deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

adding rs3 files

Browse Source
This commit is contained in:
Justin Hall 2017-09-13 09:52:24 -07:00
commit 5478700f41
30 changed files with 1016 additions and 124 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
browsers/edge/available-policies.md
View File

@ -21,7 +21,7 @@ Microsoft Edge works with Group Policy and Microsoft Intune to help you manage y
By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain.
> [!NOTE]
> For more info about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). This site provides links to the latest technical documentation, videos, and downloads for Group Policy. For more info about the tools you can use to change your Group Policy objects, see the Internet Explorer 11 topics, [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921), [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922), [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923), and [Group Policy and Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=617924).
> For more info about the tools you can use to change your Group Policy objects, see the Internet Explorer 11 topics, [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921), [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922), [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923), and [Group Policy and Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=617924).
## Group Policy settings
Microsoft Edge works with these Group Policy settings (`Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\`) to help you manage your company's web browser configurations:
@ -1027,5 +1027,4 @@ These are additional Windows 10-specific MDM policy settings that work with Mic
- **1 (default).** Employees can sync between PCs.
## Related topics
* [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514)
* [Mobile Device Management (MDM) settings]( https://go.microsoft.com/fwlink/p/?LinkId=722885)

29
devices/surface-hub/manage-windows-updates-for-surface-hub.md
View File

@ -37,15 +37,15 @@ You can also configure Surface Hub to receive updates from both Windows Update f
## Surface Hub servicing model
Surface Hub uses the Windows 10 servicing model, referred to as Windows as a Service (WaaS). Traditionally, new features are added only in new versions of Windows that are released every few years. Each new version required lengthy and expensive processes to deploy in an organization. As a result, end users and organizations don't frequently enjoy the benefits of new innovation. The goal of Windows as a Service is to continually provide new capabilities while maintaining a high level of quality.
Surface Hub uses the Windows 10 servicing model, referred to as [Windows as a Service (WaaS)](https://docs.microsoft.com/windows/deployment/update/waas-overview). Traditionally, new features were added only in new versions of Windows that were released every few years. Each new version required lengthy and expensive processes to deploy in an organization. As a result, end users and organizations don't frequently enjoy the benefits of new innovation. The goal of Windows as a Service is to continually provide new capabilities while maintaining a high level of quality.
Microsoft publishes two types of Surface Hub releases broadly on an ongoing basis:
- **Feature updates** - Updates that install the latest new features, experiences, and capabilities. Microsoft expects to publish an average of two to three new feature upgrades per year.
- **Feature updates** - Updates that install the latest new features, experiences, and capabilities. Microsoft expects to publish two tnew feature updates per year.
- **Quality updates** - Updates that focus on the installation of security fixes, drivers, and other servicing updates. Microsoft expects to publish one cumulative quality update per month.
In order to improve release quality and simplify deployments, all new releases that Microsoft publishes for Windows 10, including Surface Hub, will be cumulative. This means new feature updates and quality updates will contain the payloads of all previous releases (in an optimized form to reduce storage and networking requirements), and installing the release on a device will bring it completely up to date. Also, unlike earlier versions of Windows, you cannot install a subset of the contents of a Windows 10 quality update. For example, if a quality update contains fixes for three security vulnerabilities and one reliability issue, deploying the update will result in the installation of all four fixes.
The Surface Hub operating system is available on **Current Branch (CB)** and **Current Branch for Business (CBB)**. Like other editions of Windows 10, the servicing lifetime of CB or CBB is finite. You must install new feature updates on machines running these branches in order to continue receiving quality updates.
The Surface Hub operating system receives updates on the [Semi-Annual Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes). Like other editions of Windows 10, the servicing lifetime ois finite. You must install new feature updates on machines running these branches in order to continue receiving quality updates.
For more information on Windows as a Service, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview).
@ -55,11 +55,9 @@ Surface Hubs, like all Windows 10 devices, include **Windows Update for Business
**To set up Windows Update for Business:**
1. [Group Surface Hub into deployment rings](#group-surface-hub-into-deployment-rings)
2. [Configure Surface Hub to use Current Branch or Current Branch for Business](#configure-surface-hub-to-use-current-branch-or-current-branch-for-business).
2. [Configure when Surface Hub receives updates](#configure-when-surface-hub-receives-updates).
> [!NOTE]
> You can use Microsoft Intune, System Center Configuration Manager, or a supported third-party MDM provider to set up WUfB. [Walkthrough: use Microsoft Intune to configure Windows Update for Business.](https://technet.microsoft.com/itpro/windows/manage/waas-wufb-intune)
@ -70,29 +68,22 @@ This table gives examples of deployment rings.
