appearance, behavior, and user interface options. @@ -25,13 +14,13 @@ With User Experience Virtualization (UE-V), you can capture user-customized Wind **With UE-V you can…** -- Specify which application and Windows settings synchronize across user devices +- Specify which application and Windows settings synchronize across user devices -- Deliver the settings anytime and anywhere users work throughout the enterprise +- Deliver the settings anytime and anywhere users work throughout the enterprise -- Create custom templates for your third-party or line-of-business applications +- Create custom templates for your third-party or line-of-business applications -- Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state +- Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state With the release of Windows 10, version 1607, UE-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices. 
@@ -72,32 +61,32 @@ Use these UE-V components to create and manage custom templates for your third-p UE-V synchronizes settings for these applications by default. For a complete list and more detailed information, see [Settings that are automatically synchronized in a UE-V deployment](uev-prepare-for-deployment.md). -- Microsoft Office 2016, 2013, and 2010 +- Microsoft Office 2016, 2013, and 2010 -- Internet Explorer 11 and 10 +- Internet Explorer 11 and 10 -- Many Windows applications, such as Xbox +- Many Windows applications, such as Xbox -- Many Windows desktop applications, such as Notepad +- Many Windows desktop applications, such as Notepad -- Many Windows settings, such as desktop background or wallpaper +- Many Windows settings, such as desktop background or wallpaper >**Note** You can also [customize UE-V to synchronize settings](uev-deploy-uev-for-custom-applications.md) for applications other than those synchronized by default. ## Other resources for this feature -- [Get Started with UE-V for Windows 10](uev-getting-started.md) +- [Get Started with UE-V for Windows 10](uev-getting-started.md) -- [UE-V for Windows 10 Release Notes](uev-release-notes-1607.md) +- [UE-V for Windows 10 Release Notes](uev-release-notes-1607.md) -- [Prepare to deploy UE-V for Windows 10](uev-prepare-for-deployment.md) +- [Prepare to deploy UE-V for Windows 10](uev-prepare-for-deployment.md) -- [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md) +- [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md) -- [Administer UE-V for Windows 10](uev-administering-uev.md) +- [Administer UE-V for Windows 10](uev-administering-uev.md) -- [Technical Reference for UE-V for Windows 10](uev-technical-reference.md) +- [Technical Reference for UE-V for Windows 10](uev-technical-reference.md) diff --git a/windows/configuration/ue-v/uev-getting-started.md b/windows/configuration/ue-v/uev-getting-started.md index 7bf8cae820..2cdfd8e9bf 100644 
--- a/windows/configuration/ue-v/uev-getting-started.md +++ b/windows/configuration/ue-v/uev-getting-started.md @@ -1,22 +1,11 @@ --- title: Get Started with UE-V description: Use the steps in this article to deploy User Experience Virtualization (UE-V) for the first time in a test environment. -author: aczechowski -ms.prod: windows-client -ms.collection: - - tier3 - - must-keep ms.date: 03/08/2018 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz -ms.technology: itpro-configure --- # Get Started with UE-V -**Applies to** -- Windows 10, version 1607 >[!NOTE] >This documentation is for the most recent version of UE-V. If you're looking for information about UE-V 2.x, which was included in the Microsoft Desktop Optimization Pack (MDOP), see [Get Started with UE-V 2.x](/microsoft-desktop-optimization-pack/uev-v2/get-started-with-ue-v-2x-new-uevv2). 
@@ -28,15 +17,15 @@ Follow the steps in this topic to deploy User Experience Virtualization (UE-V) f The standard installation of UE-V synchronizes the default Microsoft Windows and Office settings and many Windows applications settings. For best results, ensure that your test environment includes two or more user computers that share network access. -- [Step 1: Confirm prerequisites](#step-1-confirm-prerequisites). Review the supported configurations in this section to verify that your environment is able to run UE-V. +- [Step 1: Confirm prerequisites](#step-1-confirm-prerequisites). Review the supported configurations in this section to verify that your environment is able to run UE-V. -- [Step 2: Deploy the settings storage location](#step-2-deploy-the-settings-storage-location). Explains how to deploy a settings storage location. All UE-V deployments require a location to store settings packages that contain the synchronized setting values. +- [Step 2: Deploy the settings storage location](#step-2-deploy-the-settings-storage-location). Explains how to deploy a settings storage location. All UE-V deployments require a location to store settings packages that contain the synchronized setting values. -- [Step 3: Enable and configure the UE-V service](#step-3-enable-and-configure-the-ue-v-service-on-user-devices). Explains how to enable to UE-V service on user devices and configure the storage path. To synchronize settings using UE-V, devices must have the UE-V service enabled and running. +- [Step 3: Enable and configure the UE-V service](#step-3-enable-and-configure-the-ue-v-service-on-user-devices). Explains how to enable to UE-V service on user devices and configure the storage path. To synchronize settings using UE-V, devices must have the UE-V service enabled and running. -- [Step 4: Test Your UE-V evaluation deployment](#step-4-test-your-ue-v-evaluation-deployment). 
Run a few tests on two computers with the UE-V service enabled to see how UE-V works and if it meets your organization’s needs. +- [Step 4: Test Your UE-V evaluation deployment](#step-4-test-your-ue-v-evaluation-deployment). Run a few tests on two computers with the UE-V service enabled to see how UE-V works and if it meets your organization’s needs. -- Step 5: Deploy UE-V for custom applications (optional). If you want to evaluate how your third-party and line-of-business applications work with UE-V, follow the steps in [Use UE-V with custom applications](uev-deploy-uev-for-custom-applications.md). Following this link takes you to another topic. Use your browser’s **Back** button to return to this topic. +- Step 5: Deploy UE-V for custom applications (optional). If you want to evaluate how your third-party and line-of-business applications work with UE-V, follow the steps in [Use UE-V with custom applications](uev-deploy-uev-for-custom-applications.md). Following this link takes you to another topic. Use your browser’s **Back** button to return to this topic. ## Step 1: Confirm prerequisites 
@@ -137,15 +126,15 @@ You’re ready to run a few tests on your UE-V evaluation deployment to see how 1. On the first device (Computer A), make one or more of these changes: - - Open Windows Desktop and move the taskbar to a different location in the window. + - Open Windows Desktop and move the taskbar to a different location in the window. - - Change the default fonts. + - Change the default fonts. - - Open Notepad and set format -> word wrap **on**. + - Open Notepad and set format -> word wrap **on**. - - Change the behavior of any Windows application, as detailed in [Managing UE-V settings location templates using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md). + - Change the behavior of any Windows application, as detailed in [Managing UE-V settings location templates using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md). - - Disable Microsoft Account settings synchronization and roaming profiles. + - Disable Microsoft Account settings synchronization and roaming profiles. 2. Log off Computer A. Settings are saved in a UE-V settings package when users lock, logoff, exit an application, or when the sync provider runs (every 30 minutes by default). 
@@ -161,14 +150,14 @@ For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.c ## Other resources for this feature -- [User Experience Virtualization overview](uev-for-windows.md) +- [User Experience Virtualization overview](uev-for-windows.md) -- [Prepare a UE-V Deployment](uev-prepare-for-deployment.md) +- [Prepare a UE-V Deployment](uev-prepare-for-deployment.md) -- [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md) +- [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md) -- [Administering UE-V](uev-administering-uev.md) +- [Administering UE-V](uev-administering-uev.md) -- [Troubleshooting UE-V](uev-troubleshooting.md) +- [Troubleshooting UE-V](uev-troubleshooting.md) -- [Technical Reference for UE-V](uev-technical-reference.md) +- [Technical Reference for UE-V](uev-technical-reference.md) diff --git a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md index ec137a5b65..afbb06a103 100644 --- a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md +++ b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md @@ -1,23 +1,12 @@ --- title: Manage Administrative Backup and Restore in UE-V description: Learn how an administrator of User Experience Virtualization (UE-V) can back up and restore application and Windows settings to their original state. -author: aczechowski -ms.prod: windows-client -ms.collection: - - tier3 - - must-keep ms.date: 04/19/2017 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz ms.topic: article -ms.technology: itpro-configure --- # Manage Administrative Backup and Restore in UE-V -**Applies to** -- Windows 10, version 1607 As an administrator of User Experience Virtualization (UE-V), you can restore application and Windows settings to their original state. You can also restore more settings when a user adopts a new device. 
@@ -30,9 +19,9 @@ To restore settings when a user adopts a new device, you can put a settings loca Set-UevTemplateProfile -ID -Profile ``` -- <TemplateID> is the UE-V Template ID +- <TemplateID> is the UE-V Template ID -- <backup> can either be Backup or Roaming +- <backup> can either be Backup or Roaming When a user’s device is being replaced, UE-V automatically restores settings if the user’s domain, username, and device name all match. All synchronized and any backup data is restored on the device automatically. @@ -52,23 +41,23 @@ As part of the Backup/Restore feature, UE-V added **last known good (LKG)** to t Here are the key backup and restore components of UE-V: -- Template profiles +- Template profiles -- Settings packages location within the Settings Storage Location template +- Settings packages location within the Settings Storage Location template -- Backup trigger +- Backup trigger -- How settings are restored +- How settings are restored **Template Profiles** A UE-V template profile is defined when the template is registered on the device or post registration through the PowerShell/WMI configuration utility. The profile types include: -- Roaming (default) +- Roaming (default) -- Backup +- Backup -- BackupOnly +- BackupOnly All templates are included in the roaming profile when registered unless otherwise specified. These templates synchronize settings to all UE-V enabled devices with the corresponding template enabled. 
@@ -88,16 +77,17 @@ Backup is triggered by the same events that trigger a UE-V synchronization. Restoring a user’s device restores the currently registered Template’s settings from another device’s backup folder and all synchronized settings to the current machine. Settings are restored in these two ways: -- **Automatic restore** +- **Automatic restore** If the user’s UE-V settings storage path, domain, and Computer name match the current user then all of the settings for that user are synchronized, with only the latest settings applied. If a user signs in to a new device for the first time and these criteria are met, the settings data is applied to that device. - **Note** + **Note** + Accessibility and Windows Desktop settings require the user to sign in again to Windows to be applied. -- **Manual Restore** +- **Manual Restore** If you want to assist users by restoring a device during a refresh, you can choose to use the Restore-UevBackup cmdlet. This command ensures that the user’s current settings become the current state on the Settings Storage Location. @@ -115,7 +105,8 @@ WMI and Windows PowerShell commands let you restore application and Windows sett |**Windows PowerShell cmdlet**|**Description**| |--- |--- | |`Restore-UevUserSetting -` |Restores the user settings for an application or restores a group of Windows settings.| - + + **To restore application settings and Windows settings with WMI** 1. Open a Windows PowerShell window. diff --git a/windows/configuration/ue-v/uev-manage-configurations.md b/windows/configuration/ue-v/uev-manage-configurations.md index 419e2f3379..60de4ab632 100644 --- a/windows/configuration/ue-v/uev-manage-configurations.md +++ b/windows/configuration/ue-v/uev-manage-configurations.md 
@@ -1,23 +1,12 @@ --- title: Manage Configurations for UE-V description: Learn to manage the configuration of the User Experience Virtualization (UE-V) service and also learn to manage storage locations for UE-V resources. -author: aczechowski -ms.prod: windows-client -ms.collection: - - tier3 - - must-keep ms.date: 04/19/2017 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz ms.topic: article -ms.technology: itpro-configure --- # Manage Configurations for UE-V -**Applies to** -- Windows 10, version 1607 In the course of the User Experience Virtualization (UE-V) lifecycle, you have to manage the configuration of the UE-V service and also manage storage locations for resources such as settings package files. The following topics provide guidance for managing these UE-V resources. @@ -29,7 +18,7 @@ You can use Group Policy Objects to modify the settings that define how UE-V syn ## Configuring UE-V with Microsoft Configuration Manager -You can use Microsoft Endpoint Configuration Manager to manage the UE-V service by using the UE-V Configuration Pack. +You can use Microsoft Endpoint Configuration Manager to manage the UE-V service by using the UE-V Configuration Pack. [Configuring UE-V with Microsoft Configuration Manager](uev-configuring-uev-with-system-center-configuration-manager.md) 
@@ -43,23 +32,23 @@ UE-V provides Windows PowerShell cmdlets, which can help administrators perform Here are some examples of UE-V configuration settings: -- **Settings Storage Path:** Specifies the location of the file share that stores the UE-V settings. +- **Settings Storage Path:** Specifies the location of the file share that stores the UE-V settings. -- **Settings Template Catalog Path:** Specifies the Universal Naming Convention (UNC) path that defines the location that was checked for new settings location templates. +- **Settings Template Catalog Path:** Specifies the Universal Naming Convention (UNC) path that defines the location that was checked for new settings location templates. -- **Register Microsoft Templates:** Specifies whether the default Microsoft templates should be registered during installation. +- **Register Microsoft Templates:** Specifies whether the default Microsoft templates should be registered during installation. -- **Synchronization Method:** Specifies whether UE-V uses the sync provider or "none". The "SyncProvider" supports computers that are disconnected from the network. "None" applies when the computer is always connected to the network. For more information about the Sync Method, see [Sync Methods for UE-V](uev-sync-methods.md). +- **Synchronization Method:** Specifies whether UE-V uses the sync provider or "none". The "SyncProvider" supports computers that are disconnected from the network. "None" applies when the computer is always connected to the network. For more information about the Sync Method, see [Sync Methods for UE-V](uev-sync-methods.md). -- **Synchronization Timeout:** Specifies the number of milliseconds that the computer waits before time-out when it retrieves the user settings from the settings storage location. +- **Synchronization Timeout:** Specifies the number of milliseconds that the computer waits before time-out when it retrieves the user settings from the settings storage location. 
-- **Synchronization Enable:** Specifies whether the UE-V settings synchronization is enabled or disabled. +- **Synchronization Enable:** Specifies whether the UE-V settings synchronization is enabled or disabled. -- **Maximum Package Size:** Specifies a settings package file threshold size in bytes at which the UE-V service reports a warning. +- **Maximum Package Size:** Specifies a settings package file threshold size in bytes at which the UE-V service reports a warning. -- **Don’t Sync Windows App Settings:** Specifies that UE-V should not synchronize Windows apps. +- **Don’t Sync Windows App Settings:** Specifies that UE-V should not synchronize Windows apps. -- **Enable/Disable First Use Notification:** Specifies whether UE-V displays a dialog box the first time that the UE-V service runs on a user’s computer. +- **Enable/Disable First Use Notification:** Specifies whether UE-V displays a dialog box the first time that the UE-V service runs on a user’s computer. diff --git a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md index fd0c9e9aac..9307c58cae 100644 --- a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md +++ b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md 
@@ -1,23 +1,12 @@ --- title: Managing UE-V Settings Location Templates Using Windows PowerShell and WMI description: Managing UE-V Settings Location Templates Using Windows PowerShell and WMI -author: aczechowski -ms.prod: windows-client -ms.collection: - - tier3 - - must-keep ms.date: 04/19/2017 -ms.reviewer: -manager: aaroncz -ms.author: aaroncz ms.topic: article -ms.technology: itpro-configure --- # Managing UE-V Settings Location Templates Using Windows PowerShell and WMI -**Applies to** -- Windows 10, version 1607 User Experience Virtualization (UE-V) uses XML settings location templates to define the settings that User Experience Virtualization captures and applies. UE-V includes a set of standard settings location templates. It also includes the UE-V template generator tool that enables you to create custom settings location templates. After you create and deploy settings location templates, you can manage those templates by using Windows PowerShell and the Windows Management Instrumentation (WMI). @@ -35,7 +24,8 @@ You must have administrator permissions to update, register, or unregister a set 1. Use an account with administrator rights to open a Windows PowerShell command prompt. 2. Use the following Windows PowerShell cmdlets to register and manage the UE-V settings location templates. - + + |Windows PowerShell command|Description| |--- |--- | |`Get-UevTemplate`|Lists all the settings location templates that are registered on the computer.| @@ -65,9 +55,11 @@ You must have administrator permissions to update, register, or unregister a set |`Enable-UevAppXPackage [-CurrentComputerUser] [-PackageFamilyName] [,]`|Enables one or more Windows apps in the current user Windows app list.| |`Test-UevTemplate [-Path]
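Review bot: In the template-generator hunk at @@ -183,31 +172,31 @@, the re-added **Nonstandard** item still reads "Application settings that are stored outside the locations are specified in the best practices for settings data storage (optional)", which does not parse. Since the line is rewritten for whitespace anyway, change it to "stored outside the locations that are specified in the best practices for settings data storage". The property labels "**template author name**" and "**template author email**" in the same hunk are also lower-case while "**Application Name**" is capitalized, so pick one form.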
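Review bot: In the hunk at @@ -223,11 +212,11 @@, the context line above the touched list reads "You can deploy settings location templates using of these methods:", which is missing a word. The list under it is already being rewritten, so fix the lead-in in the same change ("using one of these methods").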
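Review bot: In uev-getting-started.md at @@ -1,22 +1,11 @@, the front matter that remains after the removals is only title, description and ms.date, with no "ms.topic" line, whereas the sibling files in this patch keep "ms.topic: article". Please add it here for consistency, and confirm that author, ms.author and manager are now supplied somewhere else, since nothing in the visible lines replaces them. The same hunk drops "**Applies to** - Windows 10, version 1607" from an article whose title carries no version, so the version scope should be stated somewhere in the body if it still applies.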
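Review bot: In uev-getting-started.md at @@ -28,15 +17,15 @@, the re-added Step 3 item still says "Explains how to enable to UE-V service on user devices", which should be "enable the UE-V service". The line is touched only for trailing whitespace, but this is the cheapest place to correct it.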
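Review bot: In uev-manage-administrative-backup-and-restore.md at @@ -30,9 +19,9 @@, the re-added item "<backup> can either be Backup or Roaming" disagrees with the profile list later in the same file (@@ -52,23 +41,23 @@), which names three types: Roaming (default), Backup and BackupOnly. Either add BackupOnly to this item or state why it is not accepted here. The placeholder name "<backup>" for a -Profile value is also misleading and would read better as "<Profile>".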
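Review bot: In uev-manage-administrative-backup-and-restore.md at @@ -88,16 +77,17 @@, the added blank line after "**Note**" detaches the label from its text ("Accessibility and Windows Desktop settings require the user to sign in again to Windows to be applied."), so the two will render as separate paragraphs. Use the alert form that uev-getting-started.md already uses (">[!NOTE]"), indented to sit under the **Automatic restore** item, instead of a bold label.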
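Review bot: In uev-manage-configurations.md at @@ -29,7 +18,7 @@, the re-added sentence still names "Microsoft Endpoint Configuration Manager", while the heading directly above it and the link text directly below it both say "Microsoft Configuration Manager". The line is changed only for trailing whitespace, so align the product name in the same edit.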