(New in Windows 10, version 1809) | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Display options for update notifications**
-or-
Use the MDM setting **Update/UpdateNotificationLevel** from the [**Policy/Update** configuration service provider](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel)
-or-
Add the following registry keys as type DWORD (32-bit) in the path of **HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate**:
**\SetUpdateNotificationLevel** with a value of `1`, and **\UpdateNotificationLevel** with a value of `1` to hide all notifications except restart warnings, or value of `2` to hide all notifications, including restart warnings. -Enable and schedule automatic updates | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates**, and select `option 4 (Auto download and schedule the install)`
-or-
Use the MDM setting **Update/AllowAutoUpdate** from the [**Policy/Update** configuration service provider](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate), and select `option 3 (Auto install and restart at a specified time)`
**Note:** Installations can take from between 30 minutes and 2 hours, depending on the device, so you should schedule updates to occur when a block of 3-4 hours is available.
To schedule the automatic update, configure **Schedule Install Day**, **Schedule Install Time**, and **Schedule Install Week**. -Enable automatic restart at the scheduled time | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Always automatically restart at the scheduled time** -Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:**HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled** -Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign. -Hide **Ease of access** feature on the sign-in screen. | See [how to disable the Ease of Access button in the registry.](/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen) -Disable the hardware power button. | Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. -Remove the power button from the sign-in screen. | Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.** -Disable the camera. | Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. -Turn off app notifications on the lock screen. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. -Disable removable media. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.**NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. +- **Hide update notifications**. Starting with Windows 10 version 1809, you can hide notifications from showing on the devices. To enable this feature, you have the following options: + - **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Display options for update notifications` + + - **Use an MDM provider**: This feature uses the [Update/UpdateNotificationLevel CSP](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel). In Endpoint Manager, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature. + + - **Use the registry**: + + 1. Open Registry Editor (regedit). + 2. Go to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`. + 3. Create a **New** > **DWORD (32-bit) Value**. Enter `SetUpdateNotificationLevel`, and set its value to `1`. + 4. Create a **New** > **DWORD (32-bit) Value**. Enter `UpdateNotificationLevel`. For value, you can enter: + + - `1`: Hides all notifications except restart warnings. + - `2`: Hides all notifications, including restart warnings. + +- **Enable and schedule automatic updates**. To enable this feature, you have the following options: + + - **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates`. Select `4 - Auto download and schedule the install`. + - **Use an MDM provider**: This feature uses the [Update/AllowAutoUpdate CSP](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate). Select `3 - Auto install and restart at a specified time`. In Endpoint Manager, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature. + + You can also schedule automatic updates, including **Schedule Install Day**, **Schedule Install Time**, and **Schedule Install Week**. Installations can take between 30 minutes and 2 hours, depending on the device. Schedule updates to occur when a block of 3-4 hours is available. + +- **Enable automatic restart at the scheduled time**. To enable this feature, you have the following options: + + - **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Always automatically restart at the scheduled time`. Select `4 - Auto download and schedule the install`. + + - **Use an MDM provider**: This feature uses the [Update/ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#update-activehoursstart) and [Update/ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#update-activehoursend) CSPs. In Endpoint Manager, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature. + +- **Replace "blue screen" with blank screen for OS errors**. To enable this feature, use the Registry Editor: + + 1. Open Registry Editor (regedit). + 2. Go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl`. + 3. Create a **New** > **DWORD (32-bit) Value**. Enter `DisplayDisabled`, and set its value to `1`. + +- **Put device in "Tablet mode"**. If you want users to use the touch screen, without using a keyboard or mouse, then turn on tablet mode using the Settings app. If users won't interact with the kiosk, such as for a digital sign, then don't turn on this setting. + + Applies to Windows 10 only. Currently, Tablet mode isn't supported on Windows 11. + + Your options: + + - Use the **Settings** app: + 1. Open the **Settings** app. + 2. Go to **System** > **Tablet mode**. + 3. Configure the settings you want. + + - Use the **Action Center**: + 1. On your device, swipe in from the left. + 2. Select **Tablet mode**. + +- **Hide "Ease of access" feature on the sign-in screen**: To enable this feature, you have the following options: + + - **Use an MDM provider**: In Endpoint Manager, you can use the [Control Panel and Settings](/mem/intune/configuration/device-restrictions-windows-10#control-panel-and-settings) to manage this feature. + - **Use the registry**: For more information, see [how to disable the Ease of Access button in the registry](/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen). + +- **Disable the hardware power button**: To enable this feature, you have the following options: + + - **Use the Settings app**: + 1. Open the **Settings** app. + 2. Go to **System** > **Power & Sleep** > **Additional power settings** > **Choose what the power button does**. + 3. Select **Do nothing**. + 4. **Save changes**. + + - **Use Group Policy**: Your options: + + - `Computer Configuration\Administrative Templates\System\Power Management\Button Settings`: Set `Select Power Button Action on Battery` and `Select Power Button Action on Plugged In` to **Take no action**. + - `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands`: This policy hides the buttons, but doesn't disable them. + - `Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system`: Remove the users or groups from this policy. + + To prevent this policy from affecting a member of the Administrators group, be sure to keep the Administrators group. + + - **Use an MDM provider**: In Endpoint Manager, you have some options: + + - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings: + + - `Power\Select Power Button Action on Battery`: Set to **Take no action**. + - `Power\Select Power Button Action on Plugged In`: Set to **Take no action**. + - `Start\Hide Power Button`: Set to **Enabled**. This policy hides the button, but doesn't disable it. + + - [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following setting: + + - `\Start menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands`: This policy hides the buttons, but doesn't disable them. + + When looking at settings, check the supported OS for each setting to make sure it applies. + + - [Start settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#start): This option shows this setting, and all the Start menu settings you can manage. + +- **Remove the power button from the sign-in screen**. To enable this feature, you have the following options: + + - **Use Group Policy**: `Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on`. Select **Disabled**. + + - **Use MDM**: In Endpoint Manager, you have the following option: + + - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following setting: + + - `Local Policies Security Options\Shutdown Allow System To Be Shut Down Without Having To Log On`: Set to **Disabled**. + +- **Disable the camera**: To enable this feature, you have the following options: + + - **Use the Settings app**: + 1. Open the **Settings** app. + 2. Go to **Privacy** > **Camera**. + 3. Select **Allow apps use my camera** > **Off**. + + - **Use Group Policy**: `Computer Configuration\Administrative Templates\Windows Components\Camera: Allow use of camera`: Select **Disabled**. + + - **Use an MDM provider**: This feature uses the [Policy CSP - Camera](/windows/client-management/mdm/policy-csp-camera). In Endpoint Manager, you have the following options: + + - [General settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#general): This option shows this setting, and more settings you can manage. + - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following setting: + + - `Camera\Allow camera`: Set to **Not allowed**. + +- **Turn off app notifications on the lock screen**: To enable this feature, you have the following options: + + - **Use the Settings app**: + + 1. Open the **Settings** app. + 2. Go to **System** > **Notifications & actions**. + 3. In **Show notifications on the lock screen**, select **Off**. + + - **Use Group policy**: + - `Computer Configuration\Administrative Templates\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**. + - `User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**. + + - **Use an MDM provider**: This feature uses the [AboveLock/AllowToasts CSP](/windows/client-management/mdm/policy-csp-abovelock#abovelock-allowtoasts). In Endpoint Manager, you have the following options: + + - [Locked screen experience device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#locked-screen-experience): See this setting, and more settings you can manage. + + - [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following settings: + + - `\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**. + - `\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**. + + When looking at settings, check the supported OS for each setting to make sure it applies. + + - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings: + + - `\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**. + - `\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**. + +- **Disable