Merged PR 12057: fix assignedaccess json and SH Start xml example

devices/surface-hub/surface-hub-start-menu.md

@@ -145,7 +145,7 @@ This example shows a link to a website and a link to a .pdf file.
            TileID="2678823080"
            DisplayName="Bing"
            Arguments="https://www.bing.com/"
-           Square150x150LogoUri="ms-appdata:///local/PinnedTiles/2678823080/lowres.png"
+           Square150x150LogoUri="ms-appx:///"
            Wide310x150LogoUri="ms-appx:///"
            ShowNameOnSquare150x150Logo="true"
            ShowNameOnWide310x150Logo="false"
@@ -164,7 +164,10 @@ This example shows a link to a website and a link to a .pdf file.
              TileID="6153963000"
              DisplayName="cstrtqbiology.pdf"
              Arguments="-contentTile -formatVersion 0x00000003 -pinnedTimeLow 0x45b7376e -pinnedTimeHigh 0x01d2356c -securityFlags 0x00000000 -tileType 0x00000000 -url 0x0000003a https://www.ada.gov/regs2010/2010ADAStandards/Guidance_2010ADAStandards.pdf"
-             Square150x150LogoUri="ms-appdata:///local/PinnedTiles/2678823080/lowres.png"                                                Wide310x150LogoUri="ms-appx:///" ShowNameOnSquare150x150Logo="true"                                                      ShowNameOnWide310x150Logo="true"
+             Square150x150LogoUri="ms-appx:///"                                                
+             Wide310x150LogoUri="ms-appx:///" 
+             ShowNameOnSquare150x150Logo="true"                                                      
+             ShowNameOnWide310x150Logo="true"
              BackgroundColor="#ff4e4248"
              Size="4x2" 
              Row="4"
@@ -177,6 +180,11 @@ This example shows a link to a website and a link to a .pdf file.
 
 ```
 
+>[!NOTE]
+>Microsoft Edge tile logos won't appear on secondary tiles because they aren't stored in Surface Hub.
+>
+>The default value for `ForegroundText` is light; you don't need to include `ForegroundText` in your XML unless you're changing the value to dark.
+
 ## More information
 
 - [Blog post: Changing Surface Hub’s Start Menu](https://blogs.technet.microsoft.com/y0av/2018/02/13/47/)

windows/client-management/connect-to-remote-aadj-pc.md

@@ -23,6 +23,9 @@ From its release, Windows 10 has supported remote connections to PCs that are jo
 
 ![Remote Desktop Connection client](images/rdp.png)
 
+>[!TIP]
+>Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session.](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics)
+
 ## Set up
 
 - Both PCs (local and remote) must be running Windows 10, version 1607 (or later). Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported.

windows/client-management/mdm/TOC.md

@@ -17,7 +17,7 @@
 ### [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md)
 ### [Register your free Azure Active Directory subscription](register-your-free-azure-active-directory-subscription.md)
 ## [Enterprise app management](enterprise-app-management.md)
-## [Device update management](device-update-management.md)
+## [Mobile device management (MDM) for device updates](device-update-management.md)
 ## [Bulk enrollment](bulk-enrollment-using-windows-provisioning-tool.md)
 ## [Management tool for the Microsoft Store for Business](management-tool-for-windows-store-for-business.md)
 ### [REST API reference for Microsoft Store for Business](rest-api-reference-windows-store-for-business.md)

windows/client-management/mdm/device-update-management.md

@@ -1,5 +1,5 @@
 ---
-title: Device update management
+title: Mobile device management MDM for device updates
 description: In the current device landscape of PC, tablets, phones, and IoT devices, the Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology.
 ms.assetid: C27BAEE7-2890-4FB7-9549-A6EACC790777
 keywords: mdm,management,administrator
@@ -12,7 +12,7 @@ ms.date: 11/15/2017
 ---
 
 
-# Device update management
+# Mobile device management (MDM) for device updates 
 
 >[!TIP]
 >If you're not a developer or administrator, you'll find more helpful information in the [Windows Update: Frequently Asked Questions](https://support.microsoft.com/help/12373/windows-update-faq).

windows/client-management/mdm/index.md

@@ -61,7 +61,7 @@ When an organization wants to move to MDM to manage devices, they should prepare
 
 -   [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md)
 -   [Enterprise app management](enterprise-app-management.md)
--   [Device update management](device-update-management.md)
+-   [Mobile device management (MDM) for device updates](device-update-management.md)
 -   [Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices](enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md)
 -   [OMA DM protocol support](oma-dm-protocol-support.md)
 -   [Structure of OMA DM provisioning files](structure-of-oma-dm-provisioning-files.md)

windows/configuration/change-history-for-configure-windows-10.md

@@ -17,6 +17,12 @@ ms.date: 10/02/2018
 
 This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
 
+## October 2018
+
+New or changed topic | Description
+--- | ---
+[Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md) and [Set up a single-app kiosk](kiosk-single-app.md) | Added event log path for auto-logon issues.
+
 ## RELEASE: Windows 10, version 1809
 
 The topics in this library have been updated for Windows 10, version 1809. The following new topic has been added:

windows/configuration/kiosk-prepare.md

@@ -38,6 +38,12 @@ Disable the camera. |     Go to **Settings** > **Privacy** > **Camera**, a
