diff --git a/.gitignore b/.gitignore index cbcb2a697c..55c1d9a504 100644 --- a/.gitignore +++ b/.gitignore @@ -6,7 +6,12 @@ _site/ Tools/NuGet/ .optemp/ + .openpublishing.build.mdproj .openpublishing.buildcore.ps1 packages.config -browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md \ No newline at end of file +windows/keep-secure/index.md + +# User-specific files +.vs/ + diff --git a/browsers/edge/Index.md b/browsers/edge/Index.md index 3bca7ff3af..c15b35774b 100644 --- a/browsers/edge/Index.md +++ b/browsers/edge/Index.md @@ -14,7 +14,6 @@ title: Microsoft Edge - Deployment Guide for IT Pros (Microsoft Edge for IT Pros - Windows 10 - Windows 10 Mobile -- Windows Server 2016 Microsoft Edge is the new, default web browser for Windows 10, helping you to experience modern web standards, better performance, improved security, and increased reliability. Microsoft Edge also introduces new features like Web Note, Reading View, and Cortana that you can use along with your normal web browsing abilities. 
@@ -26,6 +25,7 @@ Microsoft Edge lets you stay up-to-date through the Windows Store and to manage | Topic | Description | | -----------------------| ----------------------------------- | |[Change history for Microsoft Edge](change-history-for-microsoft-edge.md) |Lists new and updated topics in the Microsoft Edge documentation for both Windows 10 and Windows 10 Mobile. | +|[Enterprise guidance about using Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) |Guidance about how to use both Microsoft Edge and Internet Explorer 11 in your enterprise.| | [Microsoft Edge requirements and language support](hardware-and-software-requirements.md) | Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list.| | [Available policies for Microsoft Edge](available-policies.md) | Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings.
Group Policy objects (GPO's) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain. | | [Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) | If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11.
Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. | diff --git a/browsers/edge/TOC.md b/browsers/edge/TOC.md index df9d4246da..fb5ad0c6f2 100644 --- a/browsers/edge/TOC.md +++ b/browsers/edge/TOC.md @@ -1,5 +1,6 @@ #[Microsoft Edge - Deployment Guide for IT Pros](index.md) ##[Change history for Microsoft Edge](change-history-for-microsoft-edge.md) +##[Enterprise guidance about using Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) ##[Microsoft Edge requirements and language support](hardware-and-software-requirements.md) ##[Available policies for Microsoft Edge](available-policies.md) ##[Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index 1b28328f38..3299ef704e 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -14,7 +14,6 @@ title: Available policies for Microsoft Edge (Microsoft Edge for IT Pros) - Windows 10 - Windows 10 Mobile -- Windows Server 2016 Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPO's) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md index 1be3d42b37..61e8ba0de9 100644 --- a/browsers/edge/change-history-for-microsoft-edge.md +++ b/browsers/edge/change-history-for-microsoft-edge.md 
@@ -14,7 +14,13 @@ For a detailed feature list of what's in the current Microsoft Edge releases, th ## July 2016 |New or changed topic | Description | |----------------------|-------------| -|[Microsoft Edge - Deployment Guide for IT Pros](index.md)| Updated various topics to include support for Windows Server 2016 and a note about the Long Term Servicing Branch (LTSB) | +|[Microsoft Edge requirements and language support](hardware-and-software-requirements.md)| Updated to include a note about the Long Term Servicing Branch (LTSB). | + +## July 2016 +|New or changed topic | Description | +|----------------------|-------------| +|[Enterprise guidance about using Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) | Content moved from What's New section. | +|[Available policies for Microsoft Edge](available-policies.md) |Updated | ## June 2016 diff --git a/browsers/edge/emie-to-improve-compatibility.md b/browsers/edge/emie-to-improve-compatibility.md index 10698fde4f..8e57223ba4 100644 --- a/browsers/edge/emie-to-improve-compatibility.md +++ b/browsers/edge/emie-to-improve-compatibility.md @@ -14,7 +14,6 @@ title: Use Enterprise Mode to improve compatibility (Microsoft Edge for IT Pros) **Applies to:** - Windows 10 -- Windows Server 2016 If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11. diff --git a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md new file mode 100644 index 0000000000..f039e2fc51 --- /dev/null +++ b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md 
@@ -0,0 +1,51 @@ +--- +title: Microsoft Edge and Internet Explorer 11 (Microsoft Edge for IT Pros) +description: Enterprise guidance for using Microsoft Edge and Internet Explorer 11. +ms.assetid: 3c5bc4c4-1060-499e-9905-2504ea6dc6aa +author: eross-msft +ms.prod: edge +ms.mktglfcycl: support +ms.sitesec: library +ms.pagetype: appcompat +--- + +# Browser: Microsoft Edge and Internet Explorer 11 +**Microsoft Edge content applies to:** + +- Windows 10 +- Windows 10 Mobile + +**Internet Explorer 11 content applies to:** + +- Windows 10 + +## Enterprise guidance +Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Windows Store or from the [Internet Explorer 11 download page](http://go.microsoft.com/fwlink/p/?linkid=290956). + +We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10. + +### Microsoft Edge +Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana. + +- **Web Note.** Microsoft Edge lets you annotate, highlight, and call things out directly on webpages. +- **Reading view.** Microsoft Edge lets you enjoy and print online articles in a distraction-free layout that's optimized for your screen size. While in reading view, you can also save webpages or PDF files to your reading list, for later viewing. +- **Cortana.** Cortana is automatically enabled on Microsoft Edge. Microsoft Edge lets you highlight words for more info and gives you one-click access to things like restaurant reservations and reviews, without leaving the webpage. 
+- **Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls. + +### IE11 +IE11 offers enterprises additional security, manageability, performance, backward compatibility, and modern standards support. + +- **Backward compatibility.** IE11 supports 9 document modes that include high-fidelity emulations for older versions of IE. +- **Modern web standards.** IE11 supports modern web technologies like HTML5, CSS3, and WebGL, which help to ensure today's modern websites and apps work just as well as your old, legacy websites and apps. +- **More secure.** IE11 was designed with security in mind and is more secure than older versions. Using security features like SmartScreen and Enhanced Protected Mode can help IE11 reduce your risk. +- **Faster.** IE11 is significantly faster than previous versions of Internet Explorer, taking advantage of network optimization and hardware-accelerated text, graphics, and JavaScript rendering. +- **Easier migration to Windows 10.** IE11 is the only version of IE that runs on Windows 7, Windows 8.1, and Windows 10. Upgrading to IE11 on Windows 7 can also help your organization support the next generation of software, services, and devices. +- **Administration.** IE11 can use the Internet Explorer Administration Kit (IEAK) 11 or MSIs for deployment, and includes more than 1,600 Group Policies and preferences for granular control. 
+ +## Related topics +- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/en-us/browser/mt612809.aspx) +- [Download Internet Explorer 11](http://windows.microsoft.com/en-US/internet-explorer/download-ie) +- [Microsoft Edge - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/microsoft-edge/index) +- [Internet Explorer 11 - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/index) +- [IEAK 11 - Internet Explorer Administration Kit 11 Users Guide](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-ieak/index) +- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11) diff --git a/browsers/edge/hardware-and-software-requirements.md b/browsers/edge/hardware-and-software-requirements.md index ad9c6edfba..169caa75ce 100644 --- a/browsers/edge/hardware-and-software-requirements.md +++ b/browsers/edge/hardware-and-software-requirements.md @@ -15,7 +15,6 @@ title: Microsoft Edge requirements and language support (Microsoft Edge for IT P - Windows 10 - Windows 10 Mobile -- Windows Server 2016 Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list. @@ -29,7 +28,7 @@ Some of the components in this table might also need additional system resources | Item | Minimum requirements | | ------------------ | -------------------------------------------- | | Computer/processor | 1 gigahertz (GHz) or faster (32-bit (x86) or 64-bit (x64)) | -| Operating system |
**Note**
For specific Windows 10 Mobile requirements, see the [Minimum hardware requirements for Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkID=699266) topic. |
+| Operating system |
**Note**
For specific Windows 10 Mobile requirements, see the [Minimum hardware requirements for Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkID=699266) topic. |
| Memory |
Windows Settings > Security Settings > Local Policies > Security Options
Accounts: Block Microsoft accounts
Enabled
Accounts: Block Microsoft accounts
**Note** Microsoft accounts can still be used in apps.
Enabled
Interactive logon: Do not display last user name
Enabled
Interactive logon: Sign-in last interactive user automatically after a system-initiated restart
Disabled
+Optionally, you can click **Browse** to change the default output location. + +13. Click **Next**. + +14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
+If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + +15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
+If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + + - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + +16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: + + - Shared network folder + + - SharePoint site + + - Removable media (USB/SD) + + +**Next step** +- [Apply the provisioning package to a PC](#apply-package) + +## Apply package + +**During initial setup, from a USB drive** +1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. + +  + +2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**. + +  + +3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. + +  + +4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. + +  + +5. Select **Yes, add it**. + +  + +6. Read and accept the Microsoft Software License Terms. + +  + +7. Select **Use Express settings**. + +  + +8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**. + +  + +9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**. + +  + +10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive. 
+ +  + + +**After setup, from a USB drive, network folder, or SharePoint site** + +On a desktop computer, navigate to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and select the package to install. + + + + + +## Learn more + +- [Develop Universal Windows Education apps](https://msdn.microsoft.com/windows/uwp/apps-for-education/index) + +- [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=629651) + +- Watch the video: [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921) + +- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922) + + diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md new file mode 100644 index 0000000000..fe7767a997 --- /dev/null +++ b/education/windows/set-up-windows-10.md 
@@ -0,0 +1,37 @@ +--- +title: Provisioning options for Windows 10 +description: Decide which option for setting up Windows 10 is right for you. +keywords: shared cart, shared PC, school +ms.prod: w10 +ms.mktglfcycl: plan +ms.sitesec: library +ms.pagetype: edu +author: jdeckerMS +--- + +# Provisioning options for Windows 10 +**Applies to:** + +- Windows 10 + +You have two tools to choose from to set up PCs for your classroom: **Set up School PCs** app and the **Provision school devices** option in Windows Imaging and Configuration Designer (ICD). Choose the tool that is appropriate for how your students will sign in (Active Directory, Azure Active Directory, or no account). The following diagram compares the tools. + + + + +## In this section + +- [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) +- [Technical reference for the Set up School PCs app (Preview)](set-up-school-pcs-technical.md) +- [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md) +- [Provision student PCs with apps](set-up-students-pcs-with-apps.md) + + +## Related topics + +[Take tests in Windows 10](take-tests-in-windows-10.md) + +[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) + + + diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md index d10f638e00..7e3ed9ca0b 100644 --- a/education/windows/take-a-test-app-technical.md +++ b/education/windows/take-a-test-app-technical.md 
@@ -9,13 +9,12 @@ ms.pagetype: edu author: jdeckerMS --- -# Take a Test app technical reference (Preview) +# Take a Test app technical reference **Applies to:** -- Windows 10 Insider Preview +- Windows 10 -> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] Take a Test is an app that locks down the PC and displays an online assessment web page. @@ -32,7 +31,9 @@ When running above the lock screen: - The hardware print screen button is disabled -- Content within the app will show up as black in screen capturing/sharing software Copy/paste is disabled +- Content within the app will show up as black in screen capturing/sharing software + +- System clipboard is cleared - Web apps can query the processes currently running in the user’s device @@ -79,5 +80,7 @@ When Take a Test is running, the following functionality is available to student - Alt+F4 (**Take a Test** will restart if the student is using a dedicated test account) +## Learn more +[Take a Test API](https://msdn.microsoft.com/en-us/windows/uwp/apps-for-education/take-a-test-api) diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index d0d6052781..0110e7d52c 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md 
@@ -9,14 +9,12 @@ ms.pagetype: edu author: jdeckerMS --- -# Set up Take a Test on multiple PCs (Preview) +# Set up Take a Test on multiple PCs **Applies to:** -- Windows 10 Insider Preview +- Windows 10 -> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] - Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: - A Microsoft Edge browser window opens, showing just the test and nothing else. diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index fece24bac1..7c05de544c 100644 --- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md @@ -9,14 +9,12 @@ ms.pagetype: edu author: jdeckerMS --- -# Set up Take a Test on a single PC (Preview) +# Set up Take a Test on a single PC **Applies to:** -- Windows 10 Insider Preview +- Windows 10 -> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] - The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: - A Microsoft Edge browser window opens, showing just the test and nothing else. diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md index c0de33cc5b..6bf51bf7b2 100644 --- a/education/windows/take-tests-in-windows-10.md +++ b/education/windows/take-tests-in-windows-10.md 
@@ -9,14 +9,12 @@ ms.pagetype: edu author: jdeckerMS --- -# Take tests in Windows 10 (Preview) +# Take tests in Windows 10 **Applies to:** -- Windows 10 Insider Preview +- Windows 10 -> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] - Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: - **Take a Test** shows just the test and nothing else. diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index 97f0a04fcb..788c6dd819 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -9,13 +9,12 @@ ms.pagetype: edu author: jdeckerMS --- -# Use the Set up School PCs app (Preview) +# Use the Set up School PCs app **Applies to:** -- Windows 10 Insider Preview +- Windows 10 -> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] Teachers and IT administrators can use the **Set up School PCs** app to quickly set up computers for students. A computer set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md index 587bb000ba..d75bd0ebe8 100644 --- a/windows/deploy/TOC.md +++ b/windows/deploy/TOC.md 
@@ -47,8 +47,10 @@ ## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) ## [Windows 10 upgrade paths](windows-10-upgrade-paths.md) ## [Windows 10 edition upgrade](windows-10-edition-upgrades.md) +## [Provisioning packages for Windows 10](provisioning-packages.md) +### [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md) +### [Provision PCs with apps and certificates for initial deployments](provision-pcs-with-apps-and-certificates.md) ## [Deploy Windows To Go in your organization](deploy-windows-to-go.md) -## [Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md) ## [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md) ## [Sideload apps in Windows 10](sideload-apps-in-windows-10.md) ## [Volume Activation [client]](volume-activation-windows-10.md) diff --git a/windows/deploy/activate-using-active-directory-based-activation-client.md b/windows/deploy/activate-using-active-directory-based-activation-client.md index dbf9a5a617..cd91b2b614 100644 --- a/windows/deploy/activate-using-active-directory-based-activation-client.md +++ b/windows/deploy/activate-using-active-directory-based-activation-client.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: greg-lindsay +localizationpriority: medium --- # Activate using Active Directory-based activation diff --git a/windows/deploy/activate-using-key-management-service-vamt.md b/windows/deploy/activate-using-key-management-service-vamt.md index 9681860156..3fc787f902 100644 --- a/windows/deploy/activate-using-key-management-service-vamt.md +++ b/windows/deploy/activate-using-key-management-service-vamt.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerMS +localizationpriority: medium --- # Activate using Key Management Service 
diff --git a/windows/deploy/activate-windows-10-clients-vamt.md b/windows/deploy/activate-windows-10-clients-vamt.md index 2d77f355dc..c110f8233c 100644 --- a/windows/deploy/activate-windows-10-clients-vamt.md +++ b/windows/deploy/activate-windows-10-clients-vamt.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerMS +localizationpriority: medium --- # Activate clients running Windows 10 diff --git a/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md index 39133a9d8c..bcf9e7aa13 100644 --- a/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md +++ b/windows/deploy/appendix-information-sent-to-microsoft-during-activation-client.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerMS +localizationpriority: medium --- # Appendix: Information sent to Microsoft during activation **Applies to** diff --git a/windows/deploy/change-history-for-deploy-windows-10.md b/windows/deploy/change-history-for-deploy-windows-10.md index 737b50de59..3d0e742f97 100644 --- a/windows/deploy/change-history-for-deploy-windows-10.md +++ b/windows/deploy/change-history-for-deploy-windows-10.md 
@@ -11,10 +11,18 @@ author: greg-lindsay # Change history for Deploy Windows 10 This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +## RELEASE: Windows 10, version 1607 + +The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added: + +- [Provisioning packages for Windows 10](provisioning-packages.md) +- [Provision PCs with apps and certificates for initial deployment](provision-pcs-with-apps-and-certificates.md) +- [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md) + ## July 2016 | New or changed topic | Description | |----------------------|-------------| -| [Manage Windows upgrades with Upgrade Analytics](manage-windows-upgrades-with-upgrade-analytics.md) | New | +| [Manage Windows upgrades with Upgrade Analytics](manage-windows-upgrades-with-upgrade-analytics.md) | New | ## June 2016 | New or changed topic | Description | @@ -44,12 +52,3 @@ This topic lists new and updated topics in the [Deploy Windows 10](index.md) doc - [Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md) - [Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md) - [Change history for Manage and update Windows 10](../manage/change-history-for-manage-and-update-windows-10.md) - - - - - - - - - diff --git a/windows/deploy/images/ICD.png b/windows/deploy/images/ICD.png new file mode 100644 index 0000000000..9cfcb845df Binary files /dev/null and b/windows/deploy/images/ICD.png differ diff --git a/windows/deploy/images/ICDstart-option.PNG b/windows/deploy/images/ICDstart-option.PNG new file mode 100644 index 0000000000..1ba49bb261 Binary files /dev/null and b/windows/deploy/images/ICDstart-option.PNG differ 
diff --git a/windows/deploy/images/adk-install.png b/windows/deploy/images/adk-install.png new file mode 100644 index 0000000000..c087d3bae5 Binary files /dev/null and b/windows/deploy/images/adk-install.png differ diff --git a/windows/deploy/images/checkmark.png b/windows/deploy/images/checkmark.png index 04cc421e12..f9f04cd6bd 100644 Binary files a/windows/deploy/images/checkmark.png and b/windows/deploy/images/checkmark.png differ diff --git a/windows/deploy/images/choose-package.png b/windows/deploy/images/choose-package.png new file mode 100644 index 0000000000..2bf7a18648 Binary files /dev/null and b/windows/deploy/images/choose-package.png differ diff --git a/windows/deploy/images/connect-aad.png b/windows/deploy/images/connect-aad.png new file mode 100644 index 0000000000..8583866165 Binary files /dev/null and b/windows/deploy/images/connect-aad.png differ diff --git a/windows/deploy/images/crossmark.png b/windows/deploy/images/crossmark.png index 2b267dc802..69432ff71c 100644 Binary files a/windows/deploy/images/crossmark.png and b/windows/deploy/images/crossmark.png differ diff --git a/windows/deploy/images/express-settings.png b/windows/deploy/images/express-settings.png new file mode 100644 index 0000000000..99e9c4825a Binary files /dev/null and b/windows/deploy/images/express-settings.png differ diff --git a/windows/deploy/images/icd-simple-edit.png b/windows/deploy/images/icd-simple-edit.png new file mode 100644 index 0000000000..3608dc18f3 Binary files /dev/null and b/windows/deploy/images/icd-simple-edit.png differ diff --git a/windows/deploy/images/icd-simple.PNG b/windows/deploy/images/icd-simple.PNG new file mode 100644 index 0000000000..7ae8a1728b Binary files /dev/null and b/windows/deploy/images/icd-simple.PNG differ diff --git a/windows/deploy/images/license-terms.png b/windows/deploy/images/license-terms.png new file mode 100644 index 0000000000..8dd34b0a18 Binary files /dev/null and b/windows/deploy/images/license-terms.png differ 
diff --git a/windows/deploy/images/oobe.jpg b/windows/deploy/images/oobe.jpg new file mode 100644 index 0000000000..53a5dab6bf Binary files /dev/null and b/windows/deploy/images/oobe.jpg differ diff --git a/windows/deploy/images/package.png b/windows/deploy/images/package.png new file mode 100644 index 0000000000..f5e975e3e9 Binary files /dev/null and b/windows/deploy/images/package.png differ diff --git a/windows/deploy/images/prov.jpg b/windows/deploy/images/prov.jpg new file mode 100644 index 0000000000..1593ccb36b Binary files /dev/null and b/windows/deploy/images/prov.jpg differ diff --git a/windows/deploy/images/setupmsg.jpg b/windows/deploy/images/setupmsg.jpg new file mode 100644 index 0000000000..12935483c5 Binary files /dev/null and b/windows/deploy/images/setupmsg.jpg differ diff --git a/windows/deploy/images/sign-in-prov.png b/windows/deploy/images/sign-in-prov.png new file mode 100644 index 0000000000..55c9276203 Binary files /dev/null and b/windows/deploy/images/sign-in-prov.png differ diff --git a/windows/deploy/images/trust-package.png b/windows/deploy/images/trust-package.png new file mode 100644 index 0000000000..8a293ea4da Binary files /dev/null and b/windows/deploy/images/trust-package.png differ diff --git a/windows/deploy/images/uwp-dependencies.PNG b/windows/deploy/images/uwp-dependencies.PNG new file mode 100644 index 0000000000..4e2563169f Binary files /dev/null and b/windows/deploy/images/uwp-dependencies.PNG differ diff --git a/windows/deploy/images/uwp-family.PNG b/windows/deploy/images/uwp-family.PNG new file mode 100644 index 0000000000..bec731eec4 Binary files /dev/null and b/windows/deploy/images/uwp-family.PNG differ diff --git a/windows/deploy/images/uwp-license.PNG b/windows/deploy/images/uwp-license.PNG new file mode 100644 index 0000000000..ccb5cf7cf4 Binary files /dev/null and b/windows/deploy/images/uwp-license.PNG differ 
diff --git a/windows/deploy/images/who-owns-pc.png b/windows/deploy/images/who-owns-pc.png new file mode 100644 index 0000000000..d3ce1def8d Binary files /dev/null and b/windows/deploy/images/who-owns-pc.png differ diff --git a/windows/deploy/index.md b/windows/deploy/index.md index c36f030dfd..504b8b4dc8 100644 --- a/windows/deploy/index.md +++ b/windows/deploy/index.md 
@@ -15,7 +15,6 @@ Learn about deploying Windows 10 for IT professionals. |Topic |Description | |------|------------| -|[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) |This topic lists new and updated topics in the Deploy Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). | |[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. | |[Manage Windows upgrades with Upgrade Analytics](manage-windows-upgrades-with-upgrade-analytics.md) |With Upgrade Analytics, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. | |[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. | 
@@ -24,13 +23,15 @@ Learn about deploying Windows 10 for IT professionals. |[Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) |The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. | |[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. | |[Windows 10 edition upgrade](windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. | +| [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md) | Create a provisioning package to apply commonly used settings to a PC running Windows 10. | +| [Provision PCs with apps and certificates for initial deployments](provision-pcs-with-apps-and-certificates.md) | Create a provisioning package to add apps and certificates to a PC running Windows 10. | |[Windows 10 upgrade paths](windows-10-upgrade-paths.md) |You can upgrade directly to Windows 10 from a previous operating system. | |[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](../plan/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](../plan/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. 
| -|[Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md) |Use a provisioning package to apply settings, profiles, and file assets to a Windows 10 image. | |[Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md) |This topic describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. | |[Sideload apps in Windows 10](sideload-apps-in-windows-10.md) |Sideload line-of-business apps in Windows 10. | |[Volume Activation [client]](volume-activation-windows-10.md) |This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. | |[Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md) |Learn about the tools available to deploy Windows 10. | +|[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) |This topic lists new and updated topics in the Deploy Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). | ## Related topics - [Windows 10 and Windows 10 Mobile](../index.md) diff --git a/windows/deploy/monitor-activation-client.md b/windows/deploy/monitor-activation-client.md index 26c8257cc3..5b49e544c2 100644 --- a/windows/deploy/monitor-activation-client.md +++ b/windows/deploy/monitor-activation-client.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: greg-lindsay +localizationpriority: medium --- # Monitor activation diff --git a/windows/deploy/plan-for-volume-activation-client.md b/windows/deploy/plan-for-volume-activation-client.md index d5ed360f3e..3e4a114155 100644 --- a/windows/deploy/plan-for-volume-activation-client.md +++ b/windows/deploy/plan-for-volume-activation-client.md 
@@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerMS +localizationpriority: medium --- # Plan for volume activation diff --git a/windows/deploy/provision-pcs-for-initial-deployment.md b/windows/deploy/provision-pcs-for-initial-deployment.md new file mode 100644 index 0000000000..d3692b2073 --- /dev/null +++ b/windows/deploy/provision-pcs-for-initial-deployment.md 
@@ -0,0 +1,133 @@ +--- +title: Provision PCs with common settings (Windows 10) +description: Create a provisioning package to apply common settings to a PC running Windows 10. +ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E +keywords: ["runtime provisioning", "provisioning package"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +--- + +# Provision PCs with common settings for initial deployment (simple provisioning) + + +**Applies to** + +- Windows 10 + +This topic explains how to create and apply a simple provisioning package that contains common enterprise settings to a device running all desktop editions of Windows 10 except Windows 10 Home. + +You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. + +## Advantages +- You can configure new devices without reimaging. + +- Works on both mobile and desktop devices. + +- No network connectivity required. + +- Simple to apply. + +[Learn more about the benefits and uses of provisioning packages.](provisioning-packages.md) + +## What does simple provisioning do? + +In a simple provisioning package, you can configure: + +- Device name +- Upgraded product edition +- Wi-Fi network +- Active Directory enrollment +- Local administrator account + +Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. To learn about provisioning packages that include more than the settings in a simple provisioning package, see [Provision PCs with apps and certificates](provision-pcs-with-apps-and-certificates.md). + +> [!TIP] +> Use simple provisioning to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc. 
+ + + +## Create the provisioning package + +Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK and select **Configuration Designer**.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) + +1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). + +2. Click **Simple provisioning**. + +  + +3. Name your project and click **Finish**. The screens for simple provisioning will walk you through the following steps. + +  + +4. In the **Set up device** step, enter a unique 15-character name for the device. For help generating a unique name, you can use %SERIAL%, which includes a hardware-specific serial number, or you can use %RAND:x%, which generates random characters of x length. + +5. (*Optional*) You can upgrade the following editions of Windows 10 by providing a product key for the edition to upgrade to. + - Pro to Education + - Pro to Enterprise + - Enterprise to Education + +6. Click **Set up network**. + +7. Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network. + +8. Click **Enroll into Active Directory**. + +9. Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (*Optional*) Enter a user name and password to create a local administrator account. + + > **Warning**: If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend: + - Use a least-privileged domain account to join the device to the domain. 
+ - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully. + - [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory. + +10. Click **Finish**. + +11. Review your settings in the summary. You can return to previous pages to change your selections. Then, under **Protect your package**, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package. + +12. Click **Create**. + +> [!IMPORTANT] +> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + +## Apply package + +1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. + +  + +2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**. + +  + +3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. + +  + +4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. + +  + +5. Select **Yes, add it**. 
+ +  + + + +## Learn more +- [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=629651) + +- Watch the video: [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921) + +- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922) + + + + + + + + + diff --git a/windows/deploy/provision-pcs-with-apps-and-certificates.md b/windows/deploy/provision-pcs-with-apps-and-certificates.md new file mode 100644 index 0000000000..936f1b6f73 --- /dev/null +++ b/windows/deploy/provision-pcs-with-apps-and-certificates.md 
@@ -0,0 +1,227 @@ +--- +title: Provision PCs with apps and certificates (Windows 10) +description: Create a provisioning package to apply settings to a PC running Windows 10. +ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E +keywords: ["runtime provisioning", "provisioning package"] +ms.prod: W10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +--- + +# Provision PCs with apps and certificates for initial deployment (advanced provisioning) + + +**Applies to** + +- Windows 10 + + +This topic explains how to create and apply a provisioning package that contains apps and certificates to a device running all desktop editions of Windows 10 except Windows 10 Home. Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. + +You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. + +## Advantages +- You can configure new devices without reimaging. + +- Works on both mobile and desktop devices. + +- No network connectivity required. + +- Simple to apply. + +[Learn more about the benefits and uses of provisioning packages.](provisioning-packages.md) + +## Create the provisioning package + +Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK and select **Configuration Designer**.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) + +1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). + +2. Click **Advanced provisioning**. + +  + +3. Name your project and click **Next**. + +3. Select **All Windows desktop editions**, click **Next**, and then click **Finish**. 
+ + +### Add a desktop app to your package + +1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandFiles**. + +2. Add all the files required for the app install, including the data files and the installer. + +3. Go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandLine** and specify the command line that needs to be executed to install the app. This is a single command line (such as a script, executable, or msi) that triggers a silent install of your CommandFiles. Note that the install must execute silently (without displaying any UI). For MSI installers use, the `msiexec /quiet` option. + +> [!NOTE] +> If you are installing more than one app, then use CommandLine to invoke the script or batch file that orchestrates installation of the files. For more information, see [Install a Win32 app using a provisioning package](https://msdn.microsoft.com/library/windows/hardware/mt703295%28v=vs.85%29.aspx). + + +### Add a universal app to your package + +Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Windows Store for Business apps that you acquire with [offline licensing](../manage/acquire-apps-windows-store-for-business.md), or third-party apps. This procedure will assume you are distributing apps from the Windows Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer. + +1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**. + +2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Windows Store for Business, the package family name is listed in the **Package details** section of the download page. + +  + +3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). + +4. 
For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Windows Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. + +  + +5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. In Windows Store for Business, you generate the license for the app on the app's download page. + +  + +[Learn more about distributing offline apps from the Windows Store for Business.](../manage/distribute-offline-apps.md) + +> [!NOTE] +> Removing a provisioning package will not remove any apps installed by device context in that provisioning package. + + + +### Add a certificate to your package + +1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**. + +2. Enter a **CertificateName** and then click **Add**. + +2. Enter the **CertificatePassword**. + +3. For **CertificatePath**, browse and select the certificate to be used. + +4. Set **ExportCertificate** to **False**. + +5. For **KeyLocation**, select **Software only**. + + +### Add other settings to your package + +For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( http://go.microsoft.com/fwlink/p/?LinkId=619012). + +### Build your package + +1. When you are done configuring the provisioning package, on the **File** menu, click **Save**. + +2. Read the warning that project files may contain sensitive information, and click **OK**. +> **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + +3. On the **Export** menu, click **Provisioning package**. + +1. 
Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** + +10. Set a value for **Package Version**. + + > [!TIP] + > You can make changes to existing packages and change the version number to update previously applied packages. + +11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. + + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. + + **Important** + We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. + +12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.
+Optionally, you can click **Browse** to change the default output location. + +13. Click **Next**. + +14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
+If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + +15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
+If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + + - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + +16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: + + - Shared network folder + + - SharePoint site + + - Removable media (USB/SD) + + - Email + + - USB tether (mobile only) + + - NFC (mobile only) + + + +## Apply package + +### During initial setup, from a USB drive + +1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. + +  + +2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**. + +  + +3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. + +  + +4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. + +  + +5. Select **Yes, add it**. + +  + +6. Read and accept the Microsoft Software License Terms. + +  + +7. Select **Use Express settings**. + +  + +8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**. + +  + +9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**. + +  + +10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive. 
+ +  + + +### After setup, from a USB drive, network folder, or SharePoint site + +On a desktop computer, navigate to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and select the package to install. + + + +## Learn more +- [Build and apply a provisioning package]( http://go.microsoft.com/fwlink/p/?LinkId=629651) + +- Watch the video: [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921) + +- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922) + + + + + + diff --git a/windows/deploy/provisioning-packages.md b/windows/deploy/provisioning-packages.md new file mode 100644 index 0000000000..4630340ba6 --- /dev/null +++ b/windows/deploy/provisioning-packages.md 
@@ -0,0 +1,141 @@ +--- +title: Provisioning packages (Windows 10) +description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. +ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: mobile +author: jdeckerMS +--- + +# Provisioning packages for Windows 10 + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows Provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management (through a wizard-driven user interface) and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. + +With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. + +Provisioning packages are simple enough that with a short set of written instructions, a student or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization. + +## New in Windows 10, Version 1607 + +The Windows Assessment and Deployment Kit (ADK) for Windows 10 includes the Imaging and Configuration Designer (ICD), a tool for configuring images and runtime settings which are then built into provisioning packages. Windows ICD for Windows 10, Version 1607, simplifies common provisioning scenarios. 
+ + + +Windows ICD in Windows 10, Version 1607, supports the following scenarios for IT administrators: + +* **Simple provisioning** – Enables IT administrators to define a desired configuration in Windows ICD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner. + + > [Learn how to use simple provisioning to configure Windows 10 computers.](provision-pcs-for-initial-deployment.md) + +* **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** – Allows an IT administrator to use Windows ICD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices. + + > [Learn how to use advanced provisioning to configure Windows 10 computers with apps and certificates.](provision-pcs-with-apps-and-certificates.md) + +* **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows 10 Mobile devices and enroll them into mobile device management (MDM) before handing them to end-users in the organization. IT administrators can use Windows ICD to specify the management end-point and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. Supported management end-points include: + + * System Center Configuration Manager and Microsoft Intune hybrid (certificate-based enrollment) + * AirWatch (password-string based enrollment) + * Mobile Iron (password-string based enrollment) + * Other MDMs (cert-based enrollment) + +> [!NOTE] +> Windows ICD in Windows 10, Version 1607, also provides a wizard to create provisioning packages for school PCs. To learn more, see [Set up students' PCs to join domain](https://technet.microsoft.com/edu/windows/index). 
+ +## Benefits of provisioning packages + + +Provisioning packages let you: + +- Quickly configure a new device without going through the process of installing a new image. + +- Save time by configuring multiple devices using one provisioning package. + +- Quickly configure employee-owned devices in an organization without a mobile device management (MDM) infrastructure. + +- Set up a device without the device having network connectivity. + +Provisioning packages can be: + +- Installed using removable media such as an SD card or USB flash drive. + +- Attached to an email. + +- Downloaded from a network share. + +## What you can configure + + +The following table provides some examples of what can be configured using provisioning packages. + +| Customization options | Examples | +|--------------------------|-----------------------------------------------------------------------------------------------| +| Bulk Active Directory join and device name | Join devices to Active Directory domain and assign device names using hardware-specific serial numbers or random characters | +| Applications | Windows apps, line-of-business applications | +| Bulk enrollment into MDM | Automatic enrollment into a third-party MDM service\* | +| Certificates | Root certification authority (CA), client certificates | +| Connectivity profiles | Wi-Fi, proxy settings, Email | +| Enterprise policies | Security restrictions (password, device lock, camera, and so on), encryption, update settings | +| Data assets | Documents, music, videos, pictures | +| Start menu customization | Start menu layout, application pinning | +| Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on | +\* Using a provisioning package for auto-enrollment to System Center Configuration Manager or Configuration Manager/Intune hybrid is not supported. Use the Configuration Manager console to enroll devices. 
+ + +For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( http://go.microsoft.com/fwlink/p/?LinkId=619012). + +## Creating a provisioning package + + +With Windows 10, you can use the Windows Imaging and Configuration Designer (ICD) tool to create provisioning packages. To install Windows ICD and create provisioning packages, you must [install the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). + +When you run ADKsetup.exe for Windows 10, version 1607, select the following feature from the **Select the features you want to install** dialog box: + +- **Configuration Designer** + + + +> [!NOTE] +> In previous versions of the Windows 10 ADK, you had to install additional features for Windows ICD to run. Starting in version 1607, you can install Windows ICD without other ADK features. + +After you install Windows ICD, you can use it to create a provisioning package. For detailed instructions on how to create a provisioning package, see [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651). + +## Applying a provisioning package to a device + + +Provisioning packages can be applied both during image deployment and during runtime. For information on how to apply a provisioning package to a Windows 10-based device, see [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651). 
+ +## Learn more + + +[Windows 10: Deployment](http://go.microsoft.com/fwlink/p/?LinkId=533708) + +## Related topics + +- [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md) +- [Provision PCs with apps and certificates for initial deployments](provision-pcs-with-apps-and-certificates.md) +- [Configure devices without MDM](../manage/configure-devices-without-mdm.md) +- [Set up a shared or guest PC with Windows 10](../manage/set-up-shared-or-guest-pc.md) +- [Configure devices without MDM](../manage/configure-devices-without-mdm.md) +- [Set up a device for anyone to use (kiosk mode)](../manage/set-up-a-device-for-anyone-to-use.md) +- [Customize Windows 10 Start and taskbar with ICD and provisioning packages](../manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) +- [Set up student PCs to join domain](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain) + + + + + + + + + + + + diff --git a/windows/deploy/use-the-volume-activation-management-tool-client.md b/windows/deploy/use-the-volume-activation-management-tool-client.md index 1e4f5c32b2..6eed17adf5 100644 --- a/windows/deploy/use-the-volume-activation-management-tool-client.md +++ b/windows/deploy/use-the-volume-activation-management-tool-client.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerMS +localizationpriority: medium --- # Use the Volume Activation Management Tool diff --git a/windows/deploy/volume-activation-windows-10.md b/windows/deploy/volume-activation-windows-10.md index eda56e2651..f1bda40ad4 100644 --- a/windows/deploy/volume-activation-windows-10.md +++ b/windows/deploy/volume-activation-windows-10.md @@ -8,6 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: jdeckerMS +localizationpriority: medium --- # Volume Activation for Windows 10 
diff --git a/windows/deploy/windows-10-upgrade-paths.md b/windows/deploy/windows-10-upgrade-paths.md index 2503ea6a25..7ee695086b 100644 --- a/windows/deploy/windows-10-upgrade-paths.md +++ b/windows/deploy/windows-10-upgrade-paths.md @@ -31,6 +31,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
Physical PC
For PCs running Windows 10, you cannot run Credential Guard on a virtual machine.
For PCs running Windows 10, version 1511 and Windows 10, version 1507, you cannot run Credential Guard on a virtual machine.
Virtual machine
For PCs running Windows 10, version 1607, you can run Credential Guard on a Generation 2 virtual machine.
1. If present, hypervisor support is available.
2. If present, Secure Boot is available.
3. If present, DMA protection is available.
4. If present, Secure Memory Overwrite is available.
5. If present, NX protections are available.
6. If present, SMM mitigations are available.
Note: 4, 5, and 6 were added as of Windows 10, version 1607.
+0. Nothing is required.
1. If present, Secure Boot is needed.
2. If present, DMA protection is needed.
3. If present, both Secure Boot and DMA protection are needed.
1. If present, hypervisor support is needed.
2. If present, Secure Boot is needed.
3. If present, DMA protection is needed.
4. If present, Secure Memory Overwrite is needed.
5. If present, NX protections are needed.
6. If present, SMM mitigations are needed.
Note: 4, 5, and 6 were added as of Windows 10, version 1607.
+Policy | Options | ||
---|---|---|---|
Use Microsoft Passport for Work | +Use Windows Hello for Business |
- Not configured: Users can provision Passport for Work, which encrypts their domain password. -Enabled: Device provisions Passport for Work using keys or certificates for all users. -Disabled: Device does not provision Passport for Work for any user. +Not configured: Users can provision Windows Hello for Business, which encrypts their domain password. +Enabled: Device provisions Windows Hello for Business using keys or certificates for all users. +Disabled: Device does not provision Windows Hello for Business for any user. |
|
Use a hardware security device |
- Not configured: Passport for Work will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. -Enabled: Passport for Work will only be provisioned using TPM. -Disabled: Passport for Work will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. +Not configured: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. +Enabled: Windows Hello for Business will only be provisioned using TPM. +Disabled: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. |
||
Remote Passport | +Phone Sign-in |
- Use Remote Passport +Use Phone Sign-in Note Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
|
- Not configured: Remote Passport is disabled. +Not configured: Phone sign-in is disabled. Enabled: Users can use a portable, registered device as a companion device for desktop authentication. -Disabled: Remote Passport is disabled. +Disabled: Phone sign-in is disabled. |
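Review bot: The renamed feature is capitalized two ways in the added Group Policy rows: the row heading and setting name read "Phone Sign-in", while the note and the option descriptions read "Phone sign-in". Pick one form for the feature name and use it throughout. The MDM table later in this file uses "Phone sign-in", so that form is the smaller change.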
Policy | @@ -152,9 +155,9 @@ The following table lists the MDM policy settings that you can configure for PasDevice | True |
- True: Passport will be provisioned for all users on the device. -False: Users will not be able to provision Passport. -Note If Passport is enabled, and then the policy is changed to False, users who previously set up Passport can continue to use it, but will not be able to set up Passport on other devices.
+True: Windows Hello for Business will be provisioned for all users on the device. +False: Users will not be able to provision Windows Hello for Business. +Note If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but will not be able to set up Windows Hello for Business on other devices.
|
Device | False |
- True: Passport will only be provisioned using TPM. -False: Passport will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. +True: Windows Hello for Business will only be provisioned using TPM. +False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. |
---|---|---|---|---|
Device | False |
- True: Biometrics can be used as a gesture in place of a PIN for domain logon. -False: Only a PIN can be used as a gesture for domain logon. +True: Biometrics can be used as a gesture in place of a PIN for domain sign-in. +False: Only a PIN can be used as a gesture for domain sign-in. |
||
Device or user | False |
- True: Remote Passport is enabled. -False: Remote Passport is disabled. +True: Phone sign-in is enabled. +False: Phone sign-in is disabled. |
Microsoft Passport mode | +Windows Hello for Business mode | Azure AD | -Active Directory (AD) on-premises (available with production release of Windows Server 2016 Technical Preview) | -Azure AD/AD hybrid (available with production release of Windows Server 2016 Technical Preview) | +Active Directory (AD) on-premises (available with production release of Windows Server 2016) | +Azure AD/AD hybrid (available with production release of Windows Server 2016) | Key-based authentication | Azure AD subscription |
|
|
@@ -328,8 +331,8 @@ You’ll need this software to set Microsoft Passport policies in your enterpris
|
@@ -337,20 +340,22 @@ You’ll need this software to set Microsoft Passport policies in your enterpris
---|
Topic | -Description | -
---|---|
[Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) |
-IT professionals can manage Windows Defender on Windows 10 endpoints in their organization using Active Directory or WSUS, apply updates to endpoints, and manage scans using: -
|
-
[Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) |
-IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Active Directory and WSUS. |
-
[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md) |
-IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take. |
-
XML | +
---|
|
+
[Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)
This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md).
[Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)
Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users.
You can use the same management tools to manage all device types running Windows 10 : desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions.
[Windows Spotlight on the lock screen](windows-spotlight.md)
Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen.
[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Enterprise or Windows 10 Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes.
[Windows Store for Business](windows-store-for-business.md)
Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization.
[Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)
This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md).
[Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md)
Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10.
[Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
Windows 10, Version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail.
[Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md)
You can configure a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise as a kiosk device, so that users can only interact with a single application that you select.
Windows Embedded 8.1 Industry lockdown feature | +Windows 10 feature | +Changes | +
---|---|---|
[Hibernate Once/Resume Many (HORM)](http://go.microsoft.com/fwlink/p/?LinkId=626758): Quick boot to device |
+N/A | +HORM is supported in Windows 10, version 1607. |
+
[Unified Write Filter](http://go.microsoft.com/fwlink/p/?LinkId=626757): protect a device's physical storage media |
+[Unified Write Filter](http://go.microsoft.com/fwlink/p/?LinkId=626607) | +The Unified Write Filter is continued in Windows 10, with the exception of HORM which has been deprecated. |
+
[Keyboard Filter]( http://go.microsoft.com/fwlink/p/?LinkId=626761): block hotkeys and other key combinations |
+[Keyboard Filter](http://go.microsoft.com/fwlink/p/?LinkId=708391) | +Keyboard filter is added in Windows 10, version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via Turn Windows Features On/Off. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path. |
+
[Shell Launcher](http://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Classic Windows application on sign-on |
+[Shell Launcher](http://go.microsoft.com/fwlink/p/?LinkId=618603) | +Shell Launcher continues in Windows 10. It is now configurable in Windows ICD under the SMISettings category. +Learn [how to use Shell Launcher to create a kiosk device](http://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Classic Windows application. |
+
[Application Launcher]( http://go.microsoft.com/fwlink/p/?LinkId=626675): launch a Universal Windows Platform (UWP) app on sign-on |
+[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608) | +The Windows 8 Application Launcher has been consolidated into Assigned Access. Application Launcher enabled launching a Windows 8 app and holding focus on that app. Assigned Access offers a more robust solution for ensuring that apps retain focus. |
+
[Dialog Filter](http://go.microsoft.com/fwlink/p/?LinkId=626762): suppress system dialogs and control which processes can run |
+[AppLocker](../keep-secure/applocker-overview.md) | +Dialog Filter has been deprecated for Windows 10. Dialog Filter provided two capabilities; the ability to control which processes were able to run, and the ability to prevent dialogs (in practice, system dialogs) from appearing. +
|
+
[Toast Notification Filter]( http://go.microsoft.com/fwlink/p/?LinkId=626673): suppress toast notifications |
+Mobile device management (MDM) and Group Policy | +Toast Notification Filter has been replaced by MDM and Group Policy settings for blocking the individual components of non-critical system toasts that may appear. For example, to prevent a toast from appearing when a USB drive is connected, ensure that USB connections have been blocked using the USB-related policies, and turn off notifications from apps. +Group Policy: User Configuration > Administrative Templates > Start Menu and Taskbar > Notifications +MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow action center notifications and a [custom OMA-URI setting](http://go.microsoft.com/fwlink/p/?LinkID=616317) for AboveLock/AllowActionCenterNotifications. |
+
[Embedded Lockdown Manager](http://go.microsoft.com/fwlink/p/?LinkId=626763): configure lockdown features |
+[Windows Imaging and Configuration Designer (ICD)](http://go.microsoft.com/fwlink/p/?LinkID=525483) | +The Embedded Lockdown Manager has been deprecated for Windows 10 and replaced by the Windows ICD. Windows ICD is the consolidated tool for Windows imaging and provisioning scenarios and enables configuration of all Windows settings, including the lockdown features previously configurable through Embedded Lockdown Manager. |
+
[USB Filter](http://go.microsoft.com/fwlink/p/?LinkId=626674): restrict USB devices and peripherals on system |
+MDM and Group Policy | +The USB Filter driver has been replaced by MDM and Group Policy settings for blocking the connection of USB devices. +Group Policy: Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions +MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow removable storage or Allow USB connection (Windows 10 Mobile only). |
+
[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkID=613653): launch a UWP app on sign-in and lock access to system |
+[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608) | +Assigned Access has undergone significant improvement for Windows 10. In Windows 8.1, Assigned Access blocked system hotkeys and edge gestures, and non-critical system notifications, but it also applied some of these limitations to other accounts on the device. +In Windows 10, Assigned Access no longer affects accounts other than the one being locked down. Assigned Access now restricts access to other apps or system components by locking the device when the selected user account logs in and launching the designated app above the lock screen, ensuring that no unintended functionality can be accessed. +Learn [how to use Assigned Access to create a kiosk device](http://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Universal Windows app. |
+
[Gesture Filter](http://go.microsoft.com/fwlink/p/?LinkId=626672): block swipes from top, left, and right edges of screen |
+[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608) | +The capabilities of Gesture Filter have been consolidated into Assigned Access for Windows 10. In Windows 8.1, gestures provided the ability to close an app, to switch apps, and to reach the Charms. For Windows 10, Charms have been removed, and blocking the closing or switching of apps is part of Assigned Access. |
+
[Custom Logon]( http://go.microsoft.com/fwlink/p/?LinkId=626759): suppress Windows UI elements during Windows sign-on, sign-off, and shutdown |
+[Embedded Logon](http://go.microsoft.com/fwlink/p/?LinkId=626760) | +No changes. Applies only to Windows 10 Enterprise and Windows 10 Education. |
+
[Unbranded Boot](http://go.microsoft.com/fwlink/p/?LinkId=626872): custom brand a device by removing or replacing Windows boot UI elements |
+[Unbranded Boot](http://go.microsoft.com/fwlink/p/?LinkId=626873) | +No changes. Applies only to Windows 10 Enterprise and Windows 10 Education. |
+
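Review bot: The added HORM row and the added Unified Write Filter row contradict each other. The first says "HORM is supported in Windows 10, version 1607", but the next row still says UWF is continued "with the exception of HORM which has been deprecated". That sentence was carried over unchanged from the table this change removes from the What's new section, where the HORM row read "not supported". Update the UWF row to match, and reconsider "N/A" in the Windows 10 feature column of the HORM row now that the feature is listed as supported.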
None. Turns off Delivery Optimization.
Group. Gets or sends updates and apps to PCs on the same local network domain.
Internet. Gets or sends updates and apps to PCs on the Internet.
LAN. Gets or sends updates and apps to PCs on the same NAT only.
None. Turns off Delivery Optimization.
Group. Gets or sends updates and apps to PCs on the same local network domain.
Internet. Gets or sends updates and apps to PCs on the Internet.
LAN. Gets or sends updates and apps to PCs on the same NAT only.
Simple. Simple download mode with no peering.
Bypass. Use BITS instead of Windows Update Delivery Optimization.
0. Turns off Delivery Optimization.
1. Gets or sends updates and apps to PCs on the same NAT only.
2. Gets or sends updates and apps to PCs on the same local network domain.
3. Gets or sends updates and apps to PCs on the Internet.
0. Turns off Delivery Optimization.
1. Gets or sends updates and apps to PCs on the same NAT only.
2. Gets or sends updates and apps to PCs on the same local network domain.
3. Gets or sends updates and apps to PCs on the Internet.
99. Simple download mode with no peering.
100. Use BITS instead of Windows Update Delivery Optimization.
[Microsoft System Center Configuration Manager Technical Preview](http://go.microsoft.com/fwlink/p/?LinkId=613622)
[Microsoft System Center Configuration Manager 2016](http://go.microsoft.com/fwlink/p/?LinkId=613622)
Client deployment, upgrade, and management with new and existing features
Policy name | Value | When set? |
---|---|---|
Admin Templates > Control Panel > Personalization | ||
Prevent enabling lock screen slide show | Enabled | Always |
Prevent changing lock screen and logon image | Enabled | Always |
Admin Templates > System > Power Management > Button Settings | ||
Select the Power button action (plugged in) | Sleep | SetPowerPolicies=True |
Select the Power button action (on battery) | Sleep | SetPowerPolicies=True |
Select the Sleep button action (plugged in) | Sleep | SetPowerPolicies=True |
Select the lid switch action (plugged in) | Sleep | SetPowerPolicies=True |
Select the lid switch action (on battery) | Sleep | SetPowerPolicies=True |
Admin Templates > System > Power Management > Sleep Settings | ||
Require a password when a computer wakes (plugged in) | Enabled | SignInOnResume=True |
Require a password when a computer wakes (on battery) | Enabled | SignInOnResume=True |
Specify the system sleep timeout (plugged in) | *SleepTimeout* | SetPowerPolicies=True |
Specify the system sleep timeout (on battery) | *SleepTimeout* | SetPowerPolicies=True |
Turn off hybrid sleep (plugged in) | Enabled | SetPowerPolicies=True |
Turn off hybrid sleep (on battery) | Enabled | SetPowerPolicies=True |
Specify the unattended sleep timeout (plugged in) | *SleepTimeout* | SetPowerPolicies=True |
Specify the unattended sleep timeout (on battery) | *SleepTimeout* | SetPowerPolicies=True |
Allow standby states (S1-S3) when sleeping (plugged in) | Enabled | SetPowerPolicies=True |
Allow standby states (S1-S3) when sleeping (on battery) | Enabled | SetPowerPolicies=True |
Specify the system hibernate timeout (plugged in) | Enabled, 0 | SetPowerPolicies=True |
Specify the system hibernate timeout (on battery) | Enabled, 0 | SetPowerPolicies=True |
Admin Templates>System>Power Management>Video and Display Settings | ||
Turn off the display (plugged in) | *SleepTimeout* | SetPowerPolicies=True |
Turn off the display (on battery | *SleepTimeout* | SetPowerPolicies=True |
Admin Templates>System>Logon | ||
Show first sign-in animation | Disabled | Always |
Hide entry points for Fast User Switching | Enabled | Always |
Turn on convenience PIN sign-in | Disabled | Always |
Turn off picture password sign-in | Enabled | Always |
Turn off app notification on the lock screen | Enabled | Always |
Allow users to select when a password is required when resuming from connected standby | Disabled | SignInOnResume=True |
+
Block user from showing account details on sign-in | Enabled | Always |
Admin Templates>System>User Profiles | ||
Turn off the advertising ID | Enabled | SetEduPolicies=True |
Admin Templates>Windows Components | ||
Do not show Windows Tips *Only on Pro, Enterprise, Pro Education, and Education* | Enabled | SetEduPolicies=True |
Turn off Microsoft consumer experiences *Only on Pro, Enterprise, Pro Education, and Education* | Enabled | SetEduPolicies=True |
Microsoft Passport for Work | Disabled | Always |
Prevent the usage of OneDrive for file storage | Enabled | Always |
Admin Templates>Windows Components>Biometrics | ||
Allow the use of biometrics | Disabled | Always |
Allow users to log on using biometrics | Disabled | Always |
Allow domain users to log on using biometrics | Disabled | Always |
Admin Templates>Windows Components>Data Collection and Preview Builds | ||
Toggle user control over Insider builds | Disabled | Always |
Disable pre-release features or settings | Disabled | Always |
Do not show feedback notifications | Enabled | Always |
Admin Templates>Windows Components>File Explorer | ||
Show lock in the user tile menu | Disabled | Always |
Admin Templates>Windows Components>Maintenance Scheduler | ||
Automatic Maintenance Activation Boundary | *MaintenanceStartTime* | Always |
Automatic Maintenance Random Delay | Enabled, 2 hours | Always |
Automatic Maintenance WakeUp Policy | Enabled | Always |
Admin Templates>Windows Components>Microsoft Edge | ||
Open a new tab with an empty tab | Disabled | SetEduPolicies=True |
Configure corporate home pages | Enabled, about:blank | SetEduPolicies=True |
Admin Templates>Windows Components>Search | ||
Allow Cortana | Disabled | SetEduPolicies=True |
Windows Settings>Security Settings>Local Policies>Security Options |
+||
Interactive logon: Do not display last user name | Enabled, Disabled when account model is only guest | Always |
Interactive logon: Sign-in last interactive user automatically after a system-initiated restart | Disabled | Always |
+
Shutdown: Allow system to be shut down without having to log on | Disabled | Always |
User Account Control: Behavior of the elevation prompt for standard users | Auto deny | Always |
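Review bot: The row `Microsoft Passport for Work | Disabled | Always` under Admin Templates>Windows Components keeps the old feature name, although this change renames "Use Microsoft Passport for Work" to "Use Windows Hello for Business" in the policy tables of the Passport topics. Either rename this row to match or confirm that the policy keeps the old label here. While touching the table, close the parenthesis in "Turn off the display (on battery" and use one separator style in the section paths, which currently mix "Admin Templates > System > Power Management" with "Admin Templates>System>Logon".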
Kid's corner
-(disabled in Assigned Access)
Apps corner
(disabled in Assigned Access)
[Windows Store for Business overview](windows-store-for-business-overview.md)
Learn about Windows Store for Business.
[Prerequisites for Windows Store for Business](prerequisites-windows-store-for-business.md)
There are a few prerequisites for using Store for Business.
[Sign up for Windows Store for Business](sign-up-windows-store-for-business.md)
Before you sign up for Store for Business, at a minimum, you'll need an Azure Active Directory (AD) account for your organization, and you'll need to be the global administrator for your organization. If your organization is already using Azure AD, you can go ahead and sign up for Store for Business. If not, we'll help you create an Azure AD account and directory as part of the sign up process.
[Roles and permissions in the Windows Store for Business](roles-and-permissions-windows-store-for-business.md)
The first person to sign in to Store for Business must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees.
[Settings reference: Windows Store for Business](settings-reference-windows-store-for-business.md)
The Store for Business has a group of settings that admins use to manage the store.
Start | @@ -93,8 +91,8 @@ The following table lists the different parts of Start and any applicable policy
---|
Permission | +Account settings | +Acquire apps | +Distribute apps | +Device Guard signing | +
---|---|---|---|---|
Admin |
+X |
+X |
+X |
++ |
Purchaser |
++ | X |
+X |
++ |
Device Guard signer |
++ | + | + | X |
+
Topic | -Description | -
---|---|
[Change history for What's new in Windows 10](change-history-for-what-s-new-in-windows-10.md) |
-This topic lists new and updated topics in the What's new in Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). |
-
[AppLocker](applocker.md) |
-AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. |
-
[BitLocker](bitlocker.md) |
-BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. |
-
[Browser: Microsoft Edge and Internet Explorer 11](edge-ie11-whats-new-overview.md) |
-Resources to help you explore the Windows 10 browsing options for your enterprise. |
-
[Credential Guard](credential-guard.md) |
-Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. |
-
[Device Guard](device-guard-overview.md) |
-Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. |
-
[Enterprise data protection (EDP)](edp-whats-new-overview.md) |
-With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data disclosure through apps and services that are outside of the enterprise’s control like email, social media, and the public cloud. |
-
[Enterprise management for Windows 10 devices](device-management.md) |
-Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices. |
-
[Lockdown features from Windows Embedded Industry 8.1](lockdown-features-windows-10.md) |
-Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation. |
-
[Microsoft Passport](microsoft-passport.md) |
-In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN. |
-
[Provisioning packages](new-provisioning-packages.md) |
-With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. |
-
[Security](security.md) |
-There are several key client security improvements Microsoft has made in Windows 10. These improvements focus on three key areas — threat resistance, information protection, and identity protection and access control. In addition to an overview of the features themselves, this article discusses the hardware requirements for each new feature and offers configuration recommendations and links to more detailed resources. |
-
[Security auditing](security-auditing.md) |
-Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you have determined to be valuable in your risk assessment. |
-
[Trusted Platform Module](trusted-platform-module.md) |
-This topic for the IT professional describes new features for the Trusted Platform Module (TPM) in Windows 10. |
-
[User Account Control](user-account-control.md) |
-User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment. |
-
[Windows spotlight on the lock screen](windows-spotlight.md) |
-Windows spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows spotlight is now available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows spotlight background. |
-
[Windows Store for Business overview](windows-store-for-business-overview.md) |
-With the new Windows Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps. |
-
[Windows Update for Business](windows-update-for-business.md) |
-Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. |
-
Windows Embedded 8.1 Industry lockdown feature | -Windows 10 feature | -Changes | -
---|---|---|
[Hibernate Once/Resume Many (HORM)](http://go.microsoft.com/fwlink/p/?LinkId=626758): Quick boot to device |
-N/A | -HORM is not supported in Windows 10. However, with enhancements to the Windows boot process and Unified Extensible Firmware Interface (UEFI) hardware, startup times can be dramatically reduced compared to previous versions. |
-
[Unified Write Filter](http://go.microsoft.com/fwlink/p/?LinkId=626757): protect a device's physical storage media |
-[Unified Writer Filter](http://go.microsoft.com/fwlink/p/?LinkId=626607) | -The Unified Write Filter is continued in Windows 10, with the exception of HORM which has been deprecated. |
-
[Keyboard Filter]( http://go.microsoft.com/fwlink/p/?LinkId=626761): block hotkeys and other key combinations |
-[Keyboard Filter](http://go.microsoft.com/fwlink/p/?LinkId=708391) | -Keyboard filter is added in Windows 10, version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via Turn Windows Features On/Off. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path. |
-
[Shell Launcher](http://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Classic Windows application on sign-on |
-[Shell Launcher](http://go.microsoft.com/fwlink/p/?LinkId=618603) | -Shell Launcher continues in Windows 10. It is now configurable in Windows ICD under the SMISettings category. -Learn [how to use Shell Launcher to create a kiosk device](http://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Classic Windows application. |
-
[Application Launcher]( http://go.microsoft.com/fwlink/p/?LinkId=626675): launch a Universal Windows Platform (UWP) app on sign-on |
-[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608) | -The Windows 8 Application Launcher has been consolidated into Assigned Access. Application Launcher enabled launching a Windows 8 app and holding focus on that app. Assigned Access offers a more robust solution for ensuring that apps retain focus. |
-
[Dialog Filter](http://go.microsoft.com/fwlink/p/?LinkId=626762): suppress system dialogs and control which processes can run |
-[AppLocker](../keep-secure/applocker-overview.md) | -Dialog Filter has been deprecated for Windows 10. Dialog Filter provided two capabilities; the ability to control which processes were able to run, and the ability to prevent dialogs (in practice, system dialogs) from appearing. -
|
-
[Toast Notification Filter]( http://go.microsoft.com/fwlink/p/?LinkId=626673): suppress toast notifications |
-Mobile device management (MDM) and Group Policy | -Toast Notification Filter has been replaced by MDM and Group Policy settings for blocking the individual components of non-critical system toasts that may appear. For example, to prevent a toast from appearing when a USB drive is connected, ensure that USB connections have been blocked using the USB-related policies, and turn off notifications from apps. -Group Policy: User Configuration > Administrative Templates > Start Menu and Taskbar > Notifications -MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow action center notifications and a [custom OMA-URI setting](http://go.microsoft.com/fwlink/p/?LinkID=616317) for AboveLock/AllowActionCenterNotifications. |
-
[Embedded Lockdown Manager](http://go.microsoft.com/fwlink/p/?LinkId=626763): configure lockdown features |
-[Windows Imaging and Configuration Designer (ICD)](http://go.microsoft.com/fwlink/p/?LinkID=525483) | -The Embedded Lockdown Manager has been deprecated for Windows 10 and replaced by the Windows ICD. Windows ICD is the consolidated tool for Windows imaging and provisioning scenarios and enables configuration of all Windows settings, including the lockdown features previously configurable through Embedded Lockdown Manager. |
-
[USB Filter](http://go.microsoft.com/fwlink/p/?LinkId=626674): restrict USB devices and peripherals on system |
-MDM and Group Policy | -The USB Filter driver has been replaced by MDM and Group Policy settings for blocking the connection of USB devices. -Group Policy: Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions -MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow removable storage or Allow USB connection (Windows 10 Mobile only). |
-
[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkID=613653): launch a UWP app on sign-in and lock access to system |
-[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608) | -Assigned Access has undergone significant improvement for Windows 10. In Windows 8.1, Assigned Access blocked system hotkeys and edge gestures, and non-critical system notifications, but it also applied some of these limitations to other accounts on the device. -In Windows 10, Assigned Access no longer affects accounts other than the one being locked down. Assigned Access now restricts access to other apps or system components by locking the device when the selected user account logs in and launching the designated app above the lock screen, ensuring that no unintended functionality can be accessed. -Learn [how to use Assigned Access to create a kiosk device](http://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Universal Windows app. |
-
[Gesture Filter](http://go.microsoft.com/fwlink/p/?LinkId=626672): block swipes from top, left, and right edges of screen |
-[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608) | -The capabilities of Gesture Filter have been consolidated into Assigned Access for Windows 10. In Windows 8.1, gestures provided the ability to close an app, to switch apps, and to reach the Charms. For Windows 10, Charms have been removed, and blocking the closing or switching of apps is part of Assigned Access. |
-
[Custom Logon]( http://go.microsoft.com/fwlink/p/?LinkId=626759): suppress Windows UI elements during Windows sign-on, sign-off, and shutdown |
-[Embedded Logon](http://go.microsoft.com/fwlink/p/?LinkId=626760) | -No changes. Applies only to Windows 10 Enterprise and Windows 10 Education. |
-
[Unbranded Boot](http://go.microsoft.com/fwlink/p/?LinkId=626872): custom brand a device by removing or replacing Windows boot UI elements |
-[Unbranded Boot](http://go.microsoft.com/fwlink/p/?LinkId=626873) | -No changes. Applies only to Windows 10 Enterprise and Windows 10 Education. |
-
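Review bot: the Toast Notification Filter and USB Filter rows being removed are the only lines in this table that spell out the replacement controls: the Group Policy paths (User Configuration > Administrative Templates > Start Menu and Taskbar > Notifications, and Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions) and the Intune settings, including the AboveLock/AllowActionCenterNotifications OMA-URI. Whatever replaces these rows should carry those paths over unchanged, since they are what an admin actually sets to lock the device down. The Dialog Filter row, as shown here, names two capabilities (process control and dialog suppression) but links only AppLocker, so the replacement should say what covers dialog suppression. Two small fixes to make in the new text: the link label "Unified Writer Filter" should read "Unified Write Filter" to match its description, and the link targets for Keyboard Filter, Application Launcher, Toast Notification Filter and Custom Logon have a space after "(" that can break Markdown link rendering.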
Permission | -Account settings | -Acquire apps | -Distribute apps | -Device Guard signing | -
---|---|---|---|---|
Admin |
-X |
-X |
-X |
-- |
Purchaser |
-- | X |
-X |
-- |
Device Guard signer |
-- | - | - | X |
-
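Review bot: in the permission matrix being removed, the Admin row has X under Account settings, Acquire apps and Distribute apps but not under Device Guard signing, which is granted only to the Device Guard signer role. That separation of signing from account administration is the security-relevant fact in this table, so confirm the replacement content keeps it visible rather than collapsing the roles. If the table is rewritten, a blank cell or an explicit "No" would read better than "-" for empty cells, which is easy to confuse with the diff's own removed-line prefix on lines such as "-- |".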