removable media**: To enable this feature, you have the following options: + + - **Use Group policy**: `Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions`. Review the available settings that apply to your situation. + + To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**. + + - **Use an MDM provider**: In Endpoint Manager, you have the following options: + + - [General settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#general): See the **Removable storage** setting, and more settings you can manage. + + - [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following settings: + + - `\System\Device Installation`: There are several policies you can manage, including restrictions in `\System\Device Installation\Device Installation Restrictions`. + + To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**. + + When looking at settings, check the supported OS for each setting to make sure it applies. + + - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings: + + - `\Administrative Templates\System\Device Installation`: There are several policies you can manage, including restrictions in `\System\Device Installation\Device Installation Restrictions`. + + To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**. ## Enable logging Logs can help you [troubleshoot issues](./kiosk-troubleshoot.md) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default. - +:::image type="content" source="images/enable-assigned-access-log.png" alt-text="On Windows client, open Event Viewer, right-click Operational, select enable log to turn on logging to help troubleshoot."::: ## Automatic logon -In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can sign in the assigned access account manually or you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic sign in. +You may also want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, from an update or power outage, you can sign in the assigned access account manually. Or, you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device don't prevent automatic sign in. > [!NOTE] -> If you are using a Windows 10 and later device restriction CSP to set "Preferred Azure AD tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile. +> If you are using a Windows client device restriction CSP to set "Preferred Azure AD tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile. > [!TIP] > If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML. @@ -88,7 +245,7 @@ In addition to the settings in the table, you may want to set up **automatic log - *DefaultPassword*: set value as the password for the account. > [!NOTE] - > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. + > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. - *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key. @@ -104,150 +261,56 @@ In addition to the settings in the table, you may want to set up **automatic log The following table describes some features that have interoperability issues we recommend that you consider when running assigned access. -> [!Note] -> Where applicable, the table notes which features are optional that you can configure for assigned access. +- **Accessibility**: Assigned access does not change Ease of Access settings. We recommend that you use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block the following key combinations that bring up accessibility features: -
| Feature | -Description | -||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Accessibility |
-Assigned access does not change Ease of Access settings. -We recommend that you use Keyboard Filter to block the following key combinations that bring up accessibility features: -
|
-||||||||||||||||||||||
Assigned access Windows PowerShell cmdlets |
-In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access. For more information, see Assigned access Windows PowerShell reference. |
-||||||||||||||||||||||
Key sequences blocked by assigned access |
-When in assigned access, some key combinations are blocked for assigned access users. -Alt+F4, Alt+Shift+Tab, Alt+Tab are not blocked by Assigned Access, it is recommended you use Keyboard Filter to block these key combinations. -Ctrl+Alt+Delete is the key to break out of Assigned Access. If needed, you can use Keyboard Filter to configure a different key combination to break out of assigned access by setting BreakoutKeyScanCode as described in WEKF_Settings. -
- Keyboard Filter settings apply to other standard accounts. |
-||||||||||||||||||||||
Key sequences blocked by Keyboard Filter |
-If Keyboard Filter is turned ON then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the Keyboard Filter reference topic. -Keyboard Filter is only available on Windows 10 Enterprise or Windows 10 Education. - |
-||||||||||||||||||||||
Power button |
-Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user cannot turn off the device when it is in assigned access. -For more information on removing the power button or disabling the physical power button, see Custom Logon. |
-||||||||||||||||||||||
Unified Write Filter (UWF) |
-UWFsettings apply to all users, including those with assigned access. -For more information, see Unified Write Filter. |
-||||||||||||||||||||||
WEDL_AssignedAccess class |
-Although you can use this class to configure and manage basic lockdown features for assigned access, we recommend that you use the Windows PowerShell cmdlets instead. -If you need to use assigned access API, see WEDL_AssignedAccess. |
-||||||||||||||||||||||
Welcome Screen |
-Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but for how it functions. You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own. -For more information, see Custom Logon. |
-
This method is supported on Windows 10 Pro, Enterprise, and Education. -[PowerShell](#powershell) | You can use Windows PowerShell cmdlets to set up a single-app kiosk. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account.
This method is supported on Windows 10 Pro, Enterprise, and Education. -[The kiosk wizard in Windows Configuration Designer](#wizard) | Windows Configuration Designer is a tool that produces a *provisioning package*, which is a package of configuration settings that can be applied to one or more devices during the first-run experience (OOBE) or after OOBE is done (runtime). You can also create the kiosk user account and install the kiosk app, as well as other useful settings, using the kiosk wizard.
This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education. -[Microsoft Intune or other mobile device management (MDM) provider](#mdm) | For managed devices, you can use MDM to set up a kiosk configuration.
This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education. +- [Locally, in Settings](#local): The **Set up a kiosk** (previously named **Set up assigned access**) option in **Settings** is a quick and easy method to set up a single device as a kiosk for a local standard user account. + This option supports: ->[!TIP] ->You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) by using a [kiosk profile](lock-down-windows-10-to-specific-apps.md#profile). + - Windows 10 Pro, Enterprise, and Education + - Windows 11 + +- [PowerShell](#powershell): You can use Windows PowerShell cmdlets to set up a single-app kiosk. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account. + + This option supports: + + - Windows 10 Pro, Enterprise, and Education + - Windows 11 + +- [The kiosk wizard in Windows Configuration Designer](#wizard): Windows Configuration Designer is a tool that produces a *provisioning package*. A provisioning package includes configuration settings that can be applied to one or more devices during the first-run experience (OOBE), or after OOBE is done (runtime). Using the kiosk wizard, you can also create the kiosk user account, install the kiosk app, and configure more useful settings. + + This option supports: + + - Windows 10 Pro version 1709+, Enterprise, and Education + - Windows 11 + +- [Microsoft Intune or other mobile device management (MDM) provider](#mdm): For devices managed by your organization, you can use MDM to set up a kiosk configuration. + + This option supports: + + - Windows 10 Pro version 1709+, Enterprise, and Education + - Windows 11 + +> [!TIP] +> You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) by using a [kiosk profile](lock-down-windows-10-to-specific-apps.md#profile). > ->Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk. - +> Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk. ## Set up a kiosk in local Settings ->App type: UWP +>App type: +> - UWP > ->OS edition: Windows 10 Pro, Ent, Edu +>OS: +> - Windows 10 Pro, Ent, Edu +> - Windows 11 > ->Account type: Local standard user +>Account type: +> - Local standard user You can use **Settings** to quickly configure one or a few devices as a kiosk. -When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts. +When your kiosk is a local device that isn't managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts. -- If you want the kiosk account signed in automatically and the kiosk app launched when the device restarts, there is nothing you need to do. +- If you want the kiosk account to sign in automatically, and the kiosk app launched when the device restarts, then you don't need to do anything. -- If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device. +- If you don't want the kiosk account to sign in automatically when the device restarts, then you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account. Open the **Settings** app > **Accounts** > **Sign-in options**. Set the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device. - +  -### Instructions for Windows 10, version 1809 +### Windows 10 version 1809+ / Windows 11 -When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10, version 1809, you create the kiosk user account at the same time. +When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows client, you create the kiosk user account at the same time. To set up assigned access in PC settings: -**To set up assigned access in PC settings** - -1. Go to **Start** > **Settings** > **Accounts** > **Other users**. +1. Open the **Settings** app > **Accounts**. Select **Other users** or **Family and other users**. 