 Turn off app notifications on the lock screen. |     Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
 Disable removable media. |     Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.</br></br>**NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
 
+## Enable logging
+
+Logs can help you [troubleshoot issues](multi-app-kiosk-troubleshoot.md) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default.
+
+![Event Viewer, right-click Operational, select enable log](images/enable-assigned-access-log.png)
+
 ## Automatic logon
 
 In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can sign in the assigned access account manually or you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic sign in.

windows/configuration/kiosk-single-app.md

@@ -8,7 +8,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
 ms.localizationpriority: medium
-ms.date: 10/02/2018
+ms.date: 10/09/2018
 ---
 
 # Set up a single-app kiosk
@@ -185,7 +185,7 @@ Clear-AssignedAccess
 
 
 >[!IMPORTANT]
->When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows}(https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows).
+>When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows).
 
 When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Windows desktop application.
 
@@ -200,7 +200,7 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des
 <tr><td  style="width:45%" valign="top">![step three](images/three.png)  ![account management](images/account-management.png)</br></br>Enable account management if you want to configure settings on this page. </br></br>**If enabled:**</br></br>You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device</br></br>To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.</br></br>**Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.</br></br>To create a local administrator account, select that option and enter a user name and password. </br></br>**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.  </td><td>![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)</td></tr>
 <tr><td  style="width:45%" valign="top">![step four](images/four.png) ![add applications](images/add-applications.png)</br></br>You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)</br></br>**Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application. </td><td>![add an application](images/add-applications-details.png)</td></tr>
 <tr><td  style="width:45%" valign="top">![step five](images/five.png) ![add certificates](images/add-certificates.png)</br></br>To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.</td><td>![add a certificate](images/add-certificates-details.png)</td></tr> 
-<tr><td  style="width:45%" valign="top">![step six](images/six.png)  ![Configure kiosk account and app](images/kiosk-account.png)</br></br>You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.</br></br>If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts.</br></br>In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Windows desktop application) or the AUMID (for a Universal Windows app). For a Windows desktop application, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.</td><td>![Configure kiosk account and app](images/kiosk-account-details.png)</td></tr>
+<tr><td  style="width:45%" valign="top">![step six](images/six.png)  ![Configure kiosk account and app](images/kiosk-account.png)</br></br>You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.</br></br>If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts. (If you encounter issues with auto sign-in after you apply the provisioning package, check the Event Viewer logs for auto logon issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**.)</br></br>In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Windows desktop application) or the AUMID (for a Universal Windows app). For a Windows desktop application, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.</td><td>![Configure kiosk account and app](images/kiosk-account-details.png)</td></tr>
 <tr><td  style="width:45%" valign="top">![step seven](images/seven.png)  ![configure kiosk common settings](images/kiosk-common.png)</br></br>On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.</td><td>![set tablet mode and configure welcome and shutdown and turn off timeout settings](images/kiosk-common-details.png)</td></tr>
 <tr><td  style="width:45%" valign="top">  ![finish](images/finish.png)</br></br>You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.</td><td>![Protect your package](images/finish-details.png)</td></tr>
 </table>

windows/configuration/multi-app-kiosk-troubleshoot.md

@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: edu, security
 author: jdeckerms
 ms.localizationpriority: medium
-ms.date: 07/30/2018
+ms.date: 10/09/2018
 ms.author: jdecker
 ms.topic: article
 ---
@@ -39,6 +39,10 @@ For example:
 ![Event Viewer, right-click Operational, select enable log](images/enable-assigned-access-log.png)
 
 
+## Automatic logon issues 
+
+Check the Event Viewer logs for auto logon issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**.
+
 ## Apps configured in AllowedList are blocked
 
 1. Ensure the account is mapped to the correct profile and that the apps are specific for that profile. 

windows/configuration/wcd/wcd-assignedaccess.md

@@ -30,7 +30,7 @@ Enter the account and the application you want to use for Assigned access, using
 **Example**:
 
 ```
-"Account":"domain\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"
+{"Account":"domain\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}
 ```
 
 ## MultiAppAssignedAccessSettings