| Deployment ring | Ring size | Servicing branch | Deferral for feature updates | Deferral for quality updates (security fixes, drivers, and other updates) | Validation step |
| --------- | --------- | --------- | --------- | --------- | --------- |
| Preview (e.g. non-critical or test devices) | Small | Current Branch (CB) | None. Devices receive feature updates immediately after CB is released. | None. Devices receive quality updates immediately after CB is released. | Manually test and evaluate new functionality. Pause updates if there are issues. |
| Release (e.g. devices used by select teams) | Medium | Current Branch for Business (CBB) | None. Devices receive feature updates immediately once CBB is released. | None. Devices receive quality updates immediately after CBB is released. | Monitor device usage and user feedback. Pause updates if there are issues. |
| Broad deployment (e.g. most of the devices in your organization) | Large | Current Branch for Business (CBB) | 120 days after CBB is released. | 7-14 days after CBB is released. | Monitor device usage and user feedback. Pause updates if there are issues. |
| Mission critical (e.g. devices in executive boardrooms) | Small | Current Branch for Business (CBB) | 180 days after CBB is released (maximum deferral for feature updates). | 30 days after CBB is released (maximum deferral for quality updates). | Monitor device usage and user feedback. |
| Preview (e.g. non-critical or test devices) | Small | Semi-annual channel (Targeted) | None. | None. | Manually test and evaluate new functionality. Pause updates if there are issues. |
| Release (e.g. devices used by select teams) | Medium | Semi-annual channel | None. | None. | Monitor device usage and user feedback. Pause updates if there are issues. |
| Broad deployment (e.g. most of the devices in your organization) | Large | Semi-annual channel | 120 days after release. | 7-14 days after release. | Monitor device usage and user feedback. Pause updates if there are issues. |
| Mission critical (e.g. devices in executive boardrooms) | Small | Semi-annual channel | 180 days after release (maximum deferral for feature updates). | 30 days after release (maximum deferral for quality updates). | Monitor device usage and user feedback. |
### Configure Surface Hub to use Current Branch or Current Branch for Business
By default, Surface Hubs are configured to receive updates from Current Branch (CB). CB receives feature updates as soon as they are released by Microsoft. Current Branch for Business (CBB), on the other hand, receives feature updates at least four months after they have been initially offered to CB devices, and includes all of the quality updates that have been released in the interim. For more information on the differences between CB and CBB, see [Servicing branches](https://technet.microsoft.com/itpro/windows/manage/waas-overview#servicing-branches).
**To manually configure Surface Hub to use CB or CBB:**
1. Open **Settings** > **Update & Security** > **Windows Update**, and then select **Advanced Options**.
2. Select **Defer feature updates**.
To configure Surface Hub to use CB or CBB remotely using MDM, set an appropriate [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) policy.
### Configure when Surface Hub receives updates
Once you've determined deployment rings for your Surface Hubs, configure update deferral policies for each ring:
- To defer feature updates, set an appropriate [Update/DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) policy for each ring.
- To defer quality updates, set an appropriate [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) policy for each ring.
- To defer feature updates, set an appropriate [Update/DeferFeatureUpdatesPeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays) policy for each ring.
- To defer quality updates, set an appropriate [Update/DeferQualityUpdatesPeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-deferqualityupdatesperiodindays) policy for each ring.
> [!NOTE]
> If you encounter issues during the update rollout, you can pause updates using [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) and [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates).
> If you encounter issues during the update rollout, you can pause updates using [Update/PauseFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-pausefeatureupdates) and [Update/PauseQualityUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-pausequalityupdates).
## Use Windows Server Update Services

BIN
windows/application-management/media/user-service-flag.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 65 KiB

5
windows/client-management/change-history-for-client-management.md
View File

@ -16,6 +16,11 @@ ms.date: 06/13/2017
This topic lists new and updated topics in the [Client management](index.md) documentation for Windows 10 and Windows 10 Mobile.
## RELEASE: Windows 10, version 1709
The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update).
## July 2017
| New or changed topic | Description |

10
windows/client-management/connect-to-remote-aadj-pc.md
View File

@ -8,6 +8,8 @@ ms.sitesec: library
ms.pagetype: devices
author: jdeckerms
ms.localizationpriority: medium
ms.author: jdecker
ms.date: 10/17/2017
---
# Connect to remote Azure Active Directory-joined PC
@ -33,7 +35,13 @@ From its release, Windows 10 has supported remote connections to PCs that are jo
3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users to connect to the PC, you must allow remote connections for the local **Authenticated Users** group. Click **Select Users**.
>[!NOTE]
>You cannot specify individual Azure AD accounts for remote connections.
>You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once and then running the following PowerShell cmdlet:
>
>`net localgroup "Remote Desktop Users" /add "AzureAD\FirstnameLastname"`
>
>In Windows 10, version 1709, the user does not have to sign in to the remote device first.
>
>In Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices.
4. Enter **Authenticated Users**, then click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC.