2. Select **Set up a kiosk > Assigned access**, and then select **Get started**. @@ -94,15 +115,15 @@ When you set up a kiosk (also known as *assigned access*) in **Settings** for Wi To remove assigned access, select the account tile on the **Set up a kiosk** page, and then select **Remove kiosk**. -### Instructions for Windows 10, version 1803 and earlier +### Windows 10 version 1803 and earlier -When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10, version 1803 and earlier, you must select an existing local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) +When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10 version 1803 and earlier, you must select an existing local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10)  **To set up assigned access in PC settings** -1. Go to **Start** > **Settings** > **Accounts** > **Other people**. +1. Go to **Start** > **Settings** > **Accounts** > **Other people**. 2. Select **Set up assigned access**. @@ -110,26 +131,24 @@ When you set up a kiosk (also known as *assigned access*) in **Settings** for Wi 4. Choose an app. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). -5. Close **Settings** – your choices are saved automatically, and will be applied the next time that user account logs on. +5. Close **Settings** – your choices are saved automatically, and will be applied the next time that user account signs in. To remove assigned access, choose **Turn off assigned access and sign out of the selected account**. - - - - - - ## Set up a kiosk using Windows PowerShell ->App type: UWP +>App type: +> - UWP > ->OS edition: Windows 10 Pro, Ent, Edu +>OS: +> - Windows 10 Pro, Ent, Edu +> - Windows 11 > ->Account type: Local standard user +>Account type: +> - Local standard user  @@ -137,59 +156,49 @@ You can use any of the following PowerShell cmdlets to set up assigned access on Before you run the cmdlet: -1. Log in as administrator. +1. Sign in as administrator. 2. [Create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) for Assigned Access. -3. Log in as the Assigned Access user account. +3. Sign in as the Assigned Access user account. 4. Install the Universal Windows app that follows the assigned access/above the lock guidelines. -5. Log out as the Assigned Access user account. -6. Log in as administrator. +5. Sign out as the Assigned Access user account. +6. Sign in as administrator. -To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator. +To open PowerShell on Windows client, search for PowerShell, and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator. -**Configure assigned access by AppUserModelID and user name** - -``` -Set-AssignedAccess -AppUserModelId
  Enable device setup if you want to configure settings on this page.If enabled:Enter a name for the device.(Optional) Select a license file to upgrade Windows 10 to a different edition. See the permitted upgrades.Toggle Configure devices for shared use off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.You can also select to remove pre-installed software from the device. |  |
  Enable network setup if you want to configure settings on this page.If enabled:Toggle On or Off for wireless network connectivity. If you select On, enter the SSID, the network type (Open or WPA2-Personal), and (if WPA2-Personal) the password for the wireless network. |  |
  Enable account management if you want to configure settings on this page. If enabled:You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the deviceTo enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 180 days from the date you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Click Accept to give Windows Configuration Designer the necessary permissions.Warning: You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.To create a local administrator account, select that option and enter a user name and password. Important: If you create a local account in the provisioning package, you must change the password using the Settings app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. |  |
  You can provision the kiosk app in the Add applications step. You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see Provision PCs with appsWarning: If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in Installer Path, and then a Cancel button becomes available, allowing you to complete the provisioning package without an application. |  |
  To provision the device with a certificate for the kiosk app, click Add a certificate. Enter a name for the certificate, and then browse to and select the certificate to be used. |  |
  You can create a local standard user account that will be used to run the kiosk app. If you toggle No, make sure that you have an existing user account to run the kiosk app.If you want to create an account, enter the user name and password, and then toggle Yes or No to automatically sign in the account when the device starts. (If you encounter issues with auto sign-in after you apply the provisioning package, check the Event Viewer logs for auto logon issues under Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational.)In Configure the kiosk mode app, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Windows desktop application) or the AUMID (for a Universal Windows app). For a Windows desktop application, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required. |  |
  On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings. |  |
 You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device. |  |
- Assign [group accounts to a config profile](#config-for-group-accounts)
- Configure [an account to sign in automatically](#config-for-autologon-account) | Windows 10, version 1803 | +| New features and improvements | In update | +| --- | ---| +| - Configure [a single-app kiosk profile](#profile) in your XML file
- Assign [group accounts to a config profile](#config-for-group-accounts)
- Configure [an account to sign in automatically](#config-for-autologon-account) | Windows 10, version 1803 | | - Explicitly allow [some known folders when user opens file dialog box](#fileexplorernamespacerestrictions)
- [Automatically launch an app](#allowedapps) when the user signs in
- Configure a [display name for the autologon account](#config-for-autologon-account) | Windows 10, version 1809
**Important:** To use features released in Windows 10, version 1809, make sure that [your XML file](#create-xml-file) references `https://schemas.microsoft.com/AssignedAccess/201810/config`. | >[!WARNING] @@ -43,7 +45,10 @@ You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provi ## Configure a kiosk in Microsoft Intune -To configure a kiosk in Microsoft Intune, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings). For explanations of the specific settings, see [Windows 10 and later device settings to run as a kiosk in Intune](/intune/kiosk-settings-windows). +To configure a kiosk in Microsoft Intune, see: + +- [Windows client and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings) +- [Windows client device settings to run as a kiosk in Intune](/intune/kiosk-settings-windows) @@ -59,7 +64,7 @@ Watch how to use a provisioning package to configure a multi-app kiosk. >[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false] -If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#alternate-methods) or you can configure assigned access using the [MDM Bridge WMI Provider](kiosk-mdm-bridge.md). +If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#use-mdm-to-deploy-the-multi-app-configuration), or you can configure assigned access using the [MDM Bridge WMI Provider](kiosk-mdm-bridge.md). ### Prerequisites @@ -114,7 +119,7 @@ You can start your file by pasting the following XML (or any other examples in t There are two types of profiles that you can specify in the XML: - **Lockdown profile**: Users assigned a lockdown profile will see the desktop in tablet mode with the specific apps on the Start screen. -- **Kiosk profile**: New in Windows 10, version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile will not see the desktop, but only the kiosk app running in full-screen mode. +- **Kiosk profile**: Starting with Windows 10 version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile will not see the desktop, but only the kiosk app running in full-screen mode. A lockdown profile section in the XML has the following entries: @@ -146,7 +151,7 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can ##### AllowedApps -**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. In Windows 10, version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in. +**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. Starting with Windows 10 version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in. - For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](./find-the-application-user-model-id-of-an-installed-app.md), or [get the AUMID from the Start Layout XML](#startlayout). - For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%). @@ -189,7 +194,7 @@ The following example allows Groove Music, Movies & TV, Photos, Weather, Calcula ##### FileExplorerNamespaceRestrictions -Starting in Windows 10, version 1809, you can explicitly allow some known folders to be accessed when the user tries to open the file dialog box in multi-app assigned access by including **FileExplorerNamespaceRestrictions** in your XML file. Currently, **Downloads** is the only folder supported. This can also be set using Microsoft Intune. +Starting in Windows 10 version 1809, you can explicitly allow some known folders to be accessed when the user tries to open the file dialog box in multi-app assigned access by including **FileExplorerNamespaceRestrictions** in your XML file. Currently, **Downloads** is the only folder supported. This can also be set using Microsoft Intune. The following example shows how to allow user access to the Downloads folder in the common file dialog box. @@ -231,7 +236,7 @@ FileExplorerNamespaceRestriction has been extended in current Windows 10 Prerele After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset, depending on whether you want the end user to directly access them on the Start screen. -The easiest way to create a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test device and then export the layout. For detailed steps, see [Customize and export Start layout](customize-and-export-start-layout.md). +The easiest way to create a customized Start layout to apply to other Windows client devices is to set up the Start screen on a test device and then export the layout. For detailed steps, see [Customize and export Start layout](customize-and-export-start-layout.md). A few things to note here: @@ -269,7 +274,7 @@ This example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, ``` >[!NOTE] ->If an app is not installed for the user but is included in the Start layout XML, the app will not be shown on the Start screen. +>If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen.  @@ -333,7 +338,7 @@ The following example shows how to specify an account to sign in automatically. ``` -In Windows 10, version 1809, you can configure the display name that will be shown when the user signs in. The following example shows how to create an AutoLogon Account that shows the name "Hello World". +Starting with Windows 10 version 1809, you can configure the display name that will be shown when the user signs in. The following example shows how to create an AutoLogon Account that shows the name "Hello World". ```xml
- Prevents users from changing power settings
