diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 85b9e8d303..cae7712f27 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1,5 +1,15 @@
 {
 "redirections": [
+{
+ "source_path": "windows/deployment/update/waas-windows-insider-for-business-aad.md",
+ "redirect_url": "https://docs.microsoft.com/en-us/windows-insider/at-work-pro/wip-4-biz-add",
+ "redirect_document_id": true
+ },
+{
+ "source_path": "windows/deployment/update/waas-windows-insider-for-business-faq.md",
+ "redirect_url": "https://docs.microsoft.com/en-us/windows-insider/at-work-pro/wip-4-biz-get-started",
+ "redirect_document_id": true
+},
 {
 "source_path": "windows/deployment/update/waas-windows-insider-for-business.md",
 "redirect_url": "/windows-insider/at-work-pro/wip-4-biz-get-started",
@@ -6556,6 +6566,21 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/configuration/kiosk-shared-pc.md",
+"redirect_url": "/windows/configuration/kiosk-methods",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/configuration/setup-kiosk-digital-signage.md",
+"redirect_url": "/windows/configuration/kiosk-single-app",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/configuration/multi-app-kiosk-xml.md",
+"redirect_url": "/windows/configuration/kiosk-xml",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/configure/lock-down-windows-10-to-specific-apps.md",
 "redirect_url": "/windows/configuration/lock-down-windows-10-to-specific-apps",
 "redirect_document_id": true
@@ -6676,11 +6701,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/configuration/multi-app-kiosk-xml.md",
-"redirect_url": "windows/configuration/kiosk-xml.md",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/configure/provisioning-uninstall-package.md",
 "redirect_url": "/windows/configuration/provisioning-packages/provisioning-uninstall-package",
 "redirect_document_id": true
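Review bot: In the `@@ -1,5 +1,15 @@` hunk the first added entry sends `waas-windows-insider-for-business-aad.md` to a URL ending in `wip-4-biz-add`, which looks like a transposition of `aad`; the target slug is not visible in this diff, so please confirm it resolves before merging. Both new entries also use absolute, locale-pinned targets (`https://docs.microsoft.com/en-us/...`), while the neighbouring entry for `waas-windows-insider-for-business.md` uses the site-relative form. For consistency, and so the redirect does not force a host and locale, I would write the FAQ entry as `"redirect_url": "/windows-insider/at-work-pro/wip-4-biz-get-started",` and give the AAD entry the matching relative path. The closing brace of the first entry is indented (`+ },`) where the second is not (`+},`); harmless to the parser, but worth aligning.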
@@ -13491,11 +13511,6 @@ "redirect_document_id": true }, { -"source_path": "windows/update/waas-windows-insider-for-business-faq.md", -"redirect_url": "/windows/deployment/update/waas-windows-insider-for-business-faq", -"redirect_document_id": true -}, -{ "source_path": "windows/update/waas-windows-insider-for-business.md", "redirect_url": "/windows/deployment/update/waas-windows-insider-for-business", "redirect_document_id": true diff --git a/browsers/edge/Index.md b/browsers/edge/Index.md index 214a02e1d0..f8a80c7b8d 100644 --- a/browsers/edge/Index.md +++ b/browsers/edge/Index.md @@ -37,7 +37,6 @@ Microsoft Edge lets you stay up-to-date through the Microsoft Store and to manag | [Microsoft Edge requirements and language support](hardware-and-software-requirements.md) |Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list.| | [Available policies for Microsoft Edge](available-policies.md) |Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings.

Group Policy objects (GPO's) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain. | | [Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) |If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11.

Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. | -| [Security enhancements for Microsoft Edge](security-enhancements-microsoft-edge.md) |Microsoft Edge is designed with significant security improvements over existing browsers, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. | |[Microsoft Edge Frequently Asked Questions (FAQs)](microsoft-edge-faq.md)|Answering frequently asked questions about Microsoft Edge features, integration, support, and potential problems. ## Interoperability goals and enterprise guidance diff --git a/browsers/edge/TOC.md b/browsers/edge/TOC.md index cc22c085d6..21eef4d813 100644 --- a/browsers/edge/TOC.md +++ b/browsers/edge/TOC.md 
@@ -8,21 +8,19 @@ ###[Home button settings](group-policies/home-button-gp.md) ###[Prelaunch Microsoft Edge and preload tabs](group-policies/prelaunch-preload-gp.md) ###[Search engine customization](group-policies/search-engine-customization-gp.md) +###[Security and privacy management](group-policies/security-privacy-management-gp.md) ###[Start pages settings](group-policies/start-pages-gp.md) ###[Sync browser settings](group-policies/sync-browser-settings-gp.md) - +###[Interoperability and enterprise guidance](group-policies/interoperability-enterprise-guidance-gp.md) ##[Change history for Microsoft Edge](change-history-for-microsoft-edge.md) -##[Enterprise guidance about using Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) - ##[Microsoft Edge requirements and language support](hardware-and-software-requirements.md) ##[Available policies for Microsoft Edge](available-policies.md) ##[Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) -##[Security enhancements for Microsoft Edge](security-enhancements-microsoft-edge.md) - ##[Microsoft Edge Frequently Asked Questions (FAQs)](microsoft-edge-faq.md) + diff --git a/browsers/edge/group-policies/address-bar-settings-gp.md b/browsers/edge/group-policies/address-bar-settings-gp.md new file mode 100644 index 0000000000..7fe1afeed2 --- /dev/null +++ b/browsers/edge/group-policies/address-bar-settings-gp.md 
@@ -0,0 +1,23 @@
+---
+title: Microsoft Edge - Address bar settings
+description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result.
+services:
+keywords: Don’t add or edit keywords without consulting your SEO champ.
+author: shortpatti
+ms.author: pashort
+ms.date: 07/25/2018
+ms.topic: article
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+---
+
+# Address bar settings
+>*Supported versions: Microsoft Edge on Windows 10*
+
+I need a description here
+
+
+[!INCLUDE [allow-address-bar-suggestions-include](../includes/allow-address-bar-suggestions-include.md)]
+
+[!INCLUDE [configure-search-suggestions-address-bar-include](../includes/configure-search-suggestions-address-bar-include.md)]
\ No newline at end of file
diff --git a/browsers/edge/group-policies/adobe-settings-gp.md b/browsers/edge/group-policies/adobe-settings-gp.md
new file mode 100644
index 0000000000..f910a747dd
--- /dev/null
+++ b/browsers/edge/group-policies/adobe-settings-gp.md
@@ -0,0 +1,24 @@
+---
+title: Microsoft Edge - Adobe settings
+description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result.
+services:
+keywords: Don’t add or edit keywords without consulting your SEO champ.
+author: shortpatti
+ms.author: pashort
+ms.date: 07/25/2018
+ms.topic: article
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+---
+
+# Adobe settings
+>*Supported versions: Microsoft Edge on Windows 10*
+
+I need a description here, maybe with scenarios
+
+[!INCLUDE [allow-adobe-flash-include](../includes/allow-adobe-flash-include.md)]
+
+
+[!INCLUDE [configure-adobe-flash-click-to-run-include](../includes/configure-adobe-flash-click-to-run-include.md)]
+
diff --git a/browsers/edge/group-policies/books-library-management-gp.md b/browsers/edge/group-policies/books-library-management-gp.md
new file mode 100644
index 0000000000..95761893b2
--- /dev/null
+++ b/browsers/edge/group-policies/books-library-management-gp.md
@@ -0,0 +1,27 @@
+---
+title: Microsoft Edge - Books Library management
+description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result.
+services:
+keywords: Don’t add or edit keywords without consulting your SEO champ.
+author: shortpatti
+ms.author: pashort
+ms.date: 07/25/2018
+ms.topic: article
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+---
+
+# Books Library management
+>*Supported versions: Microsoft Edge on Windows 10*
+
+I need a description here, maybe with scenarios
+
+
+[!INCLUDE [allow-shared-folder-books-include](../includes/allow-shared-folder-books-include.md)]
+
+[!INCLUDE [allow-config-updates-books-include](../includes/allow-config-updates-books-include.md)]
+
+[!INCLUDE [allow-ext-telemetry-books-tab-include](../includes/allow-ext-telemetry-books-tab-include.md)]
+
+[!INCLUDE [always-enable-book-library-include](../includes/always-enable-book-library-include.md)]
\ No newline at end of file
diff --git a/browsers/edge/group-policies/bowser-settings-management-gp.md b/browsers/edge/group-policies/bowser-settings-management-gp.md
new file mode 100644
index 0000000000..e38cacbf4c
--- /dev/null
+++ b/browsers/edge/group-policies/bowser-settings-management-gp.md
@@ -0,0 +1,47 @@
+---
+title: Microsoft Edge - Browser settings management
+description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result.
+services:
+keywords: Don’t add or edit keywords without consulting your SEO champ.
+author: shortpatti
+ms.author: pashort
+ms.date: 07/25/2018
+ms.topic: article
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+---
+
+# Browser settings management
+>*Supported versions: Microsoft Edge on Windows 10*
+
+I need a description here, maybe with scenarios
+
+
+
+## Allow clearing browsing data on exit
+[!INCLUDE [allow-clearing-browsing-data-include](../includes/allow-clearing-browsing-data-include.md)]
+
+## Allow printing
+[!INCLUDE [allow-printing-include](../includes/allow-printing-include.md)]
+
+## Allow Saving History
+[!INCLUDE [allow-saving-history-include](../includes/allow-saving-history-include.md)]
+
+## Configure Autofill
+[!INCLUDE [configure-autofill-include](../includes/configure-autofill-include.md)]
+
+## Configure Pop-up Blocker
+[!INCLUDE [configure-pop-up-blocker-include](../includes/configure-pop-up-blocker-include.md)]
+
+## Do not sync
+[!INCLUDE [do-not-sync-include](../includes/do-not-sync-include.md)]
+
+## Do not sync browser settings
+[!INCLUDE [do-not-sync-browser-settings-include](../includes/do-not-sync-browser-settings-include.md)]
+
+## Prevent users from turning on browser syncing
+[!INCLUDE [prevent-users-to-turn-on-browser-syncing-include](../includes/prevent-users-to-turn-on-browser-syncing-include.md)]
+
+
+
diff --git a/browsers/edge/group-policies/browser-telemetry-gp.md b/browsers/edge/group-policies/browser-telemetry-gp.md
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/browsers/edge/group-policies/developer-settings-gp.md b/browsers/edge/group-policies/developer-settings-gp.md
new file mode 100644
index 0000000000..22cdbb9c06
--- /dev/null
+++ b/browsers/edge/group-policies/developer-settings-gp.md
@@ -0,0 +1,24 @@
+---
+title: Microsoft Edge - Developer settings
+description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result.
+services:
+keywords: Don’t add or edit keywords without consulting your SEO champ.
+author: shortpatti
+ms.author: pashort
+ms.date: 07/25/2018
+ms.topic: article
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+---
+
+# Developer settings
+>*Supported versions: Microsoft Edge on Windows 10*
+
+I need a description here, maybe with scenarios
+
+## Allow Developer Tools
+[!INCLUDE [allow-dev-tools-include](../includes/allow-dev-tools-include.md)]
+
+## Prevent access to the about:flags page
+[!INCLUDE [prevent-access-about-flag-include](../includes/prevent-access-about-flag-include.md)]
diff --git a/browsers/edge/group-policies/enterprise-mode-gp.md b/browsers/edge/group-policies/enterprise-mode-gp.md
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/browsers/edge/group-policies/extensions-gp.md b/browsers/edge/group-policies/extensions-gp.md
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/browsers/edge/group-policies/extensions-management-gp.md b/browsers/edge/group-policies/extensions-management-gp.md
new file mode 100644
index 0000000000..0d236f343b
--- /dev/null
+++ b/browsers/edge/group-policies/extensions-management-gp.md
@@ -0,0 +1,27 @@
+---
+title: Microsoft Edge - Extensions management
+description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result.
+services:
+keywords: Don’t add or edit keywords without consulting your SEO champ.
+author: shortpatti
+ms.author: pashort
+ms.date: 07/25/2018
+ms.topic: article
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+---
+
+# Extensions management
+>*Supported versions: Microsoft Edge on Windows 10*
+
+I need a description here, maybe with scenarios
+
+## Allow Extensions
+[!INCLUDE [allow-extensions-include](../includes/allow-extensions-include.md)]
+
+## Allow sideloading of extensions
+[!INCLUDE [allow-sideloading-extensions-include](../includes/allow-sideloading-extensions-include.md)]
+
+## Prevent turning off required extensions
+[!INCLUDE [prevent-turning-off-required-extensions-include](../includes/prevent-turning-off-required-extensions-include.md)]
diff --git a/browsers/edge/group-policies/favorites-bar-gp.md b/browsers/edge/group-policies/favorites-bar-gp.md
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/browsers/edge/group-policies/favorites-management-gp.md b/browsers/edge/group-policies/favorites-management-gp.md
new file mode 100644
index 0000000000..8f9645dee1
--- /dev/null
+++ b/browsers/edge/group-policies/favorites-management-gp.md
@@ -0,0 +1,31 @@
+---
+title: Microsoft Edge - Favorites management
+description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result.
+services:
+keywords: Don’t add or edit keywords without consulting your SEO champ.
+author: shortpatti
+ms.author: pashort
+ms.date: 07/25/2018
+ms.topic: article
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+---
+
+# Favorites management
+>*Supported versions: Microsoft Edge on Windows 10*
+
+I need a description here, maybe with scenarios
+
+
+## Configure Favorites Bar
+[!INCLUDE [configure-favorites-bar-include](../includes/configure-favorites-bar-include.md)]
+
+## Keep favorites in sync between Internet Explorer and Microsoft Edge
+[!INCLUDE [keep-fav-sync-ie-edge-include](../includes/keep-fav-sync-ie-edge-include.md)]
+
+## Prevent changes to Favorites on Microsoft Edge
+[!INCLUDE [prevent-changes-to-favorites-include](../includes/prevent-changes-to-favorites-include.md)]
+
+## Provision Favorites
+[!INCLUDE [provision-favorites-shortdesc](../shortdesc/provision-favorites-shortdesc.md)]
\ No newline at end of file
diff --git a/browsers/edge/group-policies/home-button-gp.md b/browsers/edge/group-policies/home-button-gp.md
index 86776faa7a..442126a454 100644
--- a/browsers/edge/group-policies/home-button-gp.md
+++ b/browsers/edge/group-policies/home-button-gp.md
@@ -4,9 +4,14 @@ description: Microsoft Edge shows the home button and by clicking it the Start p ms.author: pashort author: shortpatti ms.date: 07/23/2018 +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library --- # Home button configuration options +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + Microsoft Edge shows the home button and by clicking it the Start page loads by default. You can configure the Home button to load the New tab page or a URL defined in the Set Home button URL policy. You can also configure Microsoft Edge to hide the home button. ## Policies diff --git a/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md b/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md new file mode 100644 index 0000000000..760bd9aeee --- /dev/null +++ b/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md 
@@ -0,0 +1,41 @@
+---
+title: Microsoft Edge - Interoperability and enterprise guidance
+description:
+ms.author: pashort
+author: shortpatti
+ms.date: 07/23/2018
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+---
+
+# Interoperability and enterprise guidance
+>*Supported versions: Microsoft Edge on Windows 10*
+
+If you have specific websites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to open using IE11 automatically.
+
+Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11.
+
+
+**Policies**
+
+1. [Configure the Enterprise Mode Site List](#configure-the-enterprise-mode-site-list)
+2. [Send all intranet sites to Internet Explorer 11](#send-all-intranet-sites-to-internet-explorer-11)
+3. [Show message when opening sites in Internet Explorer](#show-message-when-opening-sites-in-internet-explorer)
+4. [(IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge](#ie11-policy-send-all-sites-not-included-in-the-enterprise-mode-site-list-to-microsoft-edge)
+
+
+![Use Enterprise Mode with Microsoft Edge to improve compatibility](../images/use-enterprise-mode-with-microsoft-edge-sm.png)
+
+
+## Configure the Enterprise Mode Site List
+[!INCLUDE [configure-enterprise-mode-site-list-include](../includes/configure-enterprise-mode-site-list-include.md)]
+
+## Send all intranet sites to Internet Explorer 11
+[!INCLUDE [send-all-intranet-sites-ie-include](../includes/send-all-intranet-sites-ie-include.md)]
+
+## Show message when opening sites in Internet Explorer
+[!INCLUDE [show-message-opening-sites-ie-include](../includes/show-message-opening-sites-ie-include.md)]
+
+## (IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge
+[!INCLUDE [ie11-send-all-sites-not-in-site-list-include](../includes/ie11-send-all-sites-not-in-site-list-include.md)]
\ No newline at end of file
diff --git a/browsers/edge/group-policies/kiosk-mode-gp.md b/browsers/edge/group-policies/kiosk-mode-gp.md
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/browsers/edge/group-policies/new-tab-page-gp.md b/browsers/edge/group-policies/new-tab-page-settings-gp.md
similarity index 67%
rename from browsers/edge/group-policies/new-tab-page-gp.md
rename to browsers/edge/group-policies/new-tab-page-settings-gp.md
index 9f5dcc2823..c9058539c8 100644
--- a/browsers/edge/group-policies/new-tab-page-gp.md
+++ b/browsers/edge/group-policies/new-tab-page-settings-gp.md
@@ -1,17 +1,21 @@ --- -title: New tab page +title: Microsoft Edge - New tab page description: Microsoft Edge loads the default New tab page by default. You can configure Microsoft Edge to load a New tab page URL and prevent users from changing it. ms.author: pashort author: shortpatti -ms.date: 07/20/2018 +ms.date: 07/25/2018 +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library --- - - - # New tab page +>*Supported versions: Microsoft Edge on Windows 10* + Microsoft Edge loads the default New tab page by default. You can configure Microsoft Edge to load a New tab page URL and prevent users from changing it. When you enable this policy, and you disable the Allow web content on New tab page policy, Microsoft Edge ignores any URL specified in this policy and opens about:blank. -Policy: Set New Tab page URL \ No newline at end of file + +## Set New Tab page URL +[!INCLUDE [set-new-tab-url-include](../includes/set-new-tab-url-include.md)] \ No newline at end of file diff --git a/browsers/edge/group-policies/open-sites-in-ie11-gp.md b/browsers/edge/group-policies/open-sites-in-ie11-gp.md deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/browsers/edge/group-policies/prelaunch-preload-gp.md b/browsers/edge/group-policies/prelaunch-preload-gp.md index 1443c06e6a..7cb69d09f4 100644 --- a/browsers/edge/group-policies/prelaunch-preload-gp.md +++ b/browsers/edge/group-policies/prelaunch-preload-gp.md 
@@ -3,10 +3,12 @@ title: Microsoft Edge - Prelaunch and tab preload configuration options description: Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start up Microsoft Edge. ms.author: pashort author: shortpatti -ms.date: 07/23/2018 +ms.date: 07/25/2018 --- # Prelaunch Microsoft Edge and preload tabs in the background +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start up Microsoft Edge. You can also configure Microsoft Edge to prevent Microsoft Edge from pre-launching. @@ -14,9 +16,11 @@ Additionally, Microsoft Edge preloads the Start and New tab pages during Windows ## Policies + +- [Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed](../new-policies.md#allow-microsoft-edge-to-pre-launch-at-windows-startup-when-the-system-is-idle-and-each-time-microsoft-edge-is-closed) + - [Allow Microsoft Edge to start and load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed](../new-policies.md#allow-microsoft-edge-to-start-and-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed) -- [Allow Prelaunch ](../new-policies.md#allow-prelaunch) ## Configuration options diff --git a/browsers/edge/group-policies/printing-gp.md b/browsers/edge/group-policies/printing-gp.md deleted file mode 100644 index e69de29bb2..0000000000 
diff --git a/browsers/edge/group-policies/search-engine-customization-gp.md b/browsers/edge/group-policies/search-engine-customization-gp.md
index d4343d0362..cc58a01261 100644
--- a/browsers/edge/group-policies/search-engine-customization-gp.md
+++ b/browsers/edge/group-policies/search-engine-customization-gp.md
@@ -3,26 +3,29 @@ title: Microsoft Edge - Search engine customization description: By default, Microsoft Edge uses the default search engine specified in App settings, which lets users make changes to it. You can configure Microsoft Edge to use the policy-set search engine specified in the OpenSearch XML file. ms.author: pashort author: shortpatti -ms.date: 07/23/2018 +ms.date: 07/25/2018 --- # Search engine customization By default, Microsoft Edge uses the default search engine specified in App settings, which lets users make changes to it. You can configure Microsoft Edge to use the policy-set search engine specified in the OpenSearch XML file. You can also prevent users from making changes to the search engine settings. +**Policies** -## Policies +- [Set default search engine](#set-default-search-engine) +- [Allow search engine customization](#allow-search-engine-customization) +- [Configure additional search engines](#configure-additional-search-engines) -- [Set default search engine](../available-policies.md#set-default-search-engine) - -- [Allow web content on New Tab page](../available-policies.md#allow-web-content-on-new-tab-page) - -- [Configure additional search engines](../available-policies.md#configure-additional-search-engines) - - -## Configuration options ![Set default search engine configurations](../images/set-default-search-engine-v4-sm.png) +## Set default search engine +[!INCLUDE [set-default-search-engine-include](../includes/set-default-search-engine-include.md)] + +## Allow search engine customization +[!INCLUDE [allow-search-engine-customization-include](../includes/allow-search-engine-customization-include.md)] + +## Configure additional search engines +[!INCLUDE [configure-additional-search-engines-include](../includes/configure-additional-search-engines-include.md)] 
diff --git a/browsers/edge/group-policies/security-privacy-management-gp.md b/browsers/edge/group-policies/security-privacy-management-gp.md
new file mode 100644
index 0000000000..6b576d712b
--- /dev/null
+++ b/browsers/edge/group-policies/security-privacy-management-gp.md
@@ -0,0 +1,48 @@
+---
+title: Microsoft Edge - Security and privacy management
+description: Microsoft Edge helps to defend from increasingly sophisticated and prevalent web-based attacks against Windows. While most websites are safe, some sites have been designed to steal personal information or gain access to your system’s resources.
+ms.author: pashort
+author: shortpatti
+ms.date: 07/25/2018
+---
+
+# Security and privacy management
+>*Supported versions: Microsoft Edge on Windows 10*
+
+Microsoft Edge helps to defend from increasingly sophisticated and prevalent web-based attacks against Windows. While most websites are safe, some sites are malicious in nature, like stealing personal information or gain access to your system’s resources. By no longer supporting VBScript, JScript, VML, Browser Helper Objects, Toolbars, ActiveX controls, and Internet Explorer document modes, Microsoft Edge significantly reduces attacks making the browser more secure.
+
+
+| | |
+|---|---|
+| **Windows Hello** | Authenticates the user and the website with asymmetric cryptography. |
+| **Microsoft SmartScreen** | Defends against phishing by performing reputation checks on sites visited and blocking any site that is thought to be a phishing site. SmartScreen also helps to defend against installing malicious software or file downloads, even from trusted sites. |
+| **Certificate Reputation system** | Collects data about certificates in use, detecting new certificates and flagging fraudulent certificates automatically. |
+| **Microsoft EdgeHTML** | Defends against hacking through the following security standards features: |
+| **Code integrity and image loading restrictions** | Prevents malicious DLLs from loading or injecting into the content processes. Only signed images are allowed to load in Microsoft Edge. Binaries on remote devices (such as UNC or WebDAV) can't load. |
+| **Memory corruption mitigations** | Defends against memory corruption weaknesses and vulnerabilities with the use of [CWE-416: Use After Free](http://cwe.mitre.org/data/definitions/416.html) (UAF). |
+| **Memory Garbage Collector (MemGC) mitigation** | Replaces Memory Protector and helps to defend the browser from UAF vulnerabilities by freeing memory from the programmer and automating it, only freeing memory when the automation detects that there are no more references left pointing to a given block of memory. |
+| **Control Flow Guard** | Compiles checks around code that performs indirect jumps based on a pointer, restricting those jumps to only going to function entry points with known addresses. Control Flow Guard is a Microsoft Visual Studio technology. |
+
+
+## Configure cookies
+[!INCLUDE [configure-cookies-include](../includes/configure-cookies-include.md)]
+
+## Configure Password Manager
+[!INCLUDE [configure-password-manager-include](../includes/configure-password-manager-include.md)]
+
+## Configure Windows Defender SmartScreen
+[!INCLUDE [configure-windows-defender-smartscreen-include](../includes/configure-windows-defender-smartscreen-include.md)]
+
+## Prevent bypassing Windows Defender SmartScreen prompts for files
+[!INCLUDE [prevent-bypassing-win-defender-files-include](../includes/prevent-bypassing-win-defender-files-include.md)]
+
+## Prevent bypassing Windows Defender SmartScreen prompts for sites
+[!INCLUDE [prevent-bypassing-win-defender-sites-include](../includes/prevent-bypassing-win-defender-sites-include.md)]
+
+## Prevent certificate error overrides
+[!INCLUDE [prevent-certificate-error-overrides-include](../includes/prevent-certificate-error-overrides-include.md)]
+
+## Prevent using Localhost IP address for WebRTC
+[!INCLUDE [prevent-localhost-address-for-webrtc-include](../includes/prevent-localhost-address-for-webrtc-include.md)]
+
+
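Review bot: The "Memory corruption mitigations" row says Edge defends against memory corruption "with the use of" CWE-416, but CWE-416 (use after free) is the weakness class being mitigated, not a mechanism, so the cell reads as though the browser relies on the bug. I would word it as `| **Memory corruption mitigations** | Defends against memory corruption weaknesses and vulnerabilities such as [CWE-416: Use After Free](http://cwe.mitre.org/data/definitions/416.html) (UAF). |`. The MemGC row has a related problem: "by freeing memory from the programmer and automating it" is garbled and should say that responsibility for freeing memory is taken away from the programmer and automated. The "Microsoft EdgeHTML" row ends with "the following security standards features:" but the cell lists none, so an admin reading the table cannot tell which protections are meant. The intro sentence "some sites are malicious in nature, like stealing personal information or gain access" should also match the front-matter description ("designed to steal personal information or gain access").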
diff --git a/browsers/edge/group-policies/start-pages-gp.md b/browsers/edge/group-policies/start-pages-gp.md
index 8243c6af91..2dd04e1e28 100644
--- a/browsers/edge/group-policies/start-pages-gp.md
+++ b/browsers/edge/group-policies/start-pages-gp.md
@@ -1,29 +1,42 @@ --- -title: Start pages +title: Microsoft Edge - Start pages description: Configure Microsoft Edge to load either the Start page, New tab page, previously opened pages, or a specific page or pages. ms.author: pashort author: shortpatti -ms.date: 07/23/2018 +ms.date: 07/25/2018 +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library --- # Start pages +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* + Microsoft Edge loads the pages specified in App settings as the default Start pages. You can configure Microsoft Edge to load either the Start page, New tab page, previously opened pages, or a specific page or pages. You can also configure Microsoft Edge to prevent users from making changes. +**Policies** -## Policies +- [Configure Open Microsoft Edge With](#configure-open-microsoft-edge-with) +- [Configure Start Pages](#configure-start-pages) +- [Disable Lockdown of Start pages](#disable-lockdown-of-start-pages) -- [Configure Open Microsoft Edge With](../new-policies.md#configure-open-microsoft-edge-with) - -- [Configure Start Pages](../available-policies.md#configure-start-pages) - -- [Disable Lockdown of Start Pages](../available-policies.md#configure-windows-defender-smartscreen) - -## Configuration options ![Load URLs defined in Configure Start Pages](../images/load-urls-defined-in-configure-open-edge-with-main-sm.png) +## Configure Open Microsoft Edge With +[!INCLUDE [configure-open-edge-with-include](../includes/configure-open-edge-with-include.md)] + +## Configure Start Pages +[!INCLUDE [configure-start-pages-include](../includes/configure-start-pages-include.md)] + +## Disable Lockdown of Start pages +[!INCLUDE [disable-lockdown-of-start-pages-include](../includes/disable-lockdown-of-start-pages-include.md)] + + +## Configuration options + | **Configure Open Microsoft Edge With** | **Configure Start Pages** | **Disabled Lockdown of Start Pages** | **Outcome** | | --- | --- | --- | --- | | Enabled (applies 
to all options) | Enabled – String | Enabled (all configured start pages are editable) | Load URLs defined in the Configure Open Microsoft Edge With policy, and allow users to make changes. | diff --git a/browsers/edge/group-policies/sync-browser-settings-gp.md b/browsers/edge/group-policies/sync-browser-settings-gp.md index 77c702759c..9a056e4c25 100644 --- a/browsers/edge/group-policies/sync-browser-settings-gp.md +++ b/browsers/edge/group-policies/sync-browser-settings-gp.md @@ -1,12 +1,13 @@ --- -title: Microsoft Edge - Sync browser settings +title: Microsoft Edge - Sync browser settings options description: By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. ms.author: pashort author: shortpatti ms.date: 07/23/2018 --- -# Sync browser settings +# Sync browser settings options +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. The “browser” group uses the Sync your Settings option in Settings to sync information like history and favorites. You can configure Microsoft Edge to prevent the “browser” group from syncing and prevent users from turning on the Sync your Settings toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. diff --git a/browsers/edge/group-policies/bowsing-history-gp.md b/browsers/edge/group-policies/telemetry-management-gp.md similarity index 100% rename from browsers/edge/group-policies/bowsing-history-gp.md rename to browsers/edge/group-policies/telemetry-management-gp.md 
diff --git a/browsers/edge/images/prelaunch-edge-and-preload-tabs-sm.png b/browsers/edge/images/prelaunch-edge-and-preload-tabs-sm.png
index d64a086446..51dfd7258a 100644
Binary files a/browsers/edge/images/prelaunch-edge-and-preload-tabs-sm.png and b/browsers/edge/images/prelaunch-edge-and-preload-tabs-sm.png differ
diff --git a/browsers/edge/images/prelaunch-edge-and-preload-tabs.png b/browsers/edge/images/prelaunch-edge-and-preload-tabs.png
index a92724f9b0..b786cfb3bb 100644
Binary files a/browsers/edge/images/prelaunch-edge-and-preload-tabs.png and b/browsers/edge/images/prelaunch-edge-and-preload-tabs.png differ
diff --git a/browsers/edge/images/prelaunch-edge-only-sm.png b/browsers/edge/images/prelaunch-edge-only-sm.png
index bb85307b41..875f1a8ce6 100644
Binary files a/browsers/edge/images/prelaunch-edge-only-sm.png and b/browsers/edge/images/prelaunch-edge-only-sm.png differ
diff --git a/browsers/edge/images/prelaunch-edge-only.png b/browsers/edge/images/prelaunch-edge-only.png
index 920c05cd50..89e1152ec6 100644
Binary files a/browsers/edge/images/prelaunch-edge-only.png and b/browsers/edge/images/prelaunch-edge-only.png differ
diff --git a/browsers/edge/images/preload-tabs-only-sm.png b/browsers/edge/images/preload-tabs-only-sm.png
index 61d4f40388..5ee58403f1 100644
Binary files a/browsers/edge/images/preload-tabs-only-sm.png and b/browsers/edge/images/preload-tabs-only-sm.png differ
diff --git a/browsers/edge/images/preload-tabs-only.png b/browsers/edge/images/preload-tabs-only.png
index 6fe90b363d..da42bc5a0f 100644
Binary files a/browsers/edge/images/preload-tabs-only.png and b/browsers/edge/images/preload-tabs-only.png differ
diff --git a/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md b/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md
index 722b2ce5e8..96da415a28 100644
--- a/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md
+++ b/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md
@@ -21,7 +21,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[Browser/EnableExtendedBooksTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) +- **MDM name:** [Browser/EnableExtendedBooksTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) - **Supported devices:** Desktop and Mobile - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/EnableExtendedBooksTelemetry - **Data type:** Integer diff --git a/browsers/edge/includes/allow-full-screen-include.md b/browsers/edge/includes/allow-full-screen-include.md index 1d4d274689..b7fc715298 100644 --- a/browsers/edge/includes/allow-full-screen-include.md +++ b/browsers/edge/includes/allow-full-screen-include.md @@ -1,5 +1,6 @@ - + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
>*Default setting: Enabled or not configured (Allowed)* diff --git a/browsers/edge/includes/allow-prelaunch-include.md b/browsers/edge/includes/allow-prelaunch-include.md index 840600bc3c..4721684c1f 100644 --- a/browsers/edge/includes/allow-prelaunch-include.md +++ b/browsers/edge/includes/allow-prelaunch-include.md @@ -1,6 +1,7 @@ - + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
>*Default setting: Enabled or not configured (Allowed)* [!INCLUDE [allow-prelaunch-shortdesc](../shortdesc/allow-prelaunch-shortdesc.md)] @@ -20,7 +21,7 @@ For more details about configuring the prelaunch and preload options, see [Prela ### ADMX info and settings #### ADMX info -- **GP English name:** Allow Prelaunch +- **GP English name:** Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed - **GP name:** AllowPreLaunch - **GP path:** Windows Components/Microsoft Edge - **GP ADMX file name:** MicrosoftEdge.admx diff --git a/browsers/edge/includes/allow-printing-include.md b/browsers/edge/includes/allow-printing-include.md index 9d4a72c6eb..e6bea96847 100644 --- a/browsers/edge/includes/allow-printing-include.md +++ b/browsers/edge/includes/allow-printing-include.md @@ -1,5 +1,5 @@ - + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
>*Default setting: Enabled or not configured (Allowed)* [!INCLUDE [allow-printing-shortdesc](../shortdesc/allow-printing-shortdesc.md)] diff --git a/browsers/edge/includes/allow-saving-history-include.md b/browsers/edge/includes/allow-saving-history-include.md index 568901972a..f9d38d178e 100644 --- a/browsers/edge/includes/allow-saving-history-include.md +++ b/browsers/edge/includes/allow-saving-history-include.md @@ -1,5 +1,6 @@ - + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
>*Default setting: Enabled or not configured (Allowed)* [!INCLUDE [allow-saving-history-shortdesc](../shortdesc/allow-saving-history-shortdesc.md)] diff --git a/browsers/edge/includes/allow-sideloading-extensions-include.md b/browsers/edge/includes/allow-sideloading-extensions-include.md index 5967adff78..0ad2b3c542 100644 --- a/browsers/edge/includes/allow-sideloading-extensions-include.md +++ b/browsers/edge/includes/allow-sideloading-extensions-include.md @@ -1,5 +1,5 @@ - + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
>*Default setting: Enabled (Allowed)* [!INCLUDE [allow-sideloading-of-extensions-shortdesc](../shortdesc/allow-sideloading-of-extensions-shortdesc.md)] diff --git a/browsers/edge/includes/allow-tab-preloading-include.md b/browsers/edge/includes/allow-tab-preloading-include.md index 2e733ae025..b80f9ce8b6 100644 --- a/browsers/edge/includes/allow-tab-preloading-include.md +++ b/browsers/edge/includes/allow-tab-preloading-include.md @@ -1,5 +1,5 @@ - + +>*Supported versions: Microsoft Edge on Windows 10, version 1802*
>*Default setting: Enabled or not configured (Allowed)* [!INCLUDE [allow-tab-preloading-shortdesc](../shortdesc/allow-tab-preloading-shortdesc.md)] diff --git a/browsers/edge/includes/allow-web-content-new-tab-page-include.md b/browsers/edge/includes/allow-web-content-new-tab-page-include.md index 97541bcdbc..ac8e6d2951 100644 --- a/browsers/edge/includes/allow-web-content-new-tab-page-include.md +++ b/browsers/edge/includes/allow-web-content-new-tab-page-include.md @@ -1,5 +1,5 @@ - + +>*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Enabled (Default New tab page loads)* diff --git a/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md b/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md index c83e7a6175..669ba4bf75 100644 --- a/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md +++ b/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md @@ -1,5 +1,5 @@ - + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
>*Default setting: Disabled or not configured (No data collected or sent)* [!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](../shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)] diff --git a/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md b/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md index 6bd419669a..44539d481e 100644 --- a/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md +++ b/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md @@ -1,5 +1,6 @@ - + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
>*Default setting: 5 minutes* [!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] diff --git a/browsers/edge/includes/configure-enterprise-mode-site-list-include.md b/browsers/edge/includes/configure-enterprise-mode-site-list-include.md index 70c658640e..9d99e69788 100644 --- a/browsers/edge/includes/configure-enterprise-mode-site-list-include.md +++ b/browsers/edge/includes/configure-enterprise-mode-site-list-include.md @@ -35,8 +35,7 @@ ### Related Policies -[Show message opening sites in IE](../available-policies.md#show-message-when-opening-sites-in-internet-explorer): -[!INCLUDE +[Show message opening sites in IE](../available-policies.md#show-message-when-opening-sites-in-internet-explorer): [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] ### Related topics diff --git a/browsers/edge/includes/configure-favorites-bar-include.md b/browsers/edge/includes/configure-favorites-bar-include.md index 5084758101..1b797ebb79 100644 --- a/browsers/edge/includes/configure-favorites-bar-include.md +++ b/browsers/edge/includes/configure-favorites-bar-include.md @@ -1,5 +1,5 @@ - + +>*Supported versions: Microsoft Edge on Windows 10, new major release*
>*Default setting: Not configured (Hidden)* diff --git a/browsers/edge/includes/configure-home-button-include.md b/browsers/edge/includes/configure-home-button-include.md index 5bc9e5ed5f..c6362b39dc 100644 --- a/browsers/edge/includes/configure-home-button-include.md +++ b/browsers/edge/includes/configure-home-button-include.md @@ -1,5 +1,5 @@ - + +>*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Disabled or not configured (Show home button and load the Start page)* diff --git a/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md b/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md index 1b14f42d96..034fd5b55e 100644 --- a/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md +++ b/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md @@ -1,6 +1,6 @@ - + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
>*Default setting: Not configured* [!INCLUDE [configure-kiosk-mode-shortdesc](../shortdesc/configure-kiosk-mode-shortdesc.md)] diff --git a/browsers/edge/includes/configure-open-edge-with-include.md b/browsers/edge/includes/configure-open-edge-with-include.md index cb87605e7b..95da8a5fbd 100644 --- a/browsers/edge/includes/configure-open-edge-with-include.md +++ b/browsers/edge/includes/configure-open-edge-with-include.md @@ -1,6 +1,6 @@ - ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
--> +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
>*Default setting: Enabled (A specific page or pages)* [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] diff --git a/browsers/edge/includes/configure-start-pages-include.md b/browsers/edge/includes/configure-start-pages-include.md index 063493610f..9a3c3c9861 100644 --- a/browsers/edge/includes/configure-start-pages-include.md +++ b/browsers/edge/includes/configure-start-pages-include.md @@ -40,7 +40,7 @@ For more details about configuring the Start pages, see [Start pages](../group-p - [Disable Lockdown of Start Pages](#disable-lockdown-of-start-pages-include): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)] -- [Configure Start Pages](#configure-start-pages-include): [!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)] +- [Configure Open Microsoft Edge With](../new-policies.md#configure-open-microsoft-edge-with): [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] diff --git a/browsers/edge/includes/do-not-sync-browser-settings-include.md b/browsers/edge/includes/do-not-sync-browser-settings-include.md index 416002380a..87c355b74f 100644 --- a/browsers/edge/includes/do-not-sync-browser-settings-include.md +++ b/browsers/edge/includes/do-not-sync-browser-settings-include.md @@ -1,5 +1,5 @@ - + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
>*Default setting: Disabled or not configured (Allowed/turned on)* [!INCLUDE [do-not-sync-browser-settings-shortdesc](../shortdesc/do-not-sync-browser-settings-shortdesc.md)] @@ -14,7 +14,7 @@ ### Configuration options -For more details about configuring the browser syncing options, see [Sync browser settings](../group-policies/sync-browser-settings-gp.md). +For more details about configuring the browser syncing options, see [Sync browser settings options](../group-policies/sync-browser-settings-gp.md). diff --git a/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md b/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md new file mode 100644 index 0000000000..ed4e9b1019 --- /dev/null +++ b/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md @@ -0,0 +1,7 @@ +>*Supported versions: Internet Explorer 11 on Windows 10, version 1607 or later*
+>*Default setting: Disabled or not configured* + +By default, all sites open the currently active browser. With this policy, you can automatically open all sites not included in the Enterprise Mode Site List in Microsoft Edge. When you enable this policy, you must also turn on the Internet Explorer\Use the Enterprise Mode IE website list policy and include at least one site in the Enterprise Mode Site List. + +>[!NOTE] +>If you’ve also enabled the Microsoft Edge [Send all intranet sites to Internet Explorer 11](../available-policies.md#send-all-intranet-sites-to-internet-explorer-11) policy, all intranet sites continue to open in Internet Explorer 11. diff --git a/browsers/edge/includes/prevent-certificate-error-overrides-include.md b/browsers/edge/includes/prevent-certificate-error-overrides-include.md index ecafd230d4..052ef6499e 100644 --- a/browsers/edge/includes/prevent-certificate-error-overrides-include.md +++ b/browsers/edge/includes/prevent-certificate-error-overrides-include.md @@ -1,5 +1,6 @@ - + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
>*Default setting: Disabled or not configured (Allowed/turned off)* [!INCLUDE [prevent-certificate-error-overrides-shortdesc](../shortdesc/prevent-certificate-error-overrides-shortdesc.md)] diff --git a/browsers/edge/includes/prevent-turning-off-required-extensions-include.md b/browsers/edge/includes/prevent-turning-off-required-extensions-include.md index 14bb5698dd..dad8213fef 100644 --- a/browsers/edge/includes/prevent-turning-off-required-extensions-include.md +++ b/browsers/edge/includes/prevent-turning-off-required-extensions-include.md @@ -1,5 +1,6 @@ - + + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
>*Default setting: Disabled or not configured (Allowed)* [!INCLUDE [prevent-turning-off-required-extensions-shortdesc](../shortdesc/prevent-turning-off-required-extensions-shortdesc.md)] diff --git a/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md b/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md index 56aba7900a..7da4682d47 100644 --- a/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md +++ b/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md @@ -1,6 +1,5 @@ - - + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
>*Default setting: Enabled or not configured (Prevented/turned off)* [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] @@ -14,7 +13,7 @@ ### Configuration options -For more details about configuring the browser syncing options, see [Sync browser settings](../group-policies/sync-browser-settings-gp.md). +For more details about configuring the browser syncing options, see [Sync browser settings options](../group-policies/sync-browser-settings-gp.md). ### ADMX info and settings diff --git a/browsers/edge/includes/set-home-button-url-include.md b/browsers/edge/includes/set-home-button-url-include.md index f48928783f..26f674b19d 100644 --- a/browsers/edge/includes/set-home-button-url-include.md +++ b/browsers/edge/includes/set-home-button-url-include.md @@ -1,5 +1,5 @@ - + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
>*Default setting: Disabled or not configured (Blank)* [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] diff --git a/browsers/edge/includes/set-new-tab-url-include.md b/browsers/edge/includes/set-new-tab-url-include.md index 1a87c558b7..ffd31bd264 100644 --- a/browsers/edge/includes/set-new-tab-url-include.md +++ b/browsers/edge/includes/set-new-tab-url-include.md @@ -1,5 +1,5 @@ - + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
>*Default setting: Disabled or not configured (Blank)* [!INCLUDE [set-new-tab-url-shortdesc](../shortdesc/set-new-tab-url-shortdesc.md)] diff --git a/browsers/edge/includes/show-message-opening-sites-ie-include.md b/browsers/edge/includes/show-message-opening-sites-ie-include.md index 31ab3deef6..d6cdf4b94a 100644 --- a/browsers/edge/includes/show-message-opening-sites-ie-include.md +++ b/browsers/edge/includes/show-message-opening-sites-ie-include.md @@ -1,5 +1,6 @@ - + + +>*Supported versions: Microsoft Edge on Windows 10, version 1607 and later*
>*Default setting: Disabled or not configured (No additional message)* diff --git a/browsers/edge/includes/unlock-home-button-include.md b/browsers/edge/includes/unlock-home-button-include.md index 45da5927a2..91a7a446e4 100644 --- a/browsers/edge/includes/unlock-home-button-include.md +++ b/browsers/edge/includes/unlock-home-button-include.md @@ -1,5 +1,5 @@ - + +>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
>*Default setting: Disabled or not configured (Home button is locked)* [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] diff --git a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md index dc1470d929..a3679f369c 100644 --- a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md +++ b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md @@ -7,13 +7,13 @@ ms.prod: edge ms.sitesec: library title: Deploy Microsoft Edge kiosk mode ms.localizationpriority: high -ms.date: 07/23/2018 +ms.date: 07/25/2018 --- # Deploy Microsoft Edge kiosk mode (Preview) >Applies to: Microsoft Edge on Windows 10
->Preview build 17713+ +>Preview build 17723 Microsoft Edge kiosk mode works with assigned access to let IT administrators create a tailored browsing experience designed for kiosk devices. To use Microsoft Edge kiosk mode, you must configure Microsoft Edge as an application in assigned access. Learn more about [Configuring kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc). 
@@ -45,7 +45,7 @@ When you set up Microsoft Edge kiosk mode in multi-app assigned access, Microsof The multi-app Microsoft Edge kiosk mode types include: -3. **Public browsing** supports browsing the internet and runs InPrivate with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate windows. On a multi-app kiosk device, Microsoft Edge can interact with other applications. For example, if Internet Explorer 11 is set up in multi-app assigned access. You can enable Enterprise Mode to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support. Examples of public browsing include an information kiosk device at a public library or hotel concierge desk that provides access to Microsoft Edge and other app(s). +3. **Public browsing** supports browsing the internet and runs InPrivate with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate windows. On a multi-app kiosk device, Microsoft Edge can interact with other applications. For example, if Internet Explorer 11 is set up in multi-app assigned access. You can enable Enterprise Mode to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support. A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other app(s). ![Public browsing Microsoft Edge kiosk mode on a multi-app kiosk device](images/Multi-app_kiosk_inFrame.png) 
@@ -56,7 +56,7 @@ The multi-app Microsoft Edge kiosk mode types include: ## Let’s get started! Before you can configure Microsoft Edge kiosk mode, you must set up Microsoft Edge in assigned access. You can set up Microsoft Edge kiosk mode in assigned access using: -- **Windows Settings.** (Build 17723) Best for physically setting up a single device as a kiosk. With this method, you set up assigned access and configure the kiosk or digital sign device using Settings. You can configure Microsoft Edge in single-app (kiosk type – Full-screen or public browsing) and define a single URL for the Home button, Start page, and New tab page. You can also set the reset after an idle timeout. +- **Windows Settings.** Best for physically setting up a single device as a kiosk. With this method, you set up assigned access and configure the kiosk or digital sign device using Settings. You can configure Microsoft Edge in single-app (kiosk type – Full-screen or public browsing) and define a single URL for the Home button, Start page, and New tab page. You can also set the reset after an idle timeout. - **Microsoft Intune or other MDM service.** Best for setting up multiple devices as a kiosk. With this method, you configure Microsoft Edge in assigned access and configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access. @@ -78,8 +78,6 @@ Before you can configure Microsoft Edge kiosk mode, you must set up Microsoft Ed ### Use Windows Settings ->Preview build 17723 - Windows Settings is the simplest and easiest way to set up one or a couple of devices because you must perform these steps on each device. This method is ideal for small businesses. 
@@ -116,7 +114,7 @@ Windows Settings is the simplest and easiest way to set up one or a couple of de 13. Close **Settings** to save your choices automatically and apply them the next time the user account logs on. -14. Configure the policies for Microsoft Edge kiosk mode. For details on the valid kiosk policy settings, see [Related policies](#related-policies). +14. Configure the policies for Microsoft Edge kiosk mode. For details on the valid kiosk policy settings, see [Relevant policies](#relevant-policies). 15. Validate the Microsoft Edge kiosk mode by restarting the device and signing in with the local kiosk account. 
@@ -210,7 +208,7 @@ Use any of the Microsoft Edge policies listed below to enhance the kiosk experie | [AllowMicrosoftCompatibilityList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | | [AllowPasswordManager](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | | [AllowPopups](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpopups) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowPrelaunch](new-policies.md#allow-prelaunch)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowPrelaunch](new-policies.md#allow-microsoft-edge-to-pre-launch-at-windows-startup-when-the-system-is-idle-and-each-time-microsoft-edge-is-closed)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | | [AllowPrinting](new-policies.md#allow-printing)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | | [AllowSavingHistory](new-policies.md#allow-saving-history)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | | 
[AllowSearchEngineCustomization](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | 
@@ -230,7 +228,7 @@ Use any of the Microsoft Edge policies listed below to enhance the kiosk experie | [ConfigureOpenMicrosoftEdgeWith](new-policies.md#configure-open-microsoft-edge-with)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | | [ConfigureTelemetryForMicrosoft365Analytics](new-policies.md#configure-collection-of-browsing-data-for-microsoft-365-analytics)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | | [DisableLockdownOfStartPages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-disablelockdownofstartpages) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [DoNotSyncBrowserSetting](available-policies.md#do-not-sync-browser-settings)\* and [PreventUsersFromTurningOnBrowserSyncing](new-policies.md#prevent-users-from-turning-on-browser-syncing)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [Experience/DoNotSyncBrowserSetting](available-policies.md#do-not-sync-browser-settings)\* and [Experience/PreventUsersFromTurningOnBrowserSyncing](new-policies.md#prevent-users-from-turning-on-browser-syncing)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | | [EnableExtendedBooksTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | | 
[EnterpriseModeSiteList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | | [FirstRunURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-firstrunurl) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | @@ -257,7 +255,7 @@ Use any of the Microsoft Edge policies listed below to enhance the kiosk experie *\* New policy coming in the next release of Windows 10.*

*1) For multi-app assigned access, you must configure Internet Explorer 11.*
-*2) For digital/interactive signage to enable Flash, set [AllowFlashClickToRun](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) to 0.* +*2) For digital/interactive signage to enable Flash, set [AllowFlashClickToRun].(https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) to 0.* **Legend:**

       ![Not supported](images/148766.png) = Not applicable or not supported
@@ -287,23 +285,11 @@ Use any of the Microsoft Edge policies listed below to enhance the kiosk experie --- -## Known issues with RS_PRERELEASE build 17723 +## Known issues with prerelease build 17723 -- When you set up Microsoft Edge kiosk mode on a single-app kiosk device you must set the “ConfigureKioskMode” policy because the default behavior is not honored. - - **Expected behavior** – Microsoft Edge kiosk mode launches in full-screen mode. - - **Actual behavior** – Normal Microsoft Edge launches. - -- When you enable or set the “ConfigureFavoritesBar” policy to 1, the favorites bar does not show in Microsoft Edge kiosk mode. - - **Expected behavior** – Microsoft Edge kiosk mode shows the favorites bar. - - **Actual behavior** – The favorites bar is hidden. - -- Extensions should not be available in Public browsing multi-app kiosk. - - **Expected behavior** – Extensions are disabled in _Settings and more_ menu. - - **Actual behavior** – Extensions are accessible in _Settings and more_ menu. - -- Books should not be available in Public browsing multi-app kiosk. - - **Expected behavior** – Books are disabled in _Settings and more_ menu. - - **Actual behavior** – Books are accessible in _Settings and more_ menu. +When you set up Microsoft Edge kiosk mode on a single-app kiosk device you must set the “ConfigureKioskMode” policy because the default behavior is not honored. +- **Expected behavior** – Microsoft Edge kiosk mode launches in full-screen mode. +- **Actual behavior** – Normal Microsoft Edge launches. --- diff --git a/browsers/edge/new-policies.md b/browsers/edge/new-policies.md index 79ef29fafe..ac0e768adf 100644 --- a/browsers/edge/new-policies.md +++ b/browsers/edge/new-policies.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library title: New Microsoft Edge Group Policies and MDM settings ms.localizationpriority: -ms.date: 07/23/2018 +ms.date: 07/25/2018 --- # New Microsoft Edge Group Policies and MDM settings (Preview) 
@@ -32,8 +32,8 @@ We are discontinuing the use of the **Configure Favorites** group policy. Use th | **Group Policy** | **New/update?** | **MDM Setting** | **New/update?** | | --- | --- | --- | --- | | [Allow fullscreen mode](#allow-fullscreen-mode) | New | [AllowFullscreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowfullscreenmode) | New | +| [Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed](#allow-prelaunch) | New | [AllowPrelaunch](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch) | New | | [Allow Microsoft Edge to start and load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed](#allow-microsoft-edge-to-start-and-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed) | New | [AllowTabPreloading](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading) | New | -| [Allow Prelaunch](#allow-prelaunch) | New | [AllowPrelaunch](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch) | New | | [Allow printing](#allow-printing) | New | [AllowPrinting](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowprinting) | New | | [Allow Saving History](#allow-saving-history) | New | [AllowSavingHistory](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory) | New | | [Allow sideloading of Extensions](#allow-sideloading-of-extensions) | New | [AllowSideloadingExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions) | New | 
@@ -60,12 +60,12 @@ We are discontinuing the use of the **Configure Favorites** group policy. Use th ## Allow fullscreen mode [!INCLUDE [allow-full-screen-include](includes/allow-full-screen-include.md)] +## Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed +[!INCLUDE [allow-prelaunch-include](includes/allow-prelaunch-include.md)] + ## Allow Microsoft Edge to start and load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed [!INCLUDE [allow-tab-preloading-include](includes/allow-tab-preloading-include.md)] -## Allow Prelaunch -[!INCLUDE [allow-prelaunch-include](includes/allow-prelaunch-include.md)] - ## Allow printing [!INCLUDE [allow-printing-include.md](includes/allow-printing-include.md)] diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md index e3c64ee2bb..cd31220caa 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md @@ -17,7 +17,7 @@ You can use the Group Policy setting, **Set a default associations configuration **To set the default browser as Internet Explorer 11** -1. Open your Group Policy editor and go to the **Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.

+1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.

Turning this setting on also requires you to create and store a default associations configuration file, locally or on a network share. For more information about creating this file, see [Export or Import Default Application Associations]( https://go.microsoft.com/fwlink/p/?LinkId=618268). ![set default associations group policy setting](images/setdefaultbrowsergp.png) diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index 49d9417151..e1fa685f30 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md @@ -1,5 +1,6 @@ # [Microsoft HoloLens](index.md) ## [What's new in Microsoft HoloLens](hololens-whats-new.md) +## [Insider preview for Microsoft HoloLens](hololens-insider.md) ## [HoloLens in the enterprise: requirements and FAQ](hololens-requirements.md) ## [Set up HoloLens](hololens-setup.md) ## [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md index 68f9c695ce..95f7f92bed 100644 --- a/devices/hololens/change-history-hololens.md +++ b/devices/hololens/change-history-hololens.md @@ -9,13 +9,19 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 06/04/2018 +ms.date: 07/27/2018 --- # Change history for Microsoft HoloLens documentation This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md). +## July 2018 + +New or changed topic | Description +--- | --- +[Insider preview for Microsoft HoloLens](hololens-insider.md) | New + ## June 2018 New or changed topic | Description diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md new file mode 100644 index 0000000000..05e12d5cce --- /dev/null +++ b/devices/hololens/hololens-insider.md 
@@ -0,0 +1,176 @@
+---
+title: Insider preview for Microsoft HoloLens (HoloLens)
+description: It’s simple to get started with Insider builds and to provide valuable feedback for our next major operating system update for HoloLens.
+ms.prod: hololens
+ms.sitesec: library
+author: jdeckerms
+ms.author: jdecker
+ms.topic: article
+ms.localizationpriority: medium
+ms.date: 07/27/2018
+---
+
+# Insider preview for Microsoft HoloLens
+
+Welcome to the latest Insider Preview builds for HoloLens! It’s simple to get started and provide valuable feedback for our next major operating system update for HoloLens.
+
+>Latest insider version: 10.0.17720.1000
+
+
+## How do I install the Insider builds?
+
+On a device running the Windows 10 April 2018 Update, go to **Settings -> Update & Security -> Windows Insider Program** and select **Get started**. Link the account you used to register as a Windows Insider.
+
+Then, select **Active development of Windows**, choose whether you’d like to receive **Fast** or **Slow** builds, and review the program terms.
+
+Select **Confirm -> Restart Now** to finish up. After your device has rebooted, go to **Settings -> Update & Security -> Check for updates** to get the latest build.
+
+## New features for HoloLens
+
+The latest Insider Preview (RS5) has arrived for all HoloLens customers! This latest flight is packed with improvements that have been introduced since the [last major release of HoloLens software in May 2018](https://docs.microsoft.com/windows/mixed-reality/release-notes).
+
+### For everyone
+
+
+Feature | Details | Instructions
+--- | --- | ---
+Stop video capture from the Start or quick actions menu | If you start video capture from the Start menu or quick actions menu, you’ll be able to stop recording from the same place. (Don’t forget, you can always do this with voice commands too.) | To start recording, select **Start > Video**. To stop recording, select **Start > Stop video**.
+Project to a Miracast-enabled device | Project your HoloLens content to a nearby Surface device or TV/Monitor if using Microsoft Display adapter | On **Start**, select **Connect**. Select the device you want to project to.
+New notifications | View and respond to notification toasts on HoloLens, just like you do on a PC. | You’ll now see notifications from apps that provide them. Gaze to respond to or dismiss them (or if you’re in an immersive experience, use the bloom gesture).
+HoloLens overlays (file picker, keyboard, dialogs, etc.) | You’ll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. | When you’re using an immersive app, input text, select a file from the file picker, or interact with dialogs without leaving the app.
+Visual feedback overlay UI for volume change | When you use the volume up/down buttons on your HoloLens you’ll see a visual display of the volume level. | Adjust the device volume using the volume up/down buttons located on the right arm of the HoloLens. Use the visual display to track the volume level.
+New UI for device boot | A loading indicator was added during the boot process to provide visual feedback that the system is loading. | Reboot your device to see the new loading indicator—it’s between the "Hello" message and the Windows boot logo.
+Share UX: Nearby Sharing | Addition of the Windows Nearby Sharing experience, allowing you to share a capture with a nearby Windows device. | Capture a photo or video on HoloLens (or use the share button from an app such as Microsoft Edge). Select a nearby Windows device to share with.
+Share from Microsoft Edge | Share button is now available on Microsoft Edge windows on HoloLens. | In Microsoft Edge, select **Share**. Use the HoloLens share picker to share web content.
+
+### For developers
+
+- Support for Holographic [Camera Capture UI API](https://docs.microsoft.com/windows/uwp/audio-video-camera/capture-photos-and-video-with-cameracaptureui), which will let developers expose a way for users to seamlessly invoke camera or video capture from within their applications. For example, users can now capture and insert photo or video content directly within apps like Word.
+- Mixed Reality Capture has been improved to exclude hidden mesh from captures, which means videos captures by apps will no longer contain black corners around the content.
+
+### For commercial customers
+
+
+Feature | Details | Instructions
+--- | --- | ---
+Enable post-setup provisioning | Can now apply a runtime provisioning package at any time using **Settings**. | On your PC:

1. Create a provisioning package as described at [Create a provisioning package for HoloLens using the HoloLens wizard](hololens-provisioning.md).
2. Connect the HoloLens device via USB to a PC. HoloLens will show up as a device in File Explorer on the PC.
3. Drag and drop the provisioning package to the Documents folder on the HoloLens.

On your HoloLens:

1. Go to **Settings > Accounts > Access work or school**.
2. In **Related Settings**, select **Add or remove a provisioning package**.
3. On the next page, select **Add a package** to launch the file picker and select your provisioning package.
**Note:** if the folder is empty, make sure you select **This Device** and select **Documents**.
After your package has been applied, it will show in the list of Installed packages. To view package details or to remove the package from the device, select the listed package.
+Assigned access with Azure AD groups | Flexibility to use Azure AD groups for configuration of Windows assigned access to set up single or multi-app kiosk configuration. | Prepare XML file to configure Assigned Access on PC:

1. In a text editor, open [the provided file AssignedAccessHoloLensConfiguration_AzureADGroup.xml](#xml).
2. Change the group ID to one available in your Azure AD tenant. You can find the group ID of an Azure Active Directory Group by either :
- following the steps at [Azure Active Directory version 2 cmdlets for group management](https://docs.microsoft.com/azure/active-directory/active-directory-accessmanagement-groups-settings-v2-cmdlets),
OR
- in the Azure portal, with the steps at [Manage the settings for a group in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-groups-settings-azure-portal).

**Note:** The sample configures the following apps: Skype, Learning, Feedback Hub, Flow, Camera, and Calibration.

Create provisioning package with WCD:

1. On a PC, follow the steps at [Create a provisioning package for HoloLens using the HoloLens wizard](hololens-provisioning.md) to create a provisioning package.
2. Ensure that you include the license file in **Set up device**.
3. Select **Switch to advanced editor** (bottom left), and **Yes** for warning prompt.
4. Expand the runtime settings selection in the **Available customizations** panel and select **AssignedAccess > MultiAppAssignedAccessSettings**.
5. In the middle panel, you should now see the setting displayed with documentation in the panel below. Browse to the XML you modified for Assigned Access.
6. On the **Export** menu, select **Provisioning package**.
**Warning:** If you encrypt the provisioning package, provisioning the HoloLens device will fail.
7. Select **Next** to specify the output location where you want the provisioning package to go once it's built.
8. Select **Next**, and then select **Build** to start building the package.
9. When the build completes, select **Finish**.

Apply the package to HoloLens:

1. Connect HoloLens via USB to a PC and start the device, but do not continue past the **Fit** page of OOBE (the first page with the blue box). HoloLens will show up as a device in File Explorer on the PC.
2. In File Explorer, drag and drop the provisioning package (.ppkg) onto the device storage.
3. Briefly press and release the **Volume Down** and **Power** buttons simultaneously again while on the fit page.
4. The device will ask you if you trust the package and would like to apply it. Confirm that you trust the package.
5. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with OOBE.

Enable assigned access on HoloLens:

1. After applying the provisioning package, during the **Account Setup** flows in OOBE, select **My work or school owns this** to set up your device with an Azure AD account.
**Note:** This account must not be in the group chosen for Assigned Access.
2. Once you reach the Shell, ensure the Skype app is installed either via your MDM environment or from the Store.
3. After the Skype app is installed, sign out.
4. On the sign-in screen, select the **Other User** option and enter an Azure AD account email address that belongs to the group chosen for Assigned Access. Then enter the password to sign in. You should now see this user with only the apps configured in the Assigned Access profile.
+PIN sign-in on profile switch from sign-in screen | PIN sign-in is now available for **Other User**.  | When signing in as **Other User**, the PIN option is now available under **Sign-In options**.
+Sign in with Web Cred Provider using password | You can now select the Globe sign-in option to launch web sign-in with your password. Look for additional web sign-in methods coming in the future. | From the sign-in screen, select **Sign-In options** and select the Globe option to launch web sign-in. Enter your user name if needed, then your password.
**Note:** You can choose to bypass any PIN/Smartcard options when prompted during web sign-in. 
+Read device hardware info through MDM so devices can be tracked by serial # | IT administrators can see and track HoloLens by device serial number in their MDM console. | Refer to your MDM documentation for feature availability, and for how to use your MDM console to view HoloLens device serial number.
+Set HoloLens device name through MDM (rename) |  IT administrators can see and rename HoloLens devices in their MDM console. | Refer to your MDM documentation for feature availability, and for how to use your MDM console to view and set your HoloLens device name (rename).
+
+### For international customers
+
+
+Feature | Details | Instructions
+--- | --- | ---
+Localized Chinese and Japanese builds | Use HoloLens with localized user interface for Simplified Chinese or Japanese, including localized Pinyin keyboard, dictation, and voice commands. | See below.
+
+#### Installing the Chinese or Japanese versions of the Insider builds
+
+In order to switch to the Chinese or Japanese version of HoloLens, you’ll need to download the build for the language on a PC and then install it on your HoloLens using the Windows Device Recovery Tool (WDRT).
+
+>[!IMPORTANT]
+>Installing the Chinese or Japanese builds of HoloLens using WDRT will delete existing data, like personal files and settings, from your HoloLens.
+
+1. On a retail HoloLens device, [opt in to Insider Preview builds](#get-insider) to prepare your device for the RS5 Preview.
+2. On your PC, download and install [the Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379).
+3. Download the package for the language you want to your PC: [Simplified Chinese](https://aka.ms/hololenspreviewdownload-ch) or [Japanese](https://aka.ms/hololenspreviewdownload-jp).
+4. When the download is finished, select **File Explorer > Downloads**. 
Right-click the zipped folder you just downloaded, and select **Extract all... > Extract** to unzip it.
+5. Connect your HoloLens to your PC using the micro-USB cable it came with. (Even if you've been using other cables to connect your HoloLens, this one works best.) 
+6. The tool will automatically detect your HoloLens. Select the Microsoft HoloLens tile.
+7. On the next screen, select **Manual package selection** and choose the installation file contained in the folder you unzipped in step 4. (Look for a file with the extension “.ffu”.)
+8. Select **Install software** and follow the instructions to finish installing.
+9. Once the build is installed, HoloLens setup will start automatically. Put on the device and follow the setup directions.
+
+When you’re done with setup, go to **Settings -> Update & Security -> Windows Insider Program** and check that you’re configured to receive the latest preview builds. The Chinese/Japanese version of HoloLens will be kept up-to-date with the latest preview builds via the Windows Insider Program the same way the English version is.
+
+## Note for language support
+
+- You can’t change the system language between English, Japanese, and Chinese using the Settings app. Flashing a new build is the only supported way to change the device system language.
+- While you can enter Simplified Chinese / Japanese text using the on-screen Pinyin keyboard, typing in Simplified Chinese / Japanese using a Bluetooth hardware keyboard is not supported at this time. However, on Chinese/Japanese HoloLens, you can continue to use a BT keyboard to type in English (the ~ key on a hardware keyboard toggles the keyboard to type in English).
+
+## Note for developers
+
+You are welcome and encouraged to try developing your applications using this build of HoloLens. Check out the [HoloLens Developer Documentation](https://developer.microsoft.com/windows/mixed-reality/development) to get started. 
Those same instructions work with this latest build of HoloLens. You can use the same builds of Unity and Visual Studio that you're already using for HoloLens development. + +## Provide feedback and report issues + +Please use [the Feedback Hub app](https://docs.microsoft.com/windows/mixed-reality/give-us-feedback) on your HoloLens or Windows 10 PC to provide feedback and report issues. Using Feedback Hub ensures that all necessary diagnostics information is included to help our engineers quickly debug and resolve the problem. Issues with the Chinese and Japanese version of HoloLens should be reported the same way. + +>[!NOTE] +>Be sure to accept the prompt that asks whether you’d like Feedback Hub to access your Documents folder (select **Yes** when prompted). + + +## AssignedAccessHoloLensConfiguration_AzureADGroup.xml + +Copy this sample XML to use for the [**Assigned access with Azure AD groups** feature](#for-commercial-customers). + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + + + + + + + + +``` + diff --git a/devices/hololens/index.md b/devices/hololens/index.md index 90e76edb5e..786b38a1e3 100644 --- a/devices/hololens/index.md +++ b/devices/hololens/index.md @@ -7,7 +7,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 05/21/2018 +ms.date: 07/27/2018 --- # Microsoft HoloLens 
@@ -22,6 +22,7 @@ ms.date: 05/21/2018 | Topic | Description | | --- | --- | | [What's new in Microsoft HoloLens](hololens-whats-new.md) | Discover the new features in the latest update. | +[Insider preview for Microsoft HoloLens](hololens-insider.md) | Learn about new HoloLens features available in the latest Insider Preview build. | [HoloLens in the enterprise: requirements](hololens-requirements.md) | Lists requirements for general use, Wi-Fi, and device management | | [Set up HoloLens](hololens-setup.md) | How to set up HoloLens for the first time | | [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) | How to upgrade your Development Edition HoloLens to Windows Holographic for Business | diff --git a/devices/surface/surface-dock-updater.md b/devices/surface/surface-dock-updater.md index 227433e7b2..6141054da4 100644 --- a/devices/surface/surface-dock-updater.md +++ b/devices/surface/surface-dock-updater.md @@ -117,6 +117,12 @@ Microsoft periodically updates Surface Dock Updater. To learn more about the app >[!Note] >Each update to Surface Dock firmware is included in a new version of Surface Dock Updater. To update a Surface Dock to the latest firmware, you must use the latest version of Surface Dock Updater. +### Version 2.22.139.0 +*Release Date: 26 July 2018* + +This version of Surface Dock Updater adds support for the following: +t.b.d. + ### Version 2.12.136.0 *Release Date: 29 January 2018* diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index bdf6a298c9..ff0db1d6b4 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md 
@@ -15,7 +15,7 @@ ms.date: 07/11/2018
 
 # Use the Set up School PCs app
 
-IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows 10 PCs for students. The app configures PCs with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app anrolls each student PC into a mobile device management (MDM) provider, such as Intune for Education. You can then manage all the settings Set up School PCs configures through the MDM.
+IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows 10 PCs for students. The app configures PCs with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app enrolls each student PC into a mobile device management (MDM) provider, such as Intune for Education. You can then manage all the settings Set up School PCs configures through the MDM.
 
 Set up School PCs also:
 * Joins each student PC to your organization's Office 365 and Azure Active Directory tenant.
diff --git a/mdop/mbam-v25/mbam-25-supported-configurations.md b/mdop/mbam-v25/mbam-25-supported-configurations.md
index 195791d851..db4b4232a6 100644
--- a/mdop/mbam-v25/mbam-25-supported-configurations.md
+++ b/mdop/mbam-v25/mbam-25-supported-configurations.md
@@ -284,7 +284,7 @@ MBAM supports the following versions of Configuration Manager. -

Microsoft System Center Configuration Manager (Current Branch), version 1610

+

Microsoft System Center Configuration Manager (Current Branch), versions up to 1806

64-bit

@@ -365,7 +365,7 @@ https://www.microsoft.com/en-us/download/details.aspx?id=54967< **Note** -In order to support SQL 2016 you must install the March 2017 Servicing Release for MDOP https://www.microsoft.com/en-us/download/details.aspx?id=54967 . In general stay current by always using the most recent servicing update as it also includes all bugfixes and new features. +In order to support SQL 2016 you must install the March 2017 Servicing Release for MDOP https://www.microsoft.com/en-us/download/details.aspx?id=54967 and to support SQL 2017 you must install the July 2018 Servicing Release for MDOP https://www.microsoft.com/en-us/download/details.aspx?id=57157. In general stay current by always using the most recent servicing update as it also includes all bugfixes and new features.   ### SQL Server processor, RAM, and disk space requirements – Stand-alone topology diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 441c14e310..cd6b862e43 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 04/24/2018 +ms.date: 07/27/2018 --- # Configuration service provider reference 
@@ -2660,6 +2660,7 @@ The following list shows the configuration service providers supported in Window | [NodeCache CSP](nodecache-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | [PassportForWork CSP](passportforwork-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | | [Policy CSP](policy-configuration-service-provider.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | +| [RemoteFind CSP](remotefind-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)4 | | [RemoteWipe CSP](remotewipe-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)4 | | [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | | [Update CSP](update-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index 89a798ab13..a20317c21f 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/12/2018 +ms.date: 07/26/2018 --- # DeviceStatus CSP 
@@ -178,11 +178,24 @@ Supported operation is Get.
 **DeviceStatus/Antispyware/SignatureStatus**
 Added in Windows, version 1607. Integer that specifies the status of the antispyware signature.
 
+Valid values:
+
+- 0 - The security software reports that it is not the most recent version.
+- 1 - The security software reports that it is the most recent version.
+- 2 - Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.)
+
 Supported operation is Get.
 
 **DeviceStatus/Antispyware/Status**
 Added in Windows, version 1607. Integer that specifies the status of the antispyware.
 
+Valid values:
+
+- 0 - The status of the security provider category is good and does not need user attention.
+- 1 - The status of the security provider category is not monitored by Windows Security Center (WSC).
+- 2 - The status of the security provider category is poor and the computer may be at risk.
+- 3 - The security provider category is in snooze state. Snooze indicates that WSC is not actively protecting the computer.
+
 Supported operation is Get.
 
 **DeviceStatus/Firewall**
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
index b4f3ce2304..e600fe9c9e 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
@@ -7,11 +7,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/01/2018 +ms.date: 07/24/2018 --- # EnterpriseModernAppManagement CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. For details about how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](enterprise-app-management.md). @@ -23,30 +25,30 @@ The following image shows the EnterpriseModernAppManagement configuration servic ![enterprisemodernappmanagement csp diagram](images/provisioning-csp-enterprisemodernappmanagement.png) **Device or User context** -

For user context, use **./User/Vendor/MSFT** path and for device context, use **./Device/Vendor/MSFT** path. +For user context, use **./User/Vendor/MSFT** path and for device context, use **./Device/Vendor/MSFT** path. > [!Note] > Windows Holographic and Windows 10 Mobile only support per-user configuration of the EnterpriseModernAppManagement CSP. **AppManagement** -

Required. Used for inventory and app management (post-install). +Required. Used for inventory and app management (post-install). **AppManagement/UpdateScan** -

Required. Used to start the Windows Update scan. +Required. Used to start the Windows Update scan. -

Supported operation is Execute. +Supported operation is Execute. **AppManagement/LastScanError** -

Required. Reports the last error code returned by the update scan. +Required. Reports the last error code returned by the update scan. -

Supported operation is Get. +Supported operation is Get. **AppManagement/AppInventoryResults** -

Added in Windows 10, version 1511. Required. Returns the results for app inventory that was created after the AppInventoryQuery operation. +Added in Windows 10, version 1511. Required. Returns the results for app inventory that was created after the AppInventoryQuery operation. -

Supported operation is Get. +Supported operation is Get. -

Here's an example of AppInventoryResults operation. +Here's an example of AppInventoryResults operation. ``` syntax @@ -60,9 +62,9 @@ The following image shows the EnterpriseModernAppManagement configuration servic ``` **AppManagement/AppInventoryQuery** -

Added in Windows 10, version 1511. Required. Specifies the query for app inventory. +Added in Windows 10, version 1511. Required. Specifies the query for app inventory. -

Query parameters: +Query parameters: - Output - Specifies the parameters for the information returned in AppInventoryResults operation. Mutiple value must be separate by |. Valid values are: - PackagesName - returns the *PackageFamilyName* and *PackageFullName* of the app. Default if nothing is specified. @@ -92,9 +94,9 @@ The following image shows the EnterpriseModernAppManagement configuration servic If you do not specify this value, then all publishers are returned. -

Supported operation is Get and Replace. +Supported operation is Get and Replace. -

The following example sets the inventory query for the package names and checks the status for reinstallation for all main packages that are nonStore apps. +The following example sets the inventory query for the package names and checks the status for reinstallation for all main packages that are nonStore apps. ``` syntax @@ -109,9 +111,9 @@ The following image shows the EnterpriseModernAppManagement configuration servic ``` **AppManagement/RemovePackage** -

Added in Windows 10, version 1703. Used to remove packages. Not supported for ./User/Vendor/MSFT. +Added in Windows 10, version 1703. Used to remove packages. Not supported for ./User/Vendor/MSFT. -

Parameters: +Parameters:

Recent changes:

diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index ec53302d3c..3dd02f716d 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md @@ -7,11 +7,14 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 06/26/2017 +ms.date: 07/26/2018 --- # PassportForWork CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to login to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards. > [!IMPORTANT] @@ -30,204 +33,243 @@ The following diagram shows the PassportForWork configuration service provider i ![passportforwork diagram](images/provisioning-csp-passportforwork2.png) **PassportForWork** -

Root node for PassportForWork configuration service provider. +Root node for PassportForWork configuration service provider. ***TenantId*** -

A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. +A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. ***TenantId*/Policies** -

Node for defining the Windows Hello for Business policy settings. +Node for defining the Windows Hello for Business policy settings. ***TenantId*/Policies/UsePassportForWork** -

Boolean value that sets Windows Hello for Business as a method for signing into Windows. +Boolean value that sets Windows Hello for Business as a method for signing into Windows. -

Default value is true. If you set this policy to false, the user cannot provision Windows Hello for Business except on Azure Active Directory joined mobile phones where provisioning is required. +Default value is true. If you set this policy to false, the user cannot provision Windows Hello for Business except on Azure Active Directory joined mobile phones where provisioning is required. -

Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/RequireSecurityDevice** -

Boolean value that requires a Trusted Platform Module (TPM) for Windows Hello for Business. TPM provides an additional security benefit over software so that data stored in it cannot be used on other devices. +Boolean value that requires a Trusted Platform Module (TPM) for Windows Hello for Business. TPM provides an additional security benefit over software so that data stored in it cannot be used on other devices. -

Default value is false. If you set this policy to true, only devices with a usable TPM can provision Windows Hello for Business. If you set this policy to false, all devices can provision Windows Hello for Business using software even if there is not a usable TPM. If you do not configure this setting, all devices can provision Windows Hello for Business using software if the TPM is non-functional or unavailable. +Default value is false. If you set this policy to true, only devices with a usable TPM can provision Windows Hello for Business. If you set this policy to false, all devices can provision Windows Hello for Business using software even if there is not a usable TPM. If you do not configure this setting, all devices can provision Windows Hello for Business using software if the TPM is non-functional or unavailable. -

Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/ExcludeSecurityDevices** (only for ./Device/Vendor/MSFT) -

Added in Windows 10, version 1703. Root node for excluded security devices. -

*Not supported on Windows Holographic and Windows Holographic for Business.* +Added in Windows 10, version 1703. Root node for excluded security devices. +*Not supported on Windows Holographic and Windows Holographic for Business.* ***TenantId*/Policies/ExcludeSecurityDevices/TPM12** (only for ./Device/Vendor/MSFT) -

Added in Windows 10, version 1703. Some Trusted Platform Modules (TPMs) are compliant only with the older 1.2 revision of the TPM specification defined by the Trusted Computing Group (TCG). +Added in Windows 10, version 1703. Some Trusted Platform Modules (TPMs) are compliant only with the older 1.2 revision of the TPM specification defined by the Trusted Computing Group (TCG). -

Default value is false. If you enable this policy setting, TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business. +Default value is false. If you enable this policy setting, TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business. -

If you disable or do not configure this policy setting, TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business. +If you disable or do not configure this policy setting, TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business. -

Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/EnablePinRecovery** -

Added in Windows 10, version 1703. Boolean value that enables a user to change their PIN by using the Windows Hello for Business PIN recovery service. +Added in Windows 10, version 1703. Boolean value that enables a user to change their PIN by using the Windows Hello for Business PIN recovery service. This cloud service encrypts a recovery secret, which is stored locally on the client, and can be decrypted only by the cloud service. -

Default value is false. If you enable this policy setting, the PIN recovery secret will be stored on the device and the user can change their PIN if needed. +Default value is false. If you enable this policy setting, the PIN recovery secret will be stored on the device and the user can change their PIN if needed. -

If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to. +If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to. -

Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/UseCertificateForOnPremAuth** (only for ./Device/Vendor/MSFT) -

Boolean value that enables Windows Hello for Business to use certificates to authenticate on-premises resources. +Boolean value that enables Windows Hello for Business to use certificates to authenticate on-premises resources. -

If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN. +If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN. -

If you disable or do not configure this policy setting, the PIN will be provisioned when the user logs in, without waiting for a certificate payload. +If you disable or do not configure this policy setting, the PIN will be provisioned when the user logs in, without waiting for a certificate payload. -

Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/PINComplexity** -

Node for defining PIN settings. +Node for defining PIN settings. ***TenantId*/Policies/PINComplexity/MinimumPINLength** -

Integer value that sets the minimum number of characters required for the PIN. Default value is 4. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest. +Integer value that sets the minimum number of characters required for the PIN. Default value is 4. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest. -

If you configure this policy setting, the PIN length must be greater than or equal to this number. If you disable or do not configure this policy setting, the PIN length must be greater than or equal to 4. +If you configure this policy setting, the PIN length must be greater than or equal to this number. If you disable or do not configure this policy setting, the PIN length must be greater than or equal to 4. > [!NOTE] > If the conditions specified above for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths.   -

Value type is int. Supported operations are Add, Get, Delete, and Replace. +Value type is int. Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/PINComplexity/MaximumPINLength** -

Integer value that sets the maximum number of characters allowed for the PIN. Default value is 127. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater. +Integer value that sets the maximum number of characters allowed for the PIN. Default value is 127. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater. -

If you configure this policy setting, the PIN length must be less than or equal to this number. If you disable or do not configure this policy setting, the PIN length must be less than or equal to 127. +If you configure this policy setting, the PIN length must be less than or equal to this number. If you disable or do not configure this policy setting, the PIN length must be less than or equal to 127. > [!NOTE] > If the conditions specified above for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths.   -

Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/PINComplexity/UppercaseLetters** -

Integer value that configures the use of uppercase letters in the Windows Hello for Business PIN. +Integer value that configures the use of uppercase letters in the Windows Hello for Business PIN. -

Valid values: +Valid values: - 0 - Allows the use of uppercase letters in PIN. - 1 - Requires the use of at least one uppercase letters in PIN. - 2 - Does not allow the use of uppercase letters in PIN. -

Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. +Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. -

Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/PINComplexity/LowercaseLetters** -

Integer value that configures the use of lowercase letters in the Windows Hello for Business PIN. +Integer value that configures the use of lowercase letters in the Windows Hello for Business PIN. -

Valid values: +Valid values: - 0 - Allows the use of lowercase letters in PIN. - 1 - Requires the use of at least one lowercase letters in PIN. - 2 - Does not allow the use of lowercase letters in PIN. -

Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. +Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. -

Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/PINComplexity/SpecialCharacters** -

Integer value that configures the use of special characters in the Windows Hello for Business PIN. Valid special characters for Windows Hello for Business PIN gestures include: ! " \# $ % & ' ( ) \* + , - . / : ; < = > ? @ \[ \\ \] ^ \_ \` { | } ~ . +Integer value that configures the use of special characters in the Windows Hello for Business PIN. Valid special characters for Windows Hello for Business PIN gestures include: ! " \# $ % & ' ( ) \* + , - . / : ; < = > ? @ \[ \\ \] ^ \_ \` { | } ~ . -

Valid values: +Valid values: - 0 - Allows the use of special characters in PIN. - 1 - Requires the use of at least one special character in PIN. - 2 - Does not allow the use of special characters in PIN. -

Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. +Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. -

Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/PINComplexity/Digits** -

Integer value that configures the use of digits in the Windows Hello for Business PIN. +Integer value that configures the use of digits in the Windows Hello for Business PIN. -

Valid values: +Valid values: - 0 - Allows the use of digits in PIN. - 1 - Requires the use of at least one digit in PIN. - 2 - Does not allow the use of digits in PIN. -

Default value is 1. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. +Default value is 1. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. -

Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/PINComplexity/History** -

Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required. This node was added in Windows 10, version 1511. +Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required. This node was added in Windows 10, version 1511. -

The current PIN of the user is included in the set of PINs associated with the user account. PIN history is not preserved through a PIN reset. +The current PIN of the user is included in the set of PINs associated with the user account. PIN history is not preserved through a PIN reset. -

Default value is 0. +Default value is 0. -

Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/PINComplexity/Expiration** -

Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user’s PIN will never expire. This node was added in Windows 10, version 1511. +Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user’s PIN will never expire. This node was added in Windows 10, version 1511. -

Default is 0. +Default is 0. -

Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. ***TenantId*/Policies/Remote** (only for ./Device/Vendor/MSFT) -

Interior node for defining remote Windows Hello for Business policies. This node was added in Windows 10, version 1511. -

*Not supported on Windows Holographic and Windows Holographic for Business.* +Interior node for defining remote Windows Hello for Business policies. This node was added in Windows 10, version 1511. +*Not supported on Windows Holographic and Windows Holographic for Business.* ***TenantId*/Policies/Remote/UseRemotePassport** (only for ./Device/Vendor/MSFT) -

Boolean value used to enable or disable the use of remote Windows Hello for Business. Remote Windows Hello for Business provides the ability for a portable, registered device to be usable as a companion device for desktop authentication. Remote Windows Hello for Business requires that the desktop be Azure AD joined and that the companion device has a Windows Hello for Business PIN. This node was added in Windows 10, version 1511. +Boolean value used to enable or disable the use of remote Windows Hello for Business. Remote Windows Hello for Business provides the ability for a portable, registered device to be usable as a companion device for desktop authentication. Remote Windows Hello for Business requires that the desktop be Azure AD joined and that the companion device has a Windows Hello for Business PIN. This node was added in Windows 10, version 1511. -

Default value is false. If you set this policy to true, Remote Windows Hello for Business will be enabled and a portable, registered device can be used as a companion device for desktop authentication. If you set this policy to false, Remote Windows Hello for Business will be disabled. +Default value is false. If you set this policy to true, Remote Windows Hello for Business will be enabled and a portable, registered device can be used as a companion device for desktop authentication. If you set this policy to false, Remote Windows Hello for Business will be disabled. +Supported operations are Add, Get, Delete, and Replace. +*Not supported on Windows Holographic and Windows Holographic for Business.* -

Supported operations are Add, Get, Delete, and Replace. +***TenantId*/Policies/UseHelloCertificatesAsSmartCardCertificates** (only for ./Device/Vendor/MSFT) +Added in Windows 10, next major version. If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates. -

*Not supported on Windows Holographic and Windows Holographic for Business.* +If you disable or do not configure this policy setting, applications do not use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key. + +Windows requires a user to lock and unlock their session after changing this setting if the user is currently signed in. + +Value type is bool. Supported operations are Add, Get, Replace, and Delete. **UseBiometrics** -

This node is deprecated. Use **Biometrics/UseBiometrics** node instead. +This node is deprecated. Use **Biometrics/UseBiometrics** node instead. **Biometrics** (only for ./Device/Vendor/MSFT) -

Node for defining biometric settings. This node was added in Windows 10, version 1511. -

*Not supported on Windows Holographic and Windows Holographic for Business.* +Node for defining biometric settings. This node was added in Windows 10, version 1511. +*Not supported on Windows Holographic and Windows Holographic for Business.* **Biometrics/UseBiometrics** (only for ./Device/Vendor/MSFT) -

Boolean value used to enable or disable the use of biometric gestures, such as face and fingerprint, as an alternative to the PIN gesture for Windows Hello for Business. Users must still configure a PIN if they configure biometric gestures to use in case of failures. This node was added in Windows 10, version 1511. +Boolean value used to enable or disable the use of biometric gestures, such as face and fingerprint, as an alternative to the PIN gesture for Windows Hello for Business. Users must still configure a PIN if they configure biometric gestures to use in case of failures. This node was added in Windows 10, version 1511. -

Default value is false. If you set this policy to true, biometric gestures are enabled for use with Windows Hello for Business. If you set this policy to false, biometric gestures are disabled for use with Windows Hello for Business. +Default value is false. If you set this policy to true, biometric gestures are enabled for use with Windows Hello for Business. If you set this policy to false, biometric gestures are disabled for use with Windows Hello for Business. -

Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -

*Not supported on Windows Holographic and Windows Holographic for Business.* +*Not supported on Windows Holographic and Windows Holographic for Business.* **Biometrics/FacialFeaturesUseEnhancedAntiSpoofing** (only for ./Device/Vendor/MSFT) -

Boolean value used to enable or disable enhanced anti-spoofing for facial feature recognition on Windows Hello face authentication. This node was added in Windows 10, version 1511. +Boolean value used to enable or disable enhanced anti-spoofing for facial feature recognition on Windows Hello face authentication. This node was added in Windows 10, version 1511. -

Default value is false. If you set this policy to false or don't configure this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication. +Default value is false. If you set this policy to false or don't configure this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication. -

If you set this policy to true, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. Windows Hello face authentication is disabled on devices that do not support enhanced anti-spoofing. +If you set this policy to true, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. Windows Hello face authentication is disabled on devices that do not support enhanced anti-spoofing. -

Note that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices. +Note that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices. -

Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -

*Not supported on Windows Holographic and Windows Holographic for Business.* +*Not supported on Windows Holographic and Windows Holographic for Business.* + +**DeviceUnlock** (only for ./Device/Vendor/MSFT) +Added in Windows 10, version 1803. Interior node. + +**DeviceUnlock/GroupA** (only for ./Device/Vendor/MSFT) +Added in Windows 10, version 1803. Contains a list of credential providers by GUID (comma separated) that are the first step of authentication. + +Value type is string. Supported operations are Add, Get, Replace, and Delete. + +**DeviceUnlock/GroupB** (only for ./Device/Vendor/MSFT) +Added in Windows 10, version 1803. Contains a list of credential providers by GUID (comma separated) that are the second step of authentication. + +Value type is string. Supported operations are Add, Get, Replace, and Delete. + +**DeviceUnlock/Plugins** (only for ./Device/Vendor/MSFT) +Added in Windows 10, version 1803. List of plugins (comma separated) that the passive provider monitors to detect user presence. + +Value type is string. Supported operations are Add, Get, Replace, and Delete. + +**DynamicLock** (only for ./Device/Vendor/MSFT) +Added in Windows 10, version 1803. Interior node. + + +**DynamicLock/DynamicLock** (only for ./Device/Vendor/MSFT) +Added in Windows 10, version 1803. Enables the dynamic lock. + +Value type is bool. Supported operations are Add, Get, Replace, and Delete. + +**DynamicLock/Plugins** (only for ./Device/Vendor/MSFT) +Added in Windows 10, version 1803. List of plugins (comma separated) that the passive provider monitors to detect user absence. + +Value type is string. Supported operations are Add, Get, Replace, and Delete. ## Examples -

Here's an example for setting Windows Hello for Business and setting the PIN policies. It also turns on the use of biometrics and TPM. +Here's an example for setting Windows Hello for Business and setting the PIN policies. It also turns on the use of biometrics and TPM. ``` syntax diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md index 63c6b7819f..06eabcf651 100644 --- a/windows/client-management/mdm/passportforwork-ddf.md +++ b/windows/client-management/mdm/passportforwork-ddf.md @@ -7,16 +7,19 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 12/05/2017 +ms.date: 07/26/2017 --- # PassportForWork DDF +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + This topic shows the OMA DM device description framework (DDF) for the **PassportForWork** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the current version for this CSP. +The XML below is for Windows 10, next major version. ``` syntax @@ -42,7 +45,7 @@ The XML below is the current version for this CSP. - com.microsoft/1.3/MDM/PassportForWork + com.microsoft/1.5/MDM/PassportForWork 
@@ -565,58 +568,58 @@ If you disable or do not configure this policy setting, the TPM is still preferr - ExcludeSecurityDevices + ExcludeSecurityDevices + + + + + + + Root node for excluded security devices. + + + + + + + + + + ExcludeSecurityDevices + + + + + + TPM12 - - - - - - Root node for excluded security devices. - - - - - - - - - - ExcludeSecurityDevices - - - - - - TPM12 - - - - - - - - False - Some Trusted Platform Modules (TPMs) are only compliant with the older 1.2 revision of the TPM specification defined by the Trusted Computing Group (TCG). + + + + + + + False + Some Trusted Platform Modules (TPMs) are only compliant with the older 1.2 revision of the TPM specification defined by the Trusted Computing Group (TCG). If you enable this policy setting, TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business. If you disable or do not configure this policy setting, TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business. - - - - - - - - - - - text/plain - - - - + + + + + + + + + + + text/plain + + + + EnablePinRecovery @@ -657,7 +660,7 @@ If you disable or do not configure this policy setting, the PIN recovery secret False - Windows Hello for Business can use certificates to authenticate to on-premises resources. + Windows Hello for Business can use certificates to authenticate to on-premise resources. If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN. 
@@ -985,6 +988,35 @@ Default value is false. If you enable this setting, a desktop device will allow + + UseHelloCertificatesAsSmartCardCertificates + + + + + + + + False + If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates. + +If you disable or do not configure this policy setting, applications do not use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key. + +Windows requires a user to lock and unlock their session after changing this setting if the user is currently signed in. + + + + + + + + + + + text/plain + + + 
@@ -1083,9 +1115,9 @@ NOTE: Disabling this policy prevents the use of biometric gestures on the device False This setting determines whether enhanced anti-spoofing is required for Windows Hello face authentication. -If you enable or don't configure this setting, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. This disables Windows Hello face authentication on devices that do not support enhanced anti-spoofing. +If you enable this setting, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. This disables Windows Hello face authentication on devices that do not support enhanced anti-spoofing. -If you disable this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication. +If you disable or do not configure this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication. Note that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices. 
@@ -1100,19 +1132,176 @@ Note that enhanced anti-spoofing for Windows Hello face authentication is not re text/plain + + + + + + + + + DeviceUnlock + + + + + Device Unlock + + + + + + + + + + + + + + + GroupA + + + + + + + + Contains a list of providers by GUID that are to be considered for the first step of authentication + + + + + + + + + + + text/plain + + + + + GroupB + + + + + + + + Contains a list of providers by GUID that are to be considered for the second step of authentication + + + + + + + + + + + text/plain + + + + + Plugins + + + + + + + + List of plugins that the passive provider monitors to detect user presence + + + + + + + + + + + text/plain + + + + + + DynamicLock + + + + + Dynamic Lock + + + + + + + + + + + + + + + DynamicLock + + + + + + + + False + Enables/Disables Dyanamic Lock + + + + + + + + + + + text/plain + + + + + Plugins + + + + + + + + List of plugins that the passive provider monitors to detect user absence + + + + + + + + + + + text/plain + -``` - -  - -  - - - - - - +``` \ No newline at end of file diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 6ff4d2dc96..2a6faa8bbb 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -979,6 +979,9 @@ The following diagram shows the Policy configuration service provider in tree fo ### DeviceGuard policies

+
+ DeviceGuard/EnableSystemGuard +
DeviceGuard/EnableVirtualizationBasedSecurity
@@ -1246,6 +1249,12 @@ The following diagram shows the Policy configuration service provider in tree fo
Experience/DoNotShowFeedbackNotifications
+
+ Experience/DoNotSyncBrowserSetting +
+
+ Experience/PreventUsersFromTurningOnBrowserSyncing +
### ExploitGuard policies @@ -4278,6 +4287,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) - [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) - [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders) +- [DeviceGuard/EnableSystemGuard](./policy-csp-deviceguard.md#deviceguard-enablesystemguard) - [DeviceGuard/EnableVirtualizationBasedSecurity](./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity) - [DeviceGuard/LsaCfgFlags](./policy-csp-deviceguard.md#deviceguard-lsacfgflags) - [DeviceGuard/RequirePlatformSecurityFeatures](./policy-csp-deviceguard.md#deviceguard-requireplatformsecurityfeatures) 
@@ -4319,6 +4329,8 @@ The following diagram shows the Policy configuration service provider in tree fo - [Experience/AllowWindowsTips](./policy-csp-experience.md#experience-allowwindowstips) - [Experience/ConfigureWindowsSpotlightOnLockScreen](./policy-csp-experience.md#experience-configurewindowsspotlightonlockscreen) - [Experience/DoNotShowFeedbackNotifications](./policy-csp-experience.md#experience-donotshowfeedbacknotifications) +- [Experience/DoNotSyncBrowserSetting](./policy-csp-experience.md#experience-donotsyncbrowsersetting) +- [Experience/PreventUsersFromTurningOnBrowserSyncing](./policy-csp-experience.md#experience-preventusersfromturningonbrowsersyncing) - [ExploitGuard/ExploitProtectionSettings](./policy-csp-exploitguard.md#exploitguard-exploitprotectionsettings) - [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer) - [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption) diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index 64e6764b0a..7b0ad06974 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 07/30/2018 --- # Policy CSP - Accounts @@ -248,9 +248,4 @@ Footnote: - -## Accounts policies supported by Windows Holographic for Business - -- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection) - diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 39cb905194..cca62e37b2 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md 
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 07/11/2018
+ms.date: 07/30/2018
 ---
 # Policy CSP - ApplicationManagement
@@ -1050,17 +1050,3 @@ Footnote:
-
-## ApplicationManagement policies supported by Windows Holographic for Business
-
-- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps)
-- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate)
-- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
-
-
-
-## ApplicationManagement policies supported by IoT Core
-
-- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
-
-
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md
index 1b134ed0ff..a09d57f3d5 100644
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 05/14/2018
+ms.date: 07/30/2018
 ---
 # Policy CSP - Authentication
@@ -312,16 +312,3 @@ Footnote:
 - 4 - Added in Windows 10, version 1803.
-
-
-## Authentication policies supported by Windows Holographic for Business
-
-- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
-
-
-
-## Authentication policies supported by IoT Core
-
-- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
-
-
diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md
index 1fb3b009d6..c46c7c823a 100644
--- a/windows/client-management/mdm/policy-csp-bluetooth.md
+++ b/windows/client-management/mdm/policy-csp-bluetooth.md
@@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 07/30/2018 --- # Policy CSP - Bluetooth @@ -439,30 +439,4 @@ Footnote: * The Surface pen uses the HID over GATT profile {00001105-0000-1000-8000-00805F9B34FB};{00000008-0000-1000-8000-00805F9B34FB};{0000111E-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB} - -## Bluetooth policies supported by Windows Holographic for Business - -- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) -- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) -- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) - - - -## Bluetooth policies supported by IoT Core - -- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) -- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) -- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) -- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist) - - - -## Bluetooth policies supported by Microsoft Surface Hub - -- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) -- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) -- [Bluetooth/AllowPrepairing](#bluetooth-allowprepairing) -- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) -- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist) - diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index e9d7a78158..94bc0bf1bb 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.technology: windows author: shortpatti ms.author: pashort -ms.date: 07/18/2018 +ms.date: 07/30/2018 --- # Policy CSP - Browser 
@@ -1214,7 +1214,7 @@ To verify AllowPopups is set to 0 (not allowed):
 ADMX Info:
-- GP English name: *Allow Prelaunch*
+- GP English name: *Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed*
 - GP name: *AllowPrelaunch*
 - GP path: *Windows Components/Microsoft Edge*
 - GP ADMX file name: *MicrosoftEdge.admx*
@@ -3974,57 +3974,3 @@ Footnote: - -## Browser policies that can be set using Exchange Active Sync (EAS) - -- [Browser/AllowBrowser](#browser-allowbrowser) - - - -## Browser policies supported by Windows Holographic for Business - -- [Browser/AllowCookies](#browser-allowcookies) -- [Browser/AllowDoNotTrack](#browser-allowdonottrack) -- [Browser/AllowPasswordManager](#browser-allowpasswordmanager) -- [Browser/AllowPopups](#browser-allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) -- [Browser/AllowSmartScreen](#browser-allowsmartscreen) - - - -## Browser policies supported by IoT Core - -- [Browser/AllowAutofill](#browser-allowautofill) -- [Browser/AllowBrowser](#browser-allowbrowser) -- [Browser/AllowCookies](#browser-allowcookies) -- [Browser/AllowDoNotTrack](#browser-allowdonottrack) -- [Browser/AllowInPrivate](#browser-allowinprivate) -- [Browser/AllowPasswordManager](#browser-allowpasswordmanager) -- [Browser/AllowPopups](#browser-allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) -- [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist) -- [Browser/EnterpriseSiteListServiceUrl](#browser-enterprisesitelistserviceurl) -- [Browser/SendIntranetTraffictoInternetExplorer](#browser-sendintranettraffictointernetexplorer) - - - -## Browser policies supported by Microsoft Surface Hub - -- [Browser/AllowAddressBarDropdown](#browser-allowaddressbardropdown) -- [Browser/AllowCookies](#browser-allowcookies) -- [Browser/AllowDeveloperTools](#browser-allowdevelopertools) -- [Browser/AllowDoNotTrack](#browser-allowdonottrack) -- [Browser/AllowMicrosoftCompatibilityList](#browser-allowmicrosoftcompatibilitylist) -- [Browser/AllowPopups](#browser-allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) -- [Browser/AllowSmartScreen](#browser-allowsmartscreen) -- 
[Browser/ClearBrowsingDataOnExit](#browser-clearbrowsingdataonexit) -- [Browser/ConfigureAdditionalSearchEngines](#browser-configureadditionalsearchengines) -- [Browser/DisableLockdownOfStartPages](#browser-disablelockdownofstartpages) -- [Browser/HomePages](#browser-homepages) -- [Browser/PreventLiveTileDataCollection](#browser-preventlivetiledatacollection) -- [Browser/PreventSmartScreenPromptOverride](#browser-preventsmartscreenpromptoverride) -- [Browser/PreventSmartScreenPromptOverrideForFiles](#browser-preventsmartscreenpromptoverrideforfiles) -- [Browser/SetDefaultSearchEngine](#browser-setdefaultsearchengine) - - diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index 26bd1f5d3e..cd6e49f41a 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 07/30/2018 --- # Policy CSP - Connectivity 
@@ -972,40 +972,5 @@ Footnote: - -## Connectivity policies that can be set using Exchange Active Sync (EAS) -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) -- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) - - - -## Connectivity policies supported by Windows Holographic for Business - -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) - - - -## Connectivity policies supported by IoT Core - -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) -- [Connectivity/AllowNFC](#connectivity-allownfc) -- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) -- [Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular) -- [Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular) -- [Connectivity/DiablePrintingOverHTTP](#connectivity-diableprintingoverhttp) -- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](#connectivity-disabledownloadingofprintdriversoverhttp) -- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards) -- [Connectivity/HardenedUNCPaths](#connectivity-hardeneduncpaths) -- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](#connectivity-prohibitinstallationandconfigurationofnetworkbridge) - - - -## Connectivity policies supported by Microsoft Surface Hub - -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -- [Connectivity/AllowConnectedDevices](#connectivity-allowconnecteddevices) - diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index 345a36f617..cacbb2acc6 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md 
+++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -6,11 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/12/2018 +ms.date: 07/30/2018 --- # Policy CSP - DeviceGuard +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
@@ -19,6 +21,9 @@ ms.date: 03/12/2018 ## DeviceGuard policies
+
+ DeviceGuard/EnableSystemGuard +
DeviceGuard/EnableVirtualizationBasedSecurity
@@ -31,6 +36,75 @@ ms.date: 03/12/2018
+
+ + +**DeviceGuard/EnableSystemGuard** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcheck mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy allows the IT admin to configure the launch of System Guard. + +Secure Launch configuration: + +- 0 - Unmanaged, configurable by Administrative user +- 1 - Enables Secure Launch if supported by hardware +- 2 - Disables Secure Launch. + +For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://cloudblogs.microsoft.com/microsoftsecure/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/) and [How hardware-based containers help protect Windows 10](https://docs.microsoft.com/en-us/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows). + + + +ADMX Info: +- GP English name: *Turn On Virtualization Based Security* +- GP name: *VirtualizationBasedSecurity* +- GP element: *SystemGuardDrop* +- GP path: *System/Device Guard* +- GP ADMX file name: *DeviceGuard.admx* + + + + + + + + + + + + +
@@ -215,6 +289,7 @@ Footnote:
 - 2 - Added in Windows 10, version 1703.
 - 3 - Added in Windows 10, version 1709.
 - 4 - Added in Windows 10, version 1803.
+- 5 - Added in the next major release of Windows 10.
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index 46a6862046..05c055a478 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 05/14/2018
+ms.date: 07/30/2018
 ---
 # Policy CSP - DeviceLock
@@ -1217,32 +1217,3 @@ Footnote: - -## DeviceLock policies that can be set using Exchange Active Sync (EAS) - -- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword) -- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired) -- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) -- [DeviceLock/DevicePasswordExpiration](#devicelock-devicepasswordexpiration) -- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory) -- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts) -- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock) -- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters) -- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength) -- [DeviceLock/PreventLockScreenSlideShow](#devicelock-preventlockscreenslideshow) - - - -## DeviceLock policies supported by Windows Holographic for Business - -- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword) -- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword) -- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired) -- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) -- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory) -- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts) -- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock) -- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters) -- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength) - - diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index f2dec99193..55a43ec5ac 100644 
--- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/13/2018 +ms.date: 07/30/2018 --- # Policy CSP - Experience @@ -90,6 +90,12 @@ ms.date: 07/13/2018
Experience/DoNotShowFeedbackNotifications
+
+ Experience/DoNotSyncBrowserSetting +
+
+ Experience/PreventUsersFromTurningOnBrowserSyncing +
@@ -1392,6 +1398,159 @@ The following list shows the supported values:
+ +**Experience/DoNotSyncBrowserSetting** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcheck mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +By default, the "browser" group syncs automatically between user’s devices and allowing users to choose to make changes. The "browser" group uses the **Sync your Settings** option in Settings to sync information like history and favorites. Enabling this policy prevents the "browser" group from using the **Sync your Settings** option. If you want syncing turned off by default but not disabled, select the Allow users to turn "browser" syncing option. + +Related policy: PreventUsersFromTurningOnBrowserSyncing. + +Value type is integer. Supported values: + +- 0 (default) - Allowed/turned on. The "browser" group syncs automatically between user’s devices and lets users to make changes. +- 2 - Prevented/turned off. The "browser" group does not use the **Sync your Settings** option. + + + +ADMX Info: +- GP English name: *Do not sync browser settings* +- GP name: *DisableWebBrowserSettingSync* +- GP path: *Windows Components/Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + + + + + + + + + + + +
+ + +**Experience/PreventUsersFromTurningOnBrowserSyncing** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcheck mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +By default, the "browser" group syncs automatically between the user’s devices, letting users make changes. With this policy, though, you can prevent the "browser" group from syncing and prevent users from turning on the Sync your Settings toggle in Settings. If you want syncing turned off by default but not disabled, select the Allow users to turn "browser" syncing option in the Do not sync browser policy. For this policy to work correctly, you must enable the Do not sync browser policy. + +Related policy: DoNotSyncBrowserSetting + +Value type is integer. Supported values: + +- 0 - Allowed/turned on. Users can sync the browser settings. +- 1 (default) - Prevented/turned off. + +This policy only works with the Experience/DoNotSyncBrowserSetting policy, and for this policy to work correctly, you must set Experience/DoNotSynBrowserSettings to 2 (enabled). By default, when you set this policy and the Experience/DoNotSyncBrowserSetting policy to 0 (disabled or not configured), the browser settings sync automatically. However, with this policy, you can prevent the syncing of browser settings and prevent users from turning on the Sync your Settings option. Additionally, you can prevent syncing the browser settings but give users a choice to turn on syncing. + +If you want to prevent syncing of browser settings and prevent users from turning it on: +1. Set Experience/DoNotSyncBrowserSetting to 2 (enabled). +1. Set this policy (Experience/PreventUsersFromTurningOnBrowserSyncing) to 1 (enabled or not configured). + +If you want to prevent syncing of browser settings but give users a choice to turn on syncing: +1. Set Experience/DoNotSyncBrowserSetting to 2 (enabled). +1. Set this policy (Experience/PreventUsersFromTurningOnBrowserSyncing) to 0 (disabled). 
+ + + +ADMX Info: +- GP English name: *Do not sync browser settings* +- GP name: *DisableWebBrowserSettingSync* +- GP element: *CheckBox_UserOverride* +- GP path: *Windows Components/Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + + + + + + + +**Validation procedure:** + +Microsoft Edge on your PC: +1. Select More > Settings. +1. See if the setting is enabled or disabled based on your setting. + + + +<<<<<<< HEAD +======= + +>>>>>>> 3c06afe9875ad82fff960313bea663f49a2f7d2c +
+ Footnote: - 1 - Added in Windows 10, version 1607. @@ -1402,10 +1561,4 @@ Footnote: - -## Experience policies supported by Windows Holographic for Business - -- [Experience/AllowCortana](#experience-allowcortana) -- [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment) - diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index 23a98eaa7b..ac16face75 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 06/05/2018 +ms.date: 07/30/2018 --- # Policy CSP - Privacy 
@@ -4844,43 +4844,4 @@ Footnote: - -## Privacy policies supported by Windows Holographic for Business - -- [Privacy/AllowCrossDeviceClipboard](#privacy-allowcrossdeviceclipboard) -- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization) -- [Privacy/LetAppsAccessGazeInput](#privacy-letappsaccessgazeinput) -- [Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps](#privacy-letappsaccessgazeinput-forceallowtheseapps) -- [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](#privacy-letappsaccessgazeinput-forcedenytheseapps) -- [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](#privacy-letappsaccessgazeinput-userincontroloftheseapps) -- [Privacy/UploadUserActivities](#privacy-uploaduseractivities) - - - -## Privacy policies supported by IoT Core - -- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) -- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) -- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground) -- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) -- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) -- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) - - - -## Privacy policies supported by Microsoft Surface Hub - -- [Privacy/EnableActivityFeed](#privacy-enableactivityfeed) -- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) -- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) -- 
[Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) -- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground) -- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) -- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) -- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) -- [Privacy/PublishUserActivities](#privacy-publishuseractivities) - diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index 90d61b4f33..f51a32f819 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 07/30/2018 --- # Policy CSP - Search @@ -860,15 +860,5 @@ Footnote: - -## Search policies that can be set using Exchange Active Sync (EAS) -- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) - - - -## Search policies supported by Windows Holographic for Business - -- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) - diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index 923b4a3d8a..e0557a49ab 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 06/26/2018 +ms.date: 07/30/2018 --- # Policy CSP - Security 
@@ -664,31 +664,5 @@ Footnote: - -## Security policies that can be set using Exchange Active Sync (EAS) -- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) - - - -## Security policies supported by Windows Holographic for Business - -- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) - - - -## Security policies supported by IoT Core - -- [Security/AllowAddProvisioningPackage](#security-allowaddprovisioningpackage) -- [Security/AllowRemoveProvisioningPackage](#security-allowremoveprovisioningpackage) -- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) -- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) - - - -## Security policies supported by Microsoft Surface Hub - -- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) -- [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot) - diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index ba5cc1e9ef..6400be4c46 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 07/30/2018 --- # Policy CSP - Settings @@ -849,10 +849,5 @@ Footnote: - -## Settings policies supported by Windows Holographic for Business -- [Settings/AllowDateTime](#settings-allowdatetime) -- [Settings/AllowVPN](#settings-allowvpn) - diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index b7f8fb114a..63649af40c 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md 
@@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 06/05/2018 +ms.date: 07/30/2018 --- # Policy CSP - System @@ -1194,34 +1194,5 @@ Footnote: - -## System policies that can be set using Exchange Active Sync (EAS) -- [System/AllowStorageCard](#system-allowstoragecard) -- [System/TelemetryProxy](#system-telemetryproxy) - - - -## System policies supported by Windows Holographic for Business - -- [System/AllowLocation](#system-allowlocation) -- [System/AllowTelemetry](#system-allowtelemetry) - - - -## System policies supported by IoT Core - -- [System/AllowEmbeddedMode](#system-allowembeddedmode) -- [System/AllowFontProviders](#system-allowfontproviders) -- [System/AllowStorageCard](#system-allowstoragecard) -- [System/TelemetryProxy](#system-telemetryproxy) - - - -## System policies supported by Microsoft Surface Hub - -- [System/AllowFontProviders](#system-allowfontproviders) -- [System/AllowLocation](#system-allowlocation) -- [System/AllowTelemetry](#system-allowtelemetry) - diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 7f6dde9d31..8bda477361 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/18/2018 +ms.date: 07/30/2018 --- # Policy CSP - Update 
@@ -3551,52 +3551,4 @@ Footnote: - -## Update policies supported by Windows Holographic for Business - -- [Update/AllowAutoUpdate](#update-allowautoupdate) -- [Update/AllowUpdateService](#update-allowupdateservice) -- [Update/RequireDeferUpgrade](#update-requiredeferupgrade) -- [Update/RequireUpdateApproval](#update-requireupdateapproval) -- [Update/UpdateServiceUrl](#update-updateserviceurl) - - - -## Update policies supported by IoT Core - -- [Update/AllowNonMicrosoftSignedUpdate](#update-allownonmicrosoftsignedupdate) -- [Update/AllowUpdateService](#update-allowupdateservice) -- [Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates](#update-autorestartdeadlineperiodindaysforfeatureupdates) -- [Update/EngagedRestartDeadlineForFeatureUpdates](#update-engagedrestartdeadlineforfeatureupdates) -- [Update/EngagedRestartSnoozeScheduleForFeatureUpdates](#update-engagedrestartsnoozescheduleforfeatureupdates) -- [Update/EngagedRestartTransitionScheduleForFeatureUpdates](#update-engagedrestarttransitionscheduleforfeatureupdates) -- [Update/PauseDeferrals](#update-pausedeferrals) -- [Update/RequireDeferUpgrade](#update-requiredeferupgrade) -- [Update/RequireUpdateApproval](#update-requireupdateapproval) -- [Update/ScheduledInstallDay](#update-scheduledinstallday) -- [Update/ScheduledInstallTime](#update-scheduledinstalltime) -- [Update/SetDisablePauseUXAccess](#update-setdisablepauseuxaccess) -- [Update/SetDisableUXWUAccess](#update-setdisableuxwuaccess) -- [Update/UpdateServiceUrl](#update-updateserviceurl) - - - -## Update policies supported by Microsoft Surface Hub - -- [Update/AllowAutoUpdate](#update-allowautoupdate) -- [Update/AllowUpdateService](#update-allowupdateservice) -- [Update/AutoRestartNotificationSchedule](#update-autorestartnotificationschedule) -- [Update/AutoRestartRequiredNotificationDismissal](#update-autorestartrequirednotificationdismissal) -- [Update/BranchReadinessLevel](#update-branchreadinesslevel) -- 
[Update/DeferFeatureUpdatesPeriodInDays](#update-deferfeatureupdatesperiodindays) -- [Update/DeferQualityUpdatesPeriodInDays](#update-deferqualityupdatesperiodindays) -- [Update/DetectionFrequency](#update-detectionfrequency) -- [Update/PauseFeatureUpdates](#update-pausefeatureupdates) -- [Update/PauseQualityUpdates](#update-pausequalityupdates) -- [Update/ScheduleImminentRestartWarning](#update-scheduleimminentrestartwarning) -- [Update/ScheduleRestartWarning](#update-schedulerestartwarning) -- [Update/SetAutoRestartNotificationDisable](#update-setautorestartnotificationdisable) -- [Update/UpdateServiceUrl](#update-updateserviceurl) -- [Update/UpdateServiceUrlAlternate](#update-updateserviceurlalternate) - diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index e98cd44400..e7dc68df1b 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -255,7 +255,14 @@ An optional flag to enable Always On mode. This will automatically connect the V > **Note**  Always On only works for the active profile. The first profile provisioned that can be auto triggered will automatically be set as active. -  +Preserving user Always On preference + +Windows has a feature to preserve a user’s AlwaysOn preference. In the event that a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList. +Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows will not check the box if the profile name exists in the below registry value in order to preserve user preference. +Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config +Value: AutoTriggerDisabledProfilesList +Type: REG_MULTI_SZ + Valid values: 
diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md
index 82c46fc738..1e61634c31 100644
--- a/windows/client-management/mdm/windowslicensing-csp.md
+++ b/windows/client-management/mdm/windowslicensing-csp.md
@@ -7,7 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 07/16/2018
+ms.date: 07/25/2018
 ---
 # WindowsLicensing CSP
@@ -164,7 +164,7 @@ The supported operation is Get.
 Interior node for managing S mode.
 **SMode/SwitchingPolicy**
-Added in Windows 10, next major version. Determines whether a consumer can switch the device out of S mode. This setting is only applicable to devices available in S mode.
+Added in Windows 10, next major version. Determines whether a consumer can switch the device out of S mode. This setting is only applicable to devices available in S mode. For examples, see [Add S mode SwitchingPolicy](#smode-switchingpolicy-add), [Get S mode SwitchingPolicy](#smode-switchingpolicy-get), [Replace S mode SwitchingPolicy](#smode-switchingpolicy-replace) and [Delete S mode SwitchingPolicy](#smode-switchingpolicy-delete)
 Value type is integer. Supported operations are Add, Get, Replace, and Delete.
@@ -173,12 +173,12 @@ Supported values: - 1 - User Blocked: The admin has blocked the user from switching their device out of S mode. Only the admin can switch the device out of S mode through the SMode/SwitchFromSMode node. **SMode/SwitchFromSMode** -Added in Windows 10, next major version. Switches a device out of S mode if possible. Does not reboot. +Added in Windows 10, next major version. Switches a device out of S mode if possible. Does not reboot. For an example, see [Execute SwitchFromSMode](#smode-switchfromsmode-execute) Supported operation is Execute. **SMode/Status** -Added in Windows 10, next major version. Returns the status of the latest SwitchFromSMode set request. +Added in Windows 10, next major version. Returns the status of the latest SwitchFromSMode set request. For an example, see [Get S mode status](#smode-status-example) Value type is integer. Supported operation is Get. @@ -315,6 +315,140 @@ Value type is integer. Supported operation is Get. ``` +**Get S mode status** + +``` + + + + 6 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/Status + + + + + + + +``` + +**Execute SwitchFromSMode** + +``` + + + + 5 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/SwitchFromSMode + + + + null + text/plain + + + + + + + +``` + +**Add S mode SwitchingPolicy** + +``` + + + + 4 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy + + + + int + text/plain + + 1 + + + + + +``` + +**Get S mode SwitchingPolicy** + +``` + + + + 2 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy + + + + + + + +``` + +**Replace S mode SwitchingPolicy** + +``` + + + + 1 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy + + + + int + text/plain + + 1 + + + + + +``` + +**Delete S mode SwitchingPolicy** + +``` + + + + 3 + + + + ./Vendor/MSFT/WindowsLicensing/SMode/SwitchingPolicy + + + + + + + +``` ## Related topics diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md index 6480fcac26..dad54fdffa 100644 --- a/windows/configuration/TOC.md 
+++ b/windows/configuration/TOC.md 
@@ -1,13 +1,20 @@
 # [Configure Windows 10](index.md)
 ## [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)
-## [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md)
-### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
-### [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md)
-### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
-### [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md)
+## [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
+## [Configure kiosks and digital signs on Windows desktop editions](kiosk-methods.md)
+### [Prepare a device for kiosk configuration](kiosk-prepare.md)
+### [Set up digital signs on Windows 10](setup-digital-signage.md)
+### [Set up a single-app kiosk](kiosk-single-app.md)
+### [Set up a multi-app kiosk](lock-down-windows-10-to-specific-apps.md)
+### [More kiosk methods and reference information](kiosk-additional-reference.md)
+#### [Validate your kiosk configuration](kiosk-validate.md)
+#### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
+#### [Policies enforced on kiosk devices](kiosk-policies.md)
+#### [Assigned access XML reference](kiosk-xml.md)
+#### [Use AppLocker to create a Windows 10 kiosk](lock-down-windows-10-applocker.md)
+#### [Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md)
+#### [Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md)
 #### [Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md)
-#### [Use AppLocker to create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-applocker.md)
-### [Assigned Access configuration (kiosk) XML reference](kiosk-xml.md)
 ## [Configure Windows 10 Mobile
devices](mobile-devices/configure-mobile.md) ### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md) ### [Use Windows Configuration Designer to configure Windows 10 Mobile devices](mobile-devices/provisioning-configure-mobile.md) diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index 8fac2d4142..2407ef393e 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md @@ -10,14 +10,18 @@ ms.localizationpriority: medium author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 06/27/2018 +ms.date: 07/30/2018 --- # Change history for Configure Windows 10 This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. +## July 2018 +New or changed topic | Description +--- | --- +[Configure kiosks and child topics](kiosk-methods.md) | Reorganized the information for configuring kiosks into new topics, and moved [Set up shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md). ## June 2018 
@@ -70,7 +74,7 @@ New or changed topic | Description New or changed topic | Description --- | --- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) and [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) | Added events and fields that were added in the March update. -Set up a kiosk on Windows 10 Pro, Enterprise, or Education | Renamed it [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) and reorganized the information to make the choices clearer. +Set up a kiosk on Windows 10 Pro, Enterprise, or Education | Renamed it **Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education** and reorganized the information to make the choices clearer. ## February 2018 diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index 844295ad38..cde506630f 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -1,6 +1,6 @@ --- title: Guidelines for choosing an app for assigned access (Windows 10) -description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app. +description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience. keywords: ["kiosk", "lockdown", "assigned access"] ms.prod: w10 ms.mktglfcycl: manage @@ -9,7 +9,7 @@ author: jdeckerms ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 05/31/2018 +ms.date: 07/30/2018 --- # Guidelines for choosing an app for assigned access (kiosk mode) 
@@ -55,7 +55,7 @@ In Windows 10, version 1803, you can install the **Kiosk Browser** app from Micr >[!NOTE] >If you configure the kiosk using a provisioning package, you must apply the provisioning package after the device completes the out-of-box experience (OOBE). -#### Kiosk Browser settings +### Kiosk Browser settings Kiosk Browser settings | Use this setting to --- | --- diff --git a/windows/configuration/images/kiosk-desktop.PNG b/windows/configuration/images/kiosk-desktop.PNG new file mode 100644 index 0000000000..cf74c646c7 Binary files /dev/null and b/windows/configuration/images/kiosk-desktop.PNG differ diff --git a/windows/configuration/images/kiosk-fullscreen-sm.png b/windows/configuration/images/kiosk-fullscreen-sm.png new file mode 100644 index 0000000000..b096d6837d Binary files /dev/null and b/windows/configuration/images/kiosk-fullscreen-sm.png differ diff --git a/windows/configuration/images/kiosk-fullscreen.PNG b/windows/configuration/images/kiosk-fullscreen.PNG new file mode 100644 index 0000000000..37ccd4f8a4 Binary files /dev/null and b/windows/configuration/images/kiosk-fullscreen.PNG differ diff --git a/windows/configuration/images/kiosk-intune.PNG b/windows/configuration/images/kiosk-intune.PNG new file mode 100644 index 0000000000..2cbe25c6a5 Binary files /dev/null and b/windows/configuration/images/kiosk-intune.PNG differ diff --git a/windows/configuration/images/kiosk-settings.PNG b/windows/configuration/images/kiosk-settings.PNG new file mode 100644 index 0000000000..51a4338371 Binary files /dev/null and b/windows/configuration/images/kiosk-settings.PNG differ diff --git a/windows/configuration/images/kiosk-wizard.png b/windows/configuration/images/kiosk-wizard.png new file mode 100644 index 0000000000..160e170e5c Binary files /dev/null and b/windows/configuration/images/kiosk-wizard.png differ 
diff --git a/windows/configuration/images/kiosk.png b/windows/configuration/images/kiosk.png
new file mode 100644
index 0000000000..868ea31bb1
Binary files /dev/null and b/windows/configuration/images/kiosk.png differ
diff --git a/windows/configuration/images/office-logo.png b/windows/configuration/images/office-logo.png
new file mode 100644
index 0000000000..cd6d504301
Binary files /dev/null and b/windows/configuration/images/office-logo.png differ
diff --git a/windows/configuration/images/set-assignedaccess.png b/windows/configuration/images/set-assignedaccess.png
new file mode 100644
index 0000000000..c2899361eb
Binary files /dev/null and b/windows/configuration/images/set-assignedaccess.png differ
diff --git a/windows/configuration/images/user.PNG b/windows/configuration/images/user.PNG
new file mode 100644
index 0000000000..d1386d4a0d
Binary files /dev/null and b/windows/configuration/images/user.PNG differ
diff --git a/windows/configuration/images/windows.png b/windows/configuration/images/windows.png
new file mode 100644
index 0000000000..e3889eff6a
Binary files /dev/null and b/windows/configuration/images/windows.png differ
diff --git a/windows/configuration/index.md b/windows/configuration/index.md
index 5ed671a894..11ec530a2c 100644
--- a/windows/configuration/index.md
+++ b/windows/configuration/index.md
@@ -22,7 +22,8 @@ Enterprises often need to apply custom configurations to devices for their users
 | Topic | Description |
 | --- | --- |
 | [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. |
-| [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md) | These topics help you configure Windows 10 devices to be shared by multiple users or to run as a kiosk device that runs a single app. |
+| [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. |
+| [Configure kiosk and digital signage devices running Windows 10 desktop editions](kiosk-methods.md) | These topics help you configure Windows 10 devices to run as a kiosk device. |
 | [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md) | These topics help you configure the features and apps and Start screen for a device running Windows 10 Mobile, as well as how to configure a kiosk device that runs a single app. |
 | [Configure cellular settings for tablets and PCs](provisioning-apn.md) | Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles. |
 | [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md) | A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. |
diff --git a/windows/configuration/kiosk-additional-reference.md b/windows/configuration/kiosk-additional-reference.md
new file mode 100644
index 0000000000..1776738f55
--- /dev/null
+++ b/windows/configuration/kiosk-additional-reference.md
@@ -0,0 +1,37 @@
+---
+title: More kiosk methods and reference information (Windows 10)
+description: Find more information for configuring, validating, and troubleshooting kiosk configuration.
+ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
+keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.localizationpriority: high
+ms.date: 07/30/2018
+---
+
+# More kiosk methods and reference information
+
+
+**Applies to**
+
+- Windows 10 Pro, Enterprise, and Education
+
+
+## In this section
+
+Topic | Description
+--- | ---
+[Validate your kiosk configuration](kiosk-validate.md) | This topic explain what to expect on a multi-app kiosk.
+[Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | These guidelines will help you choose an appropriate Windows app for your assigned access experience.
+[Policies enforced on kiosk devices](kiosk-policies.md) | Learn about the policies enforced on a device when you configure it as a kiosk.
+[Assigned access XML reference](kiosk-xml.md) | The XML and XSD for kiosk device configuration.
+[Use AppLocker to create a Windows 10 kiosk](lock-down-windows-10-applocker.md) | Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education, version 1703 and earlier, so that users can only run a few specific apps.
+[Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md) | Using Shell Launcher, you can configure a kiosk device that runs a Windows desktop application as the user interface.
+[Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md) | Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class.
+[Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md) | Tips for troubleshooting multi-app kiosk configuration.
+
+
+
+
diff --git a/windows/configuration/kiosk-mdm-bridge.md b/windows/configuration/kiosk-mdm-bridge.md
new file mode 100644
index 0000000000..542b9abf2e
--- /dev/null
+++ b/windows/configuration/kiosk-mdm-bridge.md
@@ -0,0 +1,86 @@
+---
+title: Use MDM Bridge WMI Provider to create a Windows 10 kiosk (Windows 10)
+description: Environments that use Windows Management Instrumentation (WMI)can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class.
+ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
+keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.localizationpriority: high
+ms.date: 07/30/2018
+---
+
+# Use MDM Bridge WMI Provider to create a Windows 10 kiosk
+
+
+**Applies to**
+
+- Windows 10 Pro, Enterprise, and Education
+
+Environments that use [Windows Management Instrumentation (WMI)](https://msdn.microsoft.com/library/aa394582.aspx) can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the MDM_AssignedAccess class. See [PowerShell Scripting with WMI Bridge Provider](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/using-powershell-scripting-with-the-wmi-bridge-provider) for more details about using a PowerShell script to configure AssignedAccess.
+
+Here’s an example to set AssignedAccess configuration:
+
+1. Download the [psexec tool](https://technet.microsoft.com/sysinternals/bb897553.aspx).
+2. Run `psexec.exe -i -s cmd.exe`.
+3. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell.
+4. Execute the following script:
+
+```ps
+$nameSpaceName="root\cimv2\mdm\dmmap"
+$className="MDM_AssignedAccess"
+$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
+$obj.Configuration = @"
+<?xml version="1.0" encoding="utf-8" ?>
+<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
+ <Profiles>
+ <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
+ <AllAppsList>
+ <AllowedApps>
+ <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
+ <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
+ <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
+ <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
+ <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
+ <App DesktopAppPath="%windir%\system32\mspaint.exe" />
+ <App DesktopAppPath="C:\Windows\System32\notepad.exe" />
+ </AllowedApps>
+ </AllAppsList>
+ <StartLayout>
+ <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
+ <LayoutOptions StartTileGroupCellWidth="6" />
+ <DefaultLayoutOverride>
+ <StartLayoutCollection>
+ <defaultlayout:StartLayout GroupCellWidth="6">
+ <start:Group Name="Group1">
+ <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
+ <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
+ <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
+ <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
+ <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
+ </start:Group>
+ <start:Group Name="Group2">
+ <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" />
+ <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk" />
+ </start:Group>
+ </defaultlayout:StartLayout>
+ </StartLayoutCollection>
+ </DefaultLayoutOverride>
+ </LayoutModificationTemplate>
+ ]]>
+ </StartLayout>
+ <Taskbar ShowTaskbar="true"/>
+ </Profile>
+ </Profiles>
+ <Configs>
+ <Config>
+ <Account>MultiAppKioskUser</Account>
+ <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
+ </Config>
+ </Configs>
+</AssignedAccessConfiguration>
+"@
+
+Set-CimInstance -CimInstance $obj
+```
diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md
new file mode 100644
index 0000000000..a142517a28
--- /dev/null
+++ b/windows/configuration/kiosk-methods.md
@@ -0,0 +1,77 @@
+---
+title: Configure kiosks and digital signs on Windows desktop editions (Windows 10)
+description: Learn about the methods for configuring kiosks.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: jdeckerms
+ms.date: 07/30/2018
+---
+
+# Configure kiosks and digital signs on Windows desktop editions
+
+Some desktop devices in an enterprise serve a special purpose, such as a PC in the lobby that customers can use to view your product catalog or a PC displaying visual content as a digital sign. Windows 10 offers two different locked-down experiences for public or specialized use:
+
+| | |
+--- | ---
+ | **A single-app kiosk**, which runs a single Universal Windows Platform (UWP) app in fullscreen above the lockscreen. People using the kiosk can see only that app.

When the kiosk account (a local standard user account) signs in, the kiosk app will launch automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart.

A single-app kiosk is ideal for public use.

(Using [ShellLauncher WMI](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lockscreen.) | ![Illustration of a full-screen kiosk experience](images/kiosk-fullscreen.png) + | **A multi-app kiosk**, which runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types.

A multi-app kiosk is appropriate for devices that are shared by multiple people.

When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that will affect **all** non-administrator users on the device. | ![Illustration of a kiosk Start screen](images/kiosk-desktop.png)
+
+Kiosk configurations are based on **Assigned Access**, a feature in Windows 10 that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user.
+
+There are several kiosk configuration methods that you can choose from, depending on your answers to the following questions.
+
+| | |
+--- | ---
+![icon that represents apps](images/office-logo.png) | **Which type of app will your kiosk run?** Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](setup-digital-signage.md), simply select a digital sign player as your kiosk app. [Check out the guidelines for kiosk apps.](guidelines-for-assigned-access-app.md)
+![icon that represents a kiosk](images/kiosk.png) | **Which type of kiosk do you need?** If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a [Universal Windows Platform (UWP) app](#uwp) or a [Windows desktop application](#classic). For a kiosk that people can sign in to with their accounts or that runs more than one app, choose [a multi-app kiosk](#desktop).
+![icon that represents Windows](images/windows.png) | **Which edition of Windows 10 will the kiosk run?** All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home.
+![icon that represents a user account](images/user.png) | **Which type of user account will be the kiosk account?** The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method.
+
+
+
+## Methods for a single-app kiosk running a UWP app
+
+You can use this method | For this edition | For this kiosk account type
+--- | --- | ---
+[Assigned access in Settings](kiosk-single-app.md#local) | Pro, Ent, Edu | Local standard user
+[Assigned access cmdlets](kiosk-single-app.md#powershell) | Pro, Ent, Edu | Local standard user
+[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Pro (version 1709), Ent, Edu | Local standard user, Active Directory, Azure AD
+[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD
+
+
+## Methods for a single-app kiosk running a Windows desktop application
+
+You can use this method | For this edition | For this kiosk account type
+--- | --- | ---
+[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Ent, Edu | Local standard user, Active Directory, Azure AD
+[ShellLauncher WMI](kiosk-shelllauncher.md) | Ent, Edu | Local standard user, Active Directory, Azure AD
+[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD
+
+
+## Methods for a multi-app kiosk
+
+You can use this method | For this edition | For this kiosk account type
+--- | --- | ---
+[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Active Directory, Azure AD
+[Microsoft Intune or other MDM](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Azure AD
+[MDM WMI Bridge Provider](kiosk-mdm-bridge.md) | Pro, Ent, Edu | Local standard user, Active Directory, Azure AD
+
+## Summary of kiosk configuration methods
+
+Method | App type | Account type | Single-app kiosk | Multi-app kiosk
+--- | --- | --- | :---: | :---:
+[Assigned access in Settings](kiosk-single-app.md#local) | UWP | Local account | X |
+[Assigned access cmdlets](kiosk-single-app.md#powershell) | UWP | Local account | X |
+[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | X |
+[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | X | X
+Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md#mdm) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Azure AD | X | X
+[ShellLauncher WMI](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Azure AD | X |
+[MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | | X
+
+
+>[!NOTE]
+>For devices running Windows 10 Enterprise and Education, version 1703 and earlier, you can use [AppLocker](lock-down-windows-10-applocker.md) to lock down a device to specific apps.
+
diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md
new file mode 100644
index 0000000000..b6fe2acd42
--- /dev/null
+++ b/windows/configuration/kiosk-policies.md
@@ -0,0 +1,82 @@
+---
+title: Policies enforced on kiosk devices (Windows 10)
+description: Learn about the policies enforced on a device when you configure it as a kiosk.
+ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
+keywords: ["lockdown", "app restrictions", "applocker"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: edu, security
+author: jdeckerms
+ms.localizationpriority: high
+ms.date: 07/30/2018
+ms.author: jdecker
+---
+
+# Policies enforced on kiosk devices
+
+
+**Applies to**
+
+- Windows 10 Pro, Enterprise, and Education
+
+
+
+It is not recommended to set policies enforced in assigned access kiosk mode to different values using other channels, as the kiosk mode has been optimized to provide a locked-down experience.
+
+When the assigned access kiosk configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device.
+
+
+## Group Policy
+
+The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This includes local users, domain users, and Azure Active Directory users.
+
+| Setting | Value |
+| --- | --- |
+Remove access to the context menus for the task bar | Enabled
+Clear history of recently opened documents on exit | Enabled
+Prevent users from customizing their Start Screen | Enabled
+Prevent users from uninstalling applications from Start | Enabled
+Remove All Programs list from the Start menu | Enabled
+Remove Run menu from Start Menu | Enabled
+Disable showing balloon notifications as toast | Enabled
+Do not allow pinning items in Jump Lists | Enabled
+Do not allow pinning programs to the Taskbar | Enabled
+Do not display or track items in Jump Lists from remote locations | Enabled
+Remove Notifications and Action Center | Enabled
+Lock all taskbar settings | Enabled
+Lock the Taskbar | Enabled
+Prevent users from adding or removing toolbars | Enabled
+Prevent users from resizing the taskbar | Enabled
+Remove frequent programs list from the Start Menu | Enabled
+Remove Pinned programs from the taskbar | Enabled
+Remove the Security and Maintenance icon | Enabled
+Turn off all balloon notifications | Enabled
+Turn off feature advertisement balloon notifications | Enabled
+Turn off toast notifications | Enabled
+Remove Task Manager | Enabled
+Remove Change Password option in Security Options UI | Enabled
+Remove Sign Out option in Security Options UI | Enabled
+Remove All Programs list from the Start Menu | Enabled – Remove and disable setting
+Prevent access to drives from My Computer | Enabled - Restrict all drivers
+
+>[!NOTE]
+>When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears expalining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
+
+
+
+## MDM policy
+
+
+Some of the MDM policies based on the [Policy configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system (i.e. system-wide).
+
+Setting | Value | System-wide
+ --- | --- | ---
+[Experience/AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | 0 - Not allowed | Yes
+[Start/AllowPinnedFolderSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes
+Start/HidePeopleBar | 1 - True (hide) | No
+[Start/HideChangeAccountSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) | 1 - True (hide) | Yes
+[WindowsInkWorkspace/AllowWindowsInkWorkspace](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowsinkworkspace#windowsinkworkspace-allowwindowsinkworkspace) | 0 - Access to ink workspace is disabled and the feature is turned off | Yes
+[Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No
+[WindowsLogon/DontDisplayNetworkSelectionUI](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | <Enabled/> | Yes
+
diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md
new file mode 100644
index 0000000000..a9fa30337a
--- /dev/null
+++ b/windows/configuration/kiosk-prepare.md
@@ -0,0 +1,81 @@
+---
+title: Prepare a device for kiosk configuration (Windows 10)
+description: Some tips for device settings on kiosks.
+ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
+keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.localizationpriority: high
+ms.date: 07/30/2018
+---
+
+# Prepare a device for kiosk configuration
+
+
+**Applies to**
+
+- Windows 10 Pro, Enterprise, and Education
+
+>[!WARNING]
+>For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with least privilege, such as a local standard user account.
+>
+>Assigned access can be configured via Windows Management Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
+
+
+For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk:
+
+Recommendation | How to
+--- | ---
+Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:

`HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled`

[Learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002)

You must restart the device after changing the registry.
+Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign.
+Hide **Ease of access** feature on the sign-in screen. | Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools.
+Disable the hardware power button. | Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
+Remove the power button from the sign-in screen. | Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.**
+Disable the camera. | Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**.
+Turn off app notifications on the lock screen. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
+Disable removable media. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.

**NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. + +In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can sign in the assigned access account manually or you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic sign in. + +>[!TIP] +>If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML. + + +**How to edit the registry to have an account sign in automatically** + +1. Open Registry Editor (regedit.exe). + + >[!NOTE]   + >If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002). +   + +2. Go to + + **HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon** + +3. Set the values for the following keys. + + - *AutoAdminLogon*: set value as **1**. + + - *DefaultUserName*: set value as the account that you want signed in. + + - *DefaultPassword*: set value as the password for the account. + + > [!NOTE] + > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. + + - *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key. + +4. Close Registry Editor. The next time the computer restarts, the account will sign in automatically. 
+
+>[!TIP]
+>You can also configure automatic sign-in [using the Autologon tool from Sysinternals](https://docs.microsoft.com/sysinternals/downloads/autologon).
+
+
+
+
+
+
+
diff --git a/windows/configuration/kiosk-shared-pc.md b/windows/configuration/kiosk-shared-pc.md
deleted file mode 100644
index 4627f16d24..0000000000
--- a/windows/configuration/kiosk-shared-pc.md
+++ /dev/null
@@ -1,26 +0,0 @@
----
-title: Configure kiosk and shared devices running Windows desktop editions (Windows 10)
-description:
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: jdeckerms
-ms.author: jdecker
-ms.topic: article
-ms.date: 08/08/2017
----
-
-# Configure kiosk and shared devices running Windows desktop editions
-
-Some desktop devices in an enterprise serve a special purpose, such as a common PC in a touchdown space that any employee can sign in to, or a PC in the lobby that customers can use to view your product catalog. Windows 10 is easy to configure for shared use or for use as a kiosk (single app).
-
-## In this section
-
-| Topic | Description |
-| --- | --- |
-| [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. |
-| [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) | You can configure a device running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education as a kiosk device, so that users can only interact with a single application that you select. |
-| [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. This topic provides guidelines to help you choose an approprate app for a kiosk device. |
-| [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) | Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to a kiosk device, but with multiple apps available.
For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. |
\ No newline at end of file
diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md
new file mode 100644
index 0000000000..b25eb4e96a
--- /dev/null
+++ b/windows/configuration/kiosk-shelllauncher.md
@@ -0,0 +1,201 @@
+---
+title: Use Shell Launcher to create a Windows 10 kiosk (Windows 10)
+description: A single-use device such as a digital sign is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education).
+ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
+keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.localizationpriority: high
+ms.date: 07/30/2018
+---
+
+# Use Shell Launcher to create a Windows 10 kiosk
+
+
+**Applies to**
+>App type: Windows desktop application
+>
+>OS edition: Windows 10 Ent, Edu
+>
+>Account type: Local standard user or administrator, Active Directory, Azure AD
+
+
+Using Shell Launcher, you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on.
+
+>[!NOTE]
+>You can also configure a kiosk device that runs a Windows desktop application by using the [Provision kiosk devices wizard](#wizard).
+
+>[!WARNING]
+>- Windows 10 doesn’t support setting a custom shell prior to OOBE. If you do, you won’t be able to deploy the resulting image.
+>- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell.
+
+### Requirements
+
+- A domain or local user account.
+
+- A Windows desktop application that is installed for that account.
The app can be your own company application or a common app like Internet Explorer.
+
+[See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603)
+
+
+### Configure Shell Launcher
+
+To set a Windows desktop application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell.
+
+**To turn on Shell Launcher in Windows features**
+
+1. Go to Control Panel > **Programs and features** > **Turn Windows features on or off**.
+
+2. Expand **Device Lockdown**.
+
+2. Select **Shell Launcher** and **OK**.
+
+Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or the Deployment Image Servicing and Management (DISM.exe) tool.
+
+**To turn on Shell Launcher using DISM**
+
+1. Open a command prompt as an administrator.
+2. Enter the following command.
+
+ ```
+ Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher
+ ```
+
+**To set your custom shell**
+
+Modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device.
+
+```
+# Check if shell launcher license is enabled
+function Check-ShellLauncherLicenseEnabled
+{
+ [string]$source = @"
+using System;
+using System.Runtime.InteropServices;
+
+static class CheckShellLauncherLicense
+{
+ const int S_OK = 0;
+
+ public static bool IsShellLauncherLicenseEnabled()
+ {
+ int enabled = 0;
+
+ if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) {
+ enabled = 0;
+ }
+
+ return (enabled != 0);
+ }
+
+ static class NativeMethods
+ {
+ [DllImport("Slc.dll")]
+ internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value);
+ }
+
+}
+"@
+
+ $type = Add-Type -TypeDefinition $source -PassThru
+
+ return $type[0]::IsShellLauncherLicenseEnabled()
+}
+
+[bool]$result = $false
+
+$result = Check-ShellLauncherLicenseEnabled
+"`nShell Launcher license enabled is set to " + $result
+if (-not($result))
+{
+ "`nThis device doesn't have required license to use Shell Launcher"
+ exit
+}
+
+$COMPUTER = "localhost"
+$NAMESPACE = "root\standardcimv2\embedded"
+
+# Create a handle to the class instance so we can call the static methods.
+try {
+ $ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting"
+ } catch [Exception] {
+ write-host $_.Exception.Message;
+ write-host "Make sure Shell Launcher feature is enabled"
+ exit
+ }
+
+
+# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
+
+$Admins_SID = "S-1-5-32-544"
+
+# Create a function to retrieve the SID for a user account on a machine.
+
+function Get-UsernameSID($AccountName) {
+
+ $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
+ $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
+
+ return $NTUserSID.Value
+
+}
+
+# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script.
+
+$Cashier_SID = Get-UsernameSID("Cashier")
+
+# Define actions to take when the shell program exits.
+
+$restart_shell = 0
+$restart_device = 1
+$shutdown_device = 2
+
+# Examples. You can change these examples to use the program that you want to use as the shell.
+
+# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed.
+
+$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device)
+
+# Display the default shell to verify that it was added correctly.
+
+$DefaultShellObject = $ShellLauncherClass.GetDefaultShell()
+
+"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction
+
+# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed.
+
+$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell)
+
+# Set Explorer as the shell for administrators.
+
+$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe")
+
+# View all the custom shells defined.
+
+"`nCurrent settings for custom shells:"
+Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction
+
+# Enable Shell Launcher
+
+$ShellLauncherClass.SetEnabled($TRUE)
+
+$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
+
+"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
+
+# Remove the new custom shells.
+
+$ShellLauncherClass.RemoveCustomShell($Admins_SID)
+
+$ShellLauncherClass.RemoveCustomShell($Cashier_SID)
+
+# Disable Shell Launcher
+
+$ShellLauncherClass.SetEnabled($FALSE)
+
+$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
+
+"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
+```
diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md
new file mode 100644
index 0000000000..68dc1a807c
--- /dev/null
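Review bot: In the sample script of kiosk-shelllauncher.md, the comment above the `SetCustomShell($Cashier_SID, ...)` call says the machine restarts when Internet Explorer is closed, but the call passes `$restart_shell`; the comment should read `# Set Internet Explorer as the shell for "Cashier", and restart the shell if Internet Explorer is closed.` The `SetDefaultShell("cmd.exe", $restart_device)` example makes a command prompt the default shell, which presumably is what any account without a custom shell entry receives, so a caveat such as `# Replace cmd.exe with your kiosk app before deploying; accounts without a custom shell get the default shell.` would keep a copied script from leaving a command interpreter on a locked-down device. The closing section removes both custom shells and calls `SetEnabled($FALSE)`, so the script run unmodified ends with Shell Launcher disabled; a comment marking those lines as cleanup for testing only would make that explicit.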
+++ b/windows/configuration/kiosk-single-app.md @@ -0,0 +1,244 @@ +--- +title: Set up a single-app kiosk (Windows 10) +description: A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). +ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC +keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerms +ms.localizationpriority: high +ms.date: 07/30/2018 +--- + +# Set up a single-app kiosk + + +**Applies to** + +- Windows 10 Pro, Enterprise, and Education + + + +| | | +--- | --- +A single-app kiosk uses the Assigned Access feature to run a single app above the lockscreen.

When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app. | ![Illustration of a single-app kiosk experience](images/kiosk-fullscreen-sm.png) + +You have several options for configuring your single-app kiosk. + +Method | Description +--- | --- +[Assigned access in Settings](#local) | The **Assigned Access** option in **Settings** is a quick and easy method to set up a single device as a kiosk for a local standard user account. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account.

This method is supported on Windows 10 Pro, Enterprise, and Education. +[PowerShell](#powershell) | You can use Windows PowerShell cmdlets to set up a single-app kiosk. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account.

This method is supported on Windows 10 Pro, Enterprise, and Education. +[The kiosk wizard in Windows Configuration Designer](#wizard) | Windows Configuration Designer is a tool that produces a *provisioning package*, which is a package of configuration settings that can be applied to one or more devices during the first-run experience (OOBE) or after OOBE is done (runtime). You can also create the kiosk user account and install the kiosk app, as well as other useful settings, using the kiosk wizard.

This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education. +[Microsoft Intune or other mobile device management (MDM) provider](#mdm) | For managed devices, you can use MDM to set up a kiosk configuration.

This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education. + + +>[!TIP] +>You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) by using a [kiosk profile](lock-down-windows-10-to-specific-apps.md#profile). + + + + +## Set up a kiosk in local Settings + +>App type: UWP +> +>OS edition: Windows 10 Pro, Ent, Edu +> +>Account type: Local standard user + +You can use **Settings** to quickly configure one or a few devices as a kiosk. When you set up a kiosk (also known as *assigned access*) in **Settings**, you must select a local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) + +![The Set up assigned access page in Settings](images/kiosk-settings.png) + +**To set up assigned access in PC settings** + +1. Go to **Start** > **Settings** > **Accounts** > **Other people**. + +2. Choose **Set up assigned access**. + +3. Choose an account. + +4. Choose an app. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). + +5. Close **Settings** – your choices are saved automatically, and will be applied the next time that user account logs on. + +To remove assigned access, choose **Turn off assigned access and sign out of the selected account**. + +When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts. 
+ +- If you want the kiosk account signed in automatically and the kiosk app launched when the device restarts, there is nothing you need to do. + +- If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device. + +![Screenshot of automatic sign-in setting](images/auto-signin.png) + + + + + + +## Set up a kiosk using Windows PowerShell + + +>App type: UWP +> +>OS edition: Windows 10 Pro, Ent, Edu +> +>Account type: Local standard user + +![PowerShell windows displaying Set-AssignedAccess cmdlet](images/set-assignedaccess.png) + +You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. + +Before you run the cmdlet: + +1. Log in as administrator. +2. [Create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) for Assigned Access. +3. Log in as the Assigned Access user account. +4. Install the Universal Windows app that follows the assigned access/above the lock guidelines. +5. Log out as the Assigned Access user account. +6. Log in as administrator. + +To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator. 
+ +**Configure assigned access by AppUserModelID and user name** + +``` +Set-AssignedAccess -AppUserModelId -UserName +``` +**Configure assigned access by AppUserModelID and user SID** + +``` +Set-AssignedAccess -AppUserModelId -UserSID +``` +**Configure assigned access by app name and user name** + +``` +Set-AssignedAccess -AppName -UserName +``` +**Configure assigned access by app name and user SID** + +``` +Set-AssignedAccess -AppName -UserSID +``` + +> [!NOTE] +> To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once. + +[Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867). + +[Learn how to get the AppName](https://msdn.microsoft.com/library/windows/hardware/mt620046%28v=vs.85%29.aspx) (see **Parameters**). + +[Learn how to get the SID](https://go.microsoft.com/fwlink/p/?LinkId=615517). + +To remove assigned access, using PowerShell, run the following cmdlet. + +``` +Clear-AssignedAccess +``` + + + +## Set up a kiosk using the kiosk wizard in Windows Configuration Designer + +>App type: UWP or Windows desktop application +> +>OS edition: Windows 10 Pro (version 1709 and later) for UWP only; Ent, Edu for both app types +> +>Account type: Local standard user, Active Directory + +![Kiosk wizard option in Windows Configuration Designer](images/kiosk-wizard.png) + + +>[!IMPORTANT] +>When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows}(https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows). + +When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Windows desktop application. 
+ + +[Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table. + + + + + + + + + + + + +
![step one](images/one.png)![set up device](images/set-up-device.png)

Enable device setup if you want to configure settings on this page.

**If enabled:**

Enter a name for the device.

(Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)

Toggle **Configure devices for shared use** off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.

You can also select to remove pre-installed software from the device.
![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details.png)
![step two](images/two.png) ![set up network](images/set-up-network.png)

Enable network setup if you want to configure settings on this page.

**If enabled:**

Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
![Enter network SSID and type](images/set-up-network-details.png)
![step three](images/three.png) ![account management](images/account-management.png)

Enable account management if you want to configure settings on this page.

**If enabled:**

You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

**Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

To create a local administrator account, select that option and enter a user name and password.

**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)
![step four](images/four.png) ![add applications](images/add-applications.png)

You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)

**Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application.
![add an application](images/add-applications-details.png)
![step five](images/five.png) ![add certificates](images/add-certificates.png)

To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.
![add a certificate](images/add-certificates-details.png)
![step six](images/six.png) ![Configure kiosk account and app](images/kiosk-account.png)

You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.

If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts.

In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Windows desktop application) or the AUMID (for a Universal Windows app). For a Windows desktop application, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.
![Configure kiosk account and app](images/kiosk-account-details.png)
![step seven](images/seven.png) ![configure kiosk common settings](images/kiosk-common.png)

On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.
![set tablet mode and configure welcome and shutdown and turn off timeout settings](images/kiosk-common-details.png)
![finish](images/finish.png)

You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
![Protect your package](images/finish-details.png)
+ + +>[!NOTE] +>If you want to use [the advanced editor in Windows Configuration Designer](provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings** + +>[!IMPORTANT] +>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + + + + +[Learn how to apply a provisioning package.](provisioning-packages/provisioning-apply-package.md) + + + + + +  + + + +## Set up a kiosk or digital sign using Microsoft Intune or other MDM service + +>App type: UWP +> +>OS edition: Windows 10 Pro (version 1709), Ent, Edu +> +>Account type: Local standard user, Azure AD + +![The configuration settings for single-app kiosk in Microsoft Intune](images/kiosk-intune.png) + +Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a `KioskModeApp` setting. In the `KioskModeApp` setting, you enter the user account name and the [AUMID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode. + +>[!TIP] +>Starting in Windows 10, version 1803, a ShellLauncher node has been added to the [AssignedAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). + +The following steps explain how to configure a kiosk in Microsoft Intune. For other MDM services, see the documentation for your provider. + +**To configure kiosk in Microsoft Intune** + +2. 
In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**. +3. Select **Device configuration**. +4. Select **Profiles**. +5. Select **Create profile**. +6. Enter a friendly name for the profile. +7. Select **Windows 10 and later** for the platform. +8. Select **Device restrictions** for the profile type. +9. Select **Kiosk**. +10. In **Kiosk Mode**, select **Single app kiosk**. +1. Enter the user account (Azure AD or a local standard user account). +11. Enter the Application User Model ID for an installed app. +14. Select **OK**, and then select **Create**. +18. Assign the profile to a device group to configure the devices in that group as kiosks. + + + +## Sign out of assigned access + +To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account. + +If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key: + +**HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI** + +To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. + +  + + + diff --git a/windows/configuration/kiosk-validate.md b/windows/configuration/kiosk-validate.md new file mode 100644 index 0000000000..d46cd63941 --- /dev/null +++ b/windows/configuration/kiosk-validate.md 
@@ -0,0 +1,94 @@ +--- +title: Validate kiosk configuration (Windows 10) +description: This topic explains what to expect on a multi-app kiosk. +ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC +keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerms +ms.localizationpriority: high +ms.date: 07/30/2018 +--- + +# Validate kiosk configuration + + +**Applies to** + +- Windows 10 Pro, Enterprise, and Education + +To identify the provisioning packages applied to a device, go to **Settings** > **Accounts** > **Access work or school**, and then click **Add or remove a provisioning package**. You should see a list of packages that were applied to the device. + +Optionally, run Event Viewer (eventvwr.exe) and look through logs under **Applications and Services Logs** > **Microsoft** > **Windows** > **Provisioning-Diagnostics-Provider** > **Admin**. + +To test the kiosk, sign in with the assigned access user account you specified in the configuration to check out the multi-app experience. + +>[!NOTE] +>The kiosk configuration setting will take effect the next time the assigned access user signs in. If that user account is signed in when you apply the configuration, make sure the user signs out and signs back in to validate the experience. + +The following sections explain what to expect on a multi-app kiosk. + +### App launching and switching experience + +In the multi-app mode, to maximize the user productivity and streamline the experience, an app will be always launched in full screen when the users click the tile on the Start. The users can minimize and close the app, but cannot resize the app window. + +The users can switch apps just as they do today in Windows. They can use the Task View button, Alt + Tab hotkey, and the swipe in from the left gesture to view all the open apps in task view. 
They can click the Windows button to show Start, from which they can open apps, and they can switch to an opened app by clicking it on the taskbar. + +### Start changes + +When the assigned access user signs in, you should see a restricted Start experience: +- Start gets launched in full screen and prevents the end user from accessing the desktop. +- Start shows the layout aligned with what you defined in the multi-app configuration XML. +- Start prevents the end user from changing the tile layout. + - The user cannot resize, reposition, and unpin the tiles. + - The user cannot pin additional tiles on the start. +- Start hides **All Apps** list. +- Start hides all the folders on Start (including File Explorer, Settings, Documents, Downloads, Music, Pictures, Videos, HomeGroup, Network, and Personal folders). +- Only **User** and **Power** buttons are available. (You can control whether to show the **User/Power** buttons using [existing policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start).) +- Start hides **Change account settings** option under **User** button. + +### Taskbar changes + +If the applied multi-app configuration enables taskbar, when the assigned access user signs in, you should see a restricted Taskbar experience: +- Disables context menu of Start button (Quick Link) +- Disables context menu of taskbar +- Prevents the end user from changing the taskbar +- Disables Cortana and Search Windows +- Hides notification icons and system icons, e.g. Action Center, People, Windows Ink Workspace +- Allows the end user to view the status of the network connection and power state, but disables the flyout of **Network/Power** to prevent end user from changing the settings + +### Blocked hotkeys + +The multi-app mode blocks the following hotkeys, which are not relevant for the lockdown experience. 
+ +| Hotkey | Action | +| --- | --- | +| Windows logo key + A | Open Action center | +| Windows logo key + Shift + C | Open Cortana in listening mode | +| Windows logo key + D | Display and hide the desktop | +| Windows logo key + Alt + D | Display and hide the date and time on the desktop | +| Windows logo key + E | Open File Explorer | +| Windows logo key + F | Open Feedback Hub | +| Windows logo key + G | Open Game bar when a game is open | +| Windows logo key + I | Open Settings | +| Windows logo key + J | Set focus to a Windows tip when one is available. | +| Windows logo key + O | Lock device orientation | +| Windows logo key + Q | Open search | +| Windows logo key + R | Open the Run dialog box | +| Windows logo key + S | Open search | +| Windows logo key + X | Open the Quick Link menu | +| Windows logo key + comma (,) | Temporarily peek at the desktop | +| Windows logo key + Ctrl + F | Search for PCs (if you're on a network) | + + + +### Locked-down Ctrl+Alt+Del screen + +The multi-app mode removes options (e.g. **Change a password**, **Task Manager**, **Network**) in the Ctrl+Alt+Del screen to ensure the users cannot access the functionalities that are not allowed in the lockdown experience. + +### Auto-trigger touch keyboard + +In the multi-app mode, the touch keyboard will be automatically triggered when there is an input needed and no physical keyboard is attached on touch-enabled devices. You don’t need to configure any other setting to enforce this behavior. + + diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index 74cdfe88e1..9be99277a6 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: medium -ms.date: 04/30/2018 +ms.date: 07/30/2018 ms.author: jdecker ms.topic: article --- 
diff --git a/windows/configuration/lock-down-windows-10-applocker.md b/windows/configuration/lock-down-windows-10-applocker.md index de93d13008..876d2a663d 100644 --- a/windows/configuration/lock-down-windows-10-applocker.md +++ b/windows/configuration/lock-down-windows-10-applocker.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: medium -ms.date: 08/14/2017 +ms.date: 07/30/2018 ms.author: jdecker ms.topic: article --- @@ -37,7 +37,7 @@ This topic describes how to lock down apps on a local device. You can also use A ## Install apps -First, install the desired apps on the device for the target user account(s). This works for both Store and Win32. For Store apps, you must log on as that user for the app to install. For Win32 you can install an app for all users without logging on to the particular account. +First, install the desired apps on the device for the target user account(s). This works for both Unified Windows Platform (UWP) apps and Windows desktop apps. For UWP apps, you must log on as that user for the app to install. For desktop apps, you can install an app for all users without logging on to the particular account. ## Use AppLocker to set rules for apps diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 8e3162d8d0..7793d23b83 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -1,5 +1,5 @@ --- -title: Create a Windows 10 kiosk that runs multiple apps (Windows 10) +title: Set up a multi-app kiosk (Windows 10) description: Learn how to configure a kiosk device running Windows 10 so that users can only run a few specific apps. ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 keywords: ["lockdown", "app restrictions", "applocker"] 
@@ -9,29 +9,29 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: medium -ms.date: 06/21/2018 +ms.date: 07/30/2018 ms.author: jdecker ms.topic: article --- -# Create a Windows 10 kiosk that runs multiple apps +# Set up a multi-app kiosk **Applies to** - Windows 10 Pro, Enterprise, and Education -A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) has been expanded to make it easy for administrators to create kiosks that run more than one app. In Windows 10, version 1803, you can also: + +A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. In Windows 10, version 1803, you can also: - Configure [a single-app kiosk profile](#profile) in your XML file. - Assign [group accounts to a config profile](#config-for-group-accounts). - Configure [an account to sign in automatically](#config-for-autologon-account). - -The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. 
+The benefit of a kiosk with desktop that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. >[!WARNING] ->The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](#policies-set-by-multi-app-kiosk-configuration) are enforced system-wide, and will impact other users on the device. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access. +>The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access. You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision). @@ -65,7 +65,6 @@ You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provi >Managed apps are apps that are in the Microsoft Store for Business that is synced with your Intune subscription. - ## Configure a kiosk using a provisioning package Process: 
@@ -77,12 +76,12 @@ Watch how to use a provisioning package to configure a multi-app kiosk. >[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false] -If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#alternate-methods) or you can configure assigned access using the [MDM Bridge WMI Provider](#bridge). +If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#alternate-methods) or you can configure assigned access using the [MDM Bridge WMI Provider](kiosk-mdm-bridge.md). ### Prerequisites -- Windows Configuration Designer (Windows 10, version 1709) -- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709 +- Windows Configuration Designer (Windows 10, version 1709 or later) +- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709 or later >[!NOTE] >For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk. @@ -161,7 +160,7 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can ##### AllowedApps -**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Classic Windows desktop apps. +**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. Based on the purpose of the kiosk device, define the list of applications that are allowed to run. This list can contain both UWP apps and desktop apps. When the mult-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. 
@@ -479,10 +478,7 @@ Provisioning packages can be applied to a device during the first-run experience -### Validate provisioning -- Go to **Settings** > **Accounts** > **Access work or school**, and then click **Add or remove a provisioning package**. You should see a list of packages that were applied to the device, including the one you applied for the multi-app configuration. -- Optionally, run Event Viewer (eventvwr.exe) and look through logs under **Applications and Services Logs** > **Microsoft** > **Windows** > **Provisioning-Diagnostics-Provider** > **Admin**. 
@@ -496,147 +492,9 @@ If your device is enrolled with a MDM server which supports applying the assigne The OMA-URI for multi-app policy is `./Device/Vendor/MSFT/AssignedAccess/Configuration`. - -## Use MDM Bridge WMI Provider to configure assigned access - -Environments that use WMI can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the MDM_AssignedAccess class. See [PowerShell Scripting with WMI Bridge Provider](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/using-powershell-scripting-with-the-wmi-bridge-provider) for more details about using a PowerShell script to configure AssignedAccess. - -Here’s an example to set AssignedAccess configuration: - -1. Download the [psexec tool](https://technet.microsoft.com/sysinternals/bb897553.aspx). -2. Run `psexec.exe -i -s cmd.exe`. -3. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell. -4. Execute the following script: - -```ps -$nameSpaceName="root\cimv2\mdm\dmmap" -$className="MDM_AssignedAccess" -$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className -$obj.Configuration = @" -<?xml version="1.0" encoding="utf-8" ?> -<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"> - <Profiles> - <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"> - <AllAppsList> - <AllowedApps> - <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> - <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> - <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> - <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> - <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> - <App DesktopAppPath="%windir%\system32\mspaint.exe" /> - <App DesktopAppPath="C:\Windows\System32\notepad.exe" /> - </AllowedApps> - </AllAppsList> - <StartLayout> - <![CDATA[<LayoutModificationTemplate 
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"> - <LayoutOptions StartTileGroupCellWidth="6" /> - <DefaultLayoutOverride> - <StartLayoutCollection> - <defaultlayout:StartLayout GroupCellWidth="6"> - <start:Group Name="Group1"> - <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> - <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> - <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> - <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> - <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> - </start:Group> - <start:Group Name="Group2"> - <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" /> - <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk" /> - </start:Group> - </defaultlayout:StartLayout> - </StartLayoutCollection> - </DefaultLayoutOverride> - </LayoutModificationTemplate> - ]]> - </StartLayout> - <Taskbar ShowTaskbar="true"/> - </Profile> - </Profiles> - <Configs> - <Config> - <Account>MultiAppKioskUser</Account> - <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/> - </Config> - </Configs> -</AssignedAccessConfiguration> -"@ - -Set-CimInstance -CimInstance $obj -``` - - -## Validate multi-app kiosk configuration - -Sign in with the assigned access user account you specified in the configuration to check out the multi-app experience. 
- ->[!NOTE] ->The setting will take effect the next time the assigned access user signs in. If that user account is signed in when you apply the configuration, make sure the user signs out and signs back in to validate the experience. - -The following sections explain what to expect on a multi-app kiosk. - -### App launching and switching experience - -In the multi-app mode, to maximize the user productivity and streamline the experience, an app will be always launched in full screen when the users click the tile on the Start. The users can minimize and close the app, but cannot resize the app window. - -The users can switch apps just as they do today in Windows. They can use the Task View button, Alt + Tab hotkey, and the swipe in from the left gesture to view all the open apps in task view. They can click the Windows button to show Start, from which they can open apps, and they can switch to an opened app by clicking it on the taskbar. - -### Start changes - -When the assigned access user signs in, you should see a restricted Start experience: -- Start gets launched in full screen and prevents the end user from accessing the desktop. -- Start shows the layout aligned with what you defined in the multi-app configuration XML. -- Start prevents the end user from changing the tile layout. - - The user cannot resize, reposition, and unpin the tiles. - - The user cannot pin additional tiles on the start. -- Start hides **All Apps** list. -- Start hides all the folders on Start (including File Explorer, Settings, Documents, Downloads, Music, Pictures, Videos, HomeGroup, Network, and Personal folders). -- Only **User** and **Power** buttons are available. (You can control whether to show the **User/Power** buttons using [existing policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start).) -- Start hides **Change account settings** option under **User** button. 
- -### Taskbar changes - -If the applied multi-app configuration enables taskbar, when the assigned access user signs in, you should see a restricted Taskbar experience: -- Disables context menu of Start button (Quick Link) -- Disables context menu of taskbar -- Prevents the end user from changing the taskbar -- Disables Cortana and Search Windows -- Hides notification icons and system icons, e.g. Action Center, People, Windows Ink Workspace -- Allows the end user to view the status of the network connection and power state, but disables the flyout of **Network/Power** to prevent end user from changing the settings - -### Blocked hotkeys - -The multi-app mode blocks the following hotkeys, which are not relevant for the lockdown experience. - -| Hotkey | Action | -| --- | --- | -| Windows logo key + A | Open Action center | -| Windows logo key + Shift + C | Open Cortana in listening mode | -| Windows logo key + D | Display and hide the desktop | -| Windows logo key + Alt + D | Display and hide the date and time on the desktop | -| Windows logo key + E | Open File Explorer | -| Windows logo key + F | Open Feedback Hub | -| Windows logo key + G | Open Game bar when a game is open | -| Windows logo key + I | Open Settings | -| Windows logo key + J | Set focus to a Windows tip when one is available. | -| Windows logo key + O | Lock device orientation | -| Windows logo key + Q | Open search | -| Windows logo key + R | Open the Run dialog box | -| Windows logo key + S | Open search | -| Windows logo key + X | Open the Quick Link menu | -| Windows logo key + comma (,) | Temporarily peek at the desktop | -| Windows logo key + Ctrl + F | Search for PCs (if you're on a network) | -### Locked-down Ctrl+Alt+Del screen - -The multi-app mode removes options (e.g. **Change a password**, **Task Manager**, **Network**) in the Ctrl+Alt+Del screen to ensure the users cannot access the functionalities that are not allowed in the lockdown experience. 
- -### Auto-trigger touch keyboard - -In the multi-app mode, the touch keyboard will be automatically triggered when there is an input needed and no physical keyboard is attached on touch-enabled devices. You don’t need to configure any other setting to enforce this behavior. @@ -756,3 +614,6 @@ In Windows Configuration Designer, under **ProvisioningCommands** > **DeviceCont - Under **CommandLine**, enter `cmd /c *FileName*.bat`. +## Other methods + +Environments that use WMI can use the [MDM Bridge WMI Provider to configure a kiosk](kiosk-mdm-bridge.md). \ No newline at end of file diff --git a/windows/configuration/lockdown-features-windows-10.md b/windows/configuration/lockdown-features-windows-10.md index d77388e0cb..1628b1c866 100644 --- a/windows/configuration/lockdown-features-windows-10.md +++ b/windows/configuration/lockdown-features-windows-10.md @@ -52,10 +52,10 @@ Many of the lockdown features available in Windows Embedded 8.1 Industry have be

Keyboard filter is added in Windows 10, version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via Turn Windows Features On/Off. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.

-

[Shell Launcher](https://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Classic Windows application on sign-on

+

[Shell Launcher](https://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Windows desktop application on sign-on

[Shell Launcher](https://go.microsoft.com/fwlink/p/?LinkId=618603)

Shell Launcher continues in Windows 10. It is now configurable in Windows ICD under the SMISettings category.

-

Learn [how to use Shell Launcher to create a kiosk device](https://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Classic Windows application.

+

Learn [how to use Shell Launcher to create a kiosk device](https://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Windows desktop application.

[Application Launcher]( https://go.microsoft.com/fwlink/p/?LinkId=626675): launch a Universal Windows Platform (UWP) app on sign-on

diff --git a/windows/configuration/multi-app-kiosk-troubleshoot.md b/windows/configuration/multi-app-kiosk-troubleshoot.md index 0ee82de1b3..6857cf8aac 100644 --- a/windows/configuration/multi-app-kiosk-troubleshoot.md +++ b/windows/configuration/multi-app-kiosk-troubleshoot.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: medium -ms.date: 09/27/2017 +ms.date: 07/30/2018 ms.author: jdecker ms.topic: article --- @@ -31,7 +31,7 @@ For example: **Troubleshooting steps** -1. [Verify that the provisioning package is applied successfully](lock-down-windows-10-to-specific-apps.md#validate-provisioning). +1. [Verify that the provisioning package is applied successfully](kiosk-validate.md). 2. Verify that the account (config) is mapped to a profile in the configuration XML file. 3. Verify that the configuration XML file is authored and formatted correctly. Correct any configuration errors, then create and apply a new provisioning package. Sign out and sign in again to check the new configuration. diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md index 17162822c3..9979020ba7 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md +++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md @@ -82,7 +82,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L ![step one](../images/one.png)![set up device](../images/set-up-device.png)

Enter a name for the device.

(Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)

Toggle **Yes** or **No** to **Configure devices for shared use**. This setting optimizes Windows 10 for shared use scenarios. [Learn more about shared PC configuration.](../set-up-shared-or-guest-pc.md)

You can also select to remove pre-installed software from the device. ![device name, upgrade to enterprise, shared use, remove pre-installed software](../images/set-up-device-details-desktop.png) ![step two](../images/two.png) ![set up network](../images/set-up-network.png)

Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.![Enter network SSID and type](../images/set-up-network-details-desktop.png) ![step three](../images/three.png) ![account management](../images/account-management.png)

Enable account management if you want to configure settings on this page.

You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

To create a local administrator account, select that option and enter a user name and password.

**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. ![join Active Directory, Azure AD, or create a local admin account](../images/account-management-details.png) -![step four](../images/four.png) ![add applications](../images/add-applications.png)

You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md). ![add an application](../images/add-applications-details.png) +![step four](../images/four.png) ![add applications](../images/add-applications.png)

You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md). ![add an application](../images/add-applications-details.png) ![step five](../images/five.png) ![add certificates](../images/add-certificates.png)

To provision the device with a certificate, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.![add a certificate](../images/add-certificates-details.png) ![finish](../images/finish.png)

You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.![Protect your package](../images/finish-details.png) diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md index bacec7e70a..9f7712c5d3 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md @@ -20,7 +20,7 @@ ms.date: 09/06/2017 - Windows 10 -In Windows 10, version 1703, you can install multiple Universal Windows Platform (UWP) apps and Classic Windows (Win32) applications in a provisioning package. This topic explains the various settings in [Windows Configuration Designer](provisioning-install-icd.md) for app install. +In Windows 10, version 1703, you can install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package. This topic explains the various settings in [Windows Configuration Designer](provisioning-install-icd.md) for app install. When you add an app in a Windows Configuration Designer wizard, the appropriate settings are displayed based on the app that you select. For instructions on adding an app using the advanced editor in Windows Configuration Designer, see [Add an app using advanced editor](#adv). @@ -35,7 +35,7 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate - **Required appx dependencies**: Specify the appx dependency packages that are required for the installation of the app -## Settings for Classic Windows apps +## Settings for Windows desktop applications ### MSI installer 
@@ -61,7 +61,7 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate -## Add a Classic Windows app using advanced editor in Windows Configuration Designer +## Add a Windows desktop application using advanced editor in Windows Configuration Designer 1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **PrimaryContext** > **Command**. diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md index b05f6637ed..c0cbd3ed3f 100644 --- a/windows/configuration/provisioning-packages/provisioning-create-package.md +++ b/windows/configuration/provisioning-packages/provisioning-create-package.md @@ -43,7 +43,7 @@ You use Windows Configuration Designer to create a provisioning package (.ppkg) - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md) - - [Instructions for the kiosk wizard](../setup-kiosk-digital-signage.md#wizard) + - [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard) - [Instructions for HoloLens wizard](https://technet.microsoft.com/itpro/hololens/hololens-provisioning) - [Instructions for Surface Hub wizard](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub) diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index 4bbbf8ad10..2a331f5839 100644 --- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md 
@@ -86,7 +86,7 @@ The following table describes settings that you can configure using the wizards - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md) -- [Instructions for the kiosk wizard](../setup-kiosk-digital-signage.md#wizard) +- [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard) - [Instructions for the HoloLens wizard](https://docs.microsoft.com/hololens/hololens-provisioning#wizard) diff --git a/windows/configuration/setup-digital-signage.md b/windows/configuration/setup-digital-signage.md new file mode 100644 index 0000000000..c0fdbf85d4 --- /dev/null +++ b/windows/configuration/setup-digital-signage.md 
@@ -0,0 +1,87 @@
+---
+title: Set up digital signs on Windows 10 (Windows 10)
+description: A single-use device such as a digital sign is easy to set up in Windows 10 (Pro, Enterprise, and Education).
+ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
+keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage", "kiosk browser", "browser"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.localizationpriority: high
+ms.date: 07/30/2018
+---
+
+# Set up digital signs on Windows 10
+
+
+**Applies to**
+
+- Windows 10 Pro, Enterprise, and Education
+
+Digital signage can be a useful and exciting business tool. Use digital signs to showcase your products and services, to display testimonials, or to advertise promotions and campaigns. A digital sign can be a static display, such as a building directory or menu, or it can be dynamic, such as repeating videos or a social media feed.
+
+For digital signage, simply select a digital sign player as your kiosk app. You can also use the Kiosk Browser app (a new Microsoft app for Windows 10, version 1803) and configure it to show your online content.
+
+>[!TIP]
+>Kiosk Browser can also be used in [single-app kiosks](kiosk-single-app.md) and [multi-app kiosk](lock-down-windows-10-to-specific-apps.md) as a web browser. For more information, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers).
+
+Kiosk Browser must be downloaded for offline licensing using Microsoft Store for Business. You can deploy Kiosk Browser to devices running Windows 10, version 1803.
+
+>[!NOTE]
+>If you haven't set up your Microsoft Store for Business yet, check out [the prerequisites](https://docs.microsoft.com/microsoft-store/prerequisites-microsoft-store-for-business) and then [sign up](https://docs.microsoft.com/microsoft-store/sign-up-microsoft-store-for-business).
+
+
+This procedure explains how to configure digital signage using Kiosk Browser on a device running Windows 10, version 1803, that has already been set up (completed the first-run experience).
+
+1. [Get **Kiosk Browser** in Microsoft Store for Business with offline, unencoded license type.](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps)
+2. [Download the **Kiosk Browser** package, license file, and all required frameworks.](https://docs.microsoft.com/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app)
+2. [Install Windows Configuration Designer.](~/provisioning-packages/provisioning-install-icd.md)
+3. Open Windows Configuration Designer and select **Provision kiosk devices**.
+4. Enter a friendly name for the project, and select **Finish**.
+5. On **Set up device**, select **Disabled**, and select **Next**.
+6. On **Set up network**, enable network setup.
+ - Toggle **On** wireless network connectivity.
+ - Enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
+7. On **Account management**, select **Disabled**, and select **Next**.
+8. On **Add applications**, select **Add an application**.
+ - For **Application name**, enter `Kiosk Browser`.
+ - For **Installer path**, browse to and select the AppxBundle that you downloaded from Microsoft Store for Business. After you select the package, additional fields are displayed.
+ - For **License file path**, browse to and select the XML license file that you downloaded from Microsoft Store for Business.
+ - The **Package family name** is populated automatically.
+ - Select **Next**.
+9. On **Add certificates**, select **Next**.
+10. On **Configure kiosk account and app**, toggle **Yes** to create a local user account for your digital signage.
+ - Enter a user name and password, and toggle **Auto sign-in** to **Yes**.
+ - Under **Configure the kiosk mode app**, enter the user name for the account that you're creating.
+ - For **App type**, select **Universal Windows App**.
+ - In **Enter the AUMID for the app**, enter `Microsoft.KioskBrowser_8wekyb3d8bbwe`.
+11. In the bottom left corner of Windows Configuration Designer, select **Switch to advanced editor**.
+12. Go to **Runtime settings** > **Policies** > **KioskBrowser**. Let's assume that the URL for your digital signage content is contoso.com/menu.
+ - In **BlockedUrlExceptions**, enter `https://www.contoso.com/menu`.
+ - In **BlockedUrl**, enter `*`.
+ - In **DefaultUrl**, enter `https://www.contoso.com/menu`.
+ - Set **EnableEndSessionButton**, **EnableHomeButton**, and **EnableNavigationButtons** to **No**.
+13. On the **File** menu, select **Save**, and select **OK** in the **Keep your info secure** dialog box.
+14. On the **Export** menu, select **Provisioning package**.
+15. Change the **Owner** to **IT Admin**, and select **Next**.
+16. On **Select security details for the provisioning package**, select **Next**.
+17. On **Select where to save the provisioning package**, select **Next**.
+18. On **Build the provisioning package**, select **Build**.
+19. On the **All done!** screen, click the **Output location**.
+20. Copy the .ppkg file to a USB drive.
+21. Attach the USB drive to the device that you want to use for your digital sign.
+22. Go to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package on the USB drive.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/windows/configuration/setup-kiosk-digital-signage.md b/windows/configuration/setup-kiosk-digital-signage.md
deleted file mode 100644
index f2f227fd8c..0000000000
--- a/windows/configuration/setup-kiosk-digital-signage.md
+++ /dev/null
@@ -1,487 +0,0 @@ ---- -title: Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education (Windows 10) -description: A single-use device such as a digital sign is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). -ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC -keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: jdeckerms -ms.author: jdecker -ms.topic: article -ms.localizationpriority: medium -ms.date: 06/05/2018 ---- - -# Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education - - -**Applies to** - -- Windows 10 Pro, Enterprise, and Education - - - -Some desktop devices in an enterprise serve a special purpose, such as a PC in the lobby that customers can use to view your product catalog or a PC displaying visual content as a digital sign. A single-use, kiosk device is easy to set up in Windows 10. (For kiosks that run more than one more app, see [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md).) - - - -## Choose a method for configuring your kiosks and digitals signs - -**Which type of app will your kiosk run?** Your kiosk can run a Universal Windows Platform (UWP) app or a Classic Windows desktop application. When the kiosk account signs in, the kiosk app will launch automatically. If the kiosk app is closed, it will automatically restart. - ->[!TIP] ->For **digital signage**, simply select a digital sign player as your kiosk app. You can also use the **Kiosk Browser** app ([new in Windows 10, version 1803)](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers) and configure it to show your online content. 
- -**Which type of user account will be the kiosk account?** The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. - ->[!WARNING] ->For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with least privilege, such as a local standard user account. -> ->Assigned access can be configured via Windows Management Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. - -**Which edition of Windows 10 will the kiosk run?** All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home. 
- -### Methods for kiosks and digital signs running a UWP app - -Choose this method | For this edition | For this kiosk account type ---- | --- | --- -[Local settings](#local) (for 1 or a few devices) | Pro, Ent, Edu | Local standard user -[PowerShell](#powershell) | Pro, Ent, Edu | Local standard user -[Provisioning](#wizard) | Pro (version 1709), Ent, Edu | Local standard user, Active Directory -[Intune or other mobile device management (MDM)](#set-up-assigned-access-in-mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD - -### Methods for kiosks and digital signs running a Classic Windows app - -Choose this method | For this edition | For this kiosk account type ---- | --- | --- -[Provisioning](#wizard) | Ent, Edu | Local standard user, Active Directory -[ShellLauncher](#shelllauncher) | Ent, Edu | Local standard user or administrator, Active Directory, Azure AD - - - - - -### Other settings to lock down - -For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk: - -Recommendation | How to ---- | --- -Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:

`HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled`

[Learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002)

You must restart the device after changing the registry. -Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign. -Hide **Ease of access** feature on the logon screen. | Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools. -Disable the hardware power button. | Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. -Remove the power button from the sign-in screen. | Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.** -Disable the camera. | Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. -Turn off app notifications on the lock screen. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. -Disable removable media. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.

**NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. - -In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can log on the assigned access account manually or you can configure the device to log on to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic logon. - - -**How to edit the registry to have an account automatically logged on** - -1. Open Registry Editor (regedit.exe). - - >[!NOTE]   - >If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002). -   - -2. Go to - - **HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon** - -3. Set the values for the following keys. - - - *AutoAdminLogon*: set value as **1**. - - - *DefaultUserName*: set value as the account that you want logged in. - - - *DefaultPassword*: set value as the password for the account. - - > [!NOTE] - > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. - - - *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key. - -4. Close Registry Editor. The next time the computer restarts, the account will be logged on automatically. - ->[!TIP] ->You can also configure automatic logon [using the Autologon tool from Sysinternals](https://docs.microsoft.com/sysinternals/downloads/autologon). - - - -## Set up a kiosk or digital sign in local Settings - ->App type: UWP -> ->OS edition: Windows 10 Pro, Ent, Edu -> ->Account type: Local standard user - -You can use **Settings** to quickly configure one or a few devices as a kiosk. 
(Using **Settings** isn't practical for configuring a lot of devices, but it would work.) When you set up a kiosk (also known as *assigned access*) in **Settings**, you must select a local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) - -When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts. - -If you want the kiosk account signed in automatically and the kiosk app launched when the device restarts, there is nothing you need to do. - -If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device. - -![Screenshot of automatic sign-in setting](images/auto-signin.png) - -**To set up assigned access in PC settings** - -1. Go to **Start** > **Settings** > **Accounts** > **Other people**. - -2. Choose **Set up assigned access**. - -3. Choose an account. - -4. Choose an app. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). - -5. 
Close **Settings** – your choices are saved automatically, and will be applied the next time that user account logs on. - -To remove assigned access, choose **Turn off assigned access and sign out of the selected account**. - - - - - -## Set up a kiosk or digital sign using Windows PowerShell - - ->App type: UWP -> ->OS edition: Windows 10 Pro, Ent, Edu -> ->Account type: Local standard user - -You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. - -To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator. - -``` -Set-AssignedAccess -AppUserModelId -UserName -``` - -``` -Set-AssignedAccess -AppUserModelId -UserSID -``` - -``` -Set-AssignedAccess -AppName -UserName -``` - -``` -Set-AssignedAccess -AppName -UserSID -``` - -> [!NOTE] -> To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once. - -[Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867). - -[Learn how to get the AppName](https://msdn.microsoft.com/library/windows/hardware/mt620046%28v=vs.85%29.aspx) (see **Parameters**). - -[Learn how to get the SID](https://go.microsoft.com/fwlink/p/?LinkId=615517). - -To remove assigned access, using PowerShell, run the following cmdlet. - -``` -Clear-AssignedAccess -``` - - - -## Set up a kiosk or digital sign using a provisioning package - ->App type: UWP or Classic Windows -> ->OS edition: Windows 10 Pro (version 1709) for UWP only; Ent, Edu for both app types -> ->Account type: Local standard user, Active Directory - ->[!IMPORTANT] ->When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows). 
- - -When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Classic Windows application. - - - - -[Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table. - - - - - - - - - - - - -
![step one](images/one.png)![set up device](images/set-up-device.png)

Enable device setup if you want to configure settings on this page.

**If enabled:**

Enter a name for the device.

(Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)

Toggle **Configure devices for shared use** off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.

You can also select to remove pre-installed software from the device.
![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details.png)
![step two](images/two.png) ![set up network](images/set-up-network.png)

Enable network setup if you want to configure settings on this page.

**If enabled:**

Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
![Enter network SSID and type](images/set-up-network-details.png)
![step three](images/three.png) ![account management](images/account-management.png)

Enable account management if you want to configure settings on this page.

**If enabled:**

You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

**Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

To create a local administrator account, select that option and enter a user name and password.

**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)
![step four](images/four.png) ![add applications](images/add-applications.png)

You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)

**Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application.
![add an application](images/add-applications-details.png)
![step five](images/five.png) ![add certificates](images/add-certificates.png)

To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.
![add a certificate](images/add-certificates-details.png)
![step six](images/six.png) ![Configure kiosk account and app](images/kiosk-account.png)

You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.

If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts.

In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Classic Windows app) or the AUMID (for a Universal Windows app). For a Classic Windows app, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.
![Configure kiosk account and app](images/kiosk-account-details.png)
![step seven](images/seven.png) ![configure kiosk common settings](images/kiosk-common.png)

On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.
![set tablet mode and configure welcome and shutdown and turn off timeout settings](images/kiosk-common-details.png)
![finish](images/finish.png)

You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
![Protect your package](images/finish-details.png)
- - ->[!NOTE] ->If you want to use [the advanced editor in Windows Configuration Designer](provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings** - ->[!TIP] ->You can also use [an XML file to configure both multi-app and single-app kiosks.](lock-down-windows-10-to-specific-apps.md) - ->[!IMPORTANT] ->When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - - - -[Learn how to apply a provisioning package.](provisioning-packages/provisioning-apply-package.md) - - - - - -  - - - -## Set up a kiosk or digital sign in Intune or other MDM service - ->App type: UWP -> ->OS edition: Windows 10 Pro (version 1709), Ent, Edu -> ->Account type: Local standard user, Azure AD - -Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a KioskModeApp setting. In the KioskModeApp setting, you enter the user account name and [AUMID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode. - -The following steps explain how to configure a kiosk in Microsoft Intune. For other MDM services, see the documentation for your provider. - -**To configure kiosk in Microsoft Intune** - -2. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**. -3. Select **Device configuration**. -4. Select **Profiles**. -5. Select **Create profile**. -6. 
Enter a friendly name for the profile. -7. Select **Windows 10 and later** for the platform. -8. Select **Kiosk (Preview)** for the profile type. -9. Enter a friendly name for the kiosk configuration. -10. Select **Kiosk - 1 setting available**. -10. Select **Add** to add a kiosk configuration. -10. Enter a friendly name for the kiosk configuration, and then in **Kiosk Mode**, select **Single full-screen app kiosk**. -10. Select either **Select a managed app** to choose a kiosk app that is managed by Intune, or **Enter UWP app AUMID** to specify the kiosk app by AUMID, and then select the app or enter the AUMID as appropriate. -1. For the user account, select either **Autologon** to create a user account for the kiosk that will sign in automatically, or **Local user account** to configure an existing user account to run the kiosk. **Local user account** can be a local standard user account on the device or an Azure Active Directory account. -14. Select **OK**, and then select **Create**. -18. Assign the profile to a device group to configure the devices in that group as kiosks. - - - -## Set up a kiosk or digital sign using Shell Launcher - ->App type: Classic Windows -> ->OS edition: Windows 10 Ent, Edu -> ->Account type: Local standard user or administrator, Active Directory, Azure AD - -Using Shell Launcher, you can configure a kiosk device that runs a Classic Windows application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. - ->[!NOTE] ->In Windows 10, version 1803, you can configure Shell Launcher using the **ShellLauncher** node of the [Assigned Access CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/assignedaccess-csp). -> ->You can also configure a kiosk device that runs a Classic Windows application by using the [Provision kiosk devices wizard](#wizard). - ->[!WARNING] ->- Windows 10 doesn’t support setting a custom shell prior to OOBE. 
If you do, you won’t be able to deploy the resulting image. ->- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell. - -### Requirements - -- A domain or local user account. - -- A Classic Windows application that is installed for that account. The app can be your own company application or a common app like Internet Explorer. - -[See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603) - - -### Configure Shell Launcher - -To set a Classic Windows application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell. - -**To turn on Shell Launcher in Windows features** - -1. Go to Control Panel > **Programs and features** > **Turn Windows features on or off**. - -2. Expand **Device Lockdown**. - -2. Select **Shell Launcher** and **OK**. - -Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or the Deployment Image Servicing and Management (DISM.exe) tool. - -**To turn on Shell Launcher using DISM** - -1. Open a command prompt as an administrator. -2. Enter the following command. - - ``` - Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher - ``` - -**To set your custom shell** - -Modify the following PowerShell script as appropriate. 
The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device. - -``` -# Check if shell launcher license is enabled -function Check-ShellLauncherLicenseEnabled -{ - [string]$source = @" -using System; -using System.Runtime.InteropServices; - -static class CheckShellLauncherLicense -{ - const int S_OK = 0; - - public static bool IsShellLauncherLicenseEnabled() - { - int enabled = 0; - - if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) { - enabled = 0; - } - - return (enabled != 0); - } - - static class NativeMethods - { - [DllImport("Slc.dll")] - internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value); - } - -} -"@ - - $type = Add-Type -TypeDefinition $source -PassThru - - return $type[0]::IsShellLauncherLicenseEnabled() -} - -[bool]$result = $false - -$result = Check-ShellLauncherLicenseEnabled -"`nShell Launcher license enabled is set to " + $result -if (-not($result)) -{ - "`nThis device doesn't have required license to use Shell Launcher" - exit -} - -$COMPUTER = "localhost" -$NAMESPACE = "root\standardcimv2\embedded" - -# Create a handle to the class instance so we can call the static methods. -try { - $ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting" - } catch [Exception] { - write-host $_.Exception.Message; - write-host "Make sure Shell Launcher feature is enabled" - exit - } - - -# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group. - -$Admins_SID = "S-1-5-32-544" - -# Create a function to retrieve the SID for a user account on a machine. 
- -function Get-UsernameSID($AccountName) { - - $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName) - $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier]) - - return $NTUserSID.Value - -} - -# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script. - -$Cashier_SID = Get-UsernameSID("Cashier") - -# Define actions to take when the shell program exits. - -$restart_shell = 0 -$restart_device = 1 -$shutdown_device = 2 - -# Examples. You can change these examples to use the program that you want to use as the shell. - -# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed. - -$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device) - -# Display the default shell to verify that it was added correctly. - -$DefaultShellObject = $ShellLauncherClass.GetDefaultShell() - -"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction - -# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed. - -$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell) - -# Set Explorer as the shell for administrators. - -$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe") - -# View all the custom shells defined. - -"`nCurrent settings for custom shells:" -Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction - -# Enable Shell Launcher - -$ShellLauncherClass.SetEnabled($TRUE) - -$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() - -"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled - -# Remove the new custom shells. 
- -$ShellLauncherClass.RemoveCustomShell($Admins_SID) - -$ShellLauncherClass.RemoveCustomShell($Cashier_SID) - -# Disable Shell Launcher - -$ShellLauncherClass.SetEnabled($FALSE) - -$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() - -"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled -``` - -## Sign out of assigned access - -To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account. - -If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key: - -**HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI** - -To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. - -  -## Related topics - -- [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md) - - - diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md index b1547d99cd..db8812512d 100644 --- a/windows/configuration/wcd/wcd-accounts.md +++ b/windows/configuration/wcd/wcd-accounts.md 
@@ -30,7 +30,7 @@ The **Azure > Authority** and **Azure > BPRT** settings for bulk Azure Active Di
 - [Instructions for desktop wizard](../provisioning-packages/provision-pcs-for-initial-deployment.md)
 - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md)
-- [Instructions for the kiosk wizard](../setup-kiosk-digital-signage.md#wizard)
+- [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard)
 ## ComputerAccount
diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md
index a8b96f80b9..1ba48ada16 100644
--- a/windows/configuration/wcd/wcd-policies.md
+++ b/windows/configuration/wcd/wcd-policies.md
@@ -49,7 +49,7 @@ This section describes the **Policies** settings that you can configure in [prov
 | [AllowDeveloperUnlock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowdeveloperunlock) | Whether developer unlock of device is allowed | X | X | X | X | X |
 | [AllowGameDVR](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowgamedvr) |Whether DVR and broadcasting is allowed | X | | | | |
 | [AllowSharedUserAppData](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowshareduserappdata) | Whether multiple users of the same app can share data | X | X | | | |
-| [AllowStore](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowstore) | Whether app store is allowed at device (?) | | X | | | |
+| [AllowStore](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowstore) | Whether app store is allowed at device | | X | | | |
 | [ApplicationRestrictions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-applicationrestrictions) | An XML blob that specifies app restrictions, such as an allow list, disallow list, etc. | | x | | | |
 | [RestrictAppDataToSystemVolume](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-restrictappdatatosystemvolume) | Whether app data is restricted to the system drive | X | X | | | |
 | [RestrictAppToSystemVolume](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-restrictapptosystemvolume) | Whether the installation of apps is restricted to the system drive | X | X | | | |
diff --git a/windows/configuration/wcd/wcd-provisioningcommands.md b/windows/configuration/wcd/wcd-provisioningcommands.md
index 744ae6a3b6..0f63fc68e7 100644
--- a/windows/configuration/wcd/wcd-provisioningcommands.md
+++ b/windows/configuration/wcd/wcd-provisioningcommands.md
@@ -13,7 +13,7 @@ ms.date: 09/06/2017
 # ProvisioningCommands (Windows Configuration Designer reference)
-Use ProvisioningCommands settings to install Classic Windows apps using a provisioning package.
+Use ProvisioningCommands settings to install Windows desktop applications using a provisioning package.
 ## Applies to
diff --git a/windows/configuration/wcd/wcd-smisettings.md b/windows/configuration/wcd/wcd-smisettings.md
index 2f7f8216e2..a9e588a6f8 100644
--- a/windows/configuration/wcd/wcd-smisettings.md
+++ b/windows/configuration/wcd/wcd-smisettings.md
@@ -93,7 +93,7 @@ When you **enable** KeyboardFilter, a number of other settings become available ## ShellLauncher settings -Use ShellLauncher to specify the application or executable to use as the default custom shell. One use of ShellLauncher is to [create a kiosk (fixed-purpose) device running a Classic Windows application](https://docs.microsoft.com/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions#shell-launcher-for-classic-windows-applications). +Use ShellLauncher to specify the application or executable to use as the default custom shell. One use of ShellLauncher is to [create a kiosk (fixed-purpose) device running a Windows desktop application](https://docs.microsoft.com/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions#shell-launcher-for-classic-windows-applications). >[!WARNING] >Windows 10 doesn’t support setting a custom shell prior to OOBE. If you do, you won’t be able to deploy the resulting image. diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index a149748012..80adf12056 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md @@ -235,10 +235,6 @@ ### [Manage device restarts after updates](update/waas-restart.md) ### [Manage additional Windows Update settings](update/waas-wu-settings.md) ### [Determine the source of Windows updates](update/windows-update-sources.md) -### [Windows Insider Program for Business](update/waas-windows-insider-for-business.md) -#### [Introduction to the Windows Insider Program for Business](update/WIP4Biz-intro.md) -#### [Windows Insider Program for Business Frequently Asked Questions](update/waas-windows-insider-for-business-faq.md) -#### [Olympia Corp enrollment](update/olympia/olympia-enrollment-guidelines.md) ### [Change history for Update Windows 10](update/change-history-for-update-windows-10.md) ## [Windows Analytics](update/windows-analytics-overview.md) 
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 0e3ae864cf..d0c4ddbf52 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -70,7 +70,7 @@ To align with this new update delivery model, Windows 10 has three servicing cha ### Naming changes As part of the alignment with Windows 10 and Office 365 ProPlus, we are adopting common terminology to make it as easy as possible to understand the servicing process. Going forward, these are the new terms we will be using: -* Semi-Annual Channel - We will be referreing to Current Branch (CB) as "Semi-Annual Channel (Targeted)", while Current Branch for Business (CBB) will simply be referred to as "Semi-Annual Channel". +* Semi-Annual Channel - We will be referring to Current Branch (CB) as "Semi-Annual Channel (Targeted)", while Current Branch for Business (CBB) will simply be referred to as "Semi-Annual Channel". * Long-Term Servicing Channel -  The Long-Term Servicing Branch (LTSB) will be referred to as Long-Term Servicing Channel (LTSC). >[!IMPORTANT] diff --git a/windows/deployment/update/waas-windows-insider-for-business-aad.md b/windows/deployment/update/waas-windows-insider-for-business-aad.md deleted file mode 100644 index e8099960b8..0000000000 --- a/windows/deployment/update/waas-windows-insider-for-business-aad.md +++ /dev/null 
@@ -1,123 +0,0 @@ ---- -title: Windows Insider Program for Business using Azure Active Directory -description: Benefits and configuration of corporate accounts in the Windows Insider Program -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: DaniHalfin -ms.localizationpriority: medium -ms.author: daniha -ms.date: 10/16/2017 ---- - -# Windows Insider Program for Business using Azure Active Directory - - -**Applies to** - -- Windows 10 - -> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -We recently added features and benefits to better support the IT Professionals and business users in our Windows Insider community. This includes the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. - ->[!NOTE] ->At this point, the Windows Insider Program for Business only supports Azure Active Directory (and not Active Directory on premises) as a corporate authentication method. - ->[!TIP] ->New to Azure Active Directory? Go here for [an introduction to AAD](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect), including guidance for [adding users](https://docs.microsoft.com/azure/active-directory/active-directory-users-create-azure-portal), [device registration](https://docs.microsoft.com/azure/active-directory/active-directory-device-registration-overview) and [integrating your on-premises directories with Azure AD](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect). 
-> ->If your company is currently not using AAD – but has a paid subscription to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services – you have a free subscription to Microsoft Azure Active Directory. This subscription can be used to create users for enrollment in the Windows Insider Program for Business. - -In order to get the most benefit out of the Windows Insider Program for Business, organizations should not use a test tenant of AAD. There will be no modifications to the AAD tenant to support the Windows Insider Program as it will only be used as an authentication method. - -## Register your organization's Azure AD domain to the Windows Insider Program for Business -Rather than have each user in your organization register for Windows 10 Insider Preview builds, you can now simply register your domain – and cover all users with just one registration. - -1. On the [Windows Insider](https://insider.windows.com) website, go to **For Business > Getting Started** to [register your organizational Azure AD account](https://insider.windows.com/en-us/insidersigninaad/). -2. **Register your domain**. Rather than have each user register individually for Windows Insider Preview builds, administrators can simply [register their domain](https://insider.windows.com/en-us/for-business-organization-admin/) and control settings centrally. - ->[!IMPORTANT] ->The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain. - -## Check if a device is connected to your company’s Azure Active Directory subscription -Simply go to **Settings > Accounts > Access work or school**. If a corporate account is on Azure Active Directory and it is connected to the device, you will see the account listed as highlighted in the image below. - -![Device connected to Work Account](images/waas-wipfb-work-account.jpg) - -## Enroll a device with an Azure Active Directory account -1. 
Navigate to the [**Getting Started**](https://insider.windows.com/en-us/getting-started/) page on [Windows Insider](https://insider.windows.com). -2. Go to **Register your organization account** and follow the instructions. -3. On your Windows 10 device, go to **Settings > Updates & Security > Windows Insider Program**. -4. Enter the AAD account that you used to register and follow the on-screen directions. - ->[!NOTE] ->Make sure that you have administrator rights to the machine and that it has latest Windows updates. - -## Switch device enrollment from your Microsoft account to your AAD account -1. Visit [insider.windows.com](https://insider.windows.com) to register your AAD account. If you are signed in with your Microsoft account, sign out, then sign back in with your corporate AAD account. -2. Click **Get started**, read and accept the privacy statement and program terms and click **Submit**. -3. On your Windows 10 PC, go to **Settings > Updates & Security > Windows Insider Program**. -4. Under Windows Insider account, click your Microsoft account, then **Change** to open a Sign In box. -5. Select your corporate account and click Continue to change your account. - -![Change Windows Insider account](images/waas-wipfb-change-user.png) - ->[!NOTE] ->Your device must be connected to your corporate account in AAD for the account to appear in the account list. - -## User consent requirement - -With the current version of the Feedback Hub app, we need the user's consent to access their AAD account profile data (We read their name, organizational tenant ID and user ID). When they sign in for the first time with the AAD account, they will see a popup asking for their permission, like this: - -![Feedback Hub consent to AAD pop-up](images/waas-wipfb-aad-consent.png) - -Once agreed, everything will work fine, and that user won't be prompted for permission again. 
- -### Something went wrong - -The option for users to give consent for apps to access their profile data is controlled through Azure Active Directory. This means the AAD administrators have the ability to allow or block users from giving consent. - -In case the administrators blocked this option, when the user signs in with the AAD account, they will see the following error message: - -![Feedback Hub consent error message](images/waas-wipfb-aad-error.png) - -This blocks the user from signing in, which means they won't be able to use the Feedback Hub app with their AAD credentials. - -**To fix this issue**, an administrator of the AAD directory will need to enable user consent for apps to access their data. - -To do this through the **classic Azure portal**: -1. Go to https://manage.windowsazure.com/ . -2. Switch to the **Active Directory** dashboard. - ![Azure classic portal dashboard button](images/waas-wipfb-aad-classicaad.png) -3. Select the appropriate directory and go to the **Configure** tab. -4. Under the **integrated applications** section, enable **Users may give applications permissions to access their data**. - ![Azure classic portal enable consent](images/waas-wipfb-aad-classicenable.png) - -To do this through the **new Azure portal**: -1. Go to https://portal.azure.com/ . -2. Switch to the **Active Directory** dashboard. - ![Azure new portal dashboard button](images/waas-wipfb-aad-newaad.png) -3. Switch to the appropriate directory. - ![Azure new portal switch directory button](images/waas-wipfb-aad-newdirectorybutton.png) -4. Under the **Manage** section, select **User settings**. - ![Azure new portal user settings](images/waas-wipfb-aad-newusersettings.png) -5. In the **Enterprise applications** section, enable **Users can allow apps to access their data**. - ![Azure new portal enable consent](images/waas-wipfb-aad-newenable.png) - - -## Frequently Asked Questions - -### Will my test machines be affected by automatic registration? 
-All devices enrolled in the Windows Insider Program (physical or virtual) will receive Windows 10 Insider Preview builds (regardless of registration with MSA or AAD). - -### Once I register with my corporate account in AAD, do I need to keep my Microsoft account for the Windows Insider Program? -No, once you set up your device using AAD credentials – all feedback and flighting on that machine will be under your AAD account. You may need MSA for other machines that aren’t being used on your corporate network or to get Microsoft Store App updates. - -### How do I stop receiving updates? -You can simply “unlink” your account by going to **Settings > Updates & Security > Windows Insider Program**, select Windows Insider Account and click **Unlink**. - - -## Related Topics -- [Windows Insider Program for Business](waas-windows-insider-for-business.md) -- [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md) diff --git a/windows/deployment/update/waas-windows-insider-for-business-faq.md b/windows/deployment/update/waas-windows-insider-for-business-faq.md deleted file mode 100644 index 0d5282bf9f..0000000000 --- a/windows/deployment/update/waas-windows-insider-for-business-faq.md +++ /dev/null 
@@ -1,106 +0,0 @@ ---- -title: Windows Insider Program for Business Frequently Asked Questions -description: Frequently Asked Questions and answers about the Windows Insider Program -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: DaniHalfin -ms.localizationpriority: medium -ms.author: daniha -ms.date: 10/24/2017 ---- - -# Windows Insider Program for Business Frequently Asked Questions - - -**Applies to** - -- Windows 10 - -> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -### Are the Windows Insider Program and Windows Insider Program for Business separate programs? -No, in fact just the opposite. The Windows Insider Program was created in 2014 to help Microsoft engage with Windows Fans worldwide. Windows Insiders are the first to be able to try new Windows features that we introduce through Windows 10 Insider Preview Builds. At the same time, they can provide feedback through the Feedback Hub App which helps create even better versions of Windows for all users. The Windows Insider Program for Business enables you to incorporate Insider Preview builds into your deployment plans using your corporate credentials, deepen connections with the IT Pro community, collect feedback within your organization, and increase the visibility of your organization’s feedback – especially on features that support productivity and business needs. Together we can resolve blocking or critical issues to better support your organization’s needs sooner. Incorporating the Windows Insider Program for Business into your deployment plans enables you to prepare your organization for the next update of Windows 10, to deploy new services and tools more quickly, to help secure your applications, and to increase productivity and confidence in the stability of your environment. 
Windows Insider Program for Business participants collaborate with the Windows team to build and document features, infuse innovation, and plan for what’s around the bend. We’ve architected some great features together, received amazing feedback, and we’re not done. - -### What Languages are available? -Insider Preview builds are available in the following languages: English (United States), English (United Kingdom), Chinese (Simplified), Chinese (Traditional), Portuguese (Brazilian), Japanese, Russian, German, French, French (Canada), Korean, Italian, Spanish, Spanish (Latin America), Swedish, Finnish, Turkish, Arabic, Dutch, Czech, Polish, Thai, Catalan, Hindi, and Vietnamese. - -If your Windows build is not in one of the available base languages, you will not receive Insider Preview builds. - -Hindi, Catalan, and Vietnamese can only be installed as a language pack over [supported base languages](https://support.microsoft.com/help/14236/language-packs). - ->[!NOTE] -> To learn how to install a language pack, see [How to add an input language to your PC Additional](https://support.microsoft.com/instantanswers/60f32ff8-8697-4452-af7d-647439c38433/how-to-add-and-switch-input-languages-on-your-pc). - -### How do I register for the Windows Insider Program for Business? -To register for the Windows Insider Program for Business, follow the steps below using your corporate account in Azure Active Directory (AAD). This account is the same account that you use for Office 365 and other Microsoft services. - -1. Visit https://insider.windows.com and click **Get Started**. -2. Sign-in with your corporate account in AAD (username/password) and follow the on-screen registration directions. -3. Enroll your Windows 10 PC to get the latest Windows 10 Insider Preview builds. Go to **Settings > Updates & Security > Windows Insider Program**. Click **Get Started**, enter your corporate credentials that you used to register, then follow the on-screen directions. 
- ->[!NOTE] ->Make sure that you have administrator rights to your machine and that it has latest Windows updates. - -### Are there any management capabilities that allow an IT admin to manage settings for a corporate environment? -Yes. Starting with Windows 10, version 1709, the Windows Insider Program for Business now enables administrators to apply the following group policies to help them manage their organization’s preview builds: - -**Manage preview builds:** Administrators can enable or prevent builds from installing on a device. You also have an option to disable preview builds once the release is public. -**Branch Readiness Level:** Administrators can set the Windows readiness level, including Fast, Slow, Release Preview Rings of Windows Insider Preview) and allows administrators to defer or pause delivery of updates. - -See more information on the [Getting started with Windows Insider Program for Business](/windows-insider/at-work-pro/wip-4-biz-get-started) section. - -### How can I find out if my corporate account is on Azure Active Directory? -On your PC, go to **Settings > Accounts > Access work or school**. If your organization has set up your corporate account in Azure Active Directory and it is connected to your PC, you will see the account listed as highlighted in the image below. - -![Device connected to Work Account](images/waas-wipfb-work-account.jpg) - -### I have more than one Azure Active Directory account. Which should I use? -Register for Windows Insider Program for Business with the same active account that you use to access your corporate email in Office 365 and other Microsoft services. To ensure you get the most benefit out of the Windows Insider Program for Business and that your company is fully represented, do not set up a separate tenant for testing activities. There will be no modifications to the AAD tenant to support Windows Insider Program for Business, and it will only be used as an authentication method. 
- -### Can I register multiple users from my organization at the same time for the Windows Insider Program for Business? -Yes. The Windows Insider Program for Business now allows organizations to register their domain and control settings centrally rather than require each user to register individually for Insider Preview builds. In order to register, follow instructions on the [Getting started with Windows Insider Program for Business](/windows-insider/at-work-pro/wip-4-biz-get-started) section. - -### My account is listed in Active Directory but not Azure Active Directory. Can I still register using my Active Directory credentials? -No. At this point, we are only supporting Azure Active Directory as a corporate authentication method. If you’d like to suggest or upvote another authentication method, please visit this [forum](https://answers.microsoft.com/en-us/insider/forum/insider_wintp). - -### I just want to participate as a Windows Insider. Do I still need to register with my corporate account in Azure Active Directory? -No. You can join using your Microsoft account (MSA) by following the steps below. However, please note that if you want to access the benefits of the Windows Insider Program for Business, you will need to sign-up using your corporate account in Azure Active Directory. - -1. Visit https://insider.windows.com and click Get Started. -2. Register with your Microsoft account and follow the on-screen registration directions. -3. Enroll your Windows 10 PC to get the latest Windows 10 Insider Preview builds by going to **Settings > Updates & Security > Windows Insider Program** and entering your Microsoft account that you used to register. Now follow the on-screen directions. - ->[!NOTE] ->Make sure that you have administrator rights to your machine and that it has latest Windows updates. - -### I am already a Windows Insider. I want to switch my account from my Microsoft account to my corporate account in Azure Active Directory. How do I do this? 
-In just a few steps, you can switch your existing program registration from your Microsoft account to your corporate account in Azure Active Directory. - -1. Visit https://insider.windows.com. If you are signed in with your Microsoft account, sign out then sign back in to register with your corporate account in AAD. -2. On your Windows 10 PC, go to **Settings > Updates & Security > Windows Insider Program**. -3. In your account Under Windows Insider account, click **Change** to open a pop-up box. -4. Select your corporate account and click Continue to change your account. - ->[!NOTE] ->Your corporate account must be connected to the device for it to appear in the account list. - -### How do I sign into the Feedback Hub with my corporate credentials? -Sign in to the Feedback Hub using the same AAD account you are using to flight builds. - -### Am I going to lose all the feedback I submitted and badges I earned with my MSA? -No. However, your feedback will not be transferred from your MSA to your AAD account. You can switch back to your MSA account in the Feedback Hub to access feedback you’ve submitted and badges you’ve earned. - -### How is licensing handled for Windows 10 Insider builds? -All PCs need to have a valid Windows 10 license. This requirement applies whether the device is joined to the Windows Insider Program using a Microsoft account or an Azure Active Directory account. - -### Can I use the Software in a live operating environment? -The software is a pre-release version, and we do not recommend that organizations run Windows Insider Preview builds outside of their test environments. This software may not work the way a final version of the software will. We may change it for the final, commercial version. We also may not release a commercial version. - -### Can a single MSA or AAD account be used to register more than one PC in the program? -Yes. 
If each PC has a valid Windows 10 or Windows 10 Mobile license you can use your MSA on as many devices as you’d like. However, the main concern would be that within the feedback it all looks like it comes from a single user. If multiple devices are experiencing problems with a build, you’d want the ability to submit the same feedback from multiple people (or upvote the same piece of feedback). - - -## Related Topics -- [Windows Insider Program for Business](waas-windows-insider-for-business.md) -- [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md) \ No newline at end of file diff --git a/windows/security/hardware-protection/tpm/change-the-tpm-owner-password.md b/windows/security/hardware-protection/tpm/change-the-tpm-owner-password.md index 85fc58c11a..7731079b80 100644 --- a/windows/security/hardware-protection/tpm/change-the-tpm-owner-password.md +++ b/windows/security/hardware-protection/tpm/change-the-tpm-owner-password.md @@ -45,7 +45,7 @@ To change to a new TPM owner password, in TPM.msc, click **Change Owner Password ## Use the TPM cmdlets -You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). +You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/en-us/powershell/module/trustedplatformmodule). ## Related topics diff --git a/windows/security/hardware-protection/tpm/trusted-platform-module-overview.md b/windows/security/hardware-protection/tpm/trusted-platform-module-overview.md index 829d773086..43699df08e 100644 --- a/windows/security/hardware-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/hardware-protection/tpm/trusted-platform-module-overview.md 
@@ -68,7 +68,7 @@ Some things that you can check on the device are: - Is SecureBoot supported and enabled? > [!NOTE] -> The device must be running Windows 10 and it must support at least TPM 2.0. +> The device must be running Windows 10 and it must support at least TPM 2.0 in order to utilize Device Health Attestation. ## Supported versions diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index cdfbc8c21a..2cc7a62ad3 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.date: 04/19/2017 +ms.date: 07/30/2018 --- # Local Accounts 
@@ -114,11 +114,11 @@ Even when the Administrator account has been disabled, it can still be used to g ### Guest account -The Guest account (SID S-1-5-32-546) is disabled by default on installation. The Guest account lets occasional or one-time users, who do not have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account has a blank password. Because the Guest account can provide anonymous access, it is a security risk. For this reason, it is a best practice to leave the Guest account disabled, unless its use is entirely necessary. +The Guest account is disabled by default on installation. The Guest account lets occasional or one-time users, who do not have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account has a blank password. Because the Guest account can provide anonymous access, it is a security risk. For this reason, it is a best practice to leave the Guest account disabled, unless its use is entirely necessary. **Account group membership** -By default, the Guest account is the only member of the default Guests group, which lets a user sign in to a server. On occasion, an administrator who is a member of the Administrators group can set up a user with a Guest account on one or more computers. +By default, the Guest account is the only member of the default Guests group (SID S-1-5-32-546), which lets a user sign in to a server. On occasion, an administrator who is a member of the Administrators group can set up a user with a Guest account on one or more computers. **Security considerations** diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index 11d1a66100..f986fd3e0e 100644 
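Review bot: With the SID moved to the Guests group sentence, the "Guest account" paragraph no longer identifies the account by anything other than its display name. S-1-5-32-546 is indeed the built-in Guests group, so the move is correct, but someone auditing local accounts usually needs the account's own identifier as well, since the account name is not a stable key. Consider opening the paragraph with `The Guest account (SID S-1-5-<domain>-501) is disabled by default on installation.` so the account and the group are each tied to their well-known SID. The rest of the section lies outside this hunk, so check that the SID is not already stated there.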
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md @@ -60,7 +60,7 @@ Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 o 1. Open an elevated Windows PowerShell prompt. 2. Use the following command to install the Active Directory Certificate Services role. ```PowerShell - Add-WindowsFeature Adcs-Cert-Authority -IncludeManageTools + add-windowsfeature adcs-cert-authority -IncludeManagementTools ``` 3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration. diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md index 22c5b6361e..a57b762d3a 100644 --- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md +++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md 
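Review bot: The corrected command in step 2 fixes the parameter name (`-IncludeManagementTools`) but also lowercases the cmdlet and the feature name. PowerShell is case-insensitive, so the command runs, but the conventional casing `Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools` is easier to search for and to match against logged command lines. On Windows Server 2012 and later `Add-WindowsFeature` is an alias of `Install-WindowsFeature`, so the step could use that name instead. The numbered procedure continues outside the hunk.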
@@ -58,6 +58,15 @@ When the trigger occurs, VPN tries to connect. If an error occurs or any user in When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* by selecting the **Let apps automatically use this VPN connection** checkbox. By default, the first MDM-configured profile is marked as **Active**. +Preserving user Always On preference + +Windows has a feature to preserve a user’s AlwaysOn preference. In the event that a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList. +Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows will not check the box if the profile name exists in the below registry value in order to preserve user preference. +Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config +Value: AutoTriggerDisabledProfilesList +Type: REG_MULTI_SZ + + ## Trusted network detection This feature configures the VPN such that it would not get triggered if a user is on a trusted corporate network. The value of this setting is a list of DNS suffices. The VPN stack will look at the DNS suffix on the physical interface and if it matches any in the configured list and the network is private or provisioned by MDM, then VPN will not get triggered. @@ -86,4 +95,4 @@ After you add an associated app, if you select the **Only these apps can use thi - [VPN and conditional access](vpn-conditional-access.md) - [VPN name resolution](vpn-name-resolution.md) - [VPN security features](vpn-security-features.md) -- [VPN profile options](vpn-profile-options.md) \ No newline at end of file +- [VPN profile options](vpn-profile-options.md) 
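Review bot: The added "Preserving user Always On preference" text describes a case where a management tool re-adds a profile with AlwaysOn set to true and Windows still leaves it unchecked, but it does not say how an administrator can detect or reverse that. If removing the name is the supported reset, add a sentence such as `To restore automatic connection for a profile, remove its name from AutoTriggerDisabledProfilesList.`, and say whether the value should be audited on devices where Always On is a compliance requirement. The title line has no `###` marker, and the Key/Value/Type lines have no list or line-break markup, so they will probably render as one run-on paragraph. The spelling also alternates between "Always On" and "AlwaysOn" within the block.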
diff --git a/windows/security/identity-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md b/windows/security/identity-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md index 4aeab49c4b..840bf5b9b7 100644 --- a/windows/security/identity-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md +++ b/windows/security/identity-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md @@ -6,8 +6,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: brianlic-msft -ms.date: 04/19/2017 +author: Justinha +ms.date: 07/30/2018 --- # Configure the Workstation Authentication Certificate Template @@ -36,7 +36,7 @@ To complete these procedures, you must be a member of both the Domain Admins gro 6. Click the **Subject Name** tab. Make sure that **Build from this Active Directory information** is selected. In **Subject name format**, select **Fully distinguished name**. -7. Click the **Request Handling** tab. You must determine the best minimum key size for your environment. Large key sizes provide better security, but they can affect server performance. We recommended that you use the default setting of 2048. +7. Click the **Cryptography** tab. You must determine the best minimum key size for your environment. Large key sizes provide better security, but they can affect server performance. We recommended that you use the default setting of 2048. 8. Click the **Security** tab. In **Group or user names**, click **Domain Computers**, under **Allow**, select **Enroll** and **Autoenroll**, and then click **OK**. diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index 9721dffec5..691e7ec1de 100644 
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 07/18/2018 +ms.date: 07/27/2018 --- # BitLocker Management for Enterprises 
@@ -21,19 +21,11 @@ Though much Windows BitLocker [documentation](bitlocker-overview.md) has been pu Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx). -Enterprises can use [Microsoft BitLocker Administration and Management (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201) or they can receive extended support until July 2024. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. When moving to cloud-based management, following these steps could be helpful: - -1. Disable MBAM management and leave MBAM as only a database backup for the recovery key. -2. Join the computers to Azure Active Directory (Azure AD). -3. Use `Manage-bde -protectors -aadbackup` to backup the recovery key to Azure AD. - -BitLocker recovery keys can be managed from Azure AD thereafter. The MBAM database does not need to be migrated. 
- -Enterprises that choose to continue managing BitLocker on-premises after MBAM support ends can use the [BitLocker WMI provider class](https://msdn.microsoft.com/library/windows/desktop/aa376483) to create a custom management solution. +Enterprises can use [Microsoft BitLocker Administration and Management (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201) or they can receive extended support until July 2024. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD). ## Managing devices joined to Azure Active Directory -Devices joined to Azure Active Directory (Azure AD) are managed using Mobile Device Management (MDM) policy from an MDM solution such as [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). BitLocker Device Encryption status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online. +Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). 
BitLocker Device Encryption status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online. Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 Business or Enterprise editions and on Windows Phones. diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index a293cb908b..2a988c9641 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -422,7 +422,7 @@ There are no default locations included with WIP, you must add each of your netw Network domains corp.contoso.com,region.contoso.com - Starting with Windows 10, version 1703, this field is optional.

Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

If you have multiple resources, you must separate them using the "," delimiter. + Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

If you have multiple resources, you must separate them using the "," delimiter. Proxy servers diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 4e87f11954..d772192059 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 04/19/2017 +ms.date: 07/25/2018 --- # Apply a basic audit policy on a file or folder @@ -32,7 +32,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - To audit failure events, click **Fail.** - To audit all events, click **All.** -> **Important:**  Before setting up auditing for files and folders, you must enable object access auditing by defining auditing policy settings for the object access event category. If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files or folders will be audited. +> **Important:**  Before setting up auditing for files and folders, you must enable [object access auditing](basic-audit-object-access.md) by defining auditing policy settings for the object access event category. If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files or folders will be audited.   ## Additional considerations diff --git a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md index 4439eb8cb4..8e4b44e881 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/10/2018 +ms.date: 07/26/2018 --- @@ -83,8 +83,8 @@ Location | Setting | Description | Default setting (if not configured) ---|---|---|--- Scan | Specify the scan type to use for a scheduled scan | Quick scan Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never -Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am -Root | Randomize scheduled task times | Randomize the start time of the scan to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments | Enabled +Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am). | 2 am +Root | Randomize scheduled task times | Randomize the start time of the scan to any interval from 0 to 4 hours, or to any interval plus or minus 30 minutes for non-Windows Defender scans. This can be useful in VM or VDI deployments. | Enabled **Use PowerShell cmdlets to schedule scans:** diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 2754f9f13f..1aec53e4ed 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md 
@@ -655,32 +655,32 @@ Microsoft recommends that you block the following Microsoft-signed applications - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index e0acbff6f6..193fddfef8 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md @@ -116,13 +116,13 @@ ###### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection.md) #####File -###### [Block file API](block-file-windows-defender-advanced-threat-protection.md) +###### [Block file](block-file-windows-defender-advanced-threat-protection.md) ###### [Get file information](get-file-information-windows-defender-advanced-threat-protection.md) ###### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection.md) ###### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection.md) ###### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection.md) -###### [Get FileActions collection API](get-fileactions-collection-windows-defender-advanced-threat-protection.md) -###### [Unblock file API](unblock-file-windows-defender-advanced-threat-protection.md) +###### [Get FileActions collection](get-fileactions-collection-windows-defender-advanced-threat-protection.md) +###### [Unblock file](unblock-file-windows-defender-advanced-threat-protection.md) #####IP ###### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection.md) 
@@ -130,25 +130,25 @@ ###### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection.md) ###### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection.md) #####Machines -###### [Collect investigation package API](collect-investigation-package-windows-defender-advanced-threat-protection.md) +###### [Collect investigation package](collect-investigation-package-windows-defender-advanced-threat-protection.md) ###### [Find machine information by IP](find-machine-info-by-ip-windows-defender-advanced-threat-protection.md) ###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md) -###### [Get FileMachineAction object API](get-filemachineaction-object-windows-defender-advanced-threat-protection.md) -###### [Get FileMachineActions collection API](get-filemachineactions-collection-windows-defender-advanced-threat-protection.md) +###### [Get FileMachineAction object](get-filemachineaction-object-windows-defender-advanced-threat-protection.md) +###### [Get FileMachineActions collection](get-filemachineactions-collection-windows-defender-advanced-threat-protection.md) ###### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection.md) ###### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection.md) ###### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection.md) -###### [Get MachineAction object API](get-machineaction-object-windows-defender-advanced-threat-protection.md) -###### [Get MachineActions collection API](get-machineactions-collection-windows-defender-advanced-threat-protection.md) +###### [Get MachineAction object](get-machineaction-object-windows-defender-advanced-threat-protection.md) +###### [Get MachineActions collection](get-machineactions-collection-windows-defender-advanced-threat-protection.md) ###### [Get 
machines](get-machines-windows-defender-advanced-threat-protection.md) -###### [Get package SAS URI API](get-package-sas-uri-windows-defender-advanced-threat-protection.md) -###### [Isolate machine API](isolate-machine-windows-defender-advanced-threat-protection.md) -###### [Release machine from isolation API](unisolate-machine-windows-defender-advanced-threat-protection.md) -###### [Remove app restriction API](unrestrict-code-execution-windows-defender-advanced-threat-protection.md) -###### [Request sample API](request-sample-windows-defender-advanced-threat-protection.md) -###### [Restrict app execution API](restrict-code-execution-windows-defender-advanced-threat-protection.md) -###### [Run antivirus scan API](run-av-scan-windows-defender-advanced-threat-protection.md) -###### [Stop and quarantine file API](stop-quarantine-file-windows-defender-advanced-threat-protection.md) +###### [Get package SAS URI](get-package-sas-uri-windows-defender-advanced-threat-protection.md) +###### [Isolate machine](isolate-machine-windows-defender-advanced-threat-protection.md) +###### [Release machine from isolation](unisolate-machine-windows-defender-advanced-threat-protection.md) +###### [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection.md) +###### [Request sample](request-sample-windows-defender-advanced-threat-protection.md) +###### [Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection.md) +###### [Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection.md) +###### [Stop and quarantine file](stop-quarantine-file-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md index 6dfc383d4f..933ac113b2 100644 
--- a/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md
@@ -52,7 +52,7 @@ If successful, this method returns 200, Ok response code with empty body, which
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -66,7 +66,7 @@ Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md
index b9e163b603..1d19deb5cb 100644
--- a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md
@@ -51,7 +51,7 @@ If successful, this method returns 201, Created response code and _MachineAction
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -63,7 +63,7 @@ Content-type: application/json
 }
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md
index 11149f97e2..fec2f15177 100644
@@ -1,7 +1,7 @@
 ---
 title: Find machine information by internal IP API
-description: Use this API to create calls related to finding a machine entry around a specific timestamp by FQDN or internal IP.
-keywords: apis, graph api, supported apis, find machine, machine information, IP
+description: Use this API to create calls related to finding a machine entry around a specific timestamp by internal IP.
+keywords: ip, apis, graph api, supported apis, find machine, machine information
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -9,8 +9,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
-ms.localizationpriority: medium
-ms.date: 12/08/2017
+ms.localizationpriority: high
+ms.date: 07/25/2018
 ---
 # Find machine information by internal IP API
@@ -20,15 +20,17 @@ ms.date: 12/08/2017
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
+Find a machine entity around a specific timestamp by internal IP.
-Find a machine entity around a specific timestamp by FQDN or internal IP.
+>[!NOTE]
+>The timestamp must be within the last 30 days.
 ## Permissions
 User needs read permissions.
 ## HTTP request
 ```
-GET /testwdatppreview/machines/find(timestamp={time},key={IP/FQDN})
+GET /testwdatppreview/machines/find(timestamp={time},key={IP})
 ```
 ## Request headers
@@ -49,19 +51,20 @@ If no machine found - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
 ```
-GET https://graph.microsoft.com/testwdatppreview/machines/find(timestamp={time},key={IP/FQDN})
+GET https://graph.microsoft.com/testwdatppreview/machines/find(timestamp=2018-06-19T10:00:00Z,key='10.166.93.61')
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
+The response will return a list of all machines that reported this IP address within sixteen minutes prior and after the timestamp.
 ```
 HTTP/1.1 200 OK
diff --git a/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md
index 84dee5c7d5..11933fc1f8 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md
@@ -50,7 +50,7 @@ If actor does not exist - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -59,7 +59,7 @@ GET https://graph.microsoft.com/testwdatppreview/actors/zinc
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md
index 8a5762e665..7d607f80b0 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If actor does not exist or no related alerts - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/actors/zinc/alerts
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md
index 419cb34165..7bd281c1c2 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If alert not found - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/alerts/{id}
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md
index 9db57c1f3a..feb7c72977 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If alert not found or actor not found - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -59,7 +59,7 @@ Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md
index 2345c8b138..1dc2400622 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If alert not found or domain not found - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/domains
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md
index df332bb31e..692038dece 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If alert not found or files not found - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/files
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md
index be6ceafbb2..13d6fa451e 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If alert not found or IPs not found - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/ips
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md
index 3ef95e980b..c65563b583 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md
@@ -48,7 +48,7 @@ If alert not found or machine not found - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -57,7 +57,7 @@ GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/machine
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md
index 0844973f7e..0ca328f129 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If alert not found or user not found - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/user
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md
index 554f7a5466..91370e6ab4 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md
@@ -50,7 +50,7 @@ If no recent alerts found - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -59,7 +59,7 @@ GET https://graph.microsoft.com/testwdatppreview/alerts
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md
index 7d08798a81..edf69b8cc2 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If domain or alert does not exist - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/domains/{id}/alerts
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md
index c33a75f487..42274f276d 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If domain or machines do not exist - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/domains/{id}/machines
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md
index 8fc1561fca..a8d16cda6c 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If domain does not exist - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/domains/{id}/machines
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md
index 73c57db52c..3a8aecdcdc 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md
@@ -50,7 +50,7 @@ If file does not exist - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -59,7 +59,7 @@ GET https://graph.microsoft.com/testwdatppreview/files/{id}
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md
index fd93bb2eae..3bc108f4c5 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If file or alerts do not exist - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/files/{id}/alerts
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md
index e6c5a9365d..46a55266b9 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If file or machines do not exist - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/files/{id}/machines
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md
index 64a0f6b518..379a272b7f 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If file do not exist - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/files/{id}/machines
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md
index 12c0fa3996..58ec0179eb 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md
@@ -51,7 +51,7 @@ If successful, this method returns 200, Ok response code with a collection of Fi
 ## Example
-Request
+**Request**
 Here is an example of the request on an organization that has three FileActions.
@@ -59,7 +59,7 @@ Here is an example of the request on an organization that has three FileActions.
 GET https://graph.microsoft.com/testwdatppreview/fileactions
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md
index 754f96f452..e30ca834b1 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md
@@ -47,7 +47,7 @@ If successful, this method returns 200, Ok response code with the *FileMachineAc
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -55,7 +55,7 @@ Here is an example of the request.
 GET https://graph.microsoft.com/testwdatppreview/filemachineactions/3dc88ce3-dd0c-40f7-93fc-8bd14317aab6
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md
index a539468085..4f981ccd54 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md
@@ -47,7 +47,7 @@ If successful, this method returns 200, Ok response code with a collection of Fi
 ## Example 1
-Request
+**Request**
 Here is an example of the request on an organization that has three FileMachineActions.
@@ -55,7 +55,7 @@ Here is an example of the request on an organization that has three FileMachineA
 GET https://graph.microsoft.com/testwdatppreview/filemachineactions
 ```
-Response
+**Response**
 Here is an example of the response.
@@ -113,7 +113,7 @@ Content-type: application/json
 ##Example 2
-Request
+**Request**
 Here is an example of a request that filters the FileMachineActions by machine ID and shows the latest two FileMachineActions.
@@ -121,7 +121,7 @@ Here is an example of a request that filters the FileMachineActions by machine I
 GET https://graph.microsoft.com/testwdatppreview/filemachineactions?$filter=machineId eq 'f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f'&$top=2
 ```
-Response
+**Response**
 ```
 HTTP/1.1 200 Ok
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md
index 9df15443a5..b1ad30ecd5 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If IP and alerts do not exist - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/ips/{id}/alerts
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md
index 057ba3204c..1796c563b1 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md
@@ -42,7 +42,7 @@ If IP or machines do not exist - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -51,7 +51,7 @@ GET https://graph.microsoft.com/testwdatppreview/ips/{id}/machines
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md
index 2707f3e8f3..f04eee146e 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If domain does not exist - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/ips/{id}/machines
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md
index 4fae64901f..cdb7691d99 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If no machine found - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/machines/{id}
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md
index f63f7a4ac8..f73f0600fd 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md
@@ -50,7 +50,7 @@ If no machine found or no users found - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -59,7 +59,7 @@ GET https://graph.microsoft.com/testwdatppreview/machines/{id}/logonusers
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md
index 4d8df5b6a4..2cbf47c5da 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If no machine or no alerts found - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/machines/{id}/alerts
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md
index 2fc484f7ef..21214216c0 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md
@@ -47,7 +47,7 @@ If successful, this method returns 200, Ok response code with the *MachineAction
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -55,7 +55,7 @@ Here is an example of the request.
 GET https://graph.microsoft.com/testwdatppreview/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md
index 5cd4a460b5..4f8250057a 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md
@@ -47,7 +47,7 @@ If successful, this method returns 200, Ok response code with a collection of Ma
 ## Example 1
-Request
+**Request**
 Here is an example of the request on an organization that has three MachineActions.
@@ -55,7 +55,7 @@ Here is an example of the request on an organization that has three MachineActio
 GET https://graph.microsoft.com/testwdatppreview/machineactions
 ```
-Response
+**Response**
 Here is an example of the response.
@@ -107,7 +107,7 @@ Content-type: application/json
 ## Example 2
-Request
+**Request**
 Here is an example of a request that filters the MachineActions by machine ID and shows the latest two MachineActions.
@@ -117,7 +117,7 @@ GET https://graph.microsoft.com/testwdatppreview/machineactions?$filter=machineI
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md
index 23858c2f48..15f5915642 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If no recent machines - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/machines
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md
index bfb9838d29..ade4afd10e 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md
@@ -48,7 +48,7 @@ If successful, this method returns 200, Ok response code with object that holds
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -57,7 +57,7 @@ GET https://graph.microsoft.com/testwdatppreview/machineactions/7327b54fd718525c
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md
index 813f2d6b28..44a41412fe 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If user does not exist - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/users/{id}
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md
index 1d59e3024a..12c741d3fe 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If user does not exist - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/users/{id}/alerts
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md
index c4555f4144..80a2b92234 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If user or machine does not exist - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/users/{id}/machines
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
index dde8702b35..3bda2052aa 100644
--- a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
@@ -42,7 +42,7 @@ If domain does not exist - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -51,7 +51,7 @@ GET https://graph.microsoft.com/testwdatppreview/domains/{id}
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md
index 3071b4389d..0e5cdd372b 100644
--- a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md
@@ -49,7 +49,7 @@ If IP do not exist - 404 Not Found.
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -58,7 +58,7 @@ GET https://graph.microsoft.com/testwdatppreview/ips/{id}
 Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md
index 747a0d6995..8a1af5560e 100644
--- a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md
@@ -57,7 +57,7 @@ If successful, this method returns 201, Created response code and _MachineAction
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -70,7 +70,7 @@ Content-type: application/json
 }
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md
index 2a77493d4a..5e12dabe3d 100644
--- a/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md
@@ -52,7 +52,7 @@ If successful, this method returns 201, Created response code and *FileMachineAc
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -66,7 +66,7 @@ Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md
index 86e95ef071..b7b33d60ef 100644
--- a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md
@@ -51,7 +51,7 @@ If successful, this method returns 201, Created response code and _MachineAction
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -63,7 +63,7 @@ Content-type: application/json
 }
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md
index ff6df83998..c6803604a8 100644
--- a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md
@@ -59,7 +59,7 @@ If successful, this method returns 201, Created response code and _MachineAction
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -72,7 +72,7 @@ Content-type: application/json
 }
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md
index 246a062ea3..9540e46529 100644
--- a/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md
@@ -52,7 +52,7 @@ If successful, this method returns 201, Created response code and _FileMachineAc
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -65,7 +65,7 @@ Content-type: application/json
 }
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md
index 8a85f201ce..7ea3ec1258 100644
--- a/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md
@@ -52,7 +52,7 @@ If successful, this method returns 200, Ok response code with empty body, which
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -64,7 +64,7 @@ Content-type: application/json
 }
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md
index 2d3ab9fbaf..c0ef9d02f6 100644
--- a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md
@@ -51,7 +51,7 @@ If successful, this method returns 201, Created response code and _MachineAction
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -63,7 +63,7 @@ Content-type: application/json
 }
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md
index dcd0775b9e..4c8788c337 100644
--- a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md
@@ -51,7 +51,7 @@ If successful, this method returns 201, Created response code and _MachineAction
 ## Example
-Request
+**Request**
 Here is an example of the request.
@@ -64,7 +64,7 @@ Content-type: application/json
 ```
-Response
+**Response**
 Here is an example of the response.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
index a7574b02af..96ed1733a8 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
@@ -53,10 +53,9 @@ You can also [enable audit mode](audit-windows-defender-exploit-guard.md) for th
 >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how each of them work.
 Windows Defender EG can be managed and reported on in the Windows Defender Security Center as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies, which also includes:
-- [The Windows Defender ATP console](../windows-defender-atp/windows-defender-advanced-threat-protection.md)
+- [Windows Defender Security Center](../windows-defender-atp/windows-defender-security-center-atp.md)
 - [Windows Defender Antivirus in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
-- [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md)
-- Windows Defender Device Guard
+- [Windows Defender Application Control](../windows-defender-application-control/windows-defender-application-control.md)
 - [Windows Defender Application Guard](../windows-defender-application-guard/wd-app-guard-overview.md)
 You can use the Windows Defender ATP console to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). You can [sign up for a free trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works.
@@ -76,7 +75,7 @@ This section covers requirements for each feature in Windows Defender EG.
 | Feature | Windows 10 Home | Windows 10 Professional | Windows 10 E3 | Windows 10 E5 |
 | ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: |
 | Exploit protection | ![supported](./images/ball_50.png) | ![supported](./images/ball_50.png) | ![supported, enhanced](./images/ball_75.png) | ![supported, full reporting](./images/ball_full.png) |
-| Attack surface reduction | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, full reporting](./images/ball_full.png) |
+| Attack surface reduction | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
 | Network protection | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
 | Controlled folder access | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |