Merge remote-tracking branch 'refs/remotes/origin/master' into wsfb-6366597

Trudy Hakala
2016-08-01 11:18:42 -07:00
362 changed files with 5617 additions and 2055 deletions


@ -1,23 +1,28 @@
# [Manage and update Windows 10](index.md)
## [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)
## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)
## [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md)
## [Manage corporate devices](manage-corporate-devices.md)
### [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
### [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)
### [New policies for Windows 10](new-policies-for-windows-10.md)
### [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
### [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)
### [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)
### [Introduction to configuration service providers (CSPs)](how-it-pros-can-use-configuration-service-providers.md)
## [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
## [Windows Spotlight on the lock screen](windows-spotlight.md)
## [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
### [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
### [Customize and export Start layout](customize-and-export-start-layout.md)
### [Customize Windows 10 Start with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
### [Customize Windows 10 Start with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
### [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
### [Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
### [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
## [Lock down Windows 10](lock-down-windows-10.md)
### [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md)
### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
### [Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md)
#### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
#### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
#### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
### [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md)
### [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
### [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)
@ -33,6 +38,7 @@
## [Application development for Windows as a service](application-development-for-windows-as-a-service.md)
## [Windows Store for Business](windows-store-for-business.md)
### [Sign up and get started](sign-up-windows-store-for-business-overview.md)
####[Windows Store for Business overview](windows-store-for-business-overview.md)
#### [Prerequisites for Windows Store for Business](prerequisites-windows-store-for-business.md)
#### [Sign up for Windows Store for Business](sign-up-windows-store-for-business.md)
#### [Roles and permissions in the Windows Store for Business](roles-and-permissions-windows-store-for-business.md)
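Review bot: The TOC entry `####[Windows Store for Business overview](windows-store-for-business-overview.md)` in this hunk has no space between `####` and the link, unlike the sibling entries around it. Add the space so it is parsed as a level-4 heading and nests under "Sign up and get started" like the others.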
@ -59,4 +65,4 @@
#### [Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md)
#### [Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md)
### [Troubleshoot Windows Store for Business](troubleshoot-windows-store-for-business.md)
## [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)


@ -12,6 +12,16 @@ author: jdeckerMS
This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
## RELEASE: Windows 10, version 1607
The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
- [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
- [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
- [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
## July 2016
| New or changed topic | Description |
@ -19,6 +29,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
| [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md) | New |
| [Windows 10 servicing options](introduction-to-windows-10-servicing.md) | Added detailed content on servicing branches, moved from [Windows 10 servicing overview](../plan/windows-10-servicing-options.md). |
## June 2016
| New or changed topic | Description |


@ -7,6 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: medium
---
# Changes to Group Policy settings for Windows 10 Start


@ -8,6 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile, devices
author: jdeckerMS
localizationpriority: medium
---
# Configure devices without MDM
@ -24,7 +25,7 @@ Sometimes mobile device management (MDM) isn't available to you for setting up a
Rather than wiping a device and applying a new system image, in Windows 10 you can apply a provisioning package at any time. A provisioning package can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more.
You can provide provisioning packages on a network shared folder that employees can access to configure their devices. Or you can put a provisioning package on a USB flash drive or SD card to hand out. You can even send the provisioning package to someone in email.
You can provide provisioning packages on a network shared folder that employees can access to configure their devices. Or you can put a provisioning package on a USB flash drive or SD card to hand out.
Provisioning packages are simple for employees to install. And when they remove a provisioning package, policies that the package applied to their device are removed.
@ -56,8 +57,8 @@ Provisioning packages are simple for employees to install. And when they remove
Package might include company root certificate, Wi-Fi profiles, security policies, or company application.
**Note**  
Test to make sure that removing the provisioning package from a personal device removes everything that the package installed. Some settings are not reverted when a provisioning package is removed from the device.
> [!NOTE]  
> Test to make sure that removing the provisioning package from a personal device removes everything that the package installed. Some settings are not reverted when a provisioning package is removed from the device.
 
@ -65,81 +66,93 @@ Provisioning packages are simple for employees to install. And when they remove
Package might include computer name, company root certificate, Wi-Fi profile, or company application.
**Note**  
To return the **Start** menu to a specific state, you must reset the device. When you reset the device, you can apply the provisioning package during the first-run experience.
> [!NOTE]  
> To return the **Start** menu to a specific state, you must reset the device. When you reset the device, you can apply the provisioning package during the first-run experience.
 
For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( http://go.microsoft.com/fwlink/p/?LinkId=619012).
## Create package
## Create a provisioning package
Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
When you run Windows ICD, you have several options for creating your package.
![Simple or advanced provisioning](images/ICDstart-option.png).
- Choose **Simple provisioning** to define a desired configuration in Windows ICD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner.
- Choose **Provision school devices** to quickly create provisioning packages that configure settings and policies tailored for students. Learn more about using Windows ICD to provision student PCs (link tb added).
- Choose **Advanced provisioning** to create provisioning packages in the advanced settings editor and include classic (Win32) and Universal Windows Platform (UWP) apps for deployment on end-user devices.
> [!IMPORTANT]
> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
### Using Simple provisioning
1. Open Windows ICD (by default, `%windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe`).
2. Click **Simple provisioning**.
2. Name your project and click **Finish**.
3. In the **Set up device** step, enter a unique 15-character name for the device. For help generating a unique name, you can use %SERIAL%, which includes a hardware-specific serial number, or you can use %RAND:x%, which generates random characters of x length.
4. (Optional) You can upgrade the following editions of Windows 10 by providing a product key for the edition to upgrade to.
- Home to Education
- Pro to Education
- Pro to Enterprise
- Enterprise to Education
- Mobile to Mobile Enterprise
5. Click **Set up network**.
6. Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network.
7. Click **Enroll into Active Directory**.
8. Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (Optional) Enter a user name and password to create a local administrator account.
> [!WARNING]
> If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend:
- Use a least-privileged domain account to join the device to the domain.
- Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully.
- [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory.
9. Click **Finish**.
10. Review your settings in the summary. You can return to previous pages to change your selections. Then, under **Protect your package**, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package.
11. Click **Create**.
### Using Advanced provisioning
Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)
1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
2. Choose **New provisioning package**.
2. Click **Advanced provisioning**.
3. Choose **New provisioning package**.
3. Name your project, and click **Next**.
4. Choose **Common to all Windows editions**, **Common to all Windows desktop editions**, or **Common to all Windows mobile editions**, depending on the devices you intend to provision, and click **Next**.
4. Choose **All Windows editions**, **All Windows desktop editions**, or **All Windows mobile editions**, depending on the devices you intend to provision, and click **Next**.
5. On **New project**, click **Finish**. The workspace for your package opens.
6. Configure settings. [Learn more about specific settings in provisioning packages.]( http://go.microsoft.com/fwlink/p/?LinkId=615916)
7. On the **File** menu, select **Save.**
8. On the **Export** menu, select **Provisioning package**.
9. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
10. Set a value for **Package Version**.
**Tip**  
You can make changes to existing packages and change the version number to update previously applied packages.
 
> [!TIP]  
> You can make changes to existing packages and change the version number to update previously applied packages.
 
11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
**Important**  
We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.
 
> [!IMPORTANT]  
> We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.
 
12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.
Optionally, you can click **Browse** to change the default output location.
13. Click **Next**.
14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods:
- Shared network folder
- SharePoint site
- Removable media (USB/SD)
- Email
- USB tether (mobile only)
Learn more: [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651)
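Review bot: In "Using Simple provisioning", step 8 has the admin enter domain-join credentials and an optional local administrator password, but step 10 offers package encryption only as a Yes/No toggle with no recommendation. Since the IMPORTANT callout earlier in this hunk already says the .ppkg may contain sensitive information, step 10 should tell the reader to select **Yes** whenever credentials from step 8 are included. Other points in this hunk: the three best-practice bullets after the WARNING are not prefixed with `>`, so they fall outside the callout; "(link tb added)" in the **Provision school devices** bullet is a leftover placeholder; the default ICD path starts with `%windir%` although `Program Files (x86)` is not under the Windows directory, and the doubled backslashes will render literally inside the code span in step 1; and step 16 still lists "Email" as a way to hand out the .ppkg while the other hunks in this file remove email delivery.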
@ -147,11 +160,11 @@ Learn more: [Build and apply a provisioning package](http://go.microsoft.com/fwl
## Apply package
On a desktop computer, the employee goes to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and selects the package to install. The user can also add a provisioning package simply by double-clicking the .ppkg file in email, in local storage, on removable media, or at a URL.
On a desktop computer, the employee goes to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and selects the package to install. The user can also add a provisioning package simply by double-clicking the .ppkg file in local storage, on removable media, or at a URL.
![add a package option](images/package.png)
On a mobile device, the employee goes to **Settings** > **Accounts** > **Provisioning.** > **Add a package**, and selects the package on removable media to install. The user can also add a provisioning package simply by double-tapping the .ppkg file in email.
On a mobile device, the employee goes to **Settings** > **Accounts** > **Provisioning.** > **Add a package**, and selects the package on removable media to install.
![add provisioning package on phone](images/phoneprovision.png)
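Review bot: The rewritten mobile sentence keeps `**Provisioning.** >` with a period inside the bold UI label, carried over from the old line. Since the line is being replaced anyway, drop the period so the path reads **Settings** > **Accounts** > **Provisioning** > **Add a package**.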
@ -168,7 +181,7 @@ On a mobile device, the employee goes to **Settings** > **Accounts** > **P
- Optionally, keep packages when you reset a mobile device. When you reset a desktop, runtime packages are removed.
![](images/resetdevice.png)
![reset a device](images/resetdevice.png)
## Learn more


@ -0,0 +1,294 @@
---
title: Configure Windows 10 taskbar (Windows 10)
description: Admins can pin apps to users' taskbars.
keywords: ["taskbar layout","pin apps"]
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: medium
---
# Configure Windows 10 taskbar
Starting in Windows 10, version 1607, administrators can pin additional apps to the taskbar and remove default pinned apps from the taskbar by adding a `<TaskbarLayout>` section to a layout modification XML file. This method never removes user-pinned apps from the taskbar.
> [!NOTE]
> The only aspect of the taskbar that can currently be configured by the layout modification XML file is the layout.
You can specify different taskbar configurations based on device locale and region. There is no limit on the number of apps that you can pin. You specify apps using the [Application User Model ID (AUMID)](http://go.microsoft.com/fwlink/p/?LinkId=614867) or Desktop Application Link Path (the local path to the application).
If you specify an app to be pinned that is not installed on the computer, it won't appear on the taskbar.
The order of apps in the xml file dictates order of apps on taskbar from left to right, to the right of any existing apps pinned by user.
> [!NOTE]
> In operating systems configured to use a right-to-left language, the taskbar order will be reversed.
The following example shows how apps will be pinned: Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square).
![Windows left, user center, enterprise to the right](images/taskbar-generic.png)
## Configure taskbar (general)
To configure the taskbar:
1. Create the XML file.
* If you are also [customizing the Start layout](customize-and-export-start-layout.md), use `Export-StartLayout` to create the XML, and then add the `<CustomTaskbarLayoutCollection>` section from the following sample to the file.
* If you are only configuring the taskbar, use the following sample to create a layout modification XML file.
2. Edit and save the XML file. You can use [AUMID](http://go.microsoft.com/fwlink/p/?LinkId=614867) or Desktop Application Link Path to identify the apps to pin to the taskbar.
* Use `<taskbar:UWA>` and [AUMID](http://go.microsoft.com/fwlink/p/?LinkId=614867) to pin Universal Windows Platform apps.
* Use `<taskbar:DesktopApp>` and Desktop Application Link Path to pin desktop applications.
3. Apply the layout modification XML file to devices using [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) or a [provisioning package created in Windows Imaging and Configuration Designer (Windows ICD)](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md).
### Tips for finding AUMID and Desktop Application Link Path
In the layout modification XML file, you will need to add entries for applications in the XML markup. In order to pin an application, you need either its AUMID or Desktop Application Link Path.
The easiest way to find this data for an application is to:
1. Pin the application to the Start menu
2. Open Windows PowerShell and run the `Export-StartLayout` cmdlet.
3. Open the generated XML file.
4. Look for an entry corresponding to the app you pinned .
5. Look for a property labeled `AppUserModelID` or `DesktopApplicationLinkPath`.
### Sample taskbar configuration XML
```xml
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1">
<CustomTaskbarLayoutCollection>
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<taskbar:UWA AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
```
### Sample taskbar configuration added to Start layout XML
```xml
<LayoutModificationTemplate Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout">
<start:Group Name="Life at a glance" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
<start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
<start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI" />
<start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
<CustomTaskbarLayoutCollection>
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<taskbar:UWA AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>
```
##Keep default apps and add your own
The `<CustomTaskbarLayoutCollection>` section will append listed apps to the taskbar by default. The following sample keeps the default apps pinned and adds pins for Paint, Microsoft Reader, and a command prompt.
```xml
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1">
<CustomTaskbarLayoutCollection>
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" />
<taskbar:UWA AppUserModelID="Microsoft.Reader_8wekyb3d8bbwe!Microsoft.Reader" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%appdata%\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
```
**Before:**
![default apps pinned to taskbar](images/taskbar-default.png)
**After:**
![additional apps pinned to taskbar](images/taskbar-default-plus.png)
##Remove default apps and add your own
By adding `PinListPlacement="Replace"` to `<CustomTaskbarLayoutCollection>`, you remove all default pinned apps; only the apps that you specify will be pinned to the taskbar.
If you only want to remove some of the default pinned apps, you would use this method to remove all default pinned apps and then include the default app that you want to keep in your list of pinned apps.
```xml
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1">
<CustomTaskbarLayoutCollection PinListPlacement="Replace">
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<taskbar:DesktopApp DesktopApplicationLinkPath=”%APPDATA%Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk”/>
<taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" />
<taskbar:UWA AppUserModelID="Microsoft.Office.Word_8wekyb3d8bbwe!microsoft.word" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
```
**Before:**
![Taskbar with default apps](images/taskbar-default.png)
**After:**
![Taskbar with default apps removed](images/taskbar-default-removed.png)
## Configure taskbar by country or region
The following example shows you how to configure taskbars by country or region. When you specify one or more country or region in `<taskbar:TaskbarPinList>`, the pinned apps in that section are only pinned on computers that are configured for that country or region. When specifying taskbar configuration by country or region, the taskbar will concatenate pinlists together so long as the target computer meets the country or region requirements. If no country or region is specified for a `<TaskbarPinList>` node, it will apply to every country and region.
```xml
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1">
<CustomTaskbarLayoutCollection PinListPlacement="Replace">
<defaultlayout:TaskbarLayout region="US|UK">
<taskbar:TaskbarPinList >
<taskbar:UWA AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" />
<taskbar:UWA AppUserModelID="Microsoft.Office.Word_8wekyb3d8bbwe!microsoft.word" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk"/>
<taskbar:UWA AppUserModelID="Microsoft.Reader_8wekyb3d8bbwe!Microsoft.Reader" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
<defaultlayout:TaskbarLayout region="DE|FR">
<taskbar:TaskbarPinList>
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" />
<taskbar:UWA AppUserModelID="Microsoft.Office.Word_8wekyb3d8bbwe!microsoft.word" />
<taskbar:UWA AppUserModelID="Microsoft.Office.Excel_8wekyb3d8bbwe!microsoft.excel" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk"/>
<taskbar:UWA AppUserModelID="Microsoft.Reader_8wekyb3d8bbwe!Microsoft.Reader" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" />
<taskbar:UWA AppUserModelID="Microsoft.Office.Word_8wekyb3d8bbwe!microsoft.word" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk"/>
<taskbar:UWA AppUserModelID="Microsoft.Reader_8wekyb3d8bbwe!Microsoft.Reader" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
```
When the preceding example XML is applied, the resulting taskbar for computers in the US or UK:
![taskbar for US and UK locale](images/taskbar-region-usuk.png)
The resulting taskbar for computers in Germany or France:
![taskbar for DE and FR locale](images/taskbar-region-defr.png)
The resulting taskbar for computers in any other country region:
![taskbar for all other regions](images/taskbar-region-other.png)
> [!NOTE]
> [Look up country and region codes (use the ISO Short column)](http://go.microsoft.com/fwlink/p/?LinkId=786445)
## Layout Modification Template schema definition
```xml
<?xml version="1.0" encoding="utf-8"?>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:local="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
targetNamespace="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
elementFormDefault="qualified">
<xsd:complexType name="ct_PinnedUWA">
<xsd:attribute name="AppUserModelID" type="xsd:string" />
</xsd:complexType>
<xsd:complexType name="ct_PinnedDesktopApp">
<xsd:attribute name="DesktopApplicationID" type="xsd:string" />
<xsd:attribute name="DesktopApplicationLinkPath" type="xsd:string" />
</xsd:complexType>
<xsd:complexType name="ct_TaskbarPinList">
<xsd:sequence>
<xsd:choice minOccurs="1" maxOccurs="unbounded">
<xsd:element name="UWA" type="local:ct_PinnedUWA" />
<xsd:element name="DesktopApp" type="local:ct_PinnedDesktopApp" />
</xsd:choice>
</xsd:sequence>
<xsd:attribute name="Region" type="xsd:string" use="optional" />
</xsd:complexType>
<xsd:simpleType name="st_TaskbarPinListPlacement">
<xsd:restriction base="xsd:string">
<xsd:enumeration value="Append" />
<xsd:enumeration value="Replace" />
</xsd:restriction>
</xsd:simpleType>
<xsd:attributeGroup name="ag_SelectionAttributes">
<xsd:attribute name="SKU" type="xsd:string" use="optional"/>
<xsd:attribute name="Region" type="xsd:string" use="optional"/>
</xsd:attributeGroup>
<xsd:complexType name="ct_TaskbarLayout">
<xsd:sequence>
<xsd:element name="TaskbarPinList" type="local:ct_TaskbarPinList" minOccurs="1" maxOccurs="1" />
</xsd:sequence>
<xsd:attributeGroup ref="local:ag_SelectionAttributes"/>
</xsd:complexType>
</xsd:schema>
```
## Related topics
[Manage Windows 10 Start and taskbar layout ](windows-10-start-layout-options-and-policies.md)[Customize and export Start layout](customize-and-export-start-layout.md)
[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)
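Review bot: In the schema block, `st_TaskbarPinListPlacement` (Append/Replace) is declared but no element or attribute in the visible schema references it, so a reader cannot tell where the placement value is supposed to go. Either add the attribute that carries it or drop the type. The heading says "Layout Modification Template schema definition" while the `targetNamespace` is the TaskbarLayout one, and `Region` is declared both on `ct_TaskbarPinList` and in `ag_SelectionAttributes` with no statement of which applies. In Related topics, the first two links sit on one line with a stray space inside the first link text; put each on its own line.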

View File

@ -123,7 +123,7 @@ The Upgrade Analytics workflow steps you through the discovery and rationalizati
### Data collection
Windows 10 and Windows Server 2016 Technical Preview includes the Connected User Experience and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores telemetry events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
Windows 10 and Windows Server 2016 includes the Connected User Experience and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores telemetry events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces.
2. Events are gathered using public operating system event logging and tracing APIs.
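Review bot: The rewritten first sentence under Data collection keeps a singular verb after a compound subject; with "Windows 10 and Windows Server 2016" it should read "include the Connected User Experience and Telemetry component". Since the line is being touched anyway to drop "Technical Preview", fix the agreement in the same change.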

View File

@ -0,0 +1,81 @@
---
title: Connect to remote Azure Active Directory-joined PC (Windows 10)
description: You can use Remote Desktop Connection to connect to an Azure AD-joined PC.
ms.assetid: 62D6710C-E59C-4077-9C7E-CE0A92DFC05D
keywords: ["MDM", "device management", "RDP", "AADJ"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: devices
author: jdeckerMS
localizationpriority: medium
---
# Connect to remote Azure Active Directory-joined PC
**Applies to**
- Windows 10
From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD).
![Remote Desktop Connection client](images/rdp.png)
## Set up
- Both PCs (local and remote) must be running Windows 10, version 1607. Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported.
- Ensure [Remote Credential Guard](../keep-secure/remote-credential-guard.md), a new feature in Windows 10, version 1607, is turned off on the client PC.
- On the PC that you want to connect to:
1. Open system properties for the remote PC.
2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**.
![Allow remote connections to this computer](images/allow-rdp.png)
3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users, click **Select Users**.
4. Enter **Authenticated Users**, then click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC.
## Supported configurations
In organizations that have integrated Active Directory and Azure AD, you can connect from a domain-joined PC to an Azure AD-joined PC using:
- Password
- Smartcards
- Windows Hello for Business, if the domain is managed by System Center Configuration Manager
In organizations that have integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to an AD-joined PC when the Azure AD-joined PC is on the corporate network using:
- Password
- Smartcards
- Windows Hello for Business, if the organization has a mobile device management (MDM) subscription.
In organizations that have integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC using:
- Password
- Smartcards
- Windows Hello for Business, with or without an MDM subscription.
In organizations using only Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC using:
- Password
- Windows Hello for Business, with or without an MDM subscription.
## Related topics
[How to use Remote Desktop](https://support.microsoft.com/instantanswers/ff521c86-2803-4bc0-a5da-7df445788eb9/how-to-use-remote-desktop)
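Review bot: In Set up, step 4 tells the reader to enter Authenticated Users after step 3 talks about allowing "additional users", which opens Remote Desktop on that PC to every authenticated account instead of the specific people who need it. If the broad group is required because individual Azure AD accounts cannot be picked here, say so explicitly and state the exposure; otherwise document how to add named users. The bullet that requires Remote Credential Guard to be turned off on the client gives no reason or scope, so readers cannot judge whether to disable it permanently or only for this connection; add one sentence on why. The nested numbered steps and the image under "On the PC that you want to connect to" are not indented, so they will not render as children of that bullet.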
 
 

View File

@ -7,6 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: medium
---
# Customize and export Start layout
@ -49,12 +50,7 @@ To prepare a Start layout for export, you simply customize the Start layout on a
1. Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users computers (Windows 10 Enterprise or Windows 10 Education). Install all apps and services that the Start layout should display.
**Important**  
**Start layout** can only be applied to a device using the same architecture (32-bit or 64-bit) as the device on which **Start layout** was created.
 
2. Create a new user account that you will use to customize the Start layout.
2. Create a new user account that you will use to customize the Start layout.
<a href="" id="bmk-customize-start"></a>
**To customize Start**
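Review bot: The Important note under step 1 (Start layout can only be applied to a device using the same architecture, 32-bit or 64-bit, as the device it was created on) appears to be what this hunk drops, going by the header count of 12 lines to 7, and the same sentence disappears from the Export-StartLayout bullet in the Group Policy, MDM and ICD topics. Nothing in the visible text says the restriction has been lifted; if it still holds, keep it in at least this topic, and if it no longer holds, record that in the change history. In the step 1 context line, "users computers" needs an apostrophe.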
@ -91,6 +87,37 @@ When you have the Start layout that you want your users to see, use the [Export-
In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, \\\\FileServer01\\StartLayouts\\StartLayoutMarketing.xml).
Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](http://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet does not append the file name extension, and the policy settings require the extension.
Example of a layout file produced by `Export-StartLayout`:
<span codelanguage="XML"></span>
<table>
<colgroup>
<col width="100%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">XML</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><pre><code>&lt;LayoutModificationTemplate Version=&quot;1&quot; xmlns=&quot;http://schemas.microsoft.com/Start/2014/LayoutModification&quot;&gt;
&lt;DefaultLayoutOverride&gt;
&lt;StartLayoutCollection&gt;
&lt;defaultlayout:StartLayout GroupCellWidth=&quot;6&quot; xmlns:defaultlayout=&quot;http://schemas.microsoft.com/Start/2014/FullDefaultLayout&quot;&gt;
&lt;start:Group Name=&quot;Life at a glance&quot; xmlns:start=&quot;http://schemas.microsoft.com/Start/2014/StartLayout&quot;&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;0&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;2&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.BingWeather_8wekyb3d8bbwe!App&quot; /&gt;
&lt;/start:Group&gt;
&lt;/defaultlayout:StartLayout&gt;
&lt;/StartLayoutCollection&gt;
&lt;/DefaultLayoutOverride&gt;
&lt;/LayoutModificationTemplate&gt;</code></pre></td>
</tr>
</tbody>
</table>
## Configure a partial Start layout
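Review bot: The new Export-StartLayout example is added as an HTML table wrapping entity-escaped XML (`<span codelanguage="XML">`, `&lt;`, `&quot;`), while the taskbar topic added in this same commit uses a plain xml code fence. Use the fence here as well so the sample can be read and copied from the source, and so both topics show layout XML the same way. It would also help to list the three tiles in column order (0, 2, 4), since the sample currently goes 0, 4, 2.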
@ -123,9 +150,11 @@ If the Start layout is applied by Group Policy or MDM, and the policy is removed
[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
[Customize Windows 10 Start with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
[Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
[Customize Windows 10 Start with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)

View File

@ -7,9 +7,10 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: medium
---
# Customize Windows 10 Start with Group Policy
# Customize Windows 10 Start and taskbar with Group Policy
**Applies to**
@ -20,12 +21,12 @@ author: jdeckerMS
- [Customize the Start menu](http://go.microsoft.com/fwlink/p/?LinkId=623630)
In Windows 10 Enterprise and Windows 10 Education, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
In Windows 10 Enterprise and Windows 10 Education, you can use a Group Policy Object (GPO) to deploy a customized Start and taskbar layout to users in a domain. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead.
This topic describes how to update Group Policy settings to display a customized Start layout when the users sign in. By creating a domain-based GPO with these settings, you can deploy a customized Start layout to users in a domain.
This topic describes how to update Group Policy settings to display a customized Start and taskbar layout when the users sign in. By creating a domain-based GPO with these settings, you can deploy a customized Start and taskbar layout to users in a domain.
**Warning**  
When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups.
When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. When you apply a taskbar layout, users will still be able to pin and unpin apps, and change the order of pinned apps.
 
@ -34,23 +35,23 @@ When a full Start layout is applied with this method, the users cannot pin, unpi
## Operating system requirements
Start layout control using Group Policy is supported in Windows 10 Enterprise and Windows 10 Education. Start layout control is not supported in Windows 10 Pro.
Start and taskbar layout control using Group Policy is supported in Windows 10 Enterprise and Windows 10 Education, Version 1607. Start and taskbar layout control is not supported in Windows 10 Pro.
The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. In Group Policy, ADMX files are used to define Registry-based policy settings in the Administrative Templates category. To find out how to create a central store for Administrative Templates files, see [article 929841](http://go.microsoft.com/fwlink/p/?LinkId=691687) in the Microsoft Knowledge Base.
The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. In Group Policy, ADMX files are used to define Registry-based policy settings in the Administrative Templates category. To find out how to create a central store for Administrative Templates files, see [article 929841, written for Windows Vista and still applicable](http://go.microsoft.com/fwlink/p/?LinkId=691687) in the Microsoft Knowledge Base.
## <a href="" id="bkmk-howstartscreencontrolworks"></a>How Start layout control works
Two features enable Start layout control:
Three features enable Start and taskbar layout control:
- The [Export-StartLayout](http://go.microsoft.com/fwlink/p/?LinkID=620879) cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. **Start layout** can only be applied to a device using the same architecture (32-bit or 64-bit) as the device on which **Start layout** was created.
- The [Export-StartLayout](http://go.microsoft.com/fwlink/p/?LinkID=620879) cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
**Note**  
To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](http://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet.
 
- [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `<CustomTaskbarLayoutCollection>` or create an .xml file just for the taskbar configuration.
- In Group Policy, you use the **Start Layout** settings for the **Start Menu and Taskbar** administrative template to set a Start layout from an .xml file when the policy is applied.
- In Group Policy, you use the **Start Layout** settings for the **Start Menu and Taskbar** administrative template to set a Start and taskbar layout from an .xml file when the policy is applied.
**Note**  
To learn how customize Start to include your line-of-business apps when you deploy Windows 10, see [Customize the Windows 10 Start layout]( http://go.microsoft.com/fwlink/p/?LinkId=620863).
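Review bot: Under Operating system requirements, "supported in Windows 10 Enterprise and Windows 10 Education, Version 1607" now reads as if Start layout control itself requires version 1607, where the previous sentence supported it on those editions without a version. If only the taskbar part is new in 1607, split the sentence so the Start requirement is unchanged. "Version" is capitalized here but lower case in the ICD topic. In the "Three features" list, the new second bullet is a linked sentence ("You can modify the Start .xml file") and not a feature like the other two; name the feature and link it. The context line "To learn how customize Start" is missing "to".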
@ -60,29 +61,29 @@ To learn how customize Start to include your line-of-business apps when you depl
## <a href="" id="bkmk-domaingpodeployment"></a>Use Group Policy to apply a customized Start layout in a domain
To apply the Start layout to users in a domain, use the Group Policy Management Console (GPMC) to configure a domain-based Group Policy Object (GPO) that sets **Start Layout** policy settings in the **Start Menu and Taskbar** administrative template for users in a domain.
To apply the Start and taskbar layout to users in a domain, use the Group Policy Management Console (GPMC) to configure a domain-based Group Policy Object (GPO) that sets **Start Layout** policy settings in the **Start Menu and Taskbar** administrative template for users in a domain.
The GPO applies the Start layout at the next user sign-in. Each time the user signs in, the timestamp of the .xml file with the Start layout is checked and if a newer version of the file is available, the settings in the latest version of the file are applied.
The GPO applies the Start and taskbar layout at the next user sign-in. Each time the user signs in, the timestamp of the .xml file with the Start and taskbar layout is checked and if a newer version of the file is available, the settings in the latest version of the file are applied.
The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed.
The .xml file with the Start layout must be located on shared network storage that is available to the users computers when they sign in and the users must have Read-only access to the file. If the file is not available at sign-in, Start is not customized during the session, and the user can make changes to Start.
The .xml file with the Start and taskbar layout must be located on shared network storage that is available to the users computers when they sign in and the users must have Read-only access to the file. If the file is not available at sign-in, Start and the taskbar are not customized during the session, and the user can make changes to Start.
For information about deploying GPOs in a domain, see [Working with Group Policy Objects](http://go.microsoft.com/fwlink/p/?LinkId=620889).
## <a href="" id="bkmk-localgpimport"></a>Use Group Policy to apply a customized Start layout on the local computer
You can use the Local Group Policy Editor to provide a customized Start layout for any user who signs in on the local computer. To display the customized Start layout for any user who signs in, configure **Start Layout** policy settings for the **Start Menu and Taskbar** administrative template. You can use the **Start Menu and Taskbar** administrative template in **User Configuration** or **Computer Configuration**.
You can use the Local Group Policy Editor to provide a customized Start and taskbar layout for any user who signs in on the local computer. To display the customized Start and taskbar layout for any user who signs in, configure **Start Layout** policy settings for the **Start Menu and Taskbar** administrative template. You can use the **Start Menu and Taskbar** administrative template in **User Configuration** or **Computer Configuration**.
**Note**  
This procedure applies the policy settings on the local computer only. For information about deploying the Start layout to users in a domain, see [Use Group Policy to deploy a customized Start layout in a domain](#bkmk-domaingpodeployment), later in this topic.
This procedure applies the policy settings on the local computer only. For information about deploying the Start and taskbar layout to users in a domain, see [Use Group Policy to deploy a customized Start layout in a domain](#bkmk-domaingpodeployment), later in this topic.
This procedure creates a Local Group Policy that applies to all users on the computer. To configure Local Group Policy that applies to a specific user or group on the computer, see [Step-by-Step Guide to Managing Multiple Local Group Policy Objects](http://go.microsoft.com/fwlink/p/?LinkId=620881). The guide was written for Windows Vista and the procedures still apply to Windows 10.
 
This procedure adds the customized Start layout to the user configuration, which overrides any Start layout settings in the local computer configuration when a user signs in on the computer.
This procedure adds the customized Start and taskbar layout to the user configuration, which overrides any Start layout settings in the local computer configuration when a user signs in on the computer.
**To configure Start Layout policy settings in Local Group Policy Editor**
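Review bot: In the shared-storage paragraph, the updated sentence says Start and the taskbar are not customized when the file is unavailable at sign-in, but it still ends with "the user can make changes to Start" only; state what happens to the taskbar too. Because the layout is re-applied whenever the file has a newer timestamp, it is worth adding that write access to the share should be limited to administrators, next to the existing requirement that users have Read-only access. Both section headings and the sentence "overrides any Start layout settings in the local computer configuration" still say Start only, and the link text in the Note says "deploy ... later in this topic" although the section is titled "apply" and comes earlier.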
@ -102,9 +103,9 @@ This procedure adds the customized Start layout to the user configuration, which
1. Select **Enabled**.
2. Under **Options**, specify the path to the .xml file that contains the Start layout. For example, type **C:\\Users\\Test01\\StartScreenMarketing.xml**.
2. Under **Options**, specify the path to the .xml file that contains the Start and taskbar layout. For example, type **C:\\Users\\Test01\\StartScreenMarketing.xml**.
3. Optionally, enter a comment to identify the Start layout.
3. Optionally, enter a comment to identify the Start and taskbar layout.
**Important**  
If you disable Start Layout policy settings that have been in effect and then re-enable the policy, users will not be able to make changes to Start, however the layout in the .xml file will not be reapplied unless the file has been updated. In Windows PowerShell, you can update the timestamp on a file by running the following command:
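Review bot: The example path in step 2, C:\\Users\\Test01\\StartScreenMarketing.xml, puts the layout file inside one user's profile, although this procedure applies to every user who signs in on the computer and the domain section requires that users have Read-only access to the file. Use an example location that all users can read and only administrators can write, so the sample does not suggest a path the test user can edit or that other users cannot reach.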
@ -116,16 +117,16 @@ This procedure adds the customized Start layout to the user configuration, which
## <a href="" id="bkmk-updatestartscreenlayout"></a>Update a customized Start layout
After you use Group Policy to apply a customized Start layout on a computer or in a domain, you can update the layout simply by replacing the .xml file that is specified in the Start Layout policy settings with a file with a newer timestamp.
After you use Group Policy to apply a customized Start and taskbar layout on a computer or in a domain, you can update the layout simply by replacing the .xml file that is specified in the Start Layout policy settings with a file with a newer timestamp.
## Related topics
[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
[Customize and export Start layout](customize-and-export-start-layout.md)
[Customize Windows 10 Start with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)

View File

@ -7,6 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: medium
---
# Customize Windows 10 Start with mobile device management (MDM)
@ -22,6 +23,8 @@ author: jdeckerMS
In Windows 10 Enterprise and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start layout to users. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
> **Note:** Customized taskbar configuration cannot be applied using MDM at this time.
**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md)
**Warning**  
@ -34,7 +37,7 @@ When a full Start layout is applied with this method, the users cannot pin, unpi
Two features enable Start layout control:
- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. **Start layout** can only be applied to a device using the same architecture (32-bit or 64-bit) as the device on which **Start layout** was created.
- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
**Note**  
To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](http://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet.
@ -126,13 +129,15 @@ This example uses Microsoft Intune to configure an MDM policy that applies a cus
## Related topics
[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
[Customize and export Start layout](customize-and-export-start-layout.md)
[Customize Windows 10 Start with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
[Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
[Customize Windows 10 Start with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
[Use Windows 10 custom policies to manage device settings with Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkID=616316)

View File

@ -7,9 +7,10 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: medium
---
# Customize Windows 10 Start with ICD and provisioning packages
# Customize Windows 10 Start and taskbar with ICD and provisioning packages
**Applies to**
@ -20,32 +21,37 @@ author: jdeckerMS
- [Customize the Start menu](http://go.microsoft.com/fwlink/p/?LinkId=623630)
In Windows 10 Enterprise and Windows 10 Education, you can use a provisioning package that you create with Windows Imaging and Configuration Designer (ICD) tool to deploy a customized Start layout to users. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
In Windows 10 Enterprise and Windows 10 Education, version 1607, you can use a provisioning package that you create with Windows Imaging and Configuration Designer (ICD) tool to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead.
**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md)
## <a href="" id="bkmk-howstartscreencontrolworks"></a>How Start layout control works
Two features enable Start layout control:
Three features enable Start and taskbar layout control:
- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. **Start layout** can only be applied to a device using the same architecture (32-bit or 64-bit) as the device on which **Start layout** was created.
- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
**Note**  
To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](http://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet.
 
- [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `<CustomTaskbarLayoutCollection>` or create an .xml file just for the taskbar configuration.
- In ICD, you use the **Start/StartLayout** setting to set the path to the .xml file that defines the Start layout.
- In ICD, you use the **Start/StartLayout** setting to set the path to the .xml file that defines the Start and taskbar layout.
## <a href="" id="bkmk-domaingpodeployment"></a>Create a provisioning package that contains a customized Start layout
Use the [Imaging and Configuration Designer (ICD) tool](http://go.microsoft.com/fwlink/p/?LinkID=525483) included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that applies a customized Start layout. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)
Use the [Imaging and Configuration Designer (ICD) tool](http://go.microsoft.com/fwlink/p/?LinkID=525483) included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that applies a customized Start and taskbar layout. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
> **Important**
When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
1. Open ICD (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
2. Choose **Advanced provisioning**.
2. Choose **New provisioning package**.
3. Name your project, and click **Next**.
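Review bot: The new Important callout starts with "> **Important**" but the warning text on the next line has no ">" prefix and no line break before it, so it depends on lazy continuation and will run on directly after the label; prefix the body line as well. The text says encrypting the .ppkg file is optional and that project files are never encrypted; since this is the only security guidance in the procedure, say at which step the encryption option is set. In the intro, "with Windows Imaging and Configuration Designer (ICD) tool" is missing "the", and "version 1607" here has the same ambiguity as in the Group Policy topic about whether Start-only customization now requires 1607.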
@ -93,11 +99,11 @@ Use the [Imaging and Configuration Designer (ICD) tool](http://go.microsoft.com/
## Related topics
[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
[Customize and export Start layout](customize-and-export-start-layout.md)
[Customize Windows 10 Start with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)

View File

@ -0,0 +1,102 @@
---
title: Diagnostics for Windows 10 devices (Windows 10)
description: Device Policy State log in Windows 10, Version 1607, collects info about policies.
keywords: ["mdm", "udiag", "device policy", "mdmdiagnostics"]
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
---
# Diagnostics for Windows 10 devices
**Applies to**
- Windows 10
- Windows 10 Mobile
(which SKUs?)
(this isn't really MDM-managed only, is it? It can be done locally/email?)
Two new diagnostic tools for Windows 10, version 1607, help IT administrators diagnose and resolve issues with remote devices enrolled in mobile device management (MDM): the [Device Policy State Log](#device-policy-state-log) and [UDiag](#udiag). Windows 10 for desktop editions and Windows 10 Mobile make it simple for users to export log files that you can then analyze with these tools.
## Export management log files
Go to **Settings > Accounts > Work access > Export your management log files**.
![Export your management log files](images/export-mgt-desktop.png)
- On desktop devices, the file is saved to C:/Users/Public/Public Documents/MDMDiagnostics/MDMDiagReport.xml
- On phones, the file is saved to *phone*/Documents/MDMDiagnostics/MDMDiagReport.xml
The MDMDiagReport.xml can be used with [Device Policy State Log](#device-policy-state-log) and [UDiag](#udiag) to help you resolve issues.
## Device Policy State Log
The Device Policy State Log collects information on the state of policies applied to the device to help you determine which sources are applying policies or configurations to the device. Help desk personnel can use this log to diagnose and resolve issues with a remote device.
After you obtain the management log file from the user's device, run the mdmReportGenerator.ps1 script on log to create report. (download mdmReportGenerator.ps1 and mdmDiagnoseHelpers.psm1) This PowerShell script asks you to enter the name of the management log file and a name for the report that it will create, as shown in the following example:
![Enter file name for input and output](images/mdm-diag-report-powershell.png)
The script produces the report in html format. There are two sections to the report, Configuration and Policy Information.
The configuration section lists the GUID of the sources that are applying configurations to the device.
![Configuration source Exachange ActiveSync](images/config-source.png)
The policy information section displays information about the specific policies that are being enforced and on the device. For each policy, you will see the Area grouping, the Policy name, its default and current value, and the configuration source. You can compare the configuration source GUID in the policy information section to the GUIDs in the configuration section to identify the source of the policy.
![Policies applied by a configuration source](images/config-policy.png)
## UDiag
The UDiag tool applies rules to Event Tracing for Windows (ETW) files to help determine the root cause of an issue.
(download UDiag)
To analyze MDMDiagReport.xml using UDiag
1. Open UDiag, and select Device Management.
2. Select your source for the log files ("cab of logs" or "directory of logs")
Investigating log content, identifying patterns, and adding a root cause analysis to the database (Advanced users/providers)
1. While at the 'Root Causes List' panel, click the 'Diagnose' button at the bottom.
2. You will then be brought to the Diagnosis panel where you can investigate and tag root causes from the content
- Evidence Groups: When a set of logs are loaded into UDiag, the contents are processed (e.g. ETW) and organized into evidence groups.
- Decision Tree View: This view shows the loaded decision tree for the current topic/topic area. When a decision node is selected, a user can modify the regular expression and add/edit/delete an RCA for that node. Any RCA matches found in the current log set will have an 'RCA' label that is either Red or Yellow.
- Evidence View: Selecting an evidence group loads its content into this evidence view. Use this view to investigate issues and determine root causes. Drag and drop lines from the Evidence View into the Decision Tree View, to build your root cause analysis pattern. ([Learn more about techniques for root cause analysis.](https://technet.microsoft.com/en-us/library/cc543298.aspx))
Can admin pull logs without user action? [DK] Yes via the diagnostic log CSP
"Run PowerShell script to process the file" is that the user doing it? How can this workflow work in an enterprise where employees aren't computer-savvy? [DK] This is intended to be done by the help desk guy.
Where did (user|admin) get mdmReportGenerator.ps1? [DK] Publishing on DLC later this summer
In Viewing the report, how does the admin make sense of the source GUIDs? [DK] Correlates the value in the table with the entries at the top of the page.
UDiag where does admin get this? [DK] Publishing on DLC later this summer
Can admins create custom rule sets? [DK] Right now, no. but open to feedback on this.
Link to [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120%28v=vs.85%29.aspx)
[Diagnostics capability for devices managed by any MDM provider.](https://microsoft.sharepoint.com/teams/osg_core_ens/mgmt/OSMan Wiki/MDM Diagnostics - Generating and Processing Log files.aspx)
[Redstone spec](https://microsoft.sharepoint.com/teams/specstore/_layouts/15/WopiFrame.aspx?sourcedoc=%7b7E8742A2-03A1-451C-BA07-F2573B044CBF%7d&file=DM%20-%20MDM%20Diagnostics-RS.docx&action=default&DefaultItemOpen=1)
## Related topics
[DiagnosticLog CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt219118.aspx)
[Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120.aspx)
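Review bot: The lines from "Can admin pull logs without user action? [DK] ..." through the "Redstone spec" link are internal review Q&A plus two microsoft.sharepoint.com links, and they should not ship in a published topic. The URLs expose internal team-site paths and a spec document name, and the first one contains unescaped spaces, so it will not render as a link either. Remove those lines, along with the "Link to" note above them, and fold the answers into the body: the help desk runs the script, and logs can be pulled through the DiagnosticLog CSP. The "(download mdmReportGenerator.ps1 and mdmDiagnoseHelpers.psm1)" and "(download UDiag)" placeholders have no target, and the notes say the tools are not published yet, so hold the section until they are. The "To analyze MDMDiagReport.xml using UDiag" procedure also stops after step 2 without saying what the reader does next.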

View File

@ -5,6 +5,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: brianlic-msft
localizationpriority: high
---
# Group Policies that apply only to Windows 10 Enterprise and Education Editions
@ -13,11 +14,21 @@ author: brianlic-msft
- Windows 10
In Windows 10, version 1511, the following Group Policies apply only to Windows 10 Enterprise and Windows 10 Education.
In Windows 10, version 1607, the following Group Policies apply only to Windows 10 Enterprise and Windows 10 Education.
| Policy name | Policy path | Comments |
| - | - | - |
| Turn off the Store application | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application<br><br>User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/en-us/kb/3135657). |
| Start layout | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) |
| Force a specific default lock screen image | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-spotlight) |
| --- | --- | --- |
| **Configure Spotlight on lock screen** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md). Note that an additional **Cloud Content** policy, **Do not suggest third-party content in Windows spotlight**, does apply to Windows 10 Pro. |
| **Turn off all Windows Spotlight features** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) |
| **Turn off Microsoft consumer features** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) |
| **Do not display the lock screen** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) |
| **Do not require CTRL+ALT+DEL** </br>combined with</br>**Turn off app notifications on the lock screen** | Computer Configuration > Administrative Templates > System > Logon </br>and</br>Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon | When both of these policy settings are enabled, the combination will also disable lock screen apps ([assigned access](set-up-a-device-for-anyone-to-use.md)) on Windows 10 Enterprise and Windows 10 Education only. These policy settings can be applied to Windows 10 Pro, but lock screen apps will not be disabled on Windows 10 Pro. </br></br>**Important:** The description for **Interactive logon: Do not require CTRL+ALT+DEL** in the Group Policy Editor incorrectly states that it only applies to Windows 10 Enterprise and Education. The description will be corrected in a future release.|
| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md |
| **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) |
| **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) |
| **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application<br><br>User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/kb/3135657). |
| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](manage-cortana-in-enterprise.md) |
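Review bot: In the combined "Do not require CTRL+ALT+DEL" / "Turn off app notifications on the lock screen" row, the policy paths are in the opposite order from the policy names. The first path is System > Logon, yet the Important note in the same row calls the first policy "Interactive logon: Do not require CTRL+ALT+DEL", which matches the second path (Security Options > Interactive logon). Swap the paths so each one lines up with its policy. Otherwise an admin following the row looks for each setting in the wrong node. The same row uses `</br>` where the Store row uses `<br>`, and the link in the "Do not show Windows Tips" row is missing its closing parenthesis.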

View File

@ -0,0 +1,104 @@
---
title: Guidelines for choosing an app for assigned access (Windows 10)
description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app.
ms.assetid: F1F4FF19-188C-4CDC-AABA-977639C53CA8
keywords: ["kiosk", "lockdown", "assigned access"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# Guidelines for choosing an app for assigned access (kiosk mode)
**Applies to**
- Windows 10
You can use assigned access to restrict customers at your business to using only one Windows app so your device acts like a kiosk. Administrators can use assigned access to restrict a selected user account to access a single Windows app. You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience.
The following guidelines may help you choose an appropriate Windows app for your assigned access experience in Windows 10, Version 1607.
## General guidelines
- Windows apps must be provisioned or installed for the assigned access account before they can be selected as the assigned access app. [Learn how to provision and install apps](https://msdn.microsoft.com/library/windows/hardware/mt228170.aspx#install_your_apps).
- Updating a Windows app can sometimes change the Application User Model ID (AUMID) of the app. If this happens, you must update the assigned access settings to launch the updated app, because assigned access uses the AUMID to determine which app to launch.
## Guidelines for Windows apps that launch other apps
Some Windows apps can launch other apps. Assigned access prevents Windows apps from launching other apps.
Avoid selecting Windows apps that are designed to launch other apps as part of their core functionality.
## Guidelines for web browsers
Microsoft Edge and any third-party web browsers that can be set as a default browser have special permissions beyond that of most Windows apps.
If you use a web browser as your assigned access app, consider the following tips:
- You can download browsers that are optimized to be used as a kiosk from the Microsoft Store.
- You can use Group Policy to block access to the file system (network shares, local drives, and local folders) from Internet Explorers web address bar.
- You can create your own web browser Windows app by using the WebView class. Learn more about developing your own web browser app:
- [Creating your own browser with HTML and JavaScript](https://blogs.windows.com/msedgedev/2015/08/27/creating-your-own-browser-with-html-and-javascript/)
- [WebView class](https://msdn.microsoft.com/library/windows/apps/windows.ui.xaml.controls.webview.aspx)
- [A web browser built with JavaScript as a Windows app](https://github.com/MicrosoftEdge/JSBrowser/tree/v1.0)
**To block access to the file system from Internet Explorer's web address bar**
1. On the Start screen, type the following:
`gpedit.msc`
2. Press **Enter** or click the gpedit icon to launch the group policy editor.
3. In the group policy editor, navigate to **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**.
4. Select **Remove Run menu from Start Menu**, select **Disabled**, and click **Apply**. Disabling this policy prevents users from entering the following into the Internet Explorer Address Bar:
- A UNC path (\\<server>\<share>)
- A local drive (C:\)
- A local folder (\temp)
## Secure your information
Avoid selecting Windows apps that may expose the information you dont want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting this type of apps if they provide unnecessary data access.
## App configuration
Some apps may require additional configurations before they can be used appropriately in assigned access . For example, Microsoft OneNote requires you to set up a Microsoft account for the assigned access user account before OneNote will open in assigned access.
Check the guidelines published by your selected app and do the setup accordingly.
## Develop your kiosk app
Assigned access in Windows 10 leverages the new lock framework. When an assigned access user signs in, the selected kiosk app is launched above lock . The kiosk app is actually running as an above lock screen app.
Follow the [best practices guidance for developing a kiosk app for assigned access](https://msdn.microsoft.com/library/windows/hardware/mt633799%28v=vs.85%29.aspx).
## Test your assigned access experience
The above guidelines may help you select or develop an appropriate Windows app for your assigned access experience. Once you have selected your app, we recommend that you thoroughly test the assigned access experience to ensure that your device provides a good customer experience.
 ## Learn more
[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)
## Related topics
[Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
[Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md)
[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
[Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
[Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md)
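Review bot: Step 4 of "To block access to the file system from Internet Explorer's web address bar" tells the reader to set **Remove Run menu from Start Menu** to **Disabled**, then says that disabling it prevents UNC paths, local drives and local folders from being entered in the Address Bar. A "Remove ..." policy normally takes effect when it is Enabled, so please check the state against the policy's own description in the editor. If the step is wrong, a kiosk built from this procedure keeps file system access open through the browser. Smaller points: the apostrophes are missing in "Internet Explorers" and "dont"; the "Secure your information" paragraph needs a rewrite ("locates in a public setting", and the comma splice before "avoid selecting"); there are stray spaces before the periods in "assigned access ." and "above lock ."; and the "## Learn more" heading has a leading character that will stop it rendering as a heading.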
 
 

View File

@ -6,6 +6,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: medium
---
# Introduction to configuration service providers (CSPs) for IT pros
@ -23,7 +24,7 @@ The CSPs are documented on the [Hardware Dev Center](http://go.microsoft.com/fwl
**Note**  
The explanation of CSPs and CSP documentation also apply to Windows Mobile 5, Windows Mobile 6, Windows Phone 7, and Windows Phone 8, but links to current CSPs are for Windows 10 and Windows 10 Mobile.
 
 [See what's new for CSPs in Windows 10, version 1607.](https://msdn.microsoft.com/library/windows/hardware/mt299056.aspx#whatsnew_1607)
## What is a CSP?
@ -215,6 +216,7 @@ Here is a list of CSPs supported on Windows 10 Enterprise, Windows 10 Mobile E
## Related topics
[What's new in MDM enrollment and management in Windows 10, version 1607](https://msdn.microsoft.com/library/windows/hardware/mt299056.aspx#whatsnew_1607)
[Lock down Windows 10](lock-down-windows-10.md)

View File

@ -24,10 +24,6 @@ Learn about managing and updating Windows 10.
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)</p></td>
<td align="left"><p>This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md).</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)</p></td>
<td align="left"><p>Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users.</p></td>
@ -41,6 +37,10 @@ Learn about managing and updating Windows 10.
<td align="left"><p>You can use the same management tools to manage all device types running Windows 10 : desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Windows Spotlight on the lock screen](windows-spotlight.md)</p></td>
<td align="left"><p>Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)</p></td>
<td align="left"><p>Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Enterprise or Windows 10 Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes.</p></td>
</tr>
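Review bot: The added Windows Spotlight row is `<tr class="odd">` and is followed directly by the existing `<tr class="odd">` row for Start layout, so the odd/even alternation breaks from this point down. Renumber the row classes after the insert so they alternate again.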
@ -67,6 +67,9 @@ Learn about managing and updating Windows 10.
<tr class="odd">
<td align="left"><p>[Windows Store for Business](windows-store-for-business.md)</p></td>
<td align="left"><p>Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization.</p></td>
</tr><tr class="odd">
<td align="left"><p>[Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)</p></td>
<td align="left"><p>This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md).</p></td>
</tr>
</tbody>
</table>
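Review bot: The relocated Change history row is appended as `</tr><tr class="odd">` on a single line, directly after another `class="odd"` row. Put the opening `<tr>` on its own line like every other row in the table, and give it the class that continues the alternation.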

View File

@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: jdeckerMS
localizationpriority: high
---
# Join Windows 10 Mobile to Azure Active Directory

View File

@ -8,6 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: edu, security
author: jdeckerMS
localizationpriority: high
---
# Lock down Windows 10 to specific apps
@ -114,6 +115,10 @@ To learn more about locking down features, see [Customizations for Windows 10 En
Configure the Start menu on the device to only show tiles for the permitted apps. You will make the changes manually, export the layout to an .xml file, and then apply that file to devices to prevent users from making changes. For instructions, see [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md).
## Related topics
- [Provisioning packages for Windows 10](../deploy/provisioning-packages.md)
 
 

View File

@ -8,16 +8,11 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security, mobile
author: jdeckerMS
localizationpriority: high
---
# Lock down Windows 10
**Applies to**
- Windows 10
- Windows 10 Mobile
Enterprises often need to manage how people use corporate devices. Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device.
## In this section
@ -34,7 +29,8 @@ Enterprises often need to manage how people use corporate devices. Windows 10 p
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tbody><tr><td><p>[Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md)</p></td><td><p>Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10.</p></td></tr>
<tr><td align="left"><p>[Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)</p></td><td align="left"><p>Windows 10, Version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail.</p></td></tr>
<tr class="odd">
<td align="left"><p>[Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md)</p></td>
<td align="left"><p>You can configure a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise as a kiosk device, so that users can only interact with a single application that you select.</p></td>
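Review bot: The two new rows are packed onto the `<tbody>` line and the line after it, with no `class` on either `<tr>`. The first row's cells also lack the `align="left"` that every existing cell carries. Format them like the rows below (one tag per line, `class="odd"`/`"even"`, `align="left"`) so the table renders consistently and later diffs against it stay readable.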

View File

@ -0,0 +1,116 @@
---
title: Lockdown features from Windows Embedded 8.1 Industry (Windows 10)
description: Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10.
ms.assetid: 3C006B00-535C-4BA4-9421-B8F952D47A14
keywords: lockdown, embedded
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: jdeckerMS
localizationpriority: high
---
# Lockdown features from Windows Embedded 8.1 Industry
**Applies to**
- Windows 10
Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Windows Embedded 8.1 Industry lockdown feature</th>
<th align="left">Windows 10 feature</th>
<th align="left">Changes</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Hibernate Once/Resume Many (HORM)](http://go.microsoft.com/fwlink/p/?LinkId=626758): Quick boot to device</p></td>
<td align="left">N/A</td>
<td align="left"><p>HORM is supported in Windows 10, version 1607. </p></td>
</tr>
<tr class="even">
<td align="left"><p>[Unified Write Filter](http://go.microsoft.com/fwlink/p/?LinkId=626757): protect a device's physical storage media</p></td>
<td align="left">[Unified Write Filter](http://go.microsoft.com/fwlink/p/?LinkId=626607)</td>
<td align="left"><p>The Unified Write Filter is continued in Windows 10, with the exception of HORM which has been deprecated.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Keyboard Filter]( http://go.microsoft.com/fwlink/p/?LinkId=626761): block hotkeys and other key combinations</p></td>
<td align="left">[Keyboard Filter](http://go.microsoft.com/fwlink/p/?LinkId=708391)</td>
<td align="left"><p>Keyboard filter is added in Windows 10, version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via <strong>Turn Windows Features On/Off</strong>. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Shell Launcher](http://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Classic Windows application on sign-on</p></td>
<td align="left">[Shell Launcher](http://go.microsoft.com/fwlink/p/?LinkId=618603)</td>
<td align="left"><p>Shell Launcher continues in Windows 10. It is now configurable in Windows ICD under the <strong>SMISettings</strong> category.</p>
<p>Learn [how to use Shell Launcher to create a kiosk device](http://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Classic Windows application.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Application Launcher]( http://go.microsoft.com/fwlink/p/?LinkId=626675): launch a Universal Windows Platform (UWP) app on sign-on</p></td>
<td align="left">[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608)</td>
<td align="left"><p>The Windows 8 Application Launcher has been consolidated into Assigned Access. Application Launcher enabled launching a Windows 8 app and holding focus on that app. Assigned Access offers a more robust solution for ensuring that apps retain focus.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Dialog Filter](http://go.microsoft.com/fwlink/p/?LinkId=626762): suppress system dialogs and control which processes can run</p></td>
<td align="left">[AppLocker](../keep-secure/applocker-overview.md)</td>
<td align="left"><p>Dialog Filter has been deprecated for Windows 10. Dialog Filter provided two capabilities; the ability to control which processes were able to run, and the ability to prevent dialogs (in practice, system dialogs) from appearing.</p>
<ul>
<li><p>Control over which processes are able to run will now be provided by AppLocker.</p></li>
<li><p>System dialogs in Windows 10 have been replaced with system toasts. To see more on blocking system toasts, see Toast Notification Filter below.</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><p>[Toast Notification Filter]( http://go.microsoft.com/fwlink/p/?LinkId=626673): suppress toast notifications</p></td>
<td align="left">Mobile device management (MDM) and Group Policy</td>
<td align="left"><p>Toast Notification Filter has been replaced by MDM and Group Policy settings for blocking the individual components of non-critical system toasts that may appear. For example, to prevent a toast from appearing when a USB drive is connected, ensure that USB connections have been blocked using the USB-related policies, and turn off notifications from apps.</p>
<p>Group Policy: <strong>User Configuration</strong> &gt; <strong>Administrative Templates</strong> &gt; <strong>Start Menu and Taskbar</strong> &gt; <strong>Notifications</strong></p>
<p>MDM policy name may vary depending on your MDM service. In Microsoft Intune, use <strong>Allow action center notifications</strong> and a [custom OMA-URI setting](http://go.microsoft.com/fwlink/p/?LinkID=616317) for <strong>AboveLock/AllowActionCenterNotifications</strong>.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Embedded Lockdown Manager](http://go.microsoft.com/fwlink/p/?LinkId=626763): configure lockdown features</p></td>
<td align="left">[Windows Imaging and Configuration Designer (ICD)](http://go.microsoft.com/fwlink/p/?LinkID=525483)</td>
<td align="left"><p>The Embedded Lockdown Manager has been deprecated for Windows 10 and replaced by the Windows ICD. Windows ICD is the consolidated tool for Windows imaging and provisioning scenarios and enables configuration of all Windows settings, including the lockdown features previously configurable through Embedded Lockdown Manager.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[USB Filter](http://go.microsoft.com/fwlink/p/?LinkId=626674): restrict USB devices and peripherals on system</p></td>
<td align="left">MDM and Group Policy</td>
<td align="left"><p>The USB Filter driver has been replaced by MDM and Group Policy settings for blocking the connection of USB devices.</p>
<p>Group Policy: <strong>Computer Configuration</strong> &gt; <strong>Administrative Templates</strong> &gt; <strong>System</strong> &gt; <strong>Device Installation</strong> &gt; <strong>Device Installation Restrictions</strong></p>
<p>MDM policy name may vary depending on your MDM service. In Microsoft Intune, use <strong>Allow removable storage</strong> or <strong>Allow USB connection (Windows 10 Mobile only)</strong>.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkID=613653): launch a UWP app on sign-in and lock access to system</p></td>
<td align="left">[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608)</td>
<td align="left"><p>Assigned Access has undergone significant improvement for Windows 10. In Windows 8.1, Assigned Access blocked system hotkeys and edge gestures, and non-critical system notifications, but it also applied some of these limitations to other accounts on the device.</p>
<p>In Windows 10, Assigned Access no longer affects accounts other than the one being locked down. Assigned Access now restricts access to other apps or system components by locking the device when the selected user account logs in and launching the designated app above the lock screen, ensuring that no unintended functionality can be accessed.</p>
<p>Learn [how to use Assigned Access to create a kiosk device](http://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Universal Windows app.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Gesture Filter](http://go.microsoft.com/fwlink/p/?LinkId=626672): block swipes from top, left, and right edges of screen</p></td>
<td align="left">[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608)</td>
<td align="left"><p>The capabilities of Gesture Filter have been consolidated into Assigned Access for Windows 10. In Windows 8.1, gestures provided the ability to close an app, to switch apps, and to reach the Charms. For Windows 10, Charms have been removed, and blocking the closing or switching of apps is part of Assigned Access.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Custom Logon]( http://go.microsoft.com/fwlink/p/?LinkId=626759): suppress Windows UI elements during Windows sign-on, sign-off, and shutdown</p></td>
<td align="left">[Embedded Logon](http://go.microsoft.com/fwlink/p/?LinkId=626760)</td>
<td align="left"><p>No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Unbranded Boot](http://go.microsoft.com/fwlink/p/?LinkId=626872): custom brand a device by removing or replacing Windows boot UI elements</p></td>
<td align="left">[Unbranded Boot](http://go.microsoft.com/fwlink/p/?LinkId=626873)</td>
<td align="left"><p>No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.</p></td>
</tr>
</tbody>
</table>
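Review bot: The HORM and Unified Write Filter rows contradict each other. The HORM row says "HORM is supported in Windows 10, version 1607", while the UWF row says UWF continues "with the exception of HORM which has been deprecated". Decide which is true for 1607 and make both rows agree. Several links have a space after the opening parenthesis (`[Keyboard Filter]( http://...`, and likewise for Application Launcher, Toast Notification Filter and Custom Logon), which can stop them rendering as links. The front matter sets `ms.mktglfcycl: deploy` where the other topics touched in this commit use `manage`, so confirm that is intended.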
 
 
 

View File

@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security, mobile
author: jdeckerMS
localizationpriority: high
---
# Configure Windows 10 Mobile using Lockdown XML
@ -20,105 +21,464 @@ Windows 10 Mobile allows enterprises to lock down a device, define multiple use
This topic provides example XML that you can use in your own lockdown XML file that can be included in a provisioning package or when using a mobile device management (MDM) solution to push lockdown settings to enrolled devices.
After you apply the lockdown settings, the lockdown configuration is stored in a wehlockdown.xml file on the device.
Lockdown XML is an XML file that contains settings for Windows 10 Mobile. When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. In this topic, you'll learn how to create an XML file that contains all lockdown entries available in the AssignedAccessXml area of the [EnterpriseAssignedAccess configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkID=618601).
For details on each of the configuration items, see the AssignedAccess/AssignedAccessXml section of the [EnterpriseAssignedAccess configuration service provider (CSP) reference](http://go.microsoft.com/fwlink/p/?LinkID=618601).
> [!NOTE]
> On Windows 10 desktop editions, *assigned access* is a feature that lets you configure the device to run a single app above the lockscreen ([kiosk mode](set-up-a-device-for-anyone-to-use.md)). On a Windows 10 Mobile device, assigned access refers to the lockdown settings in AssignedAccessXml in the [EnterpriseAssignedAccess configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkID=618601).
## Order of lockdown settings
If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](how-it-pros-can-use-configuration-service-providers.md) first.
## Overview of the lockdown XML file
The configuration items must be in the following order when you lock down settings:
- Default profile
- ActionCenter
- Apps
- Application product ID, as described in [Product IDs in Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkId=698449)
- App User Model ID, as described in [Configuring Multiple App Packages](#bmk-map)
- PinToStart
- Size
- Location
- Buttons
- ButtonLockdownList
- Button name
- ButtonRemapList
- Button name
- Button event name
- Application product ID, as described in [Product IDs in Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkId=698449)
- CSPRunner
- SyncML
- MenuItems
- Disable menu items
- Settings
- System name, as described in [Settings and quick actions that can be locked down](settings-that-can-be-locked-down.md)
- Tiles
- Enable tile manipulation
- StartScreenSize
- RoleList
- Role (repeat for each role)
- ActionCenter
- Apps
- Application product ID, as described in [Product IDs in Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkId=698449)
- App User Model ID (AUMID), as described in [Configuring Multiple App Packages](#bmk-map)
- PinToStart
- Size
- Location
- Buttons
- ButtonLockdownList
- Button name
- ButtonRemapList
- Button name
- Button event name
- Application product ID, as described in [Product IDs in Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkId=698449)
- CSPRunner
- SyncML
- MenuItems
- Disable menu items
- Settings
- System name, as described in [Settings and quick actions that can be locked down](settings-that-can-be-locked-down.md)
- Tiles
- Enable tile manipulation
- StartScreenSize
## <a href="" id="bmk-map"></a>Configuring multiple app packages
Multiple app packages enable multiple apps to exist inside the same package. Since product IDs identify packages and not applications, specifying a product ID is not enough to distinguish between individual apps inside a multiple app package. Trying to pin application tiles from a multiple app package with just a product ID can result in unexpected behavior.
To support pinning applications in multiple app packages, an AUMID parameter can be specified in lockdown.xml.
The following example shows how to pin both Outlook Mail and Outlook Calendar:
Let's start by looking at the basic structure of the lockdown XML file. You can start your file by pasting the following XML (or any other examples in this topic) into a text or XML editor, and saving the file as *filename*.xml.
```xml
<?xml version "1.0" encoding "utf-8"?>
<HandheldLockdown version "1.0" >
<Default>
<ActionCenter>
<Apps>
<Buttons>
<CSPRunner>
<MenuItems>
<Settings>
<Tiles>
<StartScreenSize>
</Default>
</HandheldLockdown>
```
**Default** and the entries beneath it establish the default device settings that are applied for every user. The device will always boot to this Default role. You can create additional roles on the device, each with its own settings, in the same XML file. [Learn how to add roles.](#configure-additional-roles)
The settings for the Default role and other roles must be listed in your XML file in the order presented in this topic. All of the entries are optional. If you don't include a setting, that aspect of the device will operate as it would for an nonconfigured device.
> **Tip**&nbsp;&nbsp;Keep your XML file easy to work with and to understand by using proper indentation and adding comments for each setting you configure.
## Action Center
![XML for Action Center](images/ActionCenterXML.jpg)
The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both.
In the following example, the Action Center is enabled and both policies are disabled.
```xml
<ActionCenter enabled="true" aboveLockToastEnabled="0" actionCenterNotificationEnabled="0"/>
```
In the following example, Action Center and the toast policy are enabled, and the notifications policy is disabled.
```xml
<ActionCenter enabled="true" aboveLockToastEnabled="1" actionCenterNotificationEnabled="0"/>
```
The following example is a complete lockdown XML file that disables Action Center, notifications, and toasts.
```xml
<?xml version="1.0" encoding="utf-8"?>
<HandheldLockdown version="1.0" >
<Default>
<!-- disable Action Center -->
<ActionCenter enabled="false" />
</Default>
</HandheldLockdown>
```
## Apps
![XML for Apps](images/AppsXML.png)
The Apps setting serves as an allow list and specifies the applications that will be available in the All apps list. Apps that are not included in this setting are hidden from the user and blocked from running. If you don't include the Apps setting in the file, all apps on the device are available to the user.
You provide the product ID for each app in your file. The product ID identifies an app package, and an app package can contain multiple apps, so you should also provide the App User Model ID (AUMID) to differentiate the app. Optionally, you can set an app to run automatically. [Get product ID and AUMID for apps in Windows 10 Mobile.](product-ids-in-windows-10-mobile.md)
The following example makes Outlook Calendar available on the device.
```xml
<Apps>
<!-- Outlook Calendar -->
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar">
</Application>
</Apps>
```
When you list an app, you can also set the app to be pinned to the Start screen by specifying the tile size and location. Tip: draw a grid and mark your app tiles on it to make sure you get the result you want. The width (X axis) in the following example is the limit for Windows 10 Mobile, but the length (Y axis) is unlimited. The number of columns available to you depends on the value for [StartScreenSize](#start-screen-size).
![Grid to lay out tiles for Start](images/StartGrid.jpg)
Tile sizes are:
* Small: 1x1
* Medium: 2x2
* Large: 2x4
Based on 6 columns, you can pin six small tiles or three medium tiles on a single row. A large tile can be combined with two small tiles or one medium tile on the same row. Obviously, you cannot set a medium tile for LocationX=5, or a large tile for LocationX=3, 4, or 5.
If the tile configuration in your file exceeds the available width, such as setting a large tile to start at position 3 on the X axis, that tile is appended to the bottom of the Start screen. Also, if the tile configuration in your file would result in tiles overlapping each other, the overlapping tiles are instead appended to the bottom of the Start screen.
In the following example, Outlook Calendar and Outlook Mail are pinned to the Start screen, and the Store app is allowed but is not pinned to Start.
```xml
<Apps>
<!-- Outlook Calendar -->
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar">
<PinToStart>
<Size>Large</Size>
<Location>
<LocationX>1</LocationX>
<LocationY>4</LocationY>
<LocationX>0</LocationX>
<LocationY>0</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Outlook Mail-->
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail">
<PinToStart>
<Size>Large</Size>
<Size>Medium</Size>
<Location>
<LocationX>1</LocationX>
<LocationY>6</LocationY>
<LocationX>4</LocationX>
<LocationY>0</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Store -->
<Application productId="7D47D89A-7900-47C5-93F2-46EB6D94C159" aumid="Microsoft.WindowsStore_8wekyb3d8bbwe!App" />
</Apps>
```
That layout would appear on a device like this:
![Example of the layout on a Start screen](images/StartGridPinnedApps.jpg)
You can create and pin folders to Start by using the Apps setting. Each folder requires a **folderId**, which must be a consecutive positive integer starting with `1`. You can also specify a **folderName** (optional) which will be displayed on Start.
```xml
<Apps>
<!-- Management folder -->
<Application folderId="1" folderName="Management">
<PinToStart>
<Size>Medium</Size>
<Location>
<LocationX>4</LocationX>
<LocationY>0</LocationY>
</Location>
</PinToStart>
</Application>
</Apps>
```
## Lockdown example to use in a lockdown XML file
The XML example can be used as a lockdown file that is contained in a provisioning package created in Windows Imaging and Configuration Designer (ICD). However, if you use MDM to push the lockdown file directly to devices, the XML example must use escaped characters for lockdown (such as &lt; in place of &lt;) as a result of XML embedded in XML. You can easily find an online escape tool to help you with this process.
To add apps to the folder, include **ParentFolderId** in the application XML, as shown in the following example:
```xml
<Apps>
<!-- Outlook Calendar -->
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar">
<PinToStart>
<Size>Large</Size>
<Location>
<LocationX>0</LocationX>
<LocationY>0</LocationY>
</Location>
<ParentFolderId>1</ParentFolderId>
</PinToStart>
</Application>
<!-- Outlook Mail-->
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail">
<PinToStart>
<Size>Medium</Size>
<Location>
<LocationX>4</LocationX>
<LocationY>0</LocationY>
</Location>
<ParentFolderId>1</ParentFolderId>
</PinToStart>
</Application>
</Apps>
```
When an app is contained in a folder, its **PinToStart** configuration (tile size and location) applies to its appearance when the folder is opened.
## Buttons
![XML for buttons](images/ButtonsXML.jpg)
In the Buttons setting, you use ButtonLockdownList to disable hardware buttons and ButtonRemapList to change button events to open an app that you specify.
### ButtonLockdownList
When a user taps a button that is in the lockdown list, nothing will happen. The following table lists which events can be disabled for each button.
Button | Press | PressAndHold | All
---|:---:|:---:|:--:|-
Start | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png)
Back | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png)
Search | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png)
Camera | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png)
Custom 1, 2, and 3 | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png)
> [!NOTE]
> Custom buttons are hardware buttons that can be added to devices by OEMs.
In the following example, press-and-hold is disabled for the Back button.
```xml
<Buttons>
<ButtonLockdownList>
<Button name="Back">
<ButtonEvent name="PressAndHold" />
</Button>
</ButtonLockdownList>
</Buttons>
```
If you don't specify a button event, all actions for the button are disabled. In the next example, all actions are disabled for the camera button.
```xml
<Buttons>
<ButtonLockdownList>
<Button name="Camera">
</Button>
</ButtonLockdownList>
</Buttons>
```
### ButtonRemapList
ButtonRemapList lets you change the app that a button will run. You can remap the Search button and any custom buttons included by the OEM. You can't remap the Back, Start, or Camera buttons.
> [!WARNING]
> Button remapping can enable a user to open an application that is not in the allow list for that user role. Use button lock down to prevent application access for a user role.
To remap a button, you specify the button, the event, and the product ID for the app that you want the event to open.
In the following example, when a user presses the Search button, the phone dialer will open instead of the Search app.
```xml
<Buttons>
<ButtonRemapList>
<Button name="Search">
<ButtonEvent name="Press">
<!-- Phone dialer -->
<Application productID="{F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7 }" parameters="" />
</ButtonEvent>
</Button>
</ButtonRemapList>
</Buttons>
```
## CSPRunner
![XML for CSP Runner](images/CSPRunnerXML.jpg)
You can use CSPRunner to include settings that are not defined in AssignedAccessXML. For example, you can include settings from other sections of EnterpriseAssignedAccess CSP, such as lockscreen, theme, and time zone. You can also include settings from other CSPs, such as [Wi-Fi CSP](http://go.microsoft.com/fwlink/p/?LinkID=717460) or [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962%28v=vs.85%29.aspx).
CSPRunner is helpful when you are configuring a device to support multiple roles. It lets you apply different policies according to the role that is signed on. For example, Wi-Fi could be enabled for a supervisor role and disabled for a stocking clerk role.
In CSPRunner, you specify the CSP and settings using SyncML, a standardized markup language for device management. A SyncML section can include multiple settings, or you can use multiple SyncML sections -- it's up to you how you want to organize settings in this section.
> [!NOTE]
> This description of SyncML is just the information that you need to use SyncML in a lockdown XML file. To learn more about SyncML, see [Structure of OMA DM provisioning files](https://msdn.microsoft.com/windows/hardware/dn914774.aspx).
Let's start with the structure of SyncML in the following example:
```xml
SyncML>
<SyncBody>
<Add>|<Replace>
<CmdID>#</CmdID>
<Item>
<Target>
<LocURI>CSP Path</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">Data Type</Format>
</Meta>
<Data>Value</Data>
</Item>
</Add>|</Replace>
<Final/>
</SyncBody>
</SyncML>
```
This table explains the parts of the SyncML structure.
SyncML entry | Description
---|---
**Add** or **Replace** | Use **Add** to apply a setting or policy that is not already configured. Use **Replace** to change an existing setting or policy.
**CmdID** | SyncBody can contain multiple commands. Each command in a lockdown XML file must have a different **CmdID** value.
**Item** | **Item** is a wrapper for a single setting. You can include multiple items for the command if they all use the same **Add** or **Replace** operation.
**Target > LocURI** | **LocURI** is the path to the CSP.
**Meta > Format** | The data format required by the CSP.
**Data** | The value for the setting.
## Menu items
![XML for menu items](images/MenuItemsXML.png)
Use DisableMenuItems to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Apps list. You can include this entry in the default profile and in any additional user role profiles that you create.
```xml
<MenuItems>
<DisableMenuItems/>
</MenuItems>
```
## Settings
![XML for settings](images/SettingsXML.png)
The **Settings** section contains an `allow` list of pages in the Settings app. The following example allows all settings.
```xml
<Settings>
<!-- Allow all settings -->
</Settings>
```
In the following example, all system setting pages are enabled.
```xml
<Settings>
<System name="SettingsPageGroupPCSystem" />
<System name="SettingsPageDisplay" />
<System name="SettingsPageAppsNotifications" />
<System name="SettingsPageCalls" />
<System name="SettingsPageMessaging" />
<System name="SettingsPageBatterySaver" />
<System name="SettingsPageStorageSenseStorageOverview" />
<System name="SettingsPageGroupPCSystemDeviceEncryption" />
<System name="SettingsPageDrivingMode" />
<System name="SettingsPagePCSystemInfo" />
</Settings>
```
If you list a setting or quick action in **Settings**, all settings and quick actions that are not listed are blocked. To remove access to all of the settings in the system, do not include the settings application in [Apps](#apps).
For a list of the settings and quick actions that you can allow or block, see [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md).
## Tiles
![XML for tiles](images/TilesXML.png)
By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the users profile. If tile manipulation is enabled in the users profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile.
> [!IMPORTANT]
> If a device is turned off then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in users profile.
```xml
<Tiles>
<EnableTileManipulation/>
</Tiles>
```
## Start screen size
Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions. Valid values:
* Small sets the width to 4 columns on devices with short axis (less than 400epx) or 6 columns on devices with short axis (greater than or equal to 400epx).
* Large sets the width to 6 columns on devices with short axis (less than 400epx) or 8 columns on devices with short axis (greater than or equal to 400epx).
If you have existing lockdown xml, you must update start screen size if your device has >=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4.
[Learn about effective pixel width (epx) for different device size classes.](http://go.microsoft.com/fwlink/p/?LinkId=733340)
## Configure additional roles
You can add custom configurations by role. In addition to the role configuration, you must also install a login application on the device. The app displays a list of available roles on the device; the user taps a role, such as "Manager"; the configuration defined for the "Manager" role is applied.
[Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin)
In the XML file, you define each role with a GUID and name, as shown in the following example:
```xml
<Role guid="{7bb62e8c-81ba-463c-b691-74af68230b42}" name="Manager">
```
You can create a GUID using a GUID generator -- free tools are available online. The GUID needs to be unique within this XML file.
You can configure the same settings for each role as you did for the default role, except Start screen size which can only be configured for the default role. If you use CSPRunner with roles, be aware that the last CSP setting applied will be retained across roles unless explicitly changed in each role configuration. CSP settings applied by CSPRunner may conflict with settings applied by MDM.
```xml
<?xml version "1.0" encoding "utf-8"?>
<HandheldLockdown version "1.0" >
<Default>
<ActionCenter>
<Apps>
<Buttons>
<CSPRunner>
<MenuItems>
<Settings>
<Tiles>
<StartScreenSize>
</Default>
<RoleList>
<Role>
<ActionCenter>
<Apps>
<Buttons>
<CSPRunner>
<MenuItems>
<Settings>
<Tiles>
</Role>
</RoleList>
</Default>
</HandheldLockdown>
```
## Add lockdown XML to a provisioning package
Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)
1. Follow the instructions at [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651) to create a project, selecting **Common to all Windows mobile editions** for your project.
2. In **Available customizations**, go to **Runtime settings** &gt; **EmbeddedLockdownProfiles** &gt; **AssignedAccessXml**.
3. In the center pane, click **Browse** to locate and select the lockdown XML file that you created.
![browse button](images/icdbrowse.png)
4. On the **File** menu, select **Save.**
5. On the **Export** menu, select **Provisioning package**.
6. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
7. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package.
8. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location.
Optionally, you can click **Browse** to change the default output location.
9. Click **Next**.
10. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
11. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
After you build the provisioning package, follow the instructions for [applying a provisioning package at runtime to Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkID=619164).
## Push lockdown XML using MDM
After you deploy your devices, you can still configure lockdown settings through your MDM solution if it supports the [EnterpriseAssignedAccess CSP](http://go.microsoft.com/fwlink/p/?LinkID=618601).
To push lockdown settings to enrolled devices, use the AssignedAccessXML setting and use the lockdown XML as the value. The lockdown XML will be in a HandheldLockdown section that becomes XML embedded in XML, so the XML that you enter must use escaped characters (such as &lt; in place of &lt;). After the MDM provider pushes your lockdown settings to the device, the CSP processes the file and updates the device.
## Full Lockdown.xml example
```xml
<?xml version="1.0" encoding="utf-8"?>
<HandheldLockdown version="1.0" >
<Default>
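Review bot: the skeleton under "Overview of the lockdown XML file", which the text tells readers to paste into an editor, is not well-formed XML: `<?xml version "1.0" encoding "utf-8"?>` and `<HandheldLockdown version "1.0" >` are missing the `=` between attribute name and value. The same two lines are repeated in the skeleton under "Configure additional roles", which also closes `</Default>` a second time after `</RoleList>`, and the SyncML structure example opens with `SyncML>` without its `<`. Either correct these or state that the skeletons are schematic outlines rather than paste-ready files. In the ButtonRemapList example the attribute is spelled `productID` where every Apps example uses `productId`, and the GUID has a space before the closing brace; XML attribute names are case-sensitive, so align both with the Apps examples. In "Push lockdown XML using MDM", "such as &lt; in place of &lt;" shows the same token twice, so the escaping instruction does not say what is being replaced; the second should be the literal `<` character.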
@ -486,59 +846,9 @@ The XML example can be used as a lockdown file that is contained in a provisioni
</Role>
</RoleList>
</HandheldLockdown>
```
## Add lockdown XML to a provisioning package
Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)
1. Follow the instructions at [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651) to create a project, selecting **Common to all Windows mobile editions** for your project.
2. In **Available customizations**, go to **Runtime settings** &gt; **EmbeddedLockdownProfiles** &gt; **AssignedAccessXml**.
3. In the center pane, click **Browse** to locate and select the lockdown XML file that you created.
![browse button](images/icdbrowse.png)
4. On the **File** menu, select **Save.**
5. On the **Export** menu, select **Provisioning package**.
6. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
7. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package.
8. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location.
Optionally, you can click **Browse** to change the default output location.
9. Click **Next**.
10. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
11. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
After you build the provisioning package, follow the instructions for [applying a provisioning package at runtime to Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkID=619164).
## Push lockdown XML using MDM
After you deploy your devices, you can still configure lockdown settings through your MDM solution if it supports the [EnterpriseAssignedAccess CSP](http://go.microsoft.com/fwlink/p/?LinkID=618601).
To push lockdown settings to enrolled devices, use the AssignedAccessXML setting and use the lockdown XML as the value. The lockdown XML will be in a HandheldLockdown section that becomes XML embedded in XML, so the XML that you enter must use escaped characters (such as &lt; in place of &lt;). After the MDM provider pushes your lockdown settings to the device, the CSP processes the file and updates the device.
## Learn more
[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)

View File

@ -22,9 +22,9 @@ Learn about the network connections that Windows components make to Microsoft an
If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure telemetry at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
Some of the network connections discussed in this article can be managed in Windows 10 Mobile, Windows 10 Mobile Enterprise, and the July release of Windows 10. However, you must use Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511 to manage them all.
Some of the network connections discussed in this article can be managed in Windows 10 Mobile, Windows 10 Mobile Enterprise, Windows 10, version 1507, and Windows 10, version 1511. However, you must use Windows 10 Enterprise, version 1607 or Windows 10 Education, version 1607 to manage them all.
In Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511, you can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience.
You can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience.
We are always working on improving Windows 10 for our customers. We invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows 10 work better for your organization.
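Review bot: the rewritten telemetry paragraph ("You can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, ...") drops the edition and version scope that the line it replaces carried ("In Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511, ..."). The preceding paragraph was updated to say that Windows 10 Enterprise or Windows 10 Education, version 1607 is needed to manage all of the connections, so state here as well which editions and version the Security level applies to; otherwise an admin on another edition can read this paragraph as applying to their devices.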
@ -32,224 +32,167 @@ Here's what's covered in this article:
- [Info management settings](#bkmk-othersettings)
- [1. Cortana](#bkmk-cortana)
- [1. Certificate trust lists](#certificate-trust-lists)
- [1.1 Cortana Group Policies](#bkmk-cortana-gp)
- [2. Cortana](#bkmk-cortana)
- [1.2 Cortana MDM policies](#bkmk-cortana-mdm)
- [2.1 Cortana Group Policies](#bkmk-cortana-gp)
- [1.3 Cortana Windows Provisioning](#bkmk-cortana-prov)
- [2.2 Cortana MDM policies](#bkmk-cortana-mdm)
- [2. Date & Time](#bkmk-datetime)
- [2.3 Cortana Windows Provisioning](#bkmk-cortana-prov)
- [3. Device metadata retrieval](#bkmk-devinst)
- [3. Date & Time](#bkmk-datetime)
- [4. Font streaming](#font-streaming)
- [4. Device metadata retrieval](#bkmk-devinst)
- [5. Insider Preview builds](#bkmk-previewbuilds)
- [5. Font streaming](#font-streaming)
- [6. Internet Explorer](#bkmk-ie)
- [6. Insider Preview builds](#bkmk-previewbuilds)
- [6.1 Internet Explorer Group Policies](#bkmk-ie-gp)
- [7. Internet Explorer](#bkmk-ie)
- [6.2 ActiveX control blocking](#bkmk-ie-activex)
- [7.1 Internet Explorer Group Policies](#bkmk-ie-gp)
- [7. Live Tiles](#live-tiles)
- [7.2 ActiveX control blocking](#bkmk-ie-activex)
- [8. Live Tiles](#live-tiles)
- [8. Mail synchronization](#bkmk-mailsync)
- [9. Mail synchronization](#bkmk-mailsync)
- [9. Microsoft Edge](#bkmk-edge)
- [10. Microsoft Account](#bkmk-microsoft-account)
- [9.1 Microsoft Edge Group Policies](#bkmk-edgegp)
- [11. Microsoft Edge](#bkmk-edge)
- [9.2 Microsoft Edge MDM policies](#bkmk-edge-mdm)
- [11.1 Microsoft Edge Group Policies](#bkmk-edgegp)
- [9.3 Microsoft Edge Windows Provisioning](#bkmk-edge-prov)
- [11.2 Microsoft Edge MDM policies](#bkmk-edge-mdm)
- [10. Network Connection Status Indicator](#bkmk-ncsi)
- [11.3 Microsoft Edge Windows Provisioning](#bkmk-edge-prov)
- [11. Offline maps](#bkmk-offlinemaps)
- [12. Network Connection Status Indicator](#bkmk-ncsi)
- [12. OneDrive](#bkmk-onedrive)
- [13. Offline maps](#bkmk-offlinemaps)
- [13. Preinstalled apps](#bkmk-preinstalledapps)
- [14. OneDrive](#bkmk-onedrive)
- [14. Settings &gt; Privacy](#bkmk-settingssection)
- [15. Preinstalled apps](#bkmk-preinstalledapps)
- [14.1 General](#bkmk-priv-general)
- [16. Settings &gt; Privacy](#bkmk-settingssection)
- [14.2 Location](#bkmk-priv-location)
- [16.1 General](#bkmk-priv-general)
- [14.3 Camera](#bkmk-priv-camera)
- [16.2 Location](#bkmk-priv-location)
- [14.4 Microphone](#bkmk-priv-microphone)
- [16.3 Camera](#bkmk-priv-camera)
- [14.5 Speech, inking, & typing](#bkmk-priv-speech)
- [16.4 Microphone](#bkmk-priv-microphone)
- [14.6 Account info](#bkmk-priv-accounts)
- [16.5 Notifications](#bkmk-priv-notifications)
- [14.7 Contacts](#bkmk-priv-contacts)
- [16.6 Speech, inking, & typing](#bkmk-priv-speech)
- [14.8 Calendar](#bkmk-priv-calendar)
- [16.7 Account info](#bkmk-priv-accounts)
- [14.9 Call history](#bkmk-priv-callhistory)
- [16.8 Contacts](#bkmk-priv-contacts)
- [14.10 Email](#bkmk-priv-email)
- [16.9 Calendar](#bkmk-priv-calendar)
- [14.11 Messaging](#bkmk-priv-messaging)
- [16.10 Call history](#bkmk-priv-callhistory)
- [14.12 Radios](#bkmk-priv-radios)
- [16.11 Email](#bkmk-priv-email)
- [14.13 Other devices](#bkmk-priv-other-devices)
- [16.12 Messaging](#bkmk-priv-messaging)
- [14.14 Feedback & diagnostics](#bkmk-priv-feedback)
- [16.13 Radios](#bkmk-priv-radios)
- [14.15 Background apps](#bkmk-priv-background)
- [16.14 Other devices](#bkmk-priv-other-devices)
- [15. Software Protection Platform](#bkmk-spp)
- [16.15 Feedback & diagnostics](#bkmk-priv-feedback)
- [16. Sync your settings](#bkmk-syncsettings)
- [16.16 Background apps](#bkmk-priv-background)
- [17. Teredo](#bkmk-teredo)
- [17. Software Protection Platform](#bkmk-spp)
- [18. Wi-Fi Sense](#bkmk-wifisense)
- [18. Sync your settings](#bkmk-syncsettings)
- [19. Windows Defender](#bkmk-defender)
- [19. Teredo](#bkmk-teredo)
- [20. Windows Media Player](#bkmk-wmp)
- [20. Wi-Fi Sense](#bkmk-wifisense)
- [21. Windows spotlight](#bkmk-spotlight)
- [21. Windows Defender](#bkmk-defender)
- [22. Windows Store](#bkmk-windowsstore)
- [22. Windows Media Player](#bkmk-wmp)
- [23. Windows Update Delivery Optimization](#bkmk-updates)
- [23. Windows spotlight](#bkmk-spotlight)
- [23.1 Settings &gt; Update & security](#bkmk-wudo-ui)
- [24. Windows Store](#bkmk-windowsstore)
- [23.2 Delivery Optimization Group Policies](#bkmk-wudo-gp)
- [25. Windows Update Delivery Optimization](#bkmk-updates)
- [23.3 Delivery Optimization MDM policies](#bkmk-wudo-mdm)
- [25.1 Settings &gt; Update & security](#bkmk-wudo-ui)
- [23.4 Delivery Optimization Windows Provisioning](#bkmk-wudo-prov)
- [25.2 Delivery Optimization Group Policies](#bkmk-wudo-gp)
- [24. Windows Update](#bkmk-wu)
- [25.3 Delivery Optimization MDM policies](#bkmk-wudo-mdm)
## What's new in Windows 10, version 1511
- [25.4 Delivery Optimization Windows Provisioning](#bkmk-wudo-prov)
- [26. Windows Update](#bkmk-wu)
Here's a list of changes that were made to this article for Windows 10, version 1511:
## What's new in Windows 10, version 1607
- Added the following new sections:
Here's a list of changes that were made to this article for Windows 10, version 1607:
- [Mail synchronization](#bkmk-mailsync)
- Added instructions on how to turn off speech recognition and speech synthesis model updates in [14.5 Speech, inking, & typing](#bkmk-priv-speech).
- Added instructions on how to turn off flip ahead with an Internet Explorer Group Policy.
- Added a section on how to turn off automatic root updates to stop updating the certificate trust list in [1. Certificate trust lists](#certificate-trust-lists).
- Added a new setting in [25. Windows Update](#bkmk-wu).
- Changed the NCSI URL in [11. Network Connection Status Indicator](#bkmk-ncsi).
- Added a section on how to turn off features that depend on Microsoft Account cloud authentication service [10. Microsoft Account](#bkmk-microsoft-account).
- [Offline maps](#bkmk-offlinemaps)
- Added the following Group Policies:
- [Windows spotlight](#bkmk-spotlight)
- [Windows Store](#bkmk-windowsstore)
- Added the following Group Policies:
- Open a new tab with an empty tab
- Configure corporate Home pages
- Let Windows apps access location
- Let Windows apps access the camera
- Let Windows apps access the microphone
- Let Windows apps access account information
- Let Windows apps access contacts
- Let Windows apps access the calendar
- Let Windows apps access messaging
- Let Windows apps control radios
- Let Windows apps access trusted devices
- Do not show feedback notifications
- Turn off Automatic Download and Update of Map Data
- Force a specific default lock screen image
- Added the AllowLinguisticDataCollection MDM policy.
- Added steps in the [Cortana](#bkmk-cortana) section on how to disable outbound traffic using Windows Firewall.
- Changed the Windows Update section to apply system-wide settings, and not just per user.
- Turn off unsolicited network traffic on the Offline Maps settings page
- Turn off all Windows spotlight features
## <a href="" id="bkmk-othersettings"></a>Info management settings
This section lists the components that make network connections to Microsoft services automatically. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all of these connections. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience.
The settings in this section assume you are using Windows 10, version 1511 (currently available in the Current Branch and Current Branch for Business). They will also be included in the next update for the Long Term Servicing Branch.
- [1. Cortana](#bkmk-cortana)
- [2. Date & Time](#bkmk-datetime)
- [3. Device metadata retrieval](#bkmk-devinst)
- [4. Font streaming](#font-streaming)
- [5. Insider Preview builds](#bkmk-previewbuilds)
- [6. Internet Explorer](#bkmk-ie)
- [7. Live Tiles](#live-tiles)
- [8. Mail synchronization](#bkmk-mailsync)
- [9. Microsoft Edge](#bkmk-edge)
- [10. Network Connection Status Indicator](#bkmk-ncsi)
- [11. Offline maps](#bkmk-offlinemaps)
- [12. OneDrive](#bkmk-onedrive)
- [13. Preinstalled apps](#bkmk-preinstalledapps)
- [14. Settings &gt; Privacy](#bkmk-settingssection)
- [15. Software Protection Platform](#bkmk-spp)
- [16. Sync your settings](#bkmk-syncsettings)
- [17. Teredo](#bkmk-teredo)
- [18. Wi-Fi Sense](#bkmk-wifisense)
- [19. Windows Defender](#bkmk-defender)
- [20. Windows Media Player](#bkmk-wmp)
- [21. Windows spotlight](#bkmk-spotlight)
- [22. Windows Store](#bkmk-windowsstore)
- [23. Windows Update Delivery Optimization](#bkmk-updates)
- [24. Windows Update](#bkmk-wu)
The settings in this section assume you are using Windows 10, version 1607. They will also be included in the next update for the Long Term Servicing Branch.
See the following table for a summary of the management settings. For more info, see its corresponding section.
![Management settings table](images/settings-table.png)
### <a href="" id="bkmk-cortana"></a>1. Cortana
### <a href="" id="certificate-trust-lists"></a>1. Certificate trust lists
A certificate trust list is a predefined list of items, such as a list of certificate hashes or a list of file name, that are signed by a trusted entity. Windows automatically downloads an updated certificate trust list when it is available.
To turn off the automatic download of an updated certificate trust list, you can turn off automatic root updates, which also includes the disallowed certificate list and the pin rules list.
- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Automatic Root Certificates Update**
-or-
- Create a REG\_DWORD registry setting called **DisableRootAutoUpdate** in **HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate**, with a value of 1.
After that, do the following in a Group Policy:
1. Navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies**.
2. Double-click **Certificate Path Validation Settings**.
3. On the **Network Retrieval** tab, select the **Define these policy settings** check box.
4. Clear the **Automatically update certificates in the Microsoft Root Certificate Program (recommended)** check box, and then click **OK**.
### <a href="" id="bkmk-cortana"></a>2. Cortana
Use either Group Policy or MDM policies to manage settings for Cortana. For more info, see [Cortana, Search, and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730683).
### <a href="" id="bkmk-cortana-gp"></a>1.1 Cortana Group Policies
### <a href="" id="bkmk-cortana-gp"></a>2.1 Cortana Group Policies
Find the Cortana Group Policy objects under **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Search**.
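Review bot: In the new "1. Certificate trust lists" section, the registry bullet names DisableRootAutoUpdate both as the value to create and as the last segment of the path (...\SystemCertificates\AuthRoot\DisableRootAutoUpdate), so a reader cannot tell whether that segment is a key or the value. Give the key path ending at AuthRoot and the value name separately, and escape the backslashes the way the other registry paths in the article do. The same section says turning off automatic root updates also covers the disallowed certificate list and the pin rules list; add a sentence saying that devices then stop receiving those updates, because that is a security trade-off and not only a privacy setting. In the "What's new in Windows 10, version 1607" list, the cross-references still carry the old numbers ("14.5 Speech, inking, & typing", "25. Windows Update", "11. Network Connection Status Indicator") while the renumbered contents list has them as 16.6, 26 and 12. "a list of file name" should be "a list of file names".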
@ -261,7 +204,10 @@ Find the Cortana Group Policy objects under **Computer Configuration** &gt; **Ad
| Don't search the web or display web results in Search| Choose whether to search the web from Cortana. |
| Set what information is shared in Search | Control what information is shared with Bing in Search. |
When you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic.
In Windows 10, version 1507 and Windows 10, version 1511, When you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic.
>[!IMPORTANT]
>These steps are not required for devices running Windows 10, version 1607.
1. Expand **Computer Configuration** &gt; **Windows Settings** &gt; **Security Settings** &gt; **Windows Firewall with Advanced Security** &gt; **Windows Firewall with Advanced Security - &lt;LDAP name&gt;**, and then click **Outbound Rules**.
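Review bot: The rewritten paragraph scopes the residual Bing.com traffic to versions 1507 and 1511, and the new callout says the firewall steps are not required on version 1607, but nothing states what 1607 does differently. Say explicitly whether enabling "Don't search the web or display web results in Search" alone stops that traffic on 1607, so an admin can verify it. In the same sentence, "When" should be lowercase after "version 1511,".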
@ -287,9 +233,9 @@ When you enable the **Don't search the web or display web results in Search** Gr
- For **Remote port**, choose **All ports**.
> **Note:** If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. Fiddler is a network proxy and Windows Firewall does not block proxy traffic. You should use a network traffic analyzer, such as WireShark or Message Analyzer.
If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. Fiddler is a network proxy and Windows Firewall does not block proxy traffic. You should use a network traffic analyzer, such as WireShark or Message Analyzer.
### <a href="" id="bkmk-cortana-mdm"></a>1.2 Cortana MDM policies
### <a href="" id="bkmk-cortana-mdm"></a>2.2 Cortana MDM policies
The following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
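Review bot: The Fiddler caveat lost its note markup and is now a plain paragraph that follows the last rule step, while the other notes touched in this commit are converted to the "[!NOTE]" callout form. Convert it the same way so the warning about testing through a proxy stays visually distinct from the procedure. "WireShark" is spelled "Wireshark".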
@ -298,11 +244,11 @@ The following Cortana MDM policies are available in the [Policy CSP](http://msdn
| Experience/AllowCortana | Choose whether to let Cortana install and run on the device. |
| Search/AllowSearchToUseLocation | Choose whether Cortana and Search can provide location-aware search results. <br /> Default: Allowed|
### <a href="" id="bkmk-cortana-prov"></a>1.3 Cortana Windows Provisioning
### <a href="" id="bkmk-cortana-prov"></a>2.3 Cortana Windows Provisioning
To use Windows Imaging and Configuration Designer (ICD) to create a provisioning package with the settings for these policies, go to **Runtime settings** &gt; **Policies** to find **Experience** &gt; **AllowCortana** and **Search** &gt; **AllowSearchToUseLocation**.
### <a href="" id="bkmk-datetime"></a>2. Date & Time
### <a href="" id="bkmk-datetime"></a>3. Date & Time
You can prevent Windows from setting the time automatically.
@ -312,19 +258,20 @@ You can prevent Windows from setting the time automatically.
- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**.
### <a href="" id="bkmk-devinst"></a>3. Device metadata retrieval
### <a href="" id="bkmk-devinst"></a>4. Device metadata retrieval
To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **Device Installation** &gt; **Prevent device metadata retrieval from the Internet**.
### <a href="" id="font-streaming"></a>4. Font streaming
### <a href="" id="font-streaming"></a>5. Font streaming
Starting with Windows 10, fonts that are included in Windows but that are not stored on the local device can be downloaded on demand.
To turn off font streaming, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1.
> **Note:** This may change in future versions of Windows.
> [!NOTE]
> This may change in future versions of Windows.
### <a href="" id="bkmk-previewbuilds"></a>5. Insider Preview builds
### <a href="" id="bkmk-previewbuilds"></a>6. Insider Preview builds
To turn off Insider Preview builds if you're running a released version of Windows 10. If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds.
@ -354,11 +301,11 @@ To turn off Insider Preview builds if you're running a released version of Windo
- **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
### <a href="" id="bkmk-ie"></a>6. Internet Explorer
### <a href="" id="bkmk-ie"></a>7. Internet Explorer
Use Group Policy to manage settings for Internet Explorer.
### <a href="" id="bkmk-ie-gp"></a>6.1 Internet Explorer Group Policies
### <a href="" id="bkmk-ie-gp"></a>7.1 Internet Explorer Group Policies
Find the Internet Explorer Group Policy objects under **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Internet Explorer**.
@ -370,19 +317,26 @@ Find the Internet Explorer Group Policy objects under **Computer Configuration**
| Disable Periodic Check for Internet Explorer software updates| Choose whether Internet Explorer periodically checks for a new version. <br /> Default: Enabled |
| Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer. <br /> Default: Disabled|
### <a href="" id="bkmk-ie-activex"></a>6.2 ActiveX control blocking
There are two more Group Policy objects that are used by Internet Explorer:
| Path | Policy | Description |
| - | - | - |
| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Internet Control Panel** > **Advanced Page** | Turn off the flip ahead with page prediction feature | Choose whether an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website. <br /> Default: Enabled |
| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **RSS Feeds** | Turn off background synchronization for feeds and Web Slices | Choose whether to have background synchronization for feeds and Web Slices. <br /> Default: Enabled |
### <a href="" id="bkmk-ie-activex"></a>7.2 ActiveX control blocking
ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero).
For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx).
### <a href="" id="live-tiles"></a>7. Live Tiles
### <a href="" id="live-tiles"></a>8. Live Tiles
To turn off Live Tiles:
- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage**
### <a href="" id="bkmk-mailsync"></a>8. Mail synchronization
### <a href="" id="bkmk-mailsync"></a>9. Mail synchronization
To turn off mail synchronization for Microsoft Accounts that are configured on a device:
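Review bot: In the added table, "Default: Enabled" on "Turn off the flip ahead with page prediction feature" and on "Turn off background synchronization for feeds and Web Slices" does not tell the reader which policy state stops the network connection, and for a "Turn off ..." policy it is ambiguous whether the default describes the policy or the feature. State the value to set for each row. The lead-in says both policies "are used by Internet Explorer" although the second one sits under RSS Feeds; reword it or note the dependency.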
@ -400,15 +354,36 @@ To turn off the Windows Mail app:
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Mail** &gt; **Turn off Windows Mail application**
### <a href="" id="bkmk-edge"></a>9. Microsoft Edge
### <a href="" id="bkmk-microsoft-account"></a>10. Microsoft Account
To prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways.
- Change the **Start** REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentControlSet\\Services\\wlidsvc** to 4.
### <a href="" id="bkmk-edge"></a>11. Microsoft Edge
Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730682).
### <a href="" id="bkmk-edgegp"></a>9.1 Microsoft Edge Group Policies
### <a href="" id="bkmk-edgegp"></a>11.1 Microsoft Edge Group Policies
Find the Microsoft Edge Group Policy objects under **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Microsoft Edge**.
> **Note:** The Microsoft Edge Group Policy names were changed in Windows 10, version 1511. The table below reflects those changes.
> [!NOTE]
> The Microsoft Edge Group Policy names were changed in Windows 10, version 1607. The table below reflects those changes.
| Policy | Description |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
| Configure autofill | Choose whether employees can use autofill on websites. <br /> Default: Enabled |
| Configure Do Not Track | Choose whether employees can send Do Not Track headers.<br /> Default: Disabled |
| Configure password manager | Choose whether employees can save passwords locally on their devices. <br /> Default: Enabled |
| Configure search suggestions in Address bar | Choose whether the address bar shows search suggestions. <br /> Default: Enabled |
| Configure SmartScreen Filter | Choose whether SmartScreen is turned on or off. <br /> Default: Enabled |
| Allow web content on New Tab page | Choose whether a new tab page appears. <br /> Default: Enabled |
| Configure Home pages | Choose the corporate Home page for domain-joined devices. <br /> Set this to **about:blank** |
The Windows 10, version 1511 Microsoft Edge Group Policy names are:
| Policy | Description |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
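Review bot: The new Microsoft Account bullet puts wlidsvc under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentControlSet\Services, whereas the other service settings in this article (W32Time, FontCache) are under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. Please confirm the path, because a value written to the wrong key leaves the service running with no error. It would also help to say that a Start value of 4 disables the service. The introduction is a sentence fragment ("To prevent communication to the Microsoft Account cloud authentication service.") and "Some of them could be in unexpected ways" needs rewording.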
@ -420,7 +395,7 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g
| Open a new tab with an empty tab | Choose whether a new tab page appears. <br /> Default: Enabled |
| Configure corporate Home pages | Choose the corporate Home page for domain-joined devices. <br /> Set this to **about:blank** |
### <a href="" id="bkmk-edge-mdm"></a>9.2 Microsoft Edge MDM policies
### <a href="" id="bkmk-edge-mdm"></a>11.2 Microsoft Edge MDM policies
The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
@ -432,35 +407,42 @@ The following Microsoft Edge MDM policies are available in the [Policy CSP](http
| Browser/AllowSearchSuggestionsinAddressBar | Choose whether the address bar shows search suggestions.. <br /> Default: Allowed |
| Browser/AllowSmartScreen | Choose whether SmartScreen is turned on or off. <br /> Default: Allowed |
### <a href="" id="bkmk-edge-prov"></a>9.3 Microsoft Edge Windows Provisioning
### <a href="" id="bkmk-edge-prov"></a>11.3 Microsoft Edge Windows Provisioning
Use Windows ICD to create a provisioning package with the settings for these policies, go to **Runtime settings** &gt; **Policies**.
For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx).
### <a href="" id="bkmk-ncsi"></a>10. Network Connection Status Indicator
### <a href="" id="bkmk-ncsi"></a>12. Network Connection Status Indicator
Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftncsi.com to determine if the device can communicate with the Internet. For more info about NCIS, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx).
Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. For more info about NCIS, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx).
In versions of Windows 10 prior to Windows 10, version 1607, the URL was http://www.msftncsi.com.
You can turn off NCSI through Group Policy:
- Enable the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **Internet Communication Management** &gt; **Internet Communication Settings** &gt; **Turn off Windows Network Connectivity Status Indicator active tests**
> **Note** After you apply this policy, you must restart the device for the policy setting to take effect.
> [!NOTE]
> After you apply this policy, you must restart the device for the policy setting to take effect.
### <a href="" id="bkmk-offlinemaps"></a>11. Offline maps
### <a href="" id="bkmk-offlinemaps"></a>13. Offline maps
You can turn off the ability to download and update offline maps.
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Maps** &gt; **Turn off Automatic Download and Update of Map Data**
### <a href="" id="bkmk-onedrive"></a>12. OneDrive
-and-
- In Windows 10, version 1607 and later, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off unsolicited network traffic on the Offline Maps settings page**
### <a href="" id="bkmk-onedrive"></a>14. OneDrive
To turn off OneDrive in your organization:
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **OneDrive** &gt; **Prevent the usage of OneDrive for file storage**
### <a href="" id="bkmk-preinstalledapps"></a>13. Preinstalled apps
### <a href="" id="bkmk-preinstalledapps"></a>15. Preinstalled apps
Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section.
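Review bot: The updated NCSI sentence says a DNS request and an HTTP query are sent "to http://www.msftconnecttest.com/connecttest.txt", but a DNS request targets a host name, not a URL with a path. Name the host for the DNS lookup and the full URL for the HTTP query, since admins build firewall and proxy rules from this line. The new line also carries over the "NCIS" typo ("For more info about NCIS"), which should read NCSI.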
@ -572,47 +554,50 @@ To remove the Get Skype app:
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage**
### <a href="" id="bkmk-settingssection"></a>14. Settings &gt; Privacy
### <a href="" id="bkmk-settingssection"></a>16. Settings &gt; Privacy
Use Settings &gt; Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC.
- [14.1 General](#bkmk-general)
- [16.1 General](#bkmk-general)
- [14.2 Location](#bkmk-priv-location)
- [16.2 Location](#bkmk-priv-location)
- [14.3 Camera](#bkmk-priv-camera)
- [16.3 Camera](#bkmk-priv-camera)
- [14.4 Microphone](#bkmk-priv-microphone)
- [16.4 Microphone](#bkmk-priv-microphone)
- [14.5 Speech, inking, & typing](#bkmk-priv-speech)
- [16.5 Notifications](#bkmk-priv-notifications)
- [14.6 Account info](#bkmk-priv-accounts)
- [16.6 Speech, inking, & typing](#bkmk-priv-speech)
- [14.7 Contacts](#bkmk-priv-contacts)
- [16.7 Account info](#bkmk-priv-accounts)
- [14.8 Calendar](#bkmk-priv-calendar)
- [16.8 Contacts](#bkmk-priv-contacts)
- [14.9 Call history](#bkmk-priv-callhistory)
- [16.9 Calendar](#bkmk-priv-calendar)
- [14.10 Email](#bkmk-priv-email)
- [16.10 Call history](#bkmk-priv-callhistory)
- [14.11 Messaging](#bkmk-priv-messaging)
- [16.11 Email](#bkmk-priv-email)
- [14.12 Radios](#bkmk-priv-radios)
- [16.12 Messaging](#bkmk-priv-messaging)
- [14.13 Other devices](#bkmk-priv-other-devices)
- [16.13 Radios](#bkmk-priv-radios)
- [14.14 Feedback & diagnostics](#bkmk-priv-feedback)
- [16.14 Other devices](#bkmk-priv-other-devices)
- [14.15 Background apps](#bkmk-priv-background)
- [16.15 Feedback & diagnostics](#bkmk-priv-feedback)
### <a href="" id="bkmk-general"></a>14.1 General
- [16.16 Background apps](#bkmk-priv-background)
### <a href="" id="bkmk-general"></a>16.1 General
**General** includes options that don't fall into other areas.
To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**:
> **Note:** When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
> [!NOTE]
> When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
- Turn off the feature in the UI.
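Review bot: The General heading is still declared with id="bkmk-general" and this list links to #bkmk-general, but the article's contents list at the top links "16.1 General" to #bkmk-priv-general, so that entry will not resolve. The other Privacy subsections in this list use the bkmk-priv- prefix; rename this id and link to match, or fix the top-level link.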
@ -648,11 +633,12 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Window
-or-
- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost\\EnableWebContentEvaluation**, with a value of 0 (zero).
- Create a REG\_DWORD registry setting called **EnableWebContentEvaluation** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost**, with a value of 0 (zero).
To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**:
> **Note: ** If the telemetry level is set to either **Basic** or **Security**, this is turned off automatically.
> [!NOTE]
> If the telemetry level is set to either **Basic** or **Security**, this is turned off automatically.
@ -674,7 +660,15 @@ To turn off **Let websites provide locally relevant content by accessing my lang
- Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1.
### <a href="" id="bkmk-priv-location"></a>14.2 Location
To turn off **Let apps on my other devices open apps and continue experiences on this devices**:
- Turn off the feature in the UI.
To turn off **Let apps on my other devices use Bluetooth to open apps and continue experiences on this device**:
- Turn off the feature in the UI.
### <a href="" id="bkmk-priv-location"></a>16.2 Location
In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location.
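Review bot: The two added "Let apps on my other devices ..." settings document only "Turn off the feature in the UI", while the neighbouring General setting just above offers a registry alternative (HttpAcceptLanguageOptOut). If a managed option exists for these two, add it; otherwise say that none is available. The first label ends "on this devices" and the second "on this device"; check both against the UI strings.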
@ -696,8 +690,8 @@ To turn off **Location for this device**:
- **2**. Turned on and the employee can't turn it off.
**Note**
You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
> [!NOTE]
> You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
-or-
@ -725,7 +719,7 @@ To turn off **Choose apps that can use your location**:
- Turn off each app using the UI.
### <a href="" id="bkmk-priv-camera"></a>14.3 Camera
### <a href="" id="bkmk-priv-camera"></a>16.3 Camera
In the **Camera** area, you can choose which apps can access a device's camera.
@ -747,8 +741,8 @@ To turn off **Let apps use my camera**:
- **1**. Apps can use the camera.
**Note**
You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
> [!NOTE]
> You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
-or-
@ -762,7 +756,7 @@ To turn off **Choose apps that can use your camera**:
- Turn off the feature in the UI for each app.
### <a href="" id="bkmk-priv-microphone"></a>14.4 Microphone
### <a href="" id="bkmk-priv-microphone"></a>16.4 Microphone
In the **Microphone** area, you can choose which apps can access a device's microphone.
@ -780,13 +774,26 @@ To turn off **Choose apps that can use your microphone**:
- Turn off the feature in the UI for each app.
### <a href="" id="bkmk-priv-speech"></a>14.5 Speech, inking, & typing
### <a href="" id="bkmk-priv-notifications"></a>16.5 Notifications
In the **Notifications** area, you can choose which apps have access to notifications.
To turn off **Let apps access my notifications**:
- Turn off the feature in the UI.
-or-
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access my notifications**
- Set the **Select a setting** box to **Force Deny**.
### <a href="" id="bkmk-priv-speech"></a>16.6 Speech, inking, & typing
In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees.
> **Note:** For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article.
> [!NOTE]
> For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article.
To turn off the functionality:
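Review bot: The new 16.5 Notifications introduction says "you can choose which apps have access to notifications", but the section documents only the global "Let apps access my notifications" switch, whereas the Camera and Microphone sections pair the global switch with a per-app step ("Turn off the feature in the UI for each app"). Either add the per-app step or reword the introduction. In the adjacent Speech, inking, & typing paragraph, "calendar entrees" should be "calendar entries".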
@ -802,9 +809,21 @@ To turn off the functionality:
-and-
Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero).
- Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero).
### <a href="" id="bkmk-priv-accounts"></a>14.6 Account info
If you're running at least Windows 10, version 1607, you can turn off updates to the speech recognition and speech synthesis models:
Apply the Speech/AllowSpeechModelUpdate MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#Speech_AllowSpeechModelUpdate), where:
- **0** (default). Not allowed.
- **1**. Allowed.
-or-
- Create a REG\_DWORD registry setting called **AllowSpeechModelUpdate** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\Current\\Device\\Speech**, with a value of 0 (zero).
### <a href="" id="bkmk-priv-accounts"></a>16.7 Account info
In the **Account Info** area, you can choose which apps can access your name, picture, and other account info.
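Review bot: The new AllowSpeechModelUpdate paragraph lists **0** as both "(default)" and "Not allowed", which would mean speech model updates are already off and the step is unnecessary; please confirm the default against the Policy CSP and say explicitly which value to apply. The "Apply the Speech/AllowSpeechModelUpdate MDM policy" line also lacks the leading "- " that the registry alternative after "-or-" has, so the two options will not render as parallel list items.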
@ -822,7 +841,7 @@ To turn off **Choose the apps that can access your account info**:
- Turn off the feature in the UI for each app.
### <a href="" id="bkmk-priv-contacts"></a>14.7 Contacts
### <a href="" id="bkmk-priv-contacts"></a>16.8 Contacts
In the **Contacts** area, you can choose which apps can access an employee's contacts list.
@ -836,7 +855,7 @@ To turn off **Choose apps that can access contacts**:
- Set the **Select a setting** box to **Force Deny**.
### <a href="" id="bkmk-priv-calendar"></a>14.8 Calendar
### <a href="" id="bkmk-priv-calendar"></a>16.9 Calendar
In the **Calendar** area, you can choose which apps have access to an employee's calendar.
@ -854,7 +873,7 @@ To turn off **Choose apps that can access calendar**:
- Turn off the feature in the UI for each app.
### <a href="" id="bkmk-priv-callhistory"></a>14.9 Call history
### <a href="" id="bkmk-priv-callhistory"></a>16.10 Call history
In the **Call history** area, you can choose which apps have access to an employee's call history.
@ -868,7 +887,7 @@ To turn off **Let apps access my call history**:
- Set the **Select a setting** box to **Force Deny**.
### <a href="" id="bkmk-priv-email"></a>14.10 Email
### <a href="" id="bkmk-priv-email"></a>16.11 Email
In the **Email** area, you can choose which apps have can access and send email.
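Review bot: Under 16.11 Email, the intro line still reads "which apps have can access and send email"; since this hunk already touches the heading above it, drop the stray "have" here.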
@ -882,7 +901,7 @@ To turn off **Let apps access and send email**:
- Set the **Select a setting** box to **Force Deny**.
### <a href="" id="bkmk-priv-messaging"></a>14.11 Messaging
### <a href="" id="bkmk-priv-messaging"></a>16.12 Messaging
In the **Messaging** area, you can choose which apps can read or send messages.
@ -900,7 +919,7 @@ To turn off **Choose apps that can read or send messages**:
- Turn off the feature in the UI for each app.
### <a href="" id="bkmk-priv-radios"></a>14.12 Radios
### <a href="" id="bkmk-priv-radios"></a>16.13 Radios
In the **Radios** area, you can choose which apps can turn a device's radio on or off.
@ -918,7 +937,7 @@ To turn off **Choose apps that can control radios**:
- Turn off the feature in the UI for each app.
### <a href="" id="bkmk-priv-other-devices"></a>14.13 Other devices
### <a href="" id="bkmk-priv-other-devices"></a>16.14 Other devices
In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info.
@ -936,14 +955,14 @@ To turn off **Let your apps use your trusted devices (hardware you've already co
- Set the **Select a setting** box to **Force Deny**.
### <a href="" id="bkmk-priv-feedback"></a>14.14 Feedback & diagnostics
### <a href="" id="bkmk-priv-feedback"></a>16.15 Feedback & diagnostics
In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft.
To change how frequently **Windows should ask for my feedback**:
**Note**
Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device.
> [!NOTE]
> Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device.
@ -977,7 +996,8 @@ To change the level of diagnostic and usage data sent when you **Send your devic
- To change from **Enhanced**, use the drop-down list in the UI. The other levels are **Basic** and **Full**.
> **Note:** You can't use the UI to change the telemetry level to **Security**.
> [!NOTE]
> You can't use the UI to change the telemetry level to **Security**.
@ -1009,7 +1029,7 @@ To change the level of diagnostic and usage data sent when you **Send your devic
- **3**. Maps to the **Full** level.
### <a href="" id="bkmk-priv-background"></a>14.15 Background apps
### <a href="" id="bkmk-priv-background"></a>16.16 Background apps
In the **Background Apps** area, you can choose which apps can run in the background.
@ -1017,15 +1037,19 @@ To turn off **Let apps run in the background**:
- Turn off the feature in the UI for each app.
### <a href="" id="bkmk-spp"></a>15. Software Protection Platform
### <a href="" id="bkmk-spp"></a>17. Software Protection Platform
Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by applying the following Group Policy:
Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following:
**Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Software Protection Platform** &gt; **Turn off KMS Client Online AVS Activation**
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Software Protection Platform** &gt; **Turn off KMS Client Online AVS Activation**
-or-
- Apply the Licensing/DisallowKMSClientOnlineAVSValidation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is disabled (default) and 1 is enabled.
The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
### <a href="" id="bkmk-syncsettings"></a>16. Sync your settings
### <a href="" id="bkmk-syncsettings"></a>18. Sync your settings
You can control if your settings are synchronized:
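Review bot: The new Licensing/DisallowKMSClientOnlineAVSValidation bullet explains what 0 and 1 mean but never says which value opts out of sending KMS client activation data; state the value to apply (the "Disallow" name suggests 1, enabled) rather than leaving it to inference. The link also uses http:// and the bare Policy CSP page, while the Speech policy link added earlier in this commit uses https:// with a per-policy anchor; use the same form for both.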
@ -1051,13 +1075,13 @@ To turn off Messaging cloud sync:
- Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero).
### <a href="" id="bkmk-teredo"></a>17. Teredo
### <a href="" id="bkmk-teredo"></a>19. Teredo
You can disable Teredo by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx).
- From an elevated command prompt, run **netsh interface teredo set state disabled**
### <a href="" id="bkmk-wifisense"></a>18. Wi-Fi Sense
### <a href="" id="bkmk-wifisense"></a>20. Wi-Fi Sense
Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the persons contacts have shared with them.
@ -1083,7 +1107,7 @@ To turn off **Connect to suggested open hotspots** and **Connect to networks sha
When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but theyre non-functional and they cant be controlled by the employee.
### <a href="" id="bkmk-defender"></a>19. Windows Defender
### <a href="" id="bkmk-defender"></a>21. Windows Defender
You can disconnect from the Microsoft Antimalware Protection Service.
@ -1127,11 +1151,15 @@ You can stop downloading definition updates:
-and-
- Enable the Group Policy **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Defender** &gt; **Signature Updates** &gt; **Define file shares for downloading definition updates** and set it to nothing.
- Disable the Group Policy **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Defender** &gt; **Signature Updates** &gt; **Define file shares for downloading definition updates** and set it to nothing.
You can stop Enhanced Notifications:
- Turn off the feature in the UI.
You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1.
### <a href="" id="bkmk-wmp"></a>20. Windows Media Player
### <a href="" id="bkmk-wmp"></a>22. Windows Media Player
To remove Windows Media Player:
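Review bot: The changed bullet now says to **Disable** the "Define file shares for downloading definition updates" policy "and set it to nothing", but a disabled policy has no value to set; either keep "Enable ... and set it to nothing" or drop the trailing clause. In the added registry sentence, MRT is the Malicious Software Removal Tool, not the "Malicious Software Reporting Tool".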
@ -1141,9 +1169,15 @@ To remove Windows Media Player:
- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer**
### <a href="" id="bkmk-spotlight"></a>21. Windows spotlight
### <a href="" id="bkmk-spotlight"></a>23. Windows spotlight
Windows spotlight provides different background images and text on the lock screen. You can control it by using the user interface or through Group Policy.
Windows spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. You can control it by using the user interface or through Group Policy.
If you're running Windows 10, version 1607 or later, you only need to enable the following Group Policy:
- **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off all Windows spotlight features**
If you're not running Windows 10, version 1607 or later, you can use the other options in this section.
- Configure the following in **Settings**:
@ -1162,7 +1196,8 @@ Windows spotlight provides different background images and text on the lock scre
- Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box.
**Note** This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Control Panel** &gt; **Personalization** &gt; **Do not display the lock screen**.
> [!NOTE]
> This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Control Panel** &gt; **Personalization** &gt; **Do not display the lock screen**.
@ -1170,15 +1205,15 @@ Windows spotlight provides different background images and text on the lock scre
- **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Cloud Content** &gt; **Turn off Microsoft consumer experiences**.
For more info, see [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md).
For more info, see [Windows Spotlight on the lock screen](../manage/windows-spotlight.md).
### <a href="" id="bkmk-windowsstore"></a>22. Windows Store
### <a href="" id="bkmk-windowsstore"></a>24. Windows Store
You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled.
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Store** &gt; **Disable all apps from Windows Store**.
### <a href="" id="bkmk-updates"></a>23. Windows Update Delivery Optimization
### <a href="" id="bkmk-updates"></a>25. Windows Update Delivery Optimization
Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet.
@ -1186,38 +1221,40 @@ By default, PCs running Windows 10 Enterprise and Windows 10 Education will only
Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delivery Optimization.
### <a href="" id="bkmk-wudo-ui"></a>23.1 Settings &gt; Update & security
In Windows 10, version 1607, you can stop network traffic related to Windows Update Delivery Optimization by setting **Download Mode** to **Simple** (99) or **Bypass** (100), as described below.
### <a href="" id="bkmk-wudo-ui"></a>25.1 Settings &gt; Update & security
You can set up Delivery Optimization from the **Settings** UI.
- Go to **Settings** &gt; **Update & security** &gt; **Windows Update** &gt; **Advanced options** &gt; **Choose how updates are delivered**.
### <a href="" id="bkmk-wudo-gp"></a>23.2 Delivery Optimization Group Policies
### <a href="" id="bkmk-wudo-gp"></a>25.2 Delivery Optimization Group Policies
You can find the Delivery Optimization Group Policy objects under **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Delivery Optimization**.
| Policy | Description |
|---------------------------|-----------------------------------------------------------------------------------------------------|
| Download Mode | Lets you choose where Delivery Optimization gets or sends updates and apps, including <ul><li><p><strong>None</strong>. Turns off Delivery Optimization.</p></li><li><p><strong>Group</strong>. Gets or sends updates and apps to PCs on the same local network domain.</p></li><li><p><strong>Internet</strong>. Gets or sends updates and apps to PCs on the Internet.</p></li><li><p><strong>LAN</strong>. Gets or sends updates and apps to PCs on the same NAT only.</p></li></ul>|
| Group ID | Lets you provide a Group ID that limits which PCs can share apps and updates. <br /> ** Note** This ID must be a GUID.|
| Download Mode | Lets you choose where Delivery Optimization gets or sends updates and apps, including <ul><li><p><strong>None</strong>. Turns off Delivery Optimization.</p></li><li><p><strong>Group</strong>. Gets or sends updates and apps to PCs on the same local network domain.</p></li><li><p><strong>Internet</strong>. Gets or sends updates and apps to PCs on the Internet.</p></li><li><p><strong>LAN</strong>. Gets or sends updates and apps to PCs on the same NAT only.</p></li><li><p><strong>Simple</strong>. Simple download mode with no peering.</p></li><li><p><strong>Bypass</strong>. Use BITS instead of Windows Update Delivery Optimization.</p></li></ul>|
| Group ID | Lets you provide a Group ID that limits which PCs can share apps and updates. <br /> **Note:** This ID must be a GUID.|
| Max Cache Age | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache. <br /> The default value is 259200 seconds (3 days).|
| Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size. <br /> The default value is 20, which represents 20% of the disk.|
| Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity. <br /> The default value is 0, which means unlimited possible bandwidth.|
### <a href="" id="bkmk-wudo-mdm"></a>23.3 Delivery Optimization MDM policies
### <a href="" id="bkmk-wudo-mdm"></a>25.3 Delivery Optimization MDM policies
The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
| Policy | Description |
|---------------------------|-----------------------------------------------------------------------------------------------------|
| DeliveryOptimization/DODownloadMode | Lets you choose where Delivery Optimization gets or sends updates and apps, including <ul><li><p><strong>0</strong>. Turns off Delivery Optimization.</p></li><li><p><strong>1</strong>. Gets or sends updates and apps to PCs on the same NAT only.</p></li><li><p><strong>2</strong>. Gets or sends updates and apps to PCs on the same local network domain.</p></li><li><p><strong>3</strong>. Gets or sends updates and apps to PCs on the Internet.</p></li></ul>|
| DeliveryOptimization/DODownloadMode | Lets you choose where Delivery Optimization gets or sends updates and apps, including <ul><li><p><strong>0</strong>. Turns off Delivery Optimization.</p></li><li><p><strong>1</strong>. Gets or sends updates and apps to PCs on the same NAT only.</p></li><li><p><strong>2</strong>. Gets or sends updates and apps to PCs on the same local network domain.</p></li><li><p><strong>3</strong>. Gets or sends updates and apps to PCs on the Internet.</p></li><li><p><strong>99</strong>. Simple download mode with no peering.</p></li><li><p><strong>100</strong>. Use BITS instead of Windows Update Delivery Optimization.</p></li></ul>|
| DeliveryOptimization/DOGroupID | Lets you provide a Group ID that limits which PCs can share apps and updates. <br /> **Note** This ID must be a GUID.|
| DeliveryOptimization/DOMaxCacheAge | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache. <br /> The default value is 259200 seconds (3 days).|
| DeliveryOptimization/DOMaxCacheSize | Lets you specify the maximum cache size as a percentage of disk size. <br /> The default value is 20, which represents 20% of the disk.|
| DeliveryOptimization/DOMaxUploadBandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity. <br /> The default value is 0, which means unlimited possible bandwidth.|
### <a href="" id="bkmk-wudo-prov"></a>23.4 Delivery Optimization Windows Provisioning
### <a href="" id="bkmk-wudo-prov"></a>25.4 Delivery Optimization Windows Provisioning
If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies
@ -1233,7 +1270,7 @@ Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windo
For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730684).
### <a href="" id="bkmk-wu"></a>24. Windows Update
### <a href="" id="bkmk-wu"></a>26. Windows Update
You can turn off Windows Update by setting the following registry entries:
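Review bot: The new paragraph before 25.1 ties **Simple** (99) and **Bypass** (100) to Windows 10, version 1607, but the Download Mode and DODownloadMode rows add those entries with no version qualifier; add the version to the new list items in both tables so the tables can be read on their own. The Group ID row was also changed to "**Note:**" while the DOGroupID row still reads "**Note**", and the "configure the Delivery Optimization policies" sentence under 25.4 is missing its closing period.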
@ -1243,6 +1280,11 @@ You can turn off Windows Update by setting the following registry entries:
- Add a REG\_DWORD value called **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1.
-and-
- Add a REG\_DWORD value called **UseWUServer** to **HKEY\_LOCAL\_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** and set the value to 1.
You can turn off automatic updates by doing one of the following. This is not recommended.
- Add a REG\_DWORD value called **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5.
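Review bot: The added **UseWUServer** bullet writes the key with single backslashes (HKEY\_LOCAL\_MACHINE\Software\Policies\...\AU), while the DisableWindowsUpdateAccess and AutoDownload bullets in the same hunk escape every separator as "\\"; use one escaping style so the three paths render the same way. "This is not recommended." would also be more useful with a short reason, since the reader is being told to switch off automatic updates.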

View File

@ -8,6 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: devices
author: jdeckerMS
localizationpriority: medium
---
# Manage corporate devices
@ -48,7 +49,7 @@ Desktop devices running Windows 10 that are joined to an Active Directory domai
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Microsoft System Center Configuration Manager Technical Preview](http://go.microsoft.com/fwlink/p/?LinkId=613622)</p></td>
<td align="left"><p>[Microsoft System Center Configuration Manager 2016](http://go.microsoft.com/fwlink/p/?LinkId=613622)</p></td>
<td align="left"><p>Client deployment, upgrade, and management with new and existing features</p></td>
</tr>
<tr class="even">
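Review bot: In the first table row the link text changes from "Technical Preview" to "Microsoft System Center Configuration Manager 2016", but the target is still http://go.microsoft.com/fwlink/p/?LinkId=613622; confirm that this fwlink resolves to the released product page rather than the preview, and that "2016" is the name the product actually shipped under.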
@ -117,15 +118,14 @@ Microsoft Virtual Academy course: [System Center 2012 R2 Configuration Manager &
[Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)
[New policies for Windows 10](new-policies-for-windows-10.md)
- [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) 
- [New policies for Windows 10](new-policies-for-windows-10.md)
- [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
- [Changes to Group Policy settings for Start in Windows 10](changes-to-start-policies-in-windows-10.md)
- [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)
- [Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md)
[Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
[Changes to Group Policy settings for Start in Windows 10](changes-to-start-policies-in-windows-10.md)
[Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)
 
 

View File

@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: devices
author: jdeckerMS
localizationpriority: medium
---
# Manage Windows 10 and Windows Store tips, tricks, and suggestions
@ -16,7 +17,6 @@ author: jdeckerMS
- Windows 10
> <span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ]</span>
Since its inception, Windows 10 has included a number of user experience features that provide useful tips, tricks, and suggestions as you use Windows, as well as app suggestions from the Windows Store. These features are designed to help people get the most out of their Windows 10 experience by, for example, sharing new features, providing more details on the features they use, or sharing content available in the Windows Store. Examples of such user experiences include:

View File

@ -8,6 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: eross-msft
localizationpriority: high
---
# Manage Wi-Fi Sense in your company

View File

@ -7,6 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: medium
---
# New policies for Windows 10

View File

@ -8,6 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: jdeckerMS
localizationpriority: high
---
# Product IDs in Windows 10 Mobile

View File

@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: jdeckerMS
localizationpriority: high
---
# Reset a Windows 10 Mobile device

View File

@ -7,6 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# Set up a device for anyone to use (kiosk mode)
@ -33,8 +34,8 @@ Do you need a computer that can only do one thing? For example:
The following table identifies the type of application that can be used on each Windows 10 edition to create a kiosk device.
**Note**  
A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file.
> [!NOTE]  
> A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file.
 

View File

@ -7,6 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# Set up a kiosk on Windows 10 Pro, Enterprise, or Education
@ -18,7 +19,7 @@ author: jdeckerMS
> **Looking for Windows Embedded 8.1 Industry information?** See [Assigned Access]( http://go.microsoft.com/fwlink/p/?LinkId=613653)
A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the **assigned access** feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use **Shell Launcher** to set a custom user interface as the shell. To return the device to the regular shell, see [Sign out of assigned access](#sign-out-of-assigned-access).
A single-use or *kiosk* device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the **assigned access** feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use **Shell Launcher** to set a custom user interface as the shell. To return the device to the regular shell, see [Sign out of assigned access](#sign-out-of-assigned-access).
**Note**  
A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file.
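Review bot: The "**Note**" block under the changed intro paragraph is left in the old two-line form, while the identical note in "Set up a device for anyone to use (kiosk mode)" is converted to "> [!NOTE]" in this same commit; convert it here too so both topics render alike.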
@ -68,21 +69,20 @@ For a more secure kiosk experience, we recommend that you make the following con
Using assigned access, Windows 10 runs the designated Universal Windows app above the lockscreen, so that the assigned access account has no access to any other functionality on the device. You have these choices for setting up assigned access:
- [Use Settings on the PC](#set-up-assigned-access-in-pc-settings) - Windows 10 Pro, Enterprise, and Education
| Method | Account type | Windows 10 edition |
| --- | --- | --- |
| [Use Settings on the PC](#set-up-assigned-access-in-pc-settings) | Local standard | Pro, Enterprise, Education |
| [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) | All (domain, local standard, local administrator, etc) | Enterprise, Education |
| [Create a provisioning package using Windows Imaging and Configuration Designer (ICD)](#icd) | All (domain, local standard, local administrator, etc) | Enterprise, Education |
| [Run a PowerShell script](#set-up-assigned-access-using-windows-powershell) | Local standard | Pro, Enterprise, Education |
- [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) - Windows 10 Enterprise and Education
- [Create a provisioning package using Windows Imaging and Configuration Designer (ICD)](#icd) - Windows 10 Enterprise and Education
- [Run a PowerShell script](#set-up-assigned-access-using-windows-powershell) - Windows 10 Pro, Enterprise, and Education
### Requirements
- A domain or local user account.
The user account must have logged on at least once before you set up assigned access, or no apps will be available for that account. To set up assigned access using MDM, you need the user account (domain\\account).
- A Universal Windows app that is installed for that account and is an above lock screen app. For details on building an above lock screen app, see [Kiosk apps for assigned access: Best practices](http://go.microsoft.com/fwlink/p/?LinkId=708386).
- A domain or local user account.
- A Universal Windows app that is installed or provisioned for that account and is an above lock screen app. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). For details on building an above lock screen app, see [Kiosk apps for assigned access: Best practices](http://go.microsoft.com/fwlink/p/?LinkId=708386).
The app can be your own company app that you have made available in your own app Store. To set up assigned access using MDM or PowerShell, you also need the Application User Model ID (AUMID) for the app. [Learn how to get the AUMID](http://go.microsoft.com/fwlink/p/?LinkId=614867).
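Review bot: The new method table limits "Use Settings on the PC" and "Run a PowerShell script" to a Local standard account, but the Requirements bullet still says "A domain or local user account" with no qualification; either point that bullet at the table or repeat the restriction there, otherwise a reader following the Settings path with a domain account has no hint why it fails. "etc" in the Account type cells also needs a period.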
@ -101,7 +101,7 @@ Assigned access does not work on a device that is connected to more than one mon
3. Choose an account.
4. Choose an app. Only apps that can run above the lock screen will be displayed.
4. Choose an app. Only apps that can run above the lock screen will be displayed. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md).
5. Close **Settings** your choices are saved automatically, and will be applied the next time that user account logs on.
@ -117,17 +117,20 @@ Assigned Access has one setting, KioskModeApp. In the KioskModeApp setting, you
### <a href="" id="icd"></a>Set up assigned access using Windows Imaging and Configuration Designer (ICD)
Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device as a kiosk. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)
Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device as a kiosk. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
> **Important**
When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
**Create a provisioning package for a kiosk device**
1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
2. Choose **New provisioning package**.
2. Choose **Advanced provisioning**.
3. Name your project, and click **Next**.
4. Choose **Common to all Windows desktop editions** and click **Next**.
4. Choose **All Windows desktop editions** and click **Next**.
5. On **New project**, click **Finish**. The workspace for your package opens.
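Review bot: Step 1 gives the default ICD location as %windir%\\Program Files (x86)\\Windows Kits\\..., but Program Files (x86) sits at the root of the system drive, not under the Windows directory, so the path should start with %systemdrive%. The added "> **Important**" line is followed by an unquoted paragraph; prefix that second line with ">" and use the same callout form as the "> [!NOTE]" blocks introduced elsewhere in this commit.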
@ -178,7 +181,9 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi
### Set up assigned access using Windows PowerShell
You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results.
You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices.
To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator.
```
Set-AssignedAccess -AppUserModelId <AUMID> -UserName <username>
@ -196,8 +201,11 @@ Set-AssignedAccess -AppName <CustomApp> -UserName <username>
Set-AssignedAccess -AppName <CustomApp> -UserSID <usersid>
```
> **Note:** To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once.
[Learn how to get the AUMID](http://go.microsoft.com/fwlink/p/?LinkId=614867).
[Learn how to get the AppName](https://msdn.microsoft.com/library/windows/hardware/mt620046%28v=vs.85%29.aspx) (see **Parameters**).
[Learn how to get the SID](http://go.microsoft.com/fwlink/p/?LinkId=615517).
To remove assigned access, using PowerShell, run the following cmdlet.
@ -209,7 +217,7 @@ Clear-AssignedAccess
### Set up automatic logon
When your kiosk device restarts, whether from an update or power outage, you can log on the assigned access account manually or you can configure the device to log on to the assigned access account automatically.
When your kiosk device restarts, whether from an update or power outage, you can log on the assigned access account manually or you can configure the device to log on to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic logon.
Edit the registry to have an account automatically logged on.
@ -217,12 +225,11 @@ Edit the registry to have an account automatically logged on.
**Note**  
If you are not familiar with Registry Editor, [learn how to modify the Windows registry](http://go.microsoft.com/fwlink/p/?LinkId=615002).
 
 
2. Go to
****HKEY\_LOCAL\_MACHINE**\\**SOFTWARE**\\**Microsoft**\\**WindowsNT**\\**CurrentVersion**\\**Winlogon****
**HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon**
3. Set the values for the following keys.
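Review bot: In step 2 the rewritten path still reads `WindowsNT`, but the key is named `Windows NT` with a space, so a reader who types or pastes the path as written will not find Winlogon. The new line also mixes single and doubled backslashes (`\SOFTWARE\\Microsoft\WindowsNT`), which renders unevenly. Use one form throughout, or put the whole path in a code span with single backslashes.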
@ -232,10 +239,7 @@ Edit the registry to have an account automatically logged on.
- *DefaultPassword*: set value as the password for the account.
**Note**  
If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** &gt; **String Value**.
 
> **Note**  If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** &gt; **String Value**.
- *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key.
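Review bot: The *DefaultPassword* item has the admin store the account password as a plain string value under Winlogon, and the reformatted note beside it only covers how to create the value. Add a sentence stating that the password is kept unencrypted in the registry and is visible to anyone who can read that key, and recommend that the assigned access account be a dedicated standard account with no other use.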
@ -247,7 +251,7 @@ To sign out of an assigned access account, press **Ctrl + Alt + Del**, and then
If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key:
****HKEY\_LOCAL\_MACHINE**\\**SOFTWARE**\\**Microsoft**\\**Windows**\\**CurrentVersion**\\**Authentication**\\**LogonUI****
**HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI**
To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
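Review bot: The line under the rewritten LogonUI path, "enter the value data as milliseconds in hexadecimal", is easy to get wrong by a factor of 1000 or by entering decimal digits. Add a worked value, for example the 30 second default as 30000 ms, which is 7530 in hexadecimal.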

View File

@ -8,6 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: jdeckerMS
localizationpriority: high
---
# Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise
@ -73,6 +74,9 @@ In AssignedAccessXml, for Application, you enter the product ID for the app to r
### Set up assigned access using Windows Imaging and Configuration Designer (ICD)
> **Important**
When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
**To create and apply a provisioning package for a kiosk device**
1. Create an *AssignedAccess*.xml file that specifies the app the device will run. (You can name use any file name.) For instructions on AssignedAccessXml, see [EnterpriseAssignedAccess CSP](http://go.microsoft.com/fwlink/p/?LinkID=618601).
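Review bot: Step 1 directly under the new callout still reads "You can name use any file name"; fix it to "You can use any file name" while this section is being touched. The callout is written as `> **Important**`, whereas the shared PC topic added in this same commit uses `> [!IMPORTANT]`; pick one form for both files.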
@ -82,13 +86,14 @@ In AssignedAccessXml, for Application, you enter the product ID for the app to r
 
2. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
2. Open Windows ICD (by default, `%windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe`).
3. Choose **Advanced provisioning**.
3. Choose **New provisioning package**.
4. Name your project, and click **Next**.
5. Choose **Common to all Windows mobile editions** and click **Next**.
5. Choose **All Windows mobile editions** and click **Next**.
6. On **New project**, click **Finish**. The workspace for your package opens.
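Review bot: Wrapping the ICD path in backticks keeps the doubled backslashes, which were Markdown escapes and will now render literally as `\\` inside the code span; use single backslashes there. The path also starts at `%windir%`, but `Program Files (x86)` is not under the Windows directory, so the variable should be `%systemdrive%` or the path will not resolve when pasted.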

View File

@ -0,0 +1,301 @@
---
title: Set up a shared or guest PC with Windows 10 (Windows 10)
description: Windows 10, version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios.
keywords: ["shared pc mode"]
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# Set up a shared or guest PC with Windows 10
**Applies to**
- Windows 10
Windows 10, version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Pro Education, Education, and Enterprise.
> [!NOTE]
> If you're interested in using Windows 10 for shared PCs in a school, see [Use Set up School PCs app](https://technet.microsoft.com/edu/windows/use-set-up-school-pcs-app) which provides a simple way to configure PCs with shared PC mode plus additional settings specific for education.
##Shared PC mode concepts
A Windows 10 PC in shared PC mode is designed to be management- and maintenance-free with high reliability. In shared PC mode, only one user can be signed in at a time. When the PC is locked, the currently signed in user can always be signed out at the lock screen. Users who sign-in are signed in as standard users, not admin users.
###Account models
It is intended that shared PCs are joined to an Active Directory or Azure Active Directory domain by a user with the necessary rights to perform a domain join as part of a setup process. This enables any user that is part of the directory to sign-in to the PC as a standard user. The user who originally joined the PC to the domain will have administrative rights when they sign in. If using Azure Active Directory Premium, any domain user can also be configured to sign in with administrative rights. Additionally, shared PC mode can be configured to enable a **Start without an account** option on the sign-in screen, which doesn't require any user credentials or authentication and creates a new local account.
###Account management
When the account management service is turned on in shared PC mode, accounts are automatically deleted. Account deletion applies to Active Directory, Azure Active Directory, and local accounts that are created by the **Start without an account** option. Account management is performed both at sign-off time (to make sure there is enough disk space for the next user) as well as during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out or when disk space is low.
###Maintenance and sleep
Shared PC mode is configured to take advantage of maintenance time periods which run while the PC is not in use. Therefore, sleep is strongly recommended so that the PC can wake up when it is not is use to perform maintenance, clean up accounts, and run Windows Update. The recommended settings can be set by choosing **SetPowerPolicies** in the list of shared PC options. Additionally, on devices without Advanced Configuration and Power Interface (ACPI) wake alarms, shared PC mode will always override real-time clock (RTC) wake alarms to be allowed to wake the PC from sleep (by default, RTC wake alarms are off). This ensures that the widest variety of hardware will take advantage of maintenance periods.
While shared PC mode does not configure Windows Update itself, it is strongly recommended to configure Windows Update to automatically install updates and reboot (if necessary) during maintenance hours. This will help ensure the PC is always up to date and not interrupting users with updates. Use one of the following methods to configure Windows Update:
- Group Policy: Set **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates** to `4` and check **Install during automatic maintenance**.
- MDM: Set **Update/AllowAutoUpdate** to `4`.
- Provisioning: In Windows Imaging and Configuration Designer (ICD), set **Policies/Update/AllowAutoUpdate** to `4`.
[Learn more about the AllowAutoUpdate settings](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_AllowAutoUpdate)
###App behavior
Apps can take advantage of shared PC mode by changing their app behavior to align with temporary use scenarios. For example, an app might only download content on demand on a device in shared PC mode, or might skip first run experiences. For information on how an app can query for shared PC mode, see [SharedModeSettings class](https://msdn.microsoft.com/en-us/library/windows/apps/windows.system.profile.sharedmodesettings.aspx).
###Customization
Shared PC mode exposes a set of customizations to tailor the behavior to your requirements. These customizations are the options that you'll set either using MDM or a provisioning package as explained in [Configuring shared PC mode on Windows](#configuring-shared-pc-mode-on-windows). The options are listed in the following table.
| Setting | Value |
|:---|:---|
| EnableSharedPCMode | Set as **True**. If this is not set to **True**, shared PC mode is not turned on and none of the other settings apply. Some of the remaining settings in **SharedPC** are optional, but we strongly recommend that you also set `EnableAccountManager` to **True**. |
| AccountManagement: AccountModel | This option controls how users can sign-in on the PC. Choosing domain-joined will enable any user in the domain to sign-in. Specifying the guest option will add the **Start without an account** option to the sign-in screen and enable anonymous guest access to the PC. <br/> - **Only guest** allows anyone to use the PC as a local standard (non-admin) account.<br/> - **Domain-joined only** allows users to sign in with an Active Directory or Azure AD account.<br/>- **Domain-joined and guest** allows users to sign in with an Active Directory, Azure AD, or local standard account. |
| AccountManagement: DeletionPolicy | - **Delete immediately** will delete the account on sign-out. <br/>- **Delete at disk space threshold** will start deleting accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed. <br/><br/>Example: The caching number is 50 and the deletion number is 25. Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) at a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless if the PC is actively in use or not. |
| AccountManagement: DiskLevelCaching | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching. |
| AccountManagement: DiskLevelDeletion | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion. |
| AccountManagement: EnableAccountManager | Set as **True** to enable automatic account management. If this is not set to true, no automatic account management will be done. |
| Customization: MaintenanceStartTime | By default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For example, if you want maintenance to begin at 2 AM, enter `120` as the value. |
| Customization: SetEduPolicies | Set to **True** for PCs that will be used in a school. When **SetEduPolicies** is **True**, the following additional settings are applied:<br/>- Local storage locations are restricted. Users can only save files to the cloud. <br/>- Custom Start and taskbar layouts are set.\* <br/>- A custom sign-in screen background image is set.\* <br/>- Additional educational policies are applied (see full list below).<br/><br/>\*Only applies to Windows 10 Pro Education, Enterprise, and Education |
| Customization: SetPowerPolicies | When set as **True**:<br/>- Prevents users from changing power settings<br/>- Turns off hibernate<br/>- Overrides all power state transitions to sleep (e.g. lid close) |
| Customization: SignInOnResume | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. |
| Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. |
##Configuring shared PC mode on Windows
You can configure Windows to be in shared PC mode in a couple different ways:
- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx). Your MDM policy can contain any of the options listed in the [Customization](#customization) section. The following image shows a Microsoft Intune policy with the shared PC options added as OMA-URI settings. [Learn more about Windows 10 policy settings in Microsoft Intune.](https://docs.microsoft.com/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune)
![custom OMA-URI policy in Intune](images/oma-uri-shared-pc.png)
- A provisioning package created with the Windows Imaging and Configuration Designer (ICD): You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Imaging and Configuration Designer (ICD). Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx), exposed in ICD as SharedPC.
![Shared PC settings in ICD](images/icd-adv-shared-pc.png)
### Create a provisioning package for shared use
Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device for shared PC mode. [Install the ADK and select **Configuration Designer**.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
2. On the **Start page**, select **Advanced provisioning**.
3. Enter a name and (optionally) a description for the project, and click **Next**.
4. Select **All Windows desktop editions**, and click **Next**.
5. Click **Finish**. Your project opens in Windows ICD.
6. Go to **Runtime settings** > **SharedPC**. [Select the desired settings for shared PC mode.](#customization)
7. On the **File** menu, select **Save.**
8. On the **Export** menu, select **Provisioning package**.
9. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
10. Set a value for **Package Version**.
> [!TIP]
> You can make changes to existing packages and change the version number to update previously applied packages.
 
11. (*Optional*) In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
> [!IMPORTANT]  
> We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.
 
12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.
Optionally, you can click **Browse** to change the default output location.
13. Click **Next**.
14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods:
- Shared network folder
- SharePoint site
- Removable media (USB/SD) (select this option to apply to a PC during initial setup)
### Apply the provisioning package
You can apply the provisioning package to a PC during initial setup or to a PC that has already been set up.
**During initial setup**
1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
![The first screen to set up a new PC](images/oobe.jpg)
2. Insert the USB drive and press the Windows key five times. Windows Setup will recognize the drive and ask if you want to set up the device. If there is only one provisioning package on the USB drive, you don't need to press the Windows key five times, Windows will automatically ask you if you want to set up the device. Select **Set up**.
![Set up device?](images/setupmsg.jpg)
3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
![Provision this device](images/prov.jpg)
4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
![Choose a package](images/choose-package.png)
5. Select **Yes, add it**.
![Do you trust this package?](images/trust-package.png)
6. Read and accept the Microsoft Software License Terms.
![Sign in](images/license-terms.png)
7. Select **Use Express settings**.
![Get going fast](images/express-settings.png)
8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**.
![Who owns this PC?](images/who-owns-pc.png)
9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**.
![Connect to Azure AD](images/connect-aad.png)
10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive.
![Sign in](images/sign-in-prov.png)
**After setup**
On a desktop computer, navigate to **Settings** &gt; **Accounts** &gt; **Work access** &gt; **Add or remove a management package** &gt; **Add a package**, and selects the package to install.
![add a package option](images/package.png)
> [!NOTE]
> If you apply the setup file to a computer that has already been set up, existing accounts and data might be lost.
## Guidance for accounts on shared PCs
* We recommend no local admin accounts on the PC to improve the reliability and security of the PC.
* When a PC is set up in shared PC mode, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account managment happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Start without an account** will also be deleted automatically at sign out.
* On a Windows PC joined to Azure Active Directory:
* By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC.
* With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal.
* Local accounts that already exist on a PC wont be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new local accounts created by the **Start without an account** selection on the sign-in screen (if enabled) will automatically be deleted at sign-out.
* If admin accounts are necessary on the PC
* Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or
* Create admin accounts before setting up shared PC mode, or
* Create exempt accounts before signing out when turning shared pc mode on.
* The account management service supports accounts that are exempt from deletion.
* An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key.
* To add the account SID to the registry key using PowerShell:<br/>
```
$adminName = "LocalAdmin"
$adminPass = 'Pa$$word123'
iex "net user /add $adminName $adminPass"
$user = New-Object System.Security.Principal.NTAccount($adminName)
$sid = $user.Translate([System.Security.Principal.SecurityIdentifier])
$sid = $sid.Value;
New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force
```
## Policies set by shared PC mode
Shared PC mode sets local group policies to configure the device. Some of these are configurable using the shared pc mode options.
> [!IMPORTANT]
> It is not recommended to set additional policies on PCs configured for **Shared PC Mode**. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required.
<table border="1">
<tr><th><p>Policy name</p></th><th><p>Value</p></th><th><p>When set?</p></th></tr> </thead>
<tbody>
<tr><td colspan="3"><p><strong>Admin Templates</strong> > <strong>Control Panel</strong> > <strong>Personalization</strong></p></td></tr>
<tr><td><p>Prevent enabling lock screen slide show</p></td><td><p>Enabled</p></td><td><p>Always</p></td></tr>
<tr><td><p>Prevent changing lock screen and logon image</p></td><td><p>Enabled</p></td><td><p>Always</p></td></tr>
<tr><td colspan="3"><p><strong>Admin Templates</strong> > <strong>System</strong> > <strong>Power Management</strong> > <strong>Button Settings</strong></p></td></tr>
<tr><td><p>Select the Power button action (plugged in)</p></td><td><p>Sleep</p></td><td><p>SetPowerPolicies=True</p></td></tr>
<tr><td><p>Select the Power button action (on battery)</p></td><td><p>Sleep</p></td><td><p>SetPowerPolicies=True</p></td></tr>
<tr><td><p>Select the Sleep button action (plugged in)</p></td><td><p>Sleep</p></td><td><p>SetPowerPolicies=True</p></td></tr>
<tr><td><p>Select the lid switch action (plugged in)</p></td><td><p>Sleep</p></td><td><p>SetPowerPolicies=True</p></td></tr>
<tr><td><p>Select the lid switch action (on battery)</p></td><td><p>Sleep</p></td><td><p>SetPowerPolicies=True</p></td></tr>
<tr><td colspan="3"><p><strong>Admin Templates</strong> > <strong>System</strong> > <strong>Power Management</strong> > <strong>Sleep Settings</strong></p></td></tr>
<tr><td><p>Require a password when a computer wakes (plugged in)</p></td><td><p>Enabled</p></td><td><p>SignInOnResume=True</p></td></tr>
<tr><td><p>Require a password when a computer wakes (on battery)</p></td><td><p>Enabled</p></td><td><p>SignInOnResume=True</p></td></tr>
<tr><td><p>Specify the system sleep timeout (plugged in)</p></td><td><p>*SleepTimeout*</p></td><td><p>SetPowerPolicies=True</p></td></tr>
<tr><td><p>Specify the system sleep timeout (on battery)</p></td><td><p>*SleepTimeout*</p></td><td><p>SetPowerPolicies=True</p></td></tr>
<tr> <td> <p>Turn off hybrid sleep (plugged in)</p></td> <td> <p>Enabled</p></td><td><p>SetPowerPolicies=True</p></td></tr>
<tr> <td> <p>Turn off hybrid sleep (on battery)</p></td> <td> <p>Enabled</p></td><td><p>SetPowerPolicies=True</p></td></tr>
<tr> <td> <p>Specify the unattended sleep timeout (plugged in)</p></td> <td> <p>*SleepTimeout*</p> </td><td><p>SetPowerPolicies=True</p></td></tr>
<tr> <td> <p>Specify the unattended sleep timeout (on battery)</p></td> <td> <p>*SleepTimeout*</p> </td><td><p>SetPowerPolicies=True</p></td></tr>
<tr> <td> <p>Allow standby states (S1-S3) when sleeping (plugged in)</p></td> <td> <p>Enabled</p></td><td><p>SetPowerPolicies=True</p></td></tr>
<tr> <td> <p>Allow standby states (S1-S3) when sleeping (on battery)</p></td> <td> <p>Enabled</p></td> <td><p>SetPowerPolicies=True</p></td></tr>
<tr> <td> <p>Specify the system hibernate timeout (plugged in)</p></td> <td> <p>Enabled, 0</p></td><td><p>SetPowerPolicies=True</p></td></tr>
<tr> <td> <p>Specify the system hibernate timeout (on battery)</p></td> <td> <p>Enabled, 0</p></td><td><p>SetPowerPolicies=True</p></td></tr>
<tr> <td colspan="3"> <p><strong>Admin Templates</strong>><strong>System</strong>><strong>Power Management</strong>><strong>Video and Display Settings</strong></p></td></tr>
<tr> <td> <p>Turn off the display (plugged in)</p></td> <td> <p>*SleepTimeout*</p> </td></td><td><p>SetPowerPolicies=True</p></td></tr>
<tr> <td> <p>Turn off the display (on battery</p></td> <td> <p>*SleepTimeout*</p> </td></td><td><p>SetPowerPolicies=True</p></td></tr>
<tr> <td colspan="3"> <p><strong>Admin Templates</strong>><strong>System</strong>><strong>Logon</strong></p></td></tr>
<tr> <td> <p>Show first sign-in animation</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr>
<tr> <td> <p>Hide entry points for Fast User Switching</p></td> <td> <p>Enabled</p></td><td><p>Always</p></td></tr>
<tr> <td> <p>Turn on convenience PIN sign-in</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr>
<tr> <td> <p>Turn off picture password sign-in</p></td> <td> <p>Enabled</p></td><td><p>Always</p></td></tr>
<tr> <td> <p>Turn off app notification on the lock screen</p></td> <td> <p>Enabled</p></td><td><p>Always</p></td></tr>
<tr> <td> <p>Allow users to select when a password is required when resuming from connected standby</p></td> <td> <p>Disabled</p></td><td><p>SignInOnResume=True</p></td>
</tr>
<tr> <td> <p>Block user from showing account details on sign-in</p></td> <td> <p>Enabled</p></td><td><p>Always</p></td></tr>
<tr> <td colspan="3"> <p><strong>Admin Templates</strong>><strong>System</strong>><strong>User Profiles</strong></p></td></tr>
<tr> <td> <p>Turn off the advertising ID</p></td> <td> <p>Enabled</p></td><td><p>SetEduPolicies=True</p></td></tr>
<tr> <td colspan="3"> <p><strong>Admin Templates</strong>><strong>Windows Components </strong></p></td></tr>
<tr> <td> <p>Do not show Windows Tips </p>*Only on Pro, Enterprise, Pro Education, and Education* </td> <td> <p>Enabled</p></td><td><p>SetEduPolicies=True</p></td></tr>
<tr> <td> <p>Turn off Microsoft consumer experiences </p>*Only on Pro, Enterprise, Pro Education, and Education* </td> <td> <p>Enabled</p></td><td><p>SetEduPolicies=True</p></td></tr>
<tr> <td> <p>Microsoft Passport for Work</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr>
<tr> <td> <p>Prevent the usage of OneDrive for file storage</p></td> <td> <p>Enabled</p></td><td><p>Always</p></td></tr>
<tr> <td colspan="3"> <p><strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>Biometrics</strong></p></td></tr>
<tr> <td> <p>Allow the use of biometrics</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr>
<tr> <td> <p>Allow users to log on using biometrics</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr>
<tr> <td> <p>Allow domain users to log on using biometrics</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr>
<tr> <td colspan="3"> <p><strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>Data Collection and Preview Builds</strong></p></td></tr>
<tr> <td> <p>Toggle user control over Insider builds</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr>
<tr> <td> <p>Disable pre-release features or settings</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr>
<tr> <td> <p>Do not show feedback notifications</p></td> <td> <p>Enabled</p></td><td><p>Always</p></td></tr>
<tr> <td colspan="3"> <p><strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>File Explorer</strong></p></td></tr>
<tr> <td> <p>Show lock in the user tile menu</p></td> <td> <p>Disabled</p></td><td><p>Always</p></td></tr>
<tr> <td colspan="3"> <p><strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>Maintenance Scheduler</strong></p></td></tr>
<tr> <td> <p>Automatic Maintenance Activation Boundary</p></td> <td> <p>*MaintenanceStartTime*</p></td><td><p>Always</p></td></tr>
<tr> <td> <p>Automatic Maintenance Random Delay</p></td> <td> <p>Enabled, 2 hours</p></td><td><p>Always</p></td></tr>
<tr> <td> <p>Automatic Maintenance WakeUp Policy</p></td> <td> <p>Enabled</p></td><td><p>Always</p></td></tr>
<tr> <td colspan="3"> <p><strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>Microsoft Edge</strong></p></td></tr>
<tr> <td> <p>Open a new tab with an empty tab</p></td> <td> <p>Disabled</p></td><td><p>SetEduPolicies=True</p></td></tr>
<tr> <td> <p>Configure corporate home pages</p></td> <td> <p>Enabled, about:blank</p></td><td><p>SetEduPolicies=True</p></td></tr>
<tr> <td colspan="3"> <p><strong>Admin Templates</strong>><strong>Windows Components</strong>><strong>Search</strong></p></td></tr>
<tr> <td> <p>Allow Cortana</p> </td> <td> <p>Disabled</p> </td><td><p>SetEduPolicies=True</p></td></tr>
<tr> <td colspan="3"> <p><strong>Windows Settings</strong>><strong>Security Settings</strong>><strong>Local Policies</strong>><strong>Security Options</strong></p></td>
</tr>
<tr> <td> <p>Interactive logon: Do not display last user name</p> </td> <td> <p>Enabled, Disabled when account model is only guest</p> </td><td><p>Always</p></td></tr>
<tr> <td> <p>Interactive logon: Sign-in last interactive user automatically after a system-initiated restart</p> </td> <td> <p>Disabled</p> </td> <td><p>Always</p></td>
</tr>
<tr> <td> <p>Shutdown: Allow system to be shut down without having to log on</p> </td> <td> <p>Disabled</p> </td><td><p>Always</p></td></tr>
<tr> <td> <p>User Account Control: Behavior of the elevation prompt for standard users</p> </td> <td> <p>Auto deny</p> </td><td><p>Always</p></td></tr>
</tbody>
</table> </br></br>
## Related topics
[Set up a device for anyone to use (kiosk)](set-up-a-device-for-anyone-to-use.md)
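Review bot: In "Guidance for accounts on shared PCs" the exemption key is written `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\...`, which is misspelled and disagrees with the `HKLM:\Software\...` path in the PowerShell sample right below it; fix it to `SOFTWARE`. The sample itself embeds a literal password (`$adminPass = 'Pa$$word123'`) and runs `net user /add` through `iex` on an interpolated string, so the password ends up in the script and on the command line and any special character in the name or password is re-parsed. Prompt for the password and call the command directly instead. The variable is named `$adminName`, but nothing in the sample adds the account to the Administrators group, so either add that step or rename it. Smaller items: the ICD path in step 1 of "Create a provisioning package for shared use" repeats the `%windir%\\Program Files (x86)` form, the policy table has a closing `</thead>` with no opening tag and a doubled `</td>` in the two "Turn off the display" rows, "(on battery" is missing its closing parenthesis, and "managment", "wont" and "when it is not is use" need correcting.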
 
 

View File

@ -8,6 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: jdeckerMS
localizationpriority: high
---
# Settings and quick actions that can be locked down in Windows 10 Mobile
@ -48,7 +49,7 @@ The following table lists the settings pages and page groups. Use the page name
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Notifications and actions</td>
<td align="left">Notifications & actions</td>
<td align="left">SettingsPageAppsNotifications</td>
</tr>
<tr class="even">
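Review bot: `<td align="left">Notifications & actions</td>` puts a bare `&` inside raw HTML; write it as `&amp;` so the cell is valid markup and does not depend on the renderer guessing. The same applies to the `Cellular & SIM` and `Email & app accounts` cells changed later in this file.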
@ -58,24 +59,24 @@ The following table lists the settings pages and page groups. Use the page name
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Message</td>
<td align="left">Messaging</td>
<td align="left">SettingsPageMessaging</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Battery saver</td>
<td align="left">Battery</td>
<td align="left">SettingsPageBatterySaver</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Apps for websites</td>
<td align="left">SettingsPageAppsForWebsites</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Storage</td>
<td align="left">SettingsPageStorageSenseStorageOverview</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Device encryption</td>
<td align="left">SettingsPageGroupPCSystemDeviceEncryption</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Driving mode</td>
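Review bot: the added "Apps for websites" row is `<tr class="odd">` and is followed directly by the existing `<tr class="odd">` Storage row and then another `odd` row for Driving mode, so the odd/even striping breaks from this point. Re-number the row classes after inserting and removing rows, here and in the later hunks of this table that add several consecutive `even` rows.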
@ -128,7 +129,7 @@ The following table lists the settings pages and page groups. Use the page name
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Cellular and sim</td>
<td align="left">Cellular & SIM</td>
<td align="left">SettingsPageNetworkCellular</td>
</tr>
<tr class="even">
@ -149,7 +150,7 @@ The following table lists the settings pages and page groups. Use the page name
<tr class="odd">
<td align="left"></td>
<td align="left">Mobile hotspot</td>
<td align="left">SettingsPageInternetSharing</td>
<td align="left">SettingsPageNetworkMobileHotspot</td>
</tr>
<tr class="even">
<td align="left"></td>
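Review bot: the Mobile hotspot page name changes here from `SettingsPageInternetSharing` to `SettingsPageNetworkMobileHotspot`, but the quick-action dependency table later in this same file still maps `SystemSettings_QuickAction_InternetSharing` to `SettingsPageNetworkInternetSharing`. That leaves three different names for one page; since admins copy these strings into lockdown XML, make the two tables agree or say which name applies where.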
@ -181,10 +182,15 @@ The following table lists the settings pages and page groups. Use the page name
<td align="left">Lock screen</td>
<td align="left">SettingsPageLockscreen</td>
</tr>
<tr class="even">
<tr class="odd">
<td align="left"></td>
<td align="left">Theme</td>
<td align="left">SettingsPageStartTheme</td>
<td align="left">Glance screen</td>
<td align="left">SettingsPageGlance</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Navigation bar</td>
<td align="left">SettingsNagivationBar</td>
</tr>
<tr class="odd">
<td align="left">Accounts</td>
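Review bot: the page name `SettingsNagivationBar` in the new Navigation bar row is spelled "Nagivation" and lacks the `SettingsPage` prefix that every other entry in this column uses. If that is the literal string the device expects, say so in the row so nobody "fixes" it later; if not, correct it before admins copy it into lockdown XML.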
@ -193,7 +199,7 @@ The following table lists the settings pages and page groups. Use the page name
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Your account</td>
<td align="left">Your info</td>
<td align="left">SettingsPageAccountsPicture</td>
</tr>
<tr class="odd">
@ -203,39 +209,33 @@ The following table lists the settings pages and page groups. Use the page name
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Work access</td>
<td align="left">SettingsPageAccountsWorkplace</td>
<td align="left">Email & app accounts</td>
<td align="left">SettingsPageAccountsEmailApp</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Access work or school</td>
<td align="left">SettingsPageWorkAccess</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Sync your settings</td>
<td align="left">SettingsPageAccountsSync</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left"><p>Kid's corner</p>
<p>(disabled in Assigned Access)</p></td>
<td align="left">SettingsPageKidsCorner</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left"><p>Apps corner</p>
<p>(disabled in Assigned Access)</p></td>
<td align="left">SettingsPageAppsCorner</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Provisioning</td>
<td align="left">SettingsPageProvisioningPage</td>
</tr>
<tr class="odd">
<td align="left">Time and language</td>
<td align="left">Time & language</td>
<td align="left"></td>
<td align="left">SettingsPageGroupTimeRegion</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Date and time</td>
<td align="left">Date & time</td>
<td align="left">SettingsPageTimeRegionDateTime</td>
</tr>
<tr class="odd">
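Review bot: `SettingsPageAccountsWorkplace` ("Work access") is replaced in this hunk by `SettingsPageAccountsEmailApp` and `SettingsPageWorkAccess` with no indication of which Windows 10 Mobile release the new names apply to. Lockdown XML written against the earlier table will still reference the old name, so add a note stating the version boundary and whether the old name is still honored.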
@ -275,7 +275,7 @@ The following table lists the settings pages and page groups. Use the page name
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">High contracts</td>
<td align="left">High contrast</td>
<td align="left">SettingsPageEaseoOfAccessHighContrast</td>
</tr>
<tr class="odd">
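Review bot: the label typo is fixed ("High contracts" to "High contrast"), but the page name on the next line, `SettingsPageEaseoOfAccessHighContrast`, contains "Easeo" and is left untouched. Check it against the other Ease of Access page names in this table and correct it if it is a transcription error.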
@ -315,7 +315,12 @@ The following table lists the settings pages and page groups. Use the page name
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Speech inking and typing</td>
<td align="left">Notifications</td>
<td align="left">SettingsPagePrivacyNotifications</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Speech. inking, & typing</td>
<td align="left">SettingsPagePrivacyPersonalization</td>
</tr>
<tr class="odd">
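Review bot: the new label `Speech. inking, & typing` has a period after "Speech" where a comma is intended; it should read "Speech, inking, &amp; typing".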
@ -335,6 +340,20 @@ The following table lists the settings pages and page groups. Use the page name
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Phone calls</td>
<td align="left">SettingsPagePrivacyPhoneCall</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Call history</td>
<td align="left">SettingsPagePrivacyCallHistory</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Email</td>
<td align="left">SettingsPagePrivacyEmail</td>
</tr><tr class="even">
<td align="left"></td>
<td align="left">Messaging</td>
<td align="left">SettingsPagePrivacyMessaging</td>
</tr>
@ -345,13 +364,18 @@ The following table lists the settings pages and page groups. Use the page name
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Continue App Experiences</td>
<td align="left">SettingsPagePrivacyCDP</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Background apps</td>
<td align="left">SettingsPagePrivacyBackgroundApps</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Accessory app0s</td>
<td align="left">SettingsPagePrivacyAccessories</td>
<td align="left">Accessory apps</td>
<td align="left">SettingsPageAccessories</td>
</tr>
<tr class="even">
<td align="left"></td>
@ -378,6 +402,16 @@ The following table lists the settings pages and page groups. Use the page name
<td align="left">Phone update</td>
<td align="left">SettingsPageRestoreMusUpdate</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Windows Insider Program</td>
<td align="left">SettingsPageFlights</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Device encryption</td>
<td align="left">SettingsPageGroupPCSystemDeviceEncryption</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Backup</td>
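Review bot: the Device encryption row is re-added here with the page name `SettingsPageGroupPCSystemDeviceEncryption`, which reads as a group name (`SettingsPageGroup...`) although it sits in the page column. Confirm the string is still correct after moving the row to this part of the table, since this is the entry admins use to hide the device encryption page.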
@ -391,7 +425,7 @@ The following table lists the settings pages and page groups. Use the page name
<tr class="odd">
<td align="left"></td>
<td align="left">For developers</td>
<td align="left">SettingsSystemDeveloperOptions</td>
<td align="left">SettingsPageSystemDeveloperOptions</td>
</tr>
<tr class="even">
<td align="left">OEM</td>
@ -426,19 +460,16 @@ You can specify the quick actions as follows:
<System name="SystemSettings_Privacy_LocationEnabledUserPhone"/>
<System name="SystemSettings_Network_VPN_QuickAction"/>
<System name="SystemSettings_Flashlight_Toggle"/>
<System name="SystemSettings_QuickAction_Bluetooth"/>
<System name="SystemSettings_Device_BluetoothQuickAction"/>
<System name="SystemSettings_BatterySaver_LandingPage_OverrideControl" />
<System name="SystemSettings_QuickAction_QuietHours" />
<System name="SystemSettings_QuickAction_Camera" />
<System name="SystemSettings_Launcher_QuickNote" />
<System name="QuickActions_Launcher_AllSettings" />
<System name="QuickActions_Launcher_DeviceDiscovery" />
</Settings>
```
The following quick actions buttons are not conditional and will always be displayed:
- QuickActions\_Launcher\_AllSettings
- SystemSettings\_Launcher\_QuickNote
- QuickActions\_Launcher\_DeviceDiscovery
Some quick actions are dependent on related settings pages/page groups. When a dependent page/group is not available, then the corresponding quick action will also be hidden.
**Note**  
@ -448,24 +479,24 @@ Dependent settings group/pages will be automatically enabled when a quick action
The following table lists the dependencies between quick actions and Settings groups/pages.
| Quick action | Settings group | Settings page |
|------------------------------------------------------------|--------------------------------------------------|------------------------------------|
| SystemSettings\_System\_Display\_QuickAction\_Brightness | SettingsPageSystemDisplay | SettingsPageDisplay |
| SystemSettings\_System\_Display\_Internal\_Rotation | SettingsPageSystemDisplay | SettingsPageDisplay |
| SystemSettings\_QuickAction\_WiFi | SettingsPageNetworkWiFi | SettingsPageNetworkWiFi |
| SystemSettings\_QuickAction\_InternetSharing | SettingsPageNetworkInternetSharing | SettingsPageNetworkInternetSharing |
| SystemSettings\_QuickAction\_CellularData | SettingsGroupCellular | SettingsPageNetworkCellular |
| SystemSettings\_QuickAction\_AirplaneMode | SettingsPageNetworkAirplaneMode | SettingsPageNetworkAirplaneMode |
| SystemSettings\_Privacy\_LocationEnabledUserPhone | SettingsGroupPrivacyLocationGlobals | SettingsPagePrivacyLocation |
| SystemSettings\_Network\_VPN\_QuickAction | SettingsPageNetworkVPN | SettingsPageNetworkVPN |
| SystemSettings\_Launcher\_QuickNote | N/A | N/A |
| SystemSettings\_Flashlight\_Toggle | N/A | N/A |
| SystemSettings\_QuickAction\_Bluetooth | SettingsPagePCSystemBluetooth | SettingsPagePCSystemBluetooth |
| SystemSettings\_BatterySaver\_LandingPage\_OverrideControl | BatterySaver\_LandingPage\_SettingsConfiguration | SettingsPageBatterySaver |
| QuickActions\_Launcher\_DeviceDiscovery | N/A | N/A |
| QuickActions\_Launcher\_AllSettings | N/A | N/A |
| SystemSettings\_QuickAction\_QuietHours | N/A | N/A |
| SystemSettings\_QuickAction\_Camera | N/A | N/A |
| Quick action | Settings group | Settings page |
|-----|-------|-------|
| SystemSettings\_System\_Display\_QuickAction\_Brightness | SettingsPageSystemDisplay| SettingsPageDisplay |
| SystemSettings\_System\_Display\_Internal\_Rotation | SettingsPageSystemDisplay | SettingsPageDisplay |
| SystemSettings\_QuickAction\_WiFi | SettingsPageNetworkWiFi | SettingsPageNetworkWiFi |
| SystemSettings\_QuickAction\_InternetSharing | SettingsPageNetworkInternetSharing | SettingsPageNetworkInternetSharing |
| SystemSettings\_QuickAction\_CellularData | SettingsGroupCellular | SettingsPageNetworkCellular |
| SystemSettings\_QuickAction\_AirplaneMode | SettingsPageNetworkAirplaneMode | SettingsPageNetworkAirplaneMode |
| SystemSettings\_Privacy\_LocationEnabledUserPhone | SettingsGroupPrivacyLocationGlobals | SettingsPagePrivacyLocation |
| SystemSettings\_Network\_VPN\_QuickAction | SettingsPageNetworkVPN | SettingsPageNetworkVPN |
| SystemSettings\_Launcher\_QuickNote | N/A | N/A |
| SystemSettings\_Flashlight\_Toggle | N/A | N/A |
| SystemSettings\_Device\_BluetoothQuickAction | SettingsPagePCSystemBluetooth | SettingsPagePCSystemBluetooth |
| SystemSettings\_BatterySaver\_LandingPage\_OverrideControl | BatterySaver\_LandingPage\_SettingsConfiguration | SettingsPageBatterySaver |
| QuickActions\_Launcher\_DeviceDiscovery | N/A | N/A |
| QuickActions\_Launcher\_AllSettings | N/A | N/A |
| SystemSettings\_QuickAction\_QuietHours | N/A | N/A |
| SystemSettings\_QuickAction\_Camera | N/A | N/A |
 

View File

@ -36,18 +36,22 @@ IT admins can sign up for the Windows Store for Business, and get started workin
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Windows Store for Business overview](windows-store-for-business-overview.md)</p></td>
<td align="left"><p>Learn about Windows Store for Business.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Prerequisites for Windows Store for Business](prerequisites-windows-store-for-business.md)</p></td>
<td align="left"><p>There are a few prerequisites for using Store for Business.</p></td>
</tr>
<tr class="even">
<tr class="odd">
<td align="left"><p>[Sign up for Windows Store for Business](sign-up-windows-store-for-business.md)</p></td>
<td align="left"><p>Before you sign up for Store for Business, at a minimum, you'll need an Azure Active Directory (AD) account for your organization, and you'll need to be the global administrator for your organization. If your organization is already using Azure AD, you can go ahead and sign up for Store for Business. If not, we'll help you create an Azure AD account and directory as part of the sign up process.</p></td>
</tr>
<tr class="odd">
<tr class="even">
<td align="left"><p>[Roles and permissions in the Windows Store for Business](roles-and-permissions-windows-store-for-business.md)</p></td>
<td align="left"><p>The first person to sign in to Store for Business must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees.</p></td>
</tr>
<tr class="even">
<tr class="odd">
<td align="left"><p>[Settings reference: Windows Store for Business](settings-reference-windows-store-for-business.md)</p></td>
<td align="left"><p>The Store for Business has a group of settings that admins use to manage the store.</p></td>
</tr>
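Review bot: while this table is being re-striped, the "Roles and permissions" row still says "they can give permissions to others employees"; change it to "other employees".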

View File

@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store, mobile
author: TrudyHa
localizationpriority: high
---
# Configure access to Windows Store

View File

@ -8,6 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile, devices, security
author: AMeeus
localizationpriority: high
---
# Windows 10 Mobile and mobile device management

View File

@ -1,26 +1,29 @@
---
title: Manage Windows 10 Start layout options (Windows 10)
description: Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Enterprise or Windows 10 Education.
title: Manage Windows 10 Start and taskbar layout (Windows 10)
description: Organizations might want to deploy a customized Start and taskbar layout to devices running Windows 10 Enterprise or Windows 10 Education.
ms.assetid: 2E94743B-6A49-463C-9448-B7DD19D9CD6A
keywords: ["start screen", "start menu"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: medium
---
# Manage Windows 10 Start layout options
# Manage Windows 10 Start and taskbar layout
**Applies to**
- Windows 10
**Looking for consumer information?**
> **Looking for consumer information?** See [Customize the Start menu](http://windows.microsoft.com/windows-10/getstarted-see-whats-on-the-menu)
- [Customize the Start menu](http://go.microsoft.com/fwlink/p/?LinkId=623630)
Organizations might want to deploy a customized Start and taskbar configuration to devices running Windows 10 Enterprise or Windows 10 Education. A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default.
Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Enterprise or Windows 10 Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes.
> **Note:** Taskbar configuration is available starting in Windows 10, version 1607.
## Start options
![start layout sections](images/startannotated.png)
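Review bot: the title and description now cover the taskbar, but the front matter still has `keywords: ["start screen", "start menu"]`; add a taskbar keyword so the topic is findable under its new scope. The consumer pointer also appears twice in the visible lines (as a bold heading with a list item and as a blockquote), so make sure only one form remains after the change.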
@ -29,11 +32,6 @@ Some areas of Start can be managed using Group Policy. The layout of Start tiles
The following table lists the different parts of Start and any applicable policy settings or Settings options. Group Policy settings are in the **User Configuration**\\**Administrative Templates**\\**Start Menu and Taskbar** path except where a different path is listed in the table.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Start</th>
@ -93,8 +91,8 @@ The following table lists the different parts of Start and any applicable policy
<p>Group Policy: <strong>Start layout</strong></p>
<p>Group Policy: <strong>Prevent users from customizing their Start Screen</strong></p>
<div class="alert">
<strong>Warning</strong>  
<p><strong>Start layout</strong> can only be applied to a device using the same architecture (32-bit or 64-bit) as the device on which <strong>Start layout</strong> was created. When a Start screen layout is imported with Group Policy or MDM, the users cannot pin, unpin, or uninstall apps from the Start screen. Users can view and open all apps in the <strong>All Apps</strong> view, but they cannot pin any apps to the Start screen.</p>
<strong>Note</strong>  
<p> When a full Start screen layout is imported with Group Policy or MDM, the users cannot pin, unpin, or uninstall apps from the Start screen. Users can view and open all apps in the <strong>All Apps</strong> view, but they cannot pin any apps to the Start screen. When a partial Start screen layout is imported, users cannot change the tile groups applied by the partial layout, but can modify other tile groups and create their own.</p><p><strong>Start layout</strong> policy can be used to pin apps to the taskbar based on an XML File that you provide. Users will be able to change the order of pinned apps, unpin apps, and pin additional apps to the taskbar.
</div>
<div>
 
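Review bot: the rewritten alert drops the sentence that a Start layout can only be applied to a device with the same architecture (32-bit or 64-bit) as the device it was created on. If that restriction still holds, keep it, because admins exporting a layout need it. The second paragraph added on the same line (`<p><strong>Start layout</strong> policy can be used ...`) is also never closed with `</p>` before `</div>`.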
@ -120,18 +118,57 @@ The following table lists the different parts of Start and any applicable policy
</tbody>
</table>
 
 ## Taskbar options
Starting in Windows 10, version 1607, you can pin additional apps to the taskbar and remove default pinned apps from the taskbar. You can specify different taskbar configurations based on device locale or region.
There are three categories of apps that might be pinned to a taskbar:
* Apps pinned by the user
* Default Windows apps, pinned during operating system installation (Microsoft Edge, File Explorer, Store)
* Apps pinned by the enterprise, such as in an unattended Windows setup
**Note**  
The earlier method of using [TaskbarLinks](http://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file is deprecated in Windows 10, version 1607.
The following example shows how apps will be pinned - Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square).
> **Note**  In operating systems configured to use a right-to-left language, the taskbar order will be reversed.
![Windows left, user center, enterprise to the right](images/taskbar-generic.png)
Whether you apply the taskbar configuration to a clean install or an update, users will still be able to:
* Pin additional apps
* Change the order of pinned apps
* Unpin any app
### Taskbar configuration applied to clean install of Windows 10
In a clean install, if you apply a taskbar layout, only the apps that you specify and default apps that you do not remove will be pinned to the taskbar. Users can pin additional apps to the taskbar after the layout is applied.
### Taskbar configuration applied to Windows 10 upgrades
When a device is upgraded to Windows 10, apps will be pinned to the taskbar already. Some apps may have been pinned to the taskbar by a user, and others may have been pinned to the taskbar through a customized base image or by using Windows Unattend setup.
The new taskbar layout for upgrades to Windows 10, version 1607 or later, will apply the following behavior:
* If the user pinned the app to the taskbar, those pinned apps remain and new apps will be added to the right.
* If the user didn't pin the app (it was pinned during installation or by policy) and the app is not in updated layout file, the app will be unpinned.
* If the user didn't pin the app and the app is in the updated layout file, the app will be pinned to the right.
* New apps specified in updated layout file are pinned to right of user's pinned apps.
## Related topics
[Customize and export Start layout](customize-and-export-start-layout.md)
[Customize Windows 10 Start with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
[Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
[Customize Windows 10 Start with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)
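Review bot: the `## Taskbar options` heading is not at the start of its line (a stray whitespace character precedes `##`), so it may not render as a heading; put it at column 0 with a blank line before it. In the upgrade list, the first and fourth bullets both say that new apps land to the right of the user's pinned apps, so merge them, and "is not in updated layout file" needs an article ("the updated layout file").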

View File

@ -0,0 +1,78 @@
---
title: Windows Spotlight on the lock screen (Windows 10)
description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen.
ms.assetid: 1AEA51FA-A647-4665-AD78-2F3FB27AD46A
keywords: ["lockscreen"]
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
author: jdeckerMS
localizationpriority: medium
---
# Windows Spotlight on the lock screen
**Applies to**
- Windows 10
Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows Spotlight is available in all desktop editions of Windows 10.
For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background. For managed devices running Windows 10 Pro, version 1607, administrators can disable suggestions for third party apps.
## What does Windows Spotlight include?
- **Background image**
The Windows Spotlight displays a new image on the lock screen each day. The initial background image is included during installation. Additional images are downloaded on ongoing basis.
![lock screen image](images/lockscreen.png)
- **Feature suggestions, fun facts, tips**
The lock screen background will occasionally suggest Windows 10 features that the user hasn't tried yet, such as **Snap assist**.
## How do you turn off Windows spotlight locally?
To turn off Windows Spotlight locally, go to **Settings** &gt; **Personalization** &gt; **Lock screen** &gt; **Background** &gt; **Windows spotlight** &gt; select a different lock screen background
![personalization background](images/spotlight.png)
## How do you disable Windows Spotlight for managed devices?
Windows 10, version 1607, provides three new Group Policy settings to help you manage Spotlight on employees' computers.
**Windows 10 Pro, Enterprise, and Education**
- **User Configuration\Administrative Templates\Windows Components\Cloud Content\Do not suggest third-party content in Windows spotlight** enables enterprises to restrict suggestions to Microsoft apps and services.
**Windows 10 Enterprise and Education**
* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows Spotlight features** enables enterprises to completely disable all Spotlight features in a single setting.
* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Configure Spotlight on lock screen** specifically controls the use of the dynamic Spotlight image on the lock screen, and can be enabled or disabled. (The Group Policy setting **Enterprise Spotlight** does not work in Windows 10, version 1607.)
Windows Spotlight is enabled by default. Administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** &gt; **Administrative Templates** &gt; **Control Panel** &gt; **Personalization** &gt; **Force a specific default lock screen image**.
![lockscreen policy details](images/lockscreenpolicy.png)
Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox is not selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages, such as the example in the following image.
![fun facts](images/funfacts.png)
## Related topics
[Manage Windows 10 Start layout options](../manage/windows-10-start-layout-options-and-policies.md)
 
 
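Review bot: the introduction says administrators can configure "a mobile device management (MDM) or Group Policy setting", but the section "How do you disable Windows Spotlight for managed devices?" lists only Group Policy paths. Either name the MDM setting or drop the MDM claim. The Related topics link text "Manage Windows 10 Start layout options" also uses the title that this same commit renames to "Manage Windows 10 Start and taskbar layout".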

View File

@ -0,0 +1,277 @@
---
title: Windows Store for Business overview (Windows 10)
description: With the new Windows Store for Business, organizations can make volume purchases of Windows apps.
ms.assetid: 9DA71F6B-654D-4121-9A40-D473CC654A1C
ms.prod: w10
ms.pagetype: store, mobile
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa
---
# Windows Store for Business overview
**Applies to**
- Windows 10
- Windows 10 Mobile
With the new Windows Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps.
## Features
Organizations of any size can benefit from using the Store for Business provides:
- **Scales to fit the size of your business** - For smaller businesses, with Azure AD accounts and Windows 10 devices, you can quickly have an end-to-end process for acquiring and distributing content using the Store for Business. For larger businesses, all the capabilities of the Store for Businessare available to you, or you can integrate the Store for Businesswith management tools, for greater control over access to apps and app updates. You can use existing work or school accounts.
- **Bulk app acquisition** - Acquire apps in volume from the Store for Business.
- **Private store** - Curate a private store for your business thats easily available from any Windows 10 device.
- **Flexible distribution options** - Flexible options for distributing content and apps to your employee devices:
- Distribute through Store for Business services. You can assign apps to individual employees, or make apps available to all employees in your private store.
- Use a management tool from Microsoft, or a 3rd-party tool for advanced distribution and management functions, or for managing images.
- Offline licensing model allows you to distribute apps without connecting to Store services, and for managing images.
- **Line-of-business apps** - Privately add and distribute your internal line-of-business apps using any of the distribution options.
- **App license management**: Admins can reclaim and reuse app licenses. Online and offline licenses allow you to customize how you decide to deploy apps.
- **Up-to-date apps** - The Store for Business manages the update process for apps with online licenses. Apps are automatically updated so you are always current with the most recent software updates and product features. Store for Business apps also uninstall cleanly, without leaving behind extra files, for times when you need to switch apps for specific employees.
## Prerequisites
You'll need this software to work with the Store for Business.
### Required
- IT Pros that are administering Store for Business need a browser compatible with Store for Business running on a PC or mobile device. Supported browsers include: Internet Explorer 10 or later, Microsoft Edge, or current versions of Chrome or Firefox.
- Employees using apps from Store for Business need Windows 10, version 1511 running on a PC or mobile device.
Microsoft Azure Active Directory (AD) accounts for your employees:
- Admins need Azure AD accounts to sign up for the Store for Business, and then to sign in, get apps, distribute apps, and manage app licenses.
- Employees need Azure AD account when they access Store for Business content from Windows devices.
- If you use a management tool to distribute and manage online-licensed apps, all employees will need an Azure AD account
- For offline-licensed apps, Azure AD accounts are not required for employees.
For more information on Azure AD, see [About Office 365 and Azure Active Directory](http://go.microsoft.com/fwlink/p/?LinkId=708612), and [Intro to Azure: identity and access](http://go.microsoft.com/fwlink/p/?LinkId=708611).
### Optional
While not required, you can use a management tool to distribute and manage apps. Using a management tool allows you to distribute content, scope app availability, and control when app updates are installed. This might make sense for larger organizations that already use a management tool. A couple of things to note about management tools:
- Need to integrate with Windows 10 management framework and Azure AD.
- Need to sync with the Store for Business inventory to distribute apps.
## How does the Store for Business work?
### Sign up!
The first step for getting your organization started with the Store for Business is signing up. To sign up for the Business store, you need an Azure AD account and you must be a Global Administrator for your organization.
For more information, see [Sign up for the Store for Business](../manage/sign-up-windows-store-for-business.md).
### Set up
After your admin signs up for the Store for Business, they can assign roles to other employees in your company. The admin needs Azure AD User Admin permissions to assign WSFB roles. These are the roles and their permissions.
<table>
<colgroup>
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Permission</th>
<th align="left">Account settings</th>
<th align="left">Acquire apps</th>
<th align="left">Distribute apps</th>
<th align="left">Device Guard signing</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Admin</p></td>
<td align="left"><p>X</p></td>
<td align="left"><p>X</p></td>
<td align="left"><p>X</p></td>
<td align="left"></td>
</tr>
<tr class="even">
<td align="left"><p>Purchaser</p></td>
<td align="left"></td>
<td align="left"><p>X</p></td>
<td align="left"><p>X</p></td>
<td align="left"></td>
</tr>
<tr class="odd">
<td align="left"><p>Device Guard signer</p></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left"><p>X</p></td>
</tr>
</tbody>
</table>
In some cases, admins will need to add Azure Active Directory (AD) accounts for their employees. For more information, see [Manage user accounts and groups](../manage/manage-users-and-groups-windows-store-for-business.md).
Also, if your organization plans to use a management tool, youll need to configure your management tool to sync with the Store for Business.
### Get apps and content
Once signed in to the Store for Business, you can browse and search for all products in the Store for Business catalog. Some apps are free, and some apps charge a price. We're continuing to add more paid apps to the Store for Business. Check back if you don't see the app that you're looking for. Currently, you can pay for apps with a credit card. We'll be adding more payment options over time.
**App types** -- These app types are supported in the Store for Business:
- Universal Windows Platform apps
- Universal Windows apps, by device: Phone, Surface Hub, IOT devices , HoloLens
Apps purchased from the Store for Business only work on Windows 10 devices.
Line-of-business (LOB) apps are also supported via the Business store. You can invite IT developers or ISVs to be LOB publishers for your organization. This allows them to submit apps via the developer center that are only available to your organization. These apps can be distributed using the distribution methods discussed in this topic. For more information, see Working with Line-of-Business apps.
**App licensing model**
The Business store supports two options to license apps: online and offline. **Online** licensing is the default licensing model and is similar to the Windows Store. Online licensed apps require users and devices to connect to the Store for Business service to acquire an app and its license. **Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center.
For more information, see [Apps in the Store for Business](../manage/apps-in-windows-store-for-business.md#licensing-model).
### Distribute apps and content
App distribution is handled through two channels, either through the Store for Business, or using a management tool. You can use either or both distribution methods in your organization.
**Using the Store for Business** Distribution options for the Store for Business:
- Email link After purchasing an app, admins can send employees a link in an email message. Employees can click the link to install the app.
- Curate private store for all employees A private store can include content youve purchased from the Store, and your line-of-business apps that youve submitted to the Store for Business. Apps in your private store are available to all of your employees. They can browse the private store and install apps when needed.
- To use the options above users must be signed in with an Azure AD account on a Windows 10 device.
**Using a management tool** For larger organizations that might want a greater level of control over how apps are distributed and managed, a management tools provides other distribution options:
- Scoped content distribution Ability to scope content distribution to specific groups of employees.
- Install apps for employees Employees are not responsible for installing apps. Management tool installs apps for employees.
Management tools can synchronize content that has been acquired in the Store for Business. If an offline application has been purchased this will also include the app package, license and metadata for the app (like, icons, count, or localized product descriptions). Using the metadata, management tools can enable portals or apps as a destination for employees to acquire apps.
For more information, see [Distribute apps to your employees from the Store for Business](../manage/distribute-apps-to-your-employees-windows-store-for-business.md).
### Manage Store for Business settings and content
Once you are signed up with the Business store and have purchased apps, Admins can manage Store for Business settings and inventory.
**Manage Store for Business settings**
- Assign and change roles for employees or groups
- Device Guard signing
- Register a management server to deploy and install content
- Manage relationships with LOB publishers
- Manage offline licenses
- Update the name of your private store
**Manage inventory**
- Assign app licenses to employees
- Reclaim and reassign app licenses
- Manage app updates for all apps, or customize updates for each app. Online apps will automatically update from the Store. Offline apps can be updated using a management server.
- Download apps for offline installs
For more information, see [Manage settings in the Store for Business](../manage/manage-settings-windows-store-for-business.md) and [Manage apps](../manage/manage-apps-windows-store-for-business-overview.md).
## Supported markets
Store for Business is currently available in these markets.
|Country or locale|Paid apps|Free apps|
|-----------------|---------|---------|
|Argentina|X|X|
|Australia|X|X|
|Austria|X|X|
|Belgium (Dutch, French)|X|X|
|Brazil| |X|
|Canada (English, French)|X|X|
|Chile|X|X|
|Columbia|X|X|
|Croatia|X|X|
|Czech Republic|X|X|
|Denmark|X|X|
|Finland|X|X|
|France|X|X|
|Germany|X|X|
|Greece|X|X|
|Hong Kong SAR|X|X|
|Hungary|X|X|
|India| |X|
|Indonesia|X|X|
|Ireland|X|X|
|Italy|X|X|
|Japan|X|X|
|Malaysia|X|X|
|Mexico|X|X|
|Netherlands|X|X|
|New Zealand|X|X|
|Norway|X|X|
|Philippines|X|X|
|Poland|X|X|
|Portugal|X|X|
|Romania|X|X|
|Russia| |X|
|Singapore|X|X|
|Slovakia|X|X|
|South Africa|X|X|
|Spain|X|X|
|Sweden|X|X|
|Switzerland (French, German)|X|X|
|Taiwan| |X|
|Thailand|X|X|
|Turkey|X|X|
|Ukraine| |X|
|United Kingdom|X|X|
|United States|X|X|
|Vietnam|X|X|
## <a href="" id="isv-wsfb"></a>ISVs and the Store for Business
Developers in your organization, or ISVs can create content specific to your organization. In the Store for Business, we call these app line-of-business (LOB) apps, and the devs that create them are LOB publishers. The process looks like this:
- Admin invites devs to be LOB publishers for your organization. These devs can be internal devs, or external ISVs.
- LOB publishers accept the invitation, develop apps, and submits the app to the Windows Dev Center. LOB publishers use Enterprise associations when submitting the app to make the app exclusive to your organization.
- Admin adds the app to Store for Business inventory.
Once the app is in inventory, admins can choose how to distribute the app. ISVs creating apps through the dev center can make their apps available in the Store for Business. ISVs can opt-in their apps to make them available for offline licensing. Apps purchased in the Store for Business will work only on Windows 10.
For more information on line-of-business apps, see [Working with Line-of-Business apps](../manage/working-with-line-of-business-apps.md).
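Review bot: In the Supported markets table, the row `|Columbia|X|X|` misspells the country name; it should read `Colombia`. Other points in the same file: under "Get apps and content", the sentence "For more information, see Working with Line-of-Business apps." has no link, although the ISV section links the same topic as `../manage/working-with-line-of-business-apps.md`. The list under "Using the Store for Business" ends with the item "To use the options above users must be signed in with an Azure AD account on a Windows 10 device.", which is a prerequisite rather than a distribution option and would read better as a sentence after the list. The text alternates between "Store for Business" and "Business store" for the same service, so pick one name and use it throughout. Grammar to fix while here: "a management tools provides", "develop apps, and submits the app", and "we call these app line-of-business (LOB) apps".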