- Turns off hibernate
- Overrides all power state transitions to sleep (e.g. lid close) | | Customization: SignInOnResume | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. | | Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. | @@ -83,7 +84,7 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re You can configure Windows to be in shared PC mode in a couple different ways: -- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows 10 in Intune, complete the following steps: +- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows client in Intune, complete the following steps: 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). @@ -112,12 +113,12 @@ You can configure Windows to be in shared PC mode in a couple different ways: 11. From this point on, you can configure any additional settings you’d like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 6**. -- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp), exposed in Windows Configuration Designer as **SharedPC**. +- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows client that's already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp), exposed in Windows Configuration Designer as **SharedPC**.  - WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the [MDM_SharedPC class](/windows/win32/dmwmibridgeprov/mdm-sharedpc). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following: - + ```powershell $sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC" $sharedPC.EnableSharedPCMode = $True diff --git a/windows/configuration/setup-digital-signage.md b/windows/configuration/setup-digital-signage.md index 80bbd5b7da..d545a5cc63 100644 --- a/windows/configuration/setup-digital-signage.md +++ b/windows/configuration/setup-digital-signage.md @@ -1,8 +1,8 @@ --- -title: Set up digital signs on Windows 10 (Windows 10) -description: A single-use device such as a digital sign is easy to set up in Windows 10 (Pro, Enterprise, and Education). +title: Set up digital signs on Windows 10/11 +description: A single-use device such as a digital sign is easy to set up in Windows 10 and Windows 11 (Pro, Enterprise, and Education). ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC -ms.reviewer: +ms.reviewer: sybruckm manager: dansimp ms.author: greglin keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage", "kiosk browser", "browser"] @@ -11,31 +11,30 @@ ms.mktglfcycl: manage ms.sitesec: library author: greg-lindsay ms.localizationpriority: medium -ms.date: 10/02/2018 +ms.date: 09/20/2021 ms.topic: article --- -# Set up digital signs on Windows 10 - +# Set up digital signs on Windows 10/11 **Applies to** -- Windows 10 Pro, Enterprise, and Education +- Windows 10 Pro, Enterprise, and Education +- Windows 11 Digital signage can be a useful and exciting business tool. Use digital signs to showcase your products and services, to display testimonials, or to advertise promotions and campaigns. A digital sign can be a static display, such as a building directory or menu, or it can be dynamic, such as repeating videos or a social media feed. -For digital signage, simply select a digital sign player as your kiosk app. You can also use [Microsoft Edge in kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) or the Kiosk Browser app (a new Microsoft app for Windows 10, version 1803) and configure it to show your online content. +For digital signage, simply select a digital sign player as your kiosk app. You can also use [Microsoft Edge in kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) or the Kiosk Browser app, and configure it to show your online content. >[!TIP] >Kiosk Browser can also be used in [single-app kiosks](kiosk-single-app.md) and [multi-app kiosk](lock-down-windows-10-to-specific-apps.md) as a web browser. For more information, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers). -Kiosk Browser must be downloaded for offline licensing using Microsoft Store for Business. You can deploy Kiosk Browser to devices running Windows 10, version 1803. +Kiosk Browser must be downloaded for offline licensing using Microsoft Store for Business. You can deploy Kiosk Browser to devices running Windows 11, and Windows 10 version 1803+. >[!NOTE] >If you haven't set up your Microsoft Store for Business yet, check out [the prerequisites](/microsoft-store/prerequisites-microsoft-store-for-business) and then [sign up](/microsoft-store/sign-up-microsoft-store-for-business). - -This procedure explains how to configure digital signage using Kiosk Browser on a device running Windows 10, version 1803, that has already been set up (completed the first-run experience). +This procedure explains how to configure digital signage using Kiosk Browser on a device running Windows client that has already been set up (completed the first-run experience). 1. [Get **Kiosk Browser** in Microsoft Store for Business with offline, unencoded license type.](/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps) 2. [Download the **Kiosk Browser** package, license file, and all required frameworks.](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) @@ -43,24 +42,24 @@ This procedure explains how to configure digital signage using Kiosk Browser on 3. Open Windows Configuration Designer and select **Provision kiosk devices**. 4. Enter a friendly name for the project, and select **Finish**. 5. On **Set up device**, select **Disabled**, and select **Next**. -6. On **Set up network**, enable network setup. +6. On **Set up network**, enable network setup: - Toggle **On** wireless network connectivity. - Enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network. 7. On **Account management**, select **Disabled**, and select **Next**. -8. On **Add applications**, select **Add an application**. +8. On **Add applications**, select **Add an application**: - For **Application name**, enter `Kiosk Browser`. - For **Installer path**, browse to and select the AppxBundle that you downloaded from Microsoft Store for Business. After you select the package, additional fields are displayed. - For **License file path**, browse to and select the XML license file that you downloaded from Microsoft Store for Business. - The **Package family name** is populated automatically. - Select **Next**. 9. On **Add certificates**, select **Next**. -10. On **Configure kiosk account and app**, toggle **Yes** to create a local user account for your digital signage. +10. On **Configure kiosk account and app**, toggle **Yes** to create a local user account for your digital signage: - Enter a user name and password, and toggle **Auto sign-in** to **Yes**. - Under **Configure the kiosk mode app**, enter the user name for the account that you're creating. - For **App type**, select **Universal Windows App**. - In **Enter the AUMID for the app**, enter `Microsoft.KioskBrowser_8wekyb3d8bbwe!App`. 11. In the bottom left corner of Windows Configuration Designer, select **Switch to advanced editor**. -12. Go to **Runtime settings** > **Policies** > **KioskBrowser**. Let's assume that the URL for your digital signage content is contoso.com/menu. +12. Go to **Runtime settings** > **Policies** > **KioskBrowser**. Let's assume that the URL for your digital signage content is contoso.com/menu: - In **BlockedUrlExceptions**, enter `https://www.contoso.com/menu`. - In **BlockedUrl**, enter `*`. - In **DefaultUrl**, enter `https://www.contoso.com/menu`. @@ -79,16 +78,3 @@ This procedure explains how to configure digital signage using Kiosk Browser on 20. Copy the .ppkg file to a USB drive. 21. Attach the USB drive to the device that you want to use for your digital sign. 22. Go to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package on the USB drive. - - - - - - - - - - - - - diff --git a/windows/configuration/supported-csp-start-menu-layout-windows.md b/windows/configuration/supported-csp-start-menu-layout-windows.md index d26c7b384d..3c2d63c994 100644 --- a/windows/configuration/supported-csp-start-menu-layout-windows.md +++ b/windows/configuration/supported-csp-start-menu-layout-windows.md @@ -10,7 +10,6 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mobile author: MandiOhlinger -ms.date: 09/13/2021 ms.localizationpriority: medium --- @@ -57,6 +56,17 @@ For information on customizing the Start menu layout using policy, see [Customiz ## Existing CSP policies that Windows 11 doesn't support - [Start/StartLayout](/windows/client-management/mdm/policy-csp-start#start-startlayout) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Start Layout` + - [Start/HideRecentlyAddedApps](/windows/client-management/mdm/policy-csp-start#start-hiderecentlyaddedapps) + - Group policy: `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove "Recently added" list from Start Menu` + - [Start/HideAppList](/windows/client-management/mdm/policy-csp-start#start-hideapplist) + - Group policy: + - `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove All Programs list from the Start menu` + - `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove All Programs list from the Start menu` + - [Start/DisableContextMenus](/windows/client-management/mdm/policy-csp-start#start-disablecontextmenus) + - Group policy: + - `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Disable context menus in the Start Menu` + - `User Configuration\Administrative Templates\Start Menu and Taskbar\Disable context menus in the Start Menu` diff --git a/windows/configuration/supported-csp-taskbar-windows.md b/windows/configuration/supported-csp-taskbar-windows.md new file mode 100644 index 0000000000..2d7577e32a --- /dev/null +++ b/windows/configuration/supported-csp-taskbar-windows.md @@ -0,0 +1,67 @@ +--- +title: Supported CSP policies to customize the Taskbar on Windows 11 | Microsoft Docs +description: See a list of the Policy CSP - Start items that are supported on Windows 11 to customize the Taskbar. +ms.assetid: +manager: dougeby +ms.author: mandia +ms.reviewer: chataylo +ms.prod: w11 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: mobile +author: MandiOhlinger +ms.localizationpriority: medium +--- + +# Supported configuration service provider (CSP) policies for Windows 11 taskbar + +**Applies to**: + +- Windows 11 + +The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Endpoint