5
windows/configuration/TOC.md
View File

@ -8,7 +8,10 @@
### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
### [Lock down Windows 10 to specific apps (AppLocker)](lock-down-windows-10-to-specific-apps.md)
### [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md)
#### [Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md)
#### [Use AppLocker to create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-applocker.md)
#### [Multi-app kiosk XML reference](multi-app-kiosk-xml.md)
## [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md)
### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
### [Use Windows Configuration Designer to configure Windows 10 Mobile devices](mobile-devices/provisioning-configure-mobile.md)

11
windows/configuration/change-history-for-configure-windows-10.md
View File

@ -14,18 +14,29 @@ author: jdeckerms
This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
## RELEASE: Windows 10, version 1709
The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update). The following new topics have been added:
- [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md)
- [Multi-app kiosk XML reference](multi-app-kiosk-xml.md)
## September 2017
New or changed topic | Description
--- | ---
[Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added that Windows Spotlight can be managed by the Experience/AllowWindowsSpotlight MDM policy.
## August 2017
New or changed topic | Description
--- | ---
[Windows Configuration Designer provisioning settings (reference)](wcd/wcd.md) | New section; reference content from [Windows Provisioning settings reference](https://msdn.microsoft.com/library/windows/hardware/dn965990.aspx) is being relocated here from MSDN.
## July 2017
| New or changed topic | Description |
| --- | --- |

5
windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
View File

@ -8,6 +8,8 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
ms.author: jdecker
ms.date: 10/05/2017
---
# Customize Windows 10 Start and taskbar with Group Policy
@ -61,6 +63,9 @@ Three features enable Start and taskbar layout control:
To apply the Start and taskbar layout to users in a domain, use the Group Policy Management Console (GPMC) to configure a domain-based Group Policy Object (GPO) that sets **Start Layout** policy settings in the **Start Menu and Taskbar** administrative template for users in a domain.
>[!IMPORTANT]
>In Windows 10, version 1709, Edge is pinned to the desktop automatically during Windows 10 installation or upgrade. When you apply a custom Start layout using this policy, Edge will not be pinned to the desktop.
The GPO applies the Start and taskbar layout at the next user sign-in. Each time the user signs in, the timestamp of the .xml file with the Start and taskbar layout is checked and if a newer version of the file is available, the settings in the latest version of the file are applied.
The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed.

2
windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
View File

@ -100,7 +100,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package.
12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location.

BIN
windows/configuration/images/multiappassignedaccesssettings.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 5.0 KiB

BIN
windows/configuration/images/profile-config.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 42 KiB

BIN
windows/configuration/images/sample-start.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 92 KiB

2
windows/configuration/kiosk-shared-pc.md
View File

@ -20,4 +20,4 @@ Some desktop devices in an enterprise serve a special purpose, such as a common
| [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. |
| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | You can configure a device running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education as a kiosk device, so that users can only interact with a single application that you select. |
| [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. This topic provides guidelines to help you choose an approprate app for a kiosk device. |
| [Lock down Windows 10 to specific apps (AppLocker)](lock-down-windows-10-to-specific-apps.md) | Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to a kiosk device, but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. |
| [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) | Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to a kiosk device, but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. |

121
windows/configuration/lock-down-windows-10-applocker.md Normal file
View File

