Merge branch 'master' into 7087905

Brian Lich
2016-05-04 13:20:16 -07:00
25 changed files with 386 additions and 1098 deletions

View File

@ -1,6 +1,6 @@
---
title: Audit Removable Storage (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Removable Storage, which determines .
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Removable Storage, which determines when there is a read or a write to a removable drive.
ms.assetid: 1746F7B3-8B41-4661-87D8-12F734AFFB26
ms.prod: W10
ms.mktglfcycl: deploy
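Review bot: The completed description says the policy setting "determines when there is a read or a write to a removable drive", but an audit setting records access, it does not decide when access happens. Suggest wording such as "which determines whether an audit event is generated when there is a read or a write to a removable drive", and apply the same wording to the matching body sentence in the next hunk.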
@ -15,9 +15,9 @@ author: brianlic-msft
- Windows 10
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Removable Storage**, which determines .
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Removable Storage**, which determines when there is a read or a write to a removable drive.
Event volume:
Event volume: Low
Default: Not configured

View File

@ -196,7 +196,11 @@ To create a self-signed certificate, do the following:
Exportable=true
RequestType=Cert
KeyUsage="CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty="NCRYPT_ALLOW_DECRYPT_FLAG"
KeyLength=2048
Keyspec="AT_KEYEXCHANGE"
SMIME=FALSE
HashAlgorithm=sha512
[Extensions]
1.3.6.1.4.1.311.21.10 = "{text}"
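Review bot: The request values in this hunk mix casing styles: `Keyspec` and `SMIME=FALSE` sit next to `KeyUsage`, `KeyLength` and `Exportable=true`. Suggest `KeySpec` and one consistent style for the boolean values so the sample reads cleanly when copied. Because the request also keeps `Exportable=true`, the surrounding step would benefit from one sentence on why the private key has to be exportable and how the exported key should be protected.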

View File

@ -16,6 +16,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
|New or changed topic | Description |
|----------------------|-------------|
|[Protect derived domain credentials with Credential Guard](credential-guard.md) |Clarified Credential Guard protections |
|[Windows 10 security overview](windows-10-security-guide.md) |Added SMB hardening improvements for SYSVOL and NETLOGON connections |
## March 2016

View File

@ -62,7 +62,7 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure.
</tr>
<tr class="odd">
<td align="left"><p>[Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md)</p></td>
<td align="left"><p>With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprises control. For example, when an employee sends the latest engineering pictures to their personal email account, copies and pastes product info to a public Yammer group or tweet, or saves an in-progress sales report to their public cloud storage.</p></td>
<td align="left"><p>With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprises control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)</p></td>

View File

@ -17,7 +17,7 @@ author: eross-msft
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprises control. For example, when an employee sends the latest engineering pictures to their personal email account, copies and pastes product info to a public Yammer group or tweet, or saves an in-progress sales report to their public cloud storage.
With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprises control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
Enterprise data protection (EDP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. EDP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside EDP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client.
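Review bot: The reworded example sentence ("For example, when an employee sends ... or saves an in-progress sales report to their public cloud storage.") is still a fragment with no main clause. Suggest "For example, an employee might send ..., copy and paste ..., or save ...". The same paragraph is repeated verbatim in the index table changed earlier in this commit, so both copies need the same fix.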

View File

@ -31,7 +31,15 @@ Trusted Platform Module (TPM) technology is designed to provide hardware-based,
The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system.
Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG).
Traditionally, TPMs have been discrete chips soldered to a computers motherboard. Such implementations allow the computers original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips.
TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platforms owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows 10 automatically provisions a TPM, but if the user reinstalls the operating system, he or she may need to tell the operating system to explicitly provision the TPM again before it can use all the TPMs features.
The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. For example, software alone cannot reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key truly cannot leave the TPM.
The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs whereas others do not.
**Note**  
Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
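Review bot: The added paragraphs introduce "Trusted Computing Group (TCG)" twice, once in the sentence "Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG)." and again at the start of the paragraph on the TCG itself. Suggest expanding the name once and using "TCG" afterwards, or folding the one-line sentence into the TCG paragraph. In the provisioning sentence, "he or she may need to tell the operating system" could be simplified to "the user may need to tell the operating system".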
@ -41,11 +49,10 @@ Some information relates to pre-released product which may be substantially modi
## TPM 1.2 vs. 2.0 comparison
From an industry standard, Microsoft has been an industry leader in moving and standardizing on TPM 2.0. As indicated in the table below, TPM 2.0 has many key realized benefits across algorithms, crypto, hierarchy, root keys, authorization and NV RAM.
From an industry standard, Microsoft has been an industry leader in moving and standardizing on TPM 2.0, which has many key realized benefits across algorithms, crypto, hierarchy, root keys, authorization and NV RAM.
## Why TPM 2.0?
TPM 2.0 products and systems have important security advantages over TPM 1.2, including:
- The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm.
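Review bot: The rewritten opening sentence still begins "From an industry standard, Microsoft has been an industry leader", which does not parse. Suggest "From an industry standpoint" or dropping the lead-in. The heading "TPM 1.2 vs. 2.0 comparison" now sits over a single sentence that no longer points at a table, so consider merging it into "Why TPM 2.0?".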
@ -65,7 +72,6 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in
## Discrete or firmware TPM?
Windows uses discrete and firmware TPM in the same way. Windows gains no functional advantage or disadvantage from either option.
From a security standpoint, discrete and firmware share the same characteristics;
@ -77,20 +83,22 @@ From a security standpoint, discrete and firmware share the same characteristics
For more info, see [fTPM: A Firmware-based TPM 2.0 Implementation](http://research.microsoft.com/apps/pubs/?id=258236).
## TPM 2.0 Compliance for Windows 10 in the future
## Is there any importance for TPM for consumer?
For end consumers, TPM is behind the scenes but still very relevant for Hello, Passport and in the future, many other key features in Windows 10. It offers the best Passport experience, helps encrypt passwords, secures streaming high quality 4K content and builds on our overall Windows 10 experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage.
All shipping devices for Windows 10 across all SKU types must be using TPM 2.0 discrete or firmware from **July 28, 2016**. This requirement will be enforced through our Windows Hardware Certification program.
## TPM 2.0 Compliance for Windows 10
### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
- With Windows 10 as with Windows 8, all connected standby systems are required to include TPM 2.0 support.
- For Windows 10 and later, if a SoC is chosen that includes an integrated fTPM2.0, the device must ship with the fTPM FW support or a discrete TPM 1.2 or 2.0.
- Starting **July 28th, 2016** all devices shipping with Windows 10 desktop must implement TPM 2.0 and ship with the TPM enabled.
- As of July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7, https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx)
## Two implementation options:
• Discrete TPM chip as a separate discrete component
• Firmware TPM solution using Intel PTT (platform trust technology) or AMD
### Windows 10 Mobile
- All devices shipping with Windows 10 Mobile must implement TPM 2.0 and ship with the TPM enabled.
- All devices shipping with Windows 10 Mobile must implement TPM 2.0 and ship with the TPM 2.0 enabled.
### IoT Core
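Review bot: "## Two implementation options:" is added at heading level 2 in the middle of the compliance section, so "### Windows 10 Mobile" and "### IoT Core" now nest under it instead of under "TPM 2.0 Compliance for Windows 10". Suggest making it plain text or a level 4 heading inside the desktop editions subsection. Its two items use "•" glyphs rather than the "-" list markers used elsewhere in the topic, and the second item ends at "or AMD" without naming a technology. Also in this hunk: "a existing model" should be "an existing model", and the date is written both as "July 28, 2016" and "July 28th, 2016".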
@ -102,7 +110,6 @@ All shipping devices for Windows 10 across all SKU types must be using TPM 2.0 d
## TPM and Windows Features
The following table defines which Windows features require TPM support. Some features are not applicable to Windows 7/8/8.1 and are noted accordingly.
<table>
@ -124,7 +131,7 @@ The following table defines which Windows features require TPM support. Some fea
</thead>
<tbody>
<tr class="odd">
<td align="left">Measure Boot</td>
<td align="left">Measured Boot</td>
<td align="left">Required</td>
<td align="left">Required</td>
<td align="left">Required</td>
@ -147,7 +154,7 @@ The following table defines which Windows features require TPM support. Some fea
<tr class="even">
<td align="left">Passport: MSA or Local Account</td>
<td align="left">n/a</td>
<td align="left">Not Required</td>
<td align="left">Required</td>
<td align="left">Required</td>
<td align="left">TPM 2.0 is required with HMAC and EK certificate for key attestation support.</td>
</tr>
@ -175,7 +182,7 @@ The following table defines which Windows features require TPM support. Some fea
<tr class="even">
<td align="left">Device Health Attestation</td>
<td align="left">n/a</td>
<td align="left">Not Required</td>
<td align="left">Required</td>
<td align="left">Required</td>
<td align="left"></td>
</tr>
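Review bot: The Device Health Attestation row changes a requirement cell to "Required" but leaves the last cell empty (`<td align="left"></td>`). The Passport row changed earlier in this commit explains its requirement in that column, so suggest adding a short detail here as well, for example which TPM version the feature needs.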
@ -240,6 +247,7 @@ There are a variety of TPM manufacturers for both discrete and firmware.
<td align="left"><ul>
<li>Infineon</li>
<li>Nuvoton</li>
<li>Atmel</li>
<li>NationZ</li>
<li>ST Micro</li>
</ul></td>
@ -274,11 +282,12 @@ There are a variety of TPM manufacturers for both discrete and firmware.
<tr class="even">
<td align="left">Intel</td>
<td align="left"><ul>
<li>Clovertrail</li>
<li>Haswell</li>
<li>Broadwell</li>
<li>Skylake</li>
<li>Atom (CloverTrail)
<li>Baytrail</li>
<li>4th generation(Haswell)</li>
<li>5th generation(Broadwell)</li>
<li>Braswell</li>
<li>Skylake</li>
</ul></td>
</tr>
<tr class="odd">
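Review bot: The new list item `<li>Atom (CloverTrail)` has no closing `</li>`, unlike every other item in the list. Suggest closing it. The generation entries would also read better with a space before the parenthesis, "4th generation (Haswell)" and "5th generation (Broadwell)".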
@ -301,7 +310,7 @@ There are a variety of TPM manufacturers for both discrete and firmware.
### Certified TPM parts
Government customers and enterprise customers in regulated industries may have acquisition standards that require use of common certified TPM parts. As a result, OEMs, who provide the devices, may be required to use only certified TPM components on their commercial class systems. Discrete TPM 2.0 vendors have targeted completion of certification by the end of 2015.
Government customers and enterprise customers in regulated industries may have acquisition standards that require use of common certified TPM parts. As a result, OEMs, who provide the devices, may be required to use only certified TPM components on their commercial class systems. Discrete TPM 2.0 vendors have completion certification.
### Windows 7 32-bit support
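Review bot: The replacement sentence "Discrete TPM 2.0 vendors have completion certification." is ungrammatical. Suggest "Discrete TPM 2.0 vendors have completed certification."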

View File

@ -345,17 +345,16 @@ Table 3 lists specific malware threats and the mitigation that Windows 10 provi
Table 3. Threats and Windows 10 mitigations
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Threat</th>
<th align="left">Windows 10 mitigation</th>
</tr>
</thead>
<tbody>
<tbody><tr class="odd">
<td align="left"><p>"Man in the middle" attacks, when an attacker reroutes communications between two users through the attacker's computer without the knowledge of the two communicating users</p></td>
<td align="left"><p>Client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require SMB signing and mutual authentication (such as Kerberos).</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Firmware bootkits replace the firmware with malware.</p></td>
<td align="left"><p>All certified PCs include a UEFI with Secure Boot, which requires signed firmware for updates to UEFI and Option ROMs.</p></td>
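Review bot: The new man-in-the-middle row is inserted as `<tr class="odd">` directly before the existing firmware bootkits row, which is also `<tr class="odd">`, so the odd/even classes no longer alternate from this point on. Suggest renumbering the row classes for the rest of the table and putting `<tbody>` back on its own line to match the other tables in the topic.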
@ -395,6 +394,22 @@ Table 3. Threats and Windows 10 mitigations
The sections that follow describe these improvements in more detail.
**SMB hardening improvements for SYSVOL and NETLOGON connections**
In Windows 10 and Windows Server 2016 Technical Preview, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require Server Message Block (SMB) signing and mutual authentication (such as Kerberos).
- **What value does this change add?**
This change reduces the likelihood of man-in-the-middle attacks.
- **What works differently?**
If SMB signing and mutual authentication are unavailable, a Windows 10 or Windows Server 2016 computer wont process domain-based Group Policy and scripts.
> **Note:** The registry values for these settings arent present by default, but the hardening rules still apply until overridden by Group Policy or other registry values.
For more information on these security improvements, (also referred to as UNC hardening), see [Microsoft Knowledge Base article 3000483](http://go.microsoft.com/fwlink/p/?LinkId=789216) and [MS15-011 & MS15-014: Hardening Group Policy](http://go.microsoft.com/fwlink/p/?LinkId=789215).
**Secure hardware**
Although Windows 10 is designed to run on almost any hardware capable of running Windows 8, Windows 7, or Windows Vista, taking full advantage of Windows 10 security requires advancements in hardware-based security, including UEFI with Secure Boot, CPU virtualization features (for example, Intel VT-x), CPU memory-protection features (for example, Intel VT-d), TPM, and biometric sensors.
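Review bot: The note says "The registry values for these settings aren't present by default" without naming the settings, so a reader cannot tell what to look for or what an override would be. Suggest naming the Group Policy setting and registry location the note refers to, or linking the note itself to the KB article. In the last sentence the comma before the parenthesis ("improvements, (also referred to as UNC hardening),") should be removed, and the first sentence says "Windows Server 2016 Technical Preview" while the later one says "Windows Server 2016".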

View File

@ -37,6 +37,7 @@
#### [Settings reference: Windows Store for Business](settings-reference-windows-store-for-business.md)
### [Find and acquire apps](find-and-acquire-apps-overview.md)
#### [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md)
#### [Acquire apps in the Windows Store for Business](acquire-apps-windows-store-for-business.md)
#### [Working with line-of-business apps](working-with-line-of-business-apps.md)
### [Distribute apps to your employees from the Windows Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md)
#### [Distribute apps using your private store](distribute-apps-from-your-private-store.md)
@ -44,8 +45,9 @@
#### [Distribute apps with a management tool](distribute-apps-with-management-tool.md)
#### [Distribute offline apps](distribute-offline-apps.md)
### [Manage apps](manage-apps-windows-store-for-business-overview.md)
#### [Manage access to private store](manage-access-to-private-store.md)
#### [App inventory managemement for Windows Store for Business](app-inventory-managemement-windows-store-for-business.md)
#### [Manage app orders in Windows Store for Business](manage-orders-windows-store-for-business.md)
#### [Manage access to private store](manage-access-to-private-store.md)
#### [Manage private store settings](manage-private-store-settings.md)
#### [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md)
### [Device Guard signing portal](device-guard-signing-portal.md)
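Review bot: The TOC entry is spelled "App inventory managemement" in both the title and the file name `app-inventory-managemement-windows-store-for-business.md`. The `redirect_url` added to the inventory topic elsewhere in this commit uses the spelling `app-inventory-management-windows-store-for-business`, so the redirect target and this file name do not match. Suggest fixing the spelling in the title and file name, or confirming that the redirect resolves.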

View File

@ -105,11 +105,6 @@ Each app in the Store for Business has an online, or an offline license. For mor
 
**Note**  
Removing apps from inventory is not currently supported.
 
The actions in the table are how you distribute apps, and manage app licenses. We'll cover those in the next sections. Working with offline-licensed apps has different steps. For more information on distributing offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md).
### Distribute apps
@ -122,15 +117,45 @@ For online-licensed apps, there are a couple of ways to distribute apps from you
If you use a management tool that supports Store for Business, you can distribute apps with your management tool. Once it is configured to work with Store for Business, your managment tool will have access to all apps in your inventory. For more information, see [Distribute apps with a management tool](distribute-apps-with-management-tool.md).
### Assign apps
Once an app is in your private store, people in your org can install the app on their devices. For more information, see [Distribute apps using your private store](distribute-apps-from-your-private-store.md).
You can assign apps directly to people in your organization. You can assign apps to individuals, a few people, or to a group. For more information, see [Assign apps to employees](assign-apps-to-employees.md).
**To make an app in inventory available in your private store**
### Private store
1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
2. Click **Manage**, and then choose **Inventory**.
3. Click **Refine**, and then choose **Online**. Store for Business will update the list of apps on the **Inventory** page.
4. From an app in **Inventory**, click the ellipses under **Action**, and then choose **Add to private store**.
The private store is a feature in the Store for Business. Once an online-licensed app is in your inventory, you can make it available in your private store. When you add apps to the private store, all employees in your organization can view and download the app. Employees access the private store as a page in Windows Store app.
The value under Private store for the app will change to pending. It will take approximately twelve hours before the app is available in the private store.
For more information, see [Distribute apps using your private store](distribute-apps-from-your-private-store.md).
Employees can claim apps that admins added to the private store by doing the following.
**To claim an app from the private store**
1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start the Windows Store app.
2. Click the private store tab.
3. Click the app you want to install, and then click **Install**.
Another way to distribute apps is by assigning them to people in your organization.
If you decide that you don't want an app available for employees to install on their own, you can remove it from your private store.
**To remove an app from the private store**
1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
2. Click **Manage**, and then choose **Inventory**.
3. Find an app, click the ellipses under **Action**, and then choose **Remove from private store**, and then click **Remove**.
The app will still be in your inventory, but your employees will not have access to the app from your private store.
**To assign an app to an employee**
1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
2. Click **Manage**, and then choose **Inventory**.
3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**.
4. Type the email address for the employee that you're assigning the app to, and click **Confirm**.
Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**.
### Manage app licenses
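Review bot: Each procedure in this hunk starts with "Sign in to the [Store for Business](http://businessstore.microsoft.com)", which sends admins to a sign-in page over plain http. Suggest changing the three links to https. The context line above also has "managment tool", which should be "management tool".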

View File

@ -47,6 +47,13 @@ Apps in your inventory will have at least one of these supported platforms liste
Apps that you acquire from the Store for Business only work on Windows 10-based devices. Even though an app might list Windows 8 as its supported platform, that tells you what platform the app was originally written for. Apps developed for Windows 8, or Windows phone 8 will work on Windows 10.
Some apps are free, and some apps charge a price. Currently, you can pay for apps with a credit card. We'll be adding more payment options over time.
Some apps which are available to consumers in the Windows Store might not be available to organizations in the Windows Store for Business. App developers can opt-out their apps, and they also need to meet eligibility requirements for Windows Store for Business. For more information, read this info on [Organizational licensing options](https://msdn.microsoft.com/en-us/windows/uwp/publish/organizational-licensing).
**Note**<br>
We are still setting up the catalog of apps for Windows Store for Business. If you are searching for an app and it isnt available, please check again in a couple of days.
Line-of-business (LOB) apps are also supported using the Store for Business. Admins can invite IT devs and ISVs to be LOB publishers. Apps developed by your LOB publishers that are submitted to the Store are only available to your organization. Once an administrator accepts an app submitted by one of their LOB publishers, the app can be distributed just like any other app from Store for Business. For more information, see Working with Line-of-Business apps.
## <a href="" id="iap"></a>In-app purchases
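Review bot: The added LOB paragraph ends with "For more information, see Working with Line-of-Business apps." as plain text. The TOC in this commit lists `working-with-line-of-business-apps.md`, so suggest making it a link. In the paragraph before it, "App developers can opt-out their apps" should be "opt out".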

View File

@ -28,7 +28,7 @@ Administrators can assign online-licensed apps to employees in their organizatio
4. Type the email address for the employee that you're assigning the app to, and click **Confirm**.
Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**.
Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**.
 

View File

@ -13,6 +13,11 @@ author: jdeckerMS
This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
## May 2016
New or changed topic | Description |
---|---|
[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Corrected script for setting a custom shell using Shell Launcher |
## April 2016

View File

@ -34,7 +34,7 @@ Offline-licensed apps offer an alternative to online apps, and provide additiona
You can't distribute offline-licensed apps directly from the Store for Business. Once you download the items for the offline-licensed app, you have three options for distributing the apps:
- **Deployment Image Servicing and Management**. DISM is a command-line tool that is used to mount and service Microsoft WindowsWindows images before deployment. You can also use DISM to install, uninstall, configure, and update Windows features, packages, drivers, and international settings in a .wim file or VHD using the DISM servicing commands. DISM commands are used on offline images. For more information, see [Deployment Image Servicing and Management](https://msdn.microsoft.com/library/windows/hardware/dn898558.aspx).
- **Deployment Image Servicing and Management**. DISM is a command-line tool that is used to mount and service Microsoft WindowsWindows images before deployment. You can also use DISM to install, uninstall, configure, and update Windows features, packages, drivers, and international settings in a .wim file or VHD using the DISM servicing commands. DISM commands are used on offline images. For more information, see [Deployment Image Servicing and Management](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows).
- **Windows ICD**. ICD is GUI tool that you can use to create Windows provisioning answer files, and add third-party drivers, apps, or other assets to an answer file. For more information, see [Windows Imaging and Configuration Designer](https://msdn.microsoft.com/library/windows/hardware/dn916113.aspx).
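Review bot: The DISM bullet whose link is updated here still reads "Microsoft WindowsWindows images" with the product name doubled. Since the line is being touched anyway, suggest correcting it to "Microsoft Windows images". The following bullet has "ICD is GUI tool", which should be "ICD is a GUI tool".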

View File

@ -1,6 +1,7 @@
---
title: Manage inventory in Windows Store for Business (Windows 10)
description: When you acquire apps from the Windows Store for Business, we add them to the Inventory for your organization. Once an app is part of your inventory, you can distribute the app, and manage licenses.
redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/app-inventory-management-windows-store-for-business
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
@ -38,7 +39,7 @@ Another way to distribute apps is by assigning them to people in your organizati
3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**.
4. Type the email address for the employee that you're assigning the app to, and click **Confirm**.
Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **MyLibrary**.
Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**.
## Manage licenses
For apps in inventory, when you assign an app to an employee, a license for the app is assigned to them. You can manage these licenses, either by assigning them, or reclaiming them so you can assign them to another employee. You can also remove an app from the private store.

View File

@ -350,7 +350,9 @@ Modify the following PowerShell script as appropriate. The comments in the sampl
$ShellLauncherClass.SetEnabled($TRUE)
“`nEnabled is set to “ + $DefaultShellObject.IsEnabled()
$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
“`nEnabled is set to “ + $IsShellLauncherEnabled.Enabled
# Remove the new custom shells.
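Review bot: The corrected output line still uses the curly quote “ as both the opening and the closing delimiter of its strings. Suggest straight double quotes throughout the sample so the script pastes cleanly into a console or editor. A short comment above `$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()` saying that the call returns an object whose `Enabled` property holds the state would explain why the fix was needed.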

View File

@ -5,6 +5,7 @@ ms.assetid: 34F7FA2B-B848-454B-AC00-ECA49D87B678
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa
---
# Settings reference: Windows Store for Business

View File

@ -133,6 +133,6 @@ Offline licensing is a new licensing option for Windows 10. With offline license
You have the following distribution options for offline-licensed apps:
- Include the app in a provisioning package, and then use it as part of imaging a device.
- Distribute the app through a management tool.
For more information, see Distribute apps to your employees from the Store for Business.
For more information, see [Distribute apps to your employees from the Store for Business](distribute-apps-with-management-tool.md).
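Review bot: The new link text is "Distribute apps to your employees from the Store for Business" but the target is `distribute-apps-with-management-tool.md`. The TOC changed in this commit maps that title to `distribute-apps-to-your-employees-windows-store-for-business.md`. Suggest pointing the link at the overview topic, or changing the link text to match the management tool topic.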

View File

@ -57,7 +57,7 @@ The following table lists the different parts of Start and any applicable policy
<p>-and-</p>
<p>Dynamically inserted app tile</p></td>
<td align="left"><p>MDM: <strong>Allow Windows Consumer Features</strong></p>
<p>Group Policy: <strong>Computer Configuration</strong>\<strong>Administrative Templates</strong>\<strong>Windows Components</strong>\<strong>Cloud Content</strong>\<strong>Turn off Microsoft consumer experiences</strong></p>
<p>Group Policy: <strong>Computer Configuration</strong>\\<strong>Administrative Templates</strong>\\<strong>Windows Components</strong>\\<strong>Cloud Content</strong>\\<strong>Turn off Microsoft consumer experiences</strong></p>
<div class="alert">
<strong>Note</strong>  
<p>This policy also enables or disables notifications for a user's Microsoft account and app tiles from Microsoft dynamically inserted in the default Start menu.</p>

View File

@ -85,7 +85,7 @@ For more information, see [Sign up for the Store for Business](../manage/sign-up
### Set up
After your admin signs up for the Store for Business, they can assign roles to other employees in your company. These are the roles and their permissions.
After your admin signs up for the Store for Business, they can assign roles to other employees in your company. The admin needs Azure AD User Admin permissions to assign WSFB roles. These are the roles and their permissions.
<table>
<colgroup>
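Review bot: The added sentence "The admin needs Azure AD User Admin permissions to assign WSFB roles." uses the abbreviation "WSFB", which the rest of this section does not use or expand. Suggest "Store for Business roles" to match the surrounding text.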
@ -137,7 +137,7 @@ Also, if your organization plans to use a management tool, youll need to conf
### Get apps and content
Once signed in to the Store for Business, you can browse and search for all products in the Store for Business catalog. For now, apps in the Store for Business are free. Over time, when paid apps are available, youll have more options for paying for apps.
Once signed in to the Store for Business, you can browse and search for all products in the Store for Business catalog. Some apps are free, and some apps charge a price. We're continuing to add more paid apps to the Store for Business. Check back if you don't see the app that you're looking for. Currently, you can pay for apps with a credit card. We'll be adding more payment options over time.
**App types** -- These app types are supported in the Store for Business:
@ -212,96 +212,54 @@ For more information, see [Manage settings in the Store for Business](../manage/
Store for Business is currently available in these markets.
- Argentina
- Australia
- Austria
- Belgium (Dutch, French)
- Brazil
- Canada (English, French)
- Chile
- Columbia
- Croatia
- Czech Republic
- Denmark
- Finland
- France
- Germany
- Greece
- Hong Kong SAR
- Hungary
- India
- Indonesia
- Ireland
- Italy
- Japan
- Malaysia
- Mexico
- Netherlands
- New Zealand
- Norway
- Philippines
- Poland
- Portugal
- Romania
- Russia
- Singapore
- Slovakia
- South Africa
- Spain
- Sweden
- Switzerland (French, German)
- Taiwan
- Thailand
- Turkey
- Ukraine
- United Kingdom
- United States
- Vietnam
|Country or locale|Paid apps|Free apps|
|-----------------|---------|---------|
|Argentina|X|X|
|Australia|X|X|
|Austria|X|X|
|Belgium (Dutch, French)|X|X|
|Brazil| |X|
|Canada (English, French)|X|X|
|Chile|X|X|
|Columbia|X|X|
|Croatia|X|X|
|Czech Republic|X|X|
|Denmark|X|X|
|Finland|X|X|
|France|X|X|
|Germany|X|X|
|Greece|X|X|
|Hong Kong SAR|X|X|
|Hungary|X|X|
|India| |X|
|Indonesia|X|X|
|Ireland|X|X|
|Italy|X|X|
|Japan|X|X|
|Malaysia|X|X|
|Mexico|X|X|
|Netherlands|X|X|
|New Zealand|X|X|
|Norway|X|X|
|Philippines|X|X|
|Poland|X|X|
|Portugal|X|X|
|Romania|X|X|
|Russia| |X|
|Singapore|X|X|
|Slovakia|X|X|
|South Africa|X|X|
|Spain|X|X|
|Sweden|X|X|
|Switzerland (French, German)|X|X|
|Taiwan| |X|
|Thailand|X|X|
|Turkey|X|X|
|Ukraine| |X|
|United Kingdom|X|X|
|United States|X|X|
|Vietnam|X|X|
## <a href="" id="isv-wsfb"></a>ISVs and the Store for Business
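Review bot: The new markets table carries over "Columbia" from the old list, and the country name is spelled "Colombia". In the Paid apps column, Brazil, India, Russia, Taiwan and Ukraine have a blank cell. Suggest a sentence above the table saying that a blank means paid apps are not available in that market, so the gaps do not read as missing data.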