Manager](/mem/endpoint-manager-overview). In an MDM policy, these CSPs are settings that you configure. When the policy is ready, you deploy the policy to your devices. + +This article lists the CSPs that are available to customize the Taskbar for Windows 11 devices. Windows 11 uses the [Policy CSP - Start](/windows/client-management/mdm/policy-csp-start). + +For more general information, see [Configuration service provider (CSP) reference](/windows/client-management/mdm/configuration-service-provider-reference). + +## Existing CSP policies that Windows 11 taskbar supports + +- [Start/HideRecentJumplists CSP](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not keep history of recently opened documents` + - Local setting: Settings > Personalization > Start > Show recently opened items in Jump Lists on Start or the taskbar + +- [Start/NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#start-nopinningtotaskbar) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not allow pinning programs to the Taskbar` + - Local setting: None + +## Existing CSP policies that Windows 11 doesn't support + +The following list includes some of the CSP policies that aren't supported on Windows 11: + +- [TaskbarLockAll CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarlockall) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Lock all taskbar settings` + +- [TaskbarNoAddRemoveToolbar CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnoaddremovetoolbar) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from adding or removing toolbars` + +- [TaskbarNoDragToolbar CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnodragtoolbar) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from rearranging toolbars` + +- [TaskbarNoRedock CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnoredock) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from moving taskbar to another screen dock location` + +- [TaskbarNoResize CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnoresize) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from resizing the taskbar` + +- [NoToolbarsOnTaskbar CSP](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-notoolbarsontaskbar) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not display any custom toolbars in the taskbar` + +- [NoTaskGrouping CSP](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-notaskgrouping) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent grouping of taskbar items` + +- [HidePeopleBar CSP](/windows/client-management/mdm/policy-csp-start#start-hidepeoplebar) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove the People Bar from the taskbar` + +- [QuickLaunchEnabled CSP](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-quicklaunchenabled) + - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Show QuickLaunch on Taskbar` diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 8daccb955a..18817d1d38 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -52,6 +52,8 @@ items: - name: Using a proxy with Delivery Optimization href: update/delivery-optimization-proxy.md + - name: Delivery Optimization client-service communication + href: update/delivery-optimization-workflow.md - name: Best practices for feature updates on mission-critical devices href: update/feature-update-mission-critical.md - name: Windows 10 deployment considerations diff --git a/windows/deployment/update/delivery-optimization-workflow.md b/windows/deployment/update/delivery-optimization-workflow.md new file mode 100644 index 0000000000..4336f3ab23 --- /dev/null +++ b/windows/deployment/update/delivery-optimization-workflow.md @@ -0,0 +1,44 @@ +--- +title: Delivery Optimization client-service communication explained +manager: dougeby +description: Details of how Delivery Optimization communicates with the server when content is requested to download. +keywords: updates, downloads, network, bandwidth +ms.prod: w10 +ms.mktglfcycl: deploy +audience: itpro +author: carmenf +ms.localizationpriority: medium +ms.author: carmenf +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Delivery Optimization client-service communication explained + +**Applies to** + +- Windows 10 +- Windows 11 + +## Download request workflow + +This workflow allows Delivery Optimization to securely and efficiently deliver requested content to the calling device. Delivery Optimization uses content metadata to determine all available locations to pull content from, as well as content verification. + + +1. When a download starts, the Delivery Optimization client attempts to get its content metadata. This content metadata is a hash file containing the SHA-256 block-level hashes of each piece in the file (typically one piece = 1 MB). +2. The authenticity of the content metadata file itself is verified prior to any content being downloaded using a hash that is obtained via an SSL channel from the Delivery Optimization service. The same channel is used to ensure the content is curated and authorized to leverage peer-to-peer. +3. When Delivery Optimization pulls a certain piece of the hash from another peer, it verifies the hash against the known hash in the content metadata file. +4. If a peer provides an invalid piece, that piece is discarded. When a peer sends multiple bad pieces, it's banned and will no longer be used as a source by the Delivery Optimization client performing the download. +5. If Delivery Optimization is unable to obtain the content metadata file, or if the verification of the hash file itself fails, the download will fall back to “simple mode” (pulling content only from an HTTP source) and peer-to-peer won't be allowed. +6. Once downloading is complete, Delivery Optimization uses all retrieved pieces of the content to put the file together. At that point, the Delivery Optimization caller (for example, Windows Update) checks the entire file to verify the signature prior to installing it. + +## Delivery Optimization service endpoint and data information + +|Endpoint hostname|Port|Name|Description|Data sent from the computer to the endpoint +|--------------------------------------------|--------|---------------|-----------------------|------------------------| +| geover-prod.do.dsp.mp.microsoft.com
geo-prod.do.dsp.mp.microsoft.com
geo.prod.do.dsp.mp.microsoft.com
geover.prod.do.dsp.mp.microsoft.com | 443 | Geo | Service used to identify the location of the device in order to direct it to the nearest data center. | **Profile**: The device type (for example, PC or Xbox)
**doClientVersion**: The version of the DoSvc client
**groupID**: Group the device belongs to (set with DownloadMode = '2' (Group download mode) + groupID group policy / MDM policies) | +| kv\*.prod.do.dsp.mp.microsoft.com | 443| KeyValue | Bootstrap service provides endpoints for all other services as well as device configs. | **countryCode**: The country the client is connected from
**doClientVersion**: The version of the DoSvc client
**Profile**: The device type (for example, PC or Xbox)
**eId**: Client grouping Id
**CacheHost**: Cache host id | +| cp\*.prod.do.dsp.mp.microsoft.com
| 443 | Content Policy | Provides content specific policies as well as content metadata URLs. | **Profile**: The device type (for example, PC or Xbox)
**ContentId**: The content identifier
**doClientVersion**: The version of the DoSvc client
**countryCode**: The country the client is connected from
**altCatalogId**: If ContentId isn't available, use the download URL instead
**eId**: Client grouping Id
**CacheHost**: Cache host id | +| disc\*.prod.do.dsp.mp.microsoft.com | 443 | Discovery | Directs clients to a particular instance of the peer matching service (Array), ensuing that clients are collocated by factors, such as content, groupId and external IP. | **Profile**: The device type (for example, PC or Xbox)
**ContentId**: The content identifier
**doClientVersion**: The version of the DoSvc client
**partitionId**: Client partitioning hint
**altCatalogId**: If ContentId isn't available, use the download URL instead
**eId**: Client grouping Id | +| array\*.prod.do.dsp.mp.microsoft.com | 443 | Arrays | Provides the client with list of peers that have the same content and belong to the same peer group. | **Profile**: The device type (for example, PC or Xbox)
**ContentId**: The content identifier
**doClientVersion**: The version of the DoSvc client
**altCatalogId**: If ContentId isn't available, use the download URL instead
**PeerId**: Identified of the device running DO client
**ReportedIp**: The internal / private IP Address
**IsBackground**: Is the download interactive or background
**Uploaded**: Total bytes uploaded to peers
**Downloaded**: Total bytes downloaded from peers
**DownloadedCdn**: Total bytes downloaded from CDN
**Left**: Bytes left to download
**Peers Wanted**: Total number of peers wanted
**Group Id**: Group the device belongs to (set via DownloadMode 2 + Group ID GP / MDM policies)
**Scope**: The Download mode
**UploadedBPS**: The upload speed in bytes per second
**DownloadBPS**: The download speed in Bytes per second
**eId**: Client grouping Id | +| dl.delivery.mp.microsoft.com
emdl.ws.microsoft.com | 80 | Delivery Optimization metadata file hosting | CDN hostnames for Delivery Optimization content metadata files | Metadata download can come from different hostnames, but it's required for peer to peer. | diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 405b6710ad..d2bee6b47c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -71,7 +71,7 @@ sections: - question: Can I use an external Windows Hello compatible camera when my laptop is closed or docked? answer: | - Yes. Starting with Windows 10, version 21H2 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera will be be used for face authentication. For more information see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). + Yes. Starting with Windows 10, version 21H1 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera will be be used for face authentication. For more information see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). - question: Why does authentication fail immediately after provisioning hybrid key trust? answer: | diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 61eb44f8f8..ccb1a890ff 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -33,6 +33,7 @@ If you plan to use certificates for on-premises single-sign on, then follow thes > Ensure you have performed the configurations in [Azure AD joined devices for On-premises Single-Sign On](hello-hybrid-aadj-sso-base.md) before you continue. Steps you will perform include: + - [Prepare Azure AD Connect](#prepare-azure-ad-connect) - [Prepare the Network Device Enrollment Services Service