@ -0,0 +1,121 @@
---
title: Use AppLocker to create a Windows 10 kiosk that runs multiple apps (Windows 10)
description: Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps.
ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
keywords: ["lockdown", "app restrictions", "applocker"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: edu, security
author: jdeckerms
ms.localizationpriority: high
ms.date: 10/05/2017
ms.author: jdecker
---
# Use AppLocker to create a Windows 10 kiosk that runs multiple apps
**Applies to**
- Windows 10
Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education, version 1703 and earlier, so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.
>[!NOTE]
>For devices running Windows 10, version 1709, we recommend the [multi-app kiosk method](lock-down-windows-10-to-specific-apps.md).
You can restrict users to a specific set of apps on a device running Windows 10 Enterprise or Windows 10 Education by using [AppLocker](/windows/device-security/applocker/applocker-overview). AppLocker rules specify which apps are allowed to run on the device.
AppLocker rules are organized into collections based on file format. If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For more information, see [How AppLocker works](/windows/device-security/applocker/how-applocker-works-techref).
This topic describes how to lock down apps on a local device. You can also use AppLocker to set rules for applications in a domain by using Group Policy.
![install create lockdown customize](images/lockdownapps.png)
## Install apps
First, install the desired apps on the device for the target user account(s). This works for both Store and Win32. For Store apps, you must log on as that user for the app to install. For Win32 you can install an app for all users without logging on to the particular account.
## Use AppLocker to set rules for apps
After you install the desired apps, set up AppLocker rules to only allow specific apps, and block everything else.
1. Run Local Security Policy (secpol.msc) as an administrator.
2. Go to **Security Settings** > **Application Control Policies** > **AppLocker**, and select **Configure rule enforcement**.
![configure rule enforcement](images/apprule.png)
3. Check **Configured** under **Executable rules**, and then click **OK**.
4. Right-click **Executable Rules** and then click **Automatically generate rules**.
![automatically generate rules](images/genrule.png)
5. Select the folder that contains the apps that you want to permit, or select C:\\ to analyze all apps.
6. Type a name to identify this set of rules, and then click **Next**.
7. On the **Rule Preferences** page, click **Next**. Be patient, it might take awhile to generate the rules.
8. On the **Review Rules** page, click **Create**. The wizard will now create a set of rules allowing the installed set of apps.
9. Read the message and click **Yes**.
![default rules warning](images/appwarning.png)
10. (optional) If you want a rule to apply to a specific set of users, right-click on the rule and select **Properties**. Then use the dialog to choose a different user or group of users.
11. (optional) If rules were generated for apps that should not be run, you can delete them by right-clicking on the rule and selecting **Delete**.
12. Before AppLocker will enforce rules, the **Application Identity** service must be turned on. To force the Application Identity service to automatically start on reset, open a command prompt and run:
``` syntax
sc config appidsvc start=auto
```
13. Restart the device.
## Other settings to lock down
In addition to specifying the apps that users can run, you should also restrict some settings and functions on the device. For a more secure experience, we recommend that you make the following configuration changes to the device:
- Remove **All apps**.
Go to **Group Policy Editor** > **User Configuration** > **Administrative Templates\\Start Menu and Taskbar\\Remove All Programs list from the Start menu**.
- Hide **Ease of access** feature on the logon screen.
Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools.
- Disable the hardware power button.
Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
- Disable the camera.
Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**.
- Turn off app notifications on the lock screen.
Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
- Disable removable media.
Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.
**Note**  
To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
 
To learn more about locking down features, see [Customizations for Windows 10 Enterprise](https://go.microsoft.com/fwlink/p/?LinkId=691442).
## Customize Start screen layout for the device (recommended)
Configure the Start menu on the device to only show tiles for the permitted apps. You will make the changes manually, export the layout to an .xml file, and then apply that file to devices to prevent users from making changes. For instructions, see [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md).

607
windows/configuration/lock-down-windows-10-to-specific-apps.md
View File

@ -1,6 +1,6 @@
---
title: Lock down Windows 10 to specific apps (Windows 10)
description: Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps.
title: Create a Windows 10 kiosk that runs multiple apps (Windows 10)
description: Learn how to configure a kiosk device running Windows 10 so that users can only run a few specific apps.
ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
keywords: ["lockdown", "app restrictions", "applocker"]
ms.prod: w10
@ -9,120 +9,605 @@ ms.sitesec: library
ms.pagetype: edu, security
author: jdeckerms
ms.localizationpriority: high
ms.date: 10/05/2017
ms.author: jdecker
---
# Lock down Windows 10 to specific apps
# Create a Windows 10 kiosk that runs multiple apps
**Applies to**
- Windows 10
>For more info about the features and functionality that are supported in each edition of Windows, see [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package.
Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.
>[!NOTE]
>For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk. Avoid applying AppLocker rules to devices running the multi-app kiosk configuration described in this topic.
You can restrict users to a specific set of apps on a device running Windows 10 Enterprise or Windows 10 Education by using [AppLocker](/windows/device-security/applocker/applocker-overview). AppLocker rules specify which apps are allowed to run on the device.
The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they dont need to access.
AppLocker rules are organized into collections based on file format. If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For more information, see [How AppLocker works](/windows/device-security/applocker/how-applocker-works-techref).
This topic describes how to lock down apps on a local device. You can also use AppLocker to set rules for applications in a domain by using Group Policy.
![install create lockdown customize](images/lockdownapps.png)
## Install apps
>[!WARNING]
>The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
First, install the desired apps on the device for the target user account(s). This works for both Store and Win32. For Store apps, you