Account](#prepare-the-network-device-enrollment-services-ndes-service-account) - [Prepare Active Directory Certificate Services](#prepare-active-directory-certificate-authority) @@ -42,12 +43,14 @@ Steps you will perform include: - [Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile](#create-and-assign-a-simple-certificate-enrollment-protocol-scep-certificate-profile) ## Requirements + You need to install and configure additional infrastructure to provide Azure AD joined devices with on-premises single-sign on. - An existing Windows Server 2012 R2 or later Enterprise Certificate Authority - A Windows Server 2012 R2 domain joined server that hosts the Network Device Enrollment Services role ### High Availability + The Network Device Enrollment Services (NDES) server role acts as a certificate registration authority. Certificate registration servers enroll certificates on behalf of the user. Users request certificates from the NDES service rather than directly from the issuing certificate authority. The architecture of the NDES server prevents it from being clustered or load balanced for high availability. To provide high availability, you need to install more than one identically configured NDES servers and use Microsoft Intune to load balance then (in round-robin fashion). @@ -61,9 +64,11 @@ The Network Device Enrollment Service (NDES) server role can issue up to three u If you need to deploy more than three types of certificates to the Azure AD joined device, you need additional NDES servers. Alternatively, consider consolidating certificate templates to reduce the number of certificate templates. ### Network Requirements + All communication occurs securely over port 443. ## Prepare Azure AD Connect + Successful authentication to on-premises resources using a certificate requires the certificate to provide a hint about the on-premises domain. The hint can be the user's Active Directory distinguished name as the subject of the certificate, or the hint can be the user's user principal name where the suffix matches the Active Directory domain name. Most environments change the user principal name suffix to match the organization's external domain name (or vanity domain), which prevents the user principal name as a hint to locate a domain controller. Therefore, the certificate needs the user's on-premises distinguished name in the subject to properly locate a domain controller. @@ -71,6 +76,7 @@ Most environments change the user principal name suffix to match the organizatio To include the on-premises distinguished name in the certificate's subject, Azure AD Connect must replicate the Active Directory **distinguishedName** attribute to the Azure Active Directory **onPremisesDistinguishedName** attribute. Azure AD Connect version 1.1.819 includes the proper synchronization rules needed for these attributes. ### Verify AAD Connect version + Sign-in to computer running Azure AD Connect with access equivalent to _local administrator_. 1. Open **Synchronization Services** from the **Azure AD Connect** folder. @@ -78,6 +84,7 @@ Sign-in to computer running Azure AD Connect with access equivalent to _local ad 3. If the version number is not **1.1.819** or later, then upgrade Azure AD Connect to the latest version. ### Verify the onPremisesDistinguishedName attribute is synchronized + The easiest way to verify the onPremisesDistingushedNamne attribute is synchronized is to use Azure AD Graph Explorer. 1. Open a web browser and navigate to https://graphexplorer.azurewebsites.net/ @@ -89,6 +96,7 @@ The easiest way to verify the onPremisesDistingushedNamne attribute is synchroni ## Prepare the Network Device Enrollment Services (NDES) Service Account ### Create the NDES Servers global security group + The deployment uses the **NDES Servers** security group to assign the NDES service the proper user right assignments. Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. @@ -100,6 +108,7 @@ Sign-in to a domain controller or management workstation with access equivalent 5. Click **OK**. ### Add the NDES server to the NDES Servers global security group + Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. 1. Open **Active Directory Users and Computers**. @@ -111,6 +120,7 @@ Sign-in to a domain controller or management workstation with access equivalent > For high-availability, you should have more than one NDES server to service Windows Hello for Business certificate requests. You should add additional Windows Hello for Business NDES servers to this group to ensure they receive the proper configuration. ### Create the NDES Service Account + The Network Device Enrollment Services (NDES) role runs under a service account. Typically, it is preferential to run services using a Group Managed Service Account (GMSA). While the NDES role can be configured to run using a GMSA, the Intune Certificate Connector was not designed nor tested using a GMSA and is considered an unsupported configuration. The deployment uses a normal services account. Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. @@ -124,6 +134,7 @@ Sign-in to a domain controller or management workstation with access equivalent > Configuring the service's account password to **Password never expires** may be more convenient, but it presents a security risk. Normal service account passwords should expire in accordance with the organizations user password expiration policy. Create a reminder to change the service account's password two weeks before it will expire. Share the reminder with others that are allowed to change the password to ensure the password is changed before it expires. ### Create the NDES Service User Rights Group Policy object + The Group Policy object ensures the NDES Service account has the proper user right to assign all the NDES servers in the **NDES Servers** group. As you add new NDES servers to your environment and this group, the service account automatically receives the proper user rights through the Group Policy. Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. @@ -141,6 +152,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv 11. Close the **Group Policy Management Editor**. ### Configure security for the NDES Service User Rights Group Policy object + The best way to deploy the **NDES Service User Rights** Group Policy object is to use security group filtering. This enables you to easily manage the computers that receive the Group Policy settings by adding them to a group. Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. @@ -153,6 +165,7 @@ Sign-in to a domain controller or management workstation with access equivalent 6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**. ### Deploy the NDES Service User Rights Group Policy object + The application of the **NDES Service User Rights** Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all computers. However, the security group filtering ensures only computers included in the **NDES Servers** global security group receive and apply the Group Policy object, which results in providing the **NDESSvc** service account with the proper user rights. Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. @@ -165,6 +178,7 @@ Sign-in to a domain controller or management workstation with access equivalent > Linking the **NDES Service User Rights** Group Policy object to the domain ensures the Group Policy object is in scope for all computers. However, not all computers will have the policy settings applied to them. Only computers that are members of the **NDES Servers** global security group receive the policy settings. All others computers ignore the Group Policy object. ## Prepare Active Directory Certificate Authority + You must prepare the public key infrastructure and the issuing certificate authority to support issuing certificates using Microsoft Intune and the Network Devices Enrollment Services (NDES) server role. In this task, you will - Configure the certificate authority to let Intune provide validity periods @@ -173,6 +187,7 @@ You must prepare the public key infrastructure and the issuing certificate autho - Publish certificate templates ### Configure the certificate authority to let Intune provide validity periods + When deploying certificates using Microsoft Intune, you have the option of providing the validity period in the SCEP certificate profile rather than relying on the validity period in the certificate template. If you need to issue the same certificate with different validity periods, it may be advantageous to use the SCEP profile, given the limited number of certificates a single NDES server can issue. > [!NOTE] @@ -181,12 +196,15 @@ When deploying certificates using Microsoft Intune, you have the option of provi Sign-in to the issuing certificate authority with access equivalent to _local administrator_. 1. Open an elevated command prompt and type the following command: + ``` certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE ``` -2. Restart the **Active Directory Certificate Services** service. + +1. Restart the **Active Directory Certificate Services** service. ### Create an NDES-Intune authentication certificate template + NDES uses a server authentication certificate to authenticate the server endpoint, which encrypts the communication between it and the connecting client. The Intune Certificate Connector uses a client authentication certificate template to authenticate to the certificate registration point. Sign-in to the issuing certificate authority or management workstations with _Domain Admin_ equivalent credentials. @@ -207,6 +225,7 @@ Sign-in to the issuing certificate authority or management workstations with _Do 10. Click on the **Apply** to save changes and close the console. ### Create an Azure AD joined Windows Hello for Business authentication certificate template + During Windows Hello for Business provisioning, Windows requests an authentication certificate from Microsoft Intune, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring the NDES Server. Sign in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. @@ -225,10 +244,11 @@ Sign in a certificate authority or management workstations with _Domain Admin eq 8. On the **Subject** tab, select **Supply in the request**. 9. On the **Request Handling** tab, select **Signature and encryption** from the **Purpose** list. Select the **Renew with same key** check box. Select **Enroll subject without requiring any user input**. 10. On the **Security** tab, click **Add**. Type **NDESSvc** in the **Enter the object names to select** text box and click **OK**. -12. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for **Read** and **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. -13. Close the console. +11. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for **Read** and **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. +12. Close the console. ### Publish certificate templates + The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. > [!Important] @@ -244,16 +264,19 @@ Sign-in to the certificate authority or management workstations with an _Enterpr 6. Close the console. ## Install and Configure the NDES Role + This section includes the following topics: -* Install the Network Device Enrollment Service Role -* Configure the NDES service account -* Configure the NDES role and Certificate Templates -* Create a Web Application Proxy for the Internal NDES URL. -* Enroll for an NDES-Intune Authentication Certificate -* Configure the Web Server Certificate for NDES -* Verify the configuration + +- Install the Network Device Enrollment Service Role +- Configure the NDES service account +- Configure the NDES role and Certificate Templates +- Create a Web Application Proxy for the Internal NDES URL. +- Enroll for an NDES-Intune Authentication Certificate +- Configure the Web Server Certificate for NDES +- Verify the configuration ### Install the Network Device Enrollment Services Role + Install the Network Device Enrollment Service role on a computer other than the issuing certificate authority. Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. @@ -272,11 +295,13 @@ Sign-in to the certificate authority or management workstations with an _Enterpr  7. Click **Next** on the **Web Server Role (IIS)** page. 8. On the **Select role services** page for the Web Serve role, Select the following additional services if they are not already selected and then click **Next**. - * **Web Server > Security > Request Filtering** - * **Web Server > Application Development > ASP.NET 3.5**. - * **Web Server > Application Development > ASP.NET 4.5**. . - * **Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility** - * **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility** + + - **Web Server > Security > Request Filtering** + - **Web Server > Application Development > ASP.NET 3.5**. + - **Web Server > Application Development > ASP.NET 4.5**. . + - **Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility** + - **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility** +  9. Click **Install**. When the installation completes, continue with the next procedure. **Do not click Close**. > [!IMPORTANT] @@ -284,9 +309,11 @@ Sign-in to the certificate authority or management workstations with an _Enterpr  ### Configure the NDES service account + This task adds the NDES service account to the local IIS_USRS group. The task also configures the NDES service account for Kerberos authentication and delegation #### Add the NDES service account to the IIS_USRS group + Sign-in the NDES server with access equivalent to _local administrator_. 1. Start the **Local Users and Groups** management console (`lusrmgr.msc`). @@ -295,10 +322,12 @@ Sign-in the NDES server with access equivalent to _local administrator_. 4. Close the management console. #### Register a Service Principal Name on the NDES Service account + Sign-in the NDES server with access equivalent to _Domain Admins_. 1. Open an elevated command prompt. 2. Type the following command to register the service principal name + ``` setspn -s http/[FqdnOfNdesServer] [DomainName\\NdesServiceAccount] ``` @@ -313,6 +342,7 @@ Sign-in the NDES server with access equivalent to _Domain Admins_.  #### Configure the NDES Service account for delegation + The NDES service enrolls certificates on behalf of users. Therefore, you want to limit the actions it can perform on behalf of the user. You do this through delegation. Sign-in a domain controller with a minimum access equivalent to _Domain Admins_. @@ -332,9 +362,11 @@ Sign-in a domain controller with a minimum access equivalent to _Domain Admins_. 10. Click **OK**. Close **Active Directory Users and Computers**. ### Configure the NDES Role and Certificate Templates + This task configures the NDES role and the certificate templates the NDES server issues. #### Configure the NDES Role + Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. > [!NOTE] @@ -355,13 +387,15 @@ Sign-in to the certificate authority or management workstations with an _Enterpr 7. On the **Cryptography for NDES** page, click **Next**. 8. Review the **Confirmation** page. Click **Configure**.  -8. Click **Close** after the configuration completes. +9. Click **Close** after the configuration completes. #### Configure Certificate Templates on NDES + A single NDES server can request a maximum of three certificate templates. The NDES server determines which certificate to issue based on the incoming certificate request that is assigned in the Microsoft Intune SCEP certificate profile. The Microsoft Intune SCEP certificate profile has three values. -* Digital Signature -* Key Encipherment -* Key Encipherment, Digital Signature + +- Digital Signature +- Key Encipherment +- Key Encipherment, Digital Signature Each value maps to a registry value name in the NDES server. The NDES server translates an incoming SCEP provided value into the corresponding certificate template. The table below shows the SCEP profile values of the NDES certificate template registry value names. @@ -380,6 +414,7 @@ Sign-in to the NDES Server with _local administrator_ equivalent credentials. 1. Open an elevated command prompt. 2. Using the table above, decide which registry value name you will use to request Windows Hello for Business authentication certificates for Azure AD joined devices. 3. Type the following command: + ``` reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName] ``` @@ -387,6 +422,7 @@ Sign-in to the NDES Server with _local administrator_ equivalent credentials. ``` reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication ``` + 4. Type **Y** when the command asks for permission to overwrite the existing value. 5. Close the command prompt. @@ -394,6 +430,7 @@ Sign-in to the NDES Server with _local administrator_ equivalent credentials. > Use the **name** of the certificate template; not the **display name**. The certificate template name does not include spaces. You can view the certificate names by looking at the **General** tab of the certificate template's properties in the **Certificates Templates** management console (`certtmpl.msc`). ### Create a Web Application Proxy for the internal NDES URL. + Certificate enrollment for Azure AD joined devices occurs over the Internet. As a result, the internal NDES URLs must be accessible externally. You can do this easily and securely using Azure Active Directory Application Proxy. Azure AD Application Proxy provides single sign-on and secure remote access for web applications hosted on-premises, such as Network Device Enrollment Services. Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs. This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests). Microsoft Intune sends these requests to Azure AD Application Proxies. @@ -403,6 +440,7 @@ Azure AD Application proxies are serviced by lightweight Application Proxy Conne Connector group automatically round-robin, load balance the Azure AD Application proxy requests to the connectors within the assigned connector group. This ensures Windows Hello for Business certificate requests have multiple dedicated Azure AD Application Proxy connectors exclusively available to satisfy enrollment requests. Load balancing the NDES servers and connectors should ensure users enroll their Windows Hello for Business certificates in a timely manner. #### Download and Install the Application Proxy Connector Agent + Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. @@ -424,6 +462,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 10. Repeat steps 5 - 10 for each device that will run the Azure AD Application Proxy connector for Windows Hello for Business certificate deployments. #### Create a Connector Group + Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. @@ -436,6 +475,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 6. Click **Save**. #### Create the Azure Application Proxy + Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. @@ -456,6 +496,7 @@ Sign-in a workstation with access equivalent to a _domain user_. > Write down the internal and external URLs. You will need this information when you enroll the NDES-Intune Authentication certificate. ### Enroll the NDES-Intune Authentication certificate + This task enrolls a client and server authentication certificate used by the Intune connector and the NDES server. Sign-in the NDES server with access equivalent to _local administrators_. @@ -470,10 +511,11 @@ Sign-in the NDES server with access equivalent to _local administrators_.  8. Under **Subject name**, select **Common Name** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**) and then click **Add**. 9. Under **Alternative name**, select **DNS** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**). Click **Add**. Type the external URL used in the previous task (without the https://, for example **ndes-mstephendemo.msappproxy.net**). Click **Add**. Click **OK** when finished. -9. Click **Enroll** -10. Repeat these steps for all NDES Servers used to request Windows Hello for Business authentication certificates for Azure AD joined devices. +10. Click **Enroll** +11. Repeat these steps for all NDES Servers used to request Windows Hello for Business authentication certificates for Azure AD joined devices. ### Configure the Web Server Role + This task configures the Web Server role on the NDES server to use the server authentication certificate. Sign-in the NDES server with access equivalent to _local administrator_. @@ -491,19 +533,23 @@ Sign-in the NDES server with access equivalent to _local administrator_. 8. Close **Internet Information Services (IIS) Manager**. ### Verify the configuration + This task confirms the TLS configuration for the NDES server. Sign-in the NDES server with access equivalent to _local administrator_. #### Disable Internet Explorer Enhanced Security Configuration + 1. Open **Server Manager**. Click **Local Server** from the navigation pane. 2. Click **On** next to **IE Enhanced Security Configuration** in the **Properties** section. 3. In the **Internet Explorer Enhanced Security Configuration** dialog, under **Administrators**, select **Off**. Click **OK**. 4. Close **Server Manager**. #### Test the NDES web server + 1. Open **Internet Explorer**. 2. In the navigation bar, type + ``` https://[fqdnHostName]/certsrv/mscep/mscep.dll ``` @@ -516,16 +562,18 @@ A web page similar to the following should appear in your web browser. If you d Confirm the web site uses the server authentication certificate.  - ## Configure Network Device Enrollment Services to work with Microsoft Intune + You have successfully configured the Network Device Enrollment Services. You must now modify the configuration to work with the Intune Certificate Connector. In this task, you will enable the NDES server and http.sys to handle long URLs. - Configure NDES to support long URLs ### Configure NDES and HTTP to support long URLs + Sign-in the NDES server with access equivalent to _local administrator_. #### Configure the Default Web Site + 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**. 2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. 3. In the content pane, double-click **Request Filtering**. Click **Edit Feature Settings...** in the action pane. @@ -539,18 +587,23 @@ Sign-in the NDES server with access equivalent to _local administrator_. 10. Click **OK**. Close **Internet Information Services (IIS) Manager**. #### Configure Parameters for HTTP.SYS + 1. Open an elevated command prompt. 2. Run the following commands: + ``` reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534 reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534 ``` + 3. Restart the NDES server. ## Download, Install and Configure the Intune Certificate Connector + The Intune Certificate Connector application enables Microsoft Intune to enroll certificates using your on-premises PKI for users on devices managed by Microsoft Intune. ### Download Intune Certificate Connector + Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). @@ -561,6 +614,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 5. Sign-out of the Microsoft Endpoint Manager admin center. ### Install the Intune Certificate Connector + Sign-in the NDES server with access equivalent to _domain administrator_. 1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server. @@ -588,6 +642,7 @@ Sign-in the NDES server with access equivalent to _domain administrator_.  ### Configure the Intune Certificate Connector + Sign-in the NDES server with access equivalent to _domain administrator_. 1. The **NDES Connector** user interface should be open from the last task. @@ -608,9 +663,11 @@ Sign-in the NDES server with access equivalent to _domain administrator_. ### Configure the NDES Connector for certificate revocation (**Optional**) + Optionally (not required), you can configure the Intune connector for certificate revocation when a device is wiped, unenrolled, or when the certificate profile falls out of scope for the targeted user (users is removed, deleted, or the profile is deleted). #### Enabling the NDES Service account for revocation + Sign-in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_. 1. Start the **Certification Authority** management console. @@ -620,6 +677,7 @@ Sign-in the certificate authority used by the NDES Connector with access equival 4. Close the **Certification Authority** #### Enable the NDES Connector for certificate revocation + Sign-in the NDES server with access equivalent to _domain administrator_. 1. Open the **NDES Connector** user interface (**\
## Follow the Windows Hello for Business hybrid key trust deployment guide -1. [Overview](hello-hybrid-cert-trust.md) +1. [Overview](hello-hybrid-key-trust.md) 2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-key-new-install.md) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) diff --git a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md index bbb6ddc586..907bcfc24c 100644 --- a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md +++ b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md @@ -1,5 +1,5 @@ --- -title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10) +title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10 and Windows 11) description: Learn how to update the Diffie Hellman configuration of VPN servers and clients by running VPN cmdlets to secure connections. ms.prod: w10 ms.mktglfcycl: deploy @@ -8,16 +8,17 @@ ms.pagetype: security, networking author: dansimp ms.author: dansimp ms.localizationpriority: medium -ms.date: 02/08/2018 +ms.date: 09/23/2021 ms.reviewer: manager: dansimp --- # How to configure Diffie Hellman protocol over IKEv2 VPN connections ->Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows 10 +>Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows 10, Windows 11 + +In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for IKE exchanges. -In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for IKE exchanges. To secure the connections, update the configuration of VPN servers and clients by running VPN cmdlets. ## VPN server @@ -28,7 +29,7 @@ For VPN servers that run Windows Server 2012 R2 or later, you need to run [Set-V Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy ``` -On an earlier versions of Windows Server, run [Set-VpnServerIPsecConfiguration](/previous-versions/windows/powershell-scripting/hh918373(v=wps.620)). Since `Set-VpnServerIPsecConfiguration` doesn’t have `-TunnelType`, the configuration applies to all tunnel types on the server. +On an earlier version of Windows Server, run [Set-VpnServerIPsecConfiguration](/previous-versions/windows/powershell-scripting/hh918373(v=wps.620)). Since `Set-VpnServerIPsecConfiguration` doesn’t have `-TunnelType`, the configuration applies to all tunnel types on the server. ```powershell Set-VpnServerIPsecConfiguration -CustomPolicy diff --git a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md index 21c295bad1..510a5a9e76 100644 --- a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md +++ b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md @@ -1,12 +1,12 @@ --- -title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections (Windows 10) +title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections (Windows 10 and Windows 11) description: Explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: dansimp -ms.date: 04/19/2017 +ms.date: 09/23/2021 ms.reviewer: manager: dansimp ms.author: dansimp diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md index 2c0a581e8d..77824138a9 100644 --- a/windows/security/identity-protection/vpn/vpn-authentication.md +++ b/windows/security/identity-protection/vpn/vpn-authentication.md @@ -1,5 +1,5 @@ --- -title: VPN authentication options (Windows 10) +title: VPN authentication options (Windows 10 and Windows 11) description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods. ms.prod: w10 ms.mktglfcycl: deploy @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security, networking author: dansimp ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 09/23/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -17,7 +17,7 @@ ms.author: dansimp **Applies to** - Windows 10 -- Windows 10 Mobile +- Windows 11 In addition to older and less-secure password-based authentication methods (which should be avoided), the built-in VPN solution uses Extensible Authentication Protocol (EAP) to provide secure authentication using both user name and password, and certificate-based methods. You can only configure EAP-based authentication if you select a built-in VPN type (IKEv2, L2TP, PPTP or Automatic). @@ -27,7 +27,7 @@ Windows supports a number of EAP authentication methods.
- User name and password authentication
- Winlogon credentials - can specify authentication with computer sign-in credentials
- Supports the following types of certificate authentication
- Certificate with keys in the software Key Storage Provider (KSP)
- Certificate with keys in Trusted Platform Module (TPM) KSP
- Smart card certficates
- Windows Hello for Business certificate
- Certificate filtering
- Certificate filtering can be enabled to search for a particular certificate to use to authenticate with
- Filtering can be Issuer-based or Enhanced Key Usage (EKU)-based
- Server validation - with TLS, server validation can be toggled on or off
- Server name - specify the server to validate
- Server certificate - trusted root certificate to validate the server
- Notification - specify if the user should get a notification asking whether to trust the server or not
- Supports the following types of certificate authentication
- Certificate with keys in the software Key Storage Provider (KSP)
- Certificate with keys in Trusted Platform Module (TPM) KSP
- Smart card certificates
- Windows Hello for Business certificate
- Certificate filtering
- Certificate filtering can be enabled to search for a particular certificate to use to authenticate with
- Filtering can be Issuer-based or Enhanced Key Usage (EKU)-based
- Server validation - with TLS, server validation can be toggled on or off
- Server name - specify the server to validate
- Server certificate - trusted root certificate to validate the server
- Notification - specify if the user should get a notification asking whether to trust the server or not
- Server validation - with PEAP, server validation can be toggled on or off
- Server name - specify the server to validate
- Server certificate - trusted root certificate to validate the server
- Notification - specify if the user should get a notification asking whether to trust the server or not
- Inner method - the outer method creates a secure tunnel inside while the inner method is used to complete the authentication
- EAP-MSCHAPv2
- EAP-TLS
- Fast Reconnect: reduces the delay between an authentication request by a client and the response by the Network Policy Server (NPS) or other Remote Authentication Dial-in User Service (RADIUS) server. This reduces resource requirements for both client and server, and minimizes the number of times that users are prompted for credentials.
- Cryptobinding: By deriving and exchanging values from the PEAP phase 1 key material (Tunnel Key) and from the PEAP phase 2 inner EAP method key material (Inner Session Key), it is possible to prove that the two authentications terminate at the same two entities (PEAP peer and PEAP server). This process, termed "cryptobinding", is used to protect the PEAP negotiation against "Man in the Middle" attacks.
- Inner method
- Non-EAP
- Password Authentication Protocol (PAP)
- CHAP
- MSCHAP
- MSCHAPv2
- EAP
- MSCHAPv2
- TLS
- Non-EAP
- Server validation: in TTLS, the server must be validated. The following can be configured:
- Server name
- Trusted root certificate for server certificate
- Whether there should be a server validation notification
+Source: Microsoft-Windows-AppLocker
+Date: 11/11/2020 1:18:11 PM
+Event ID: 8036
+Task Category: None
+Level: Error
+Keywords:
+User: S-1-5-21-3340858017-3068726007-3466559902-3647
+Computer: contoso.com
+Description: {f8d253d9-89a4-4daa-87b6-1168369f0b21} was prevented from running due to Config CI policy.
Event XML: @@ -122,7 +127,7 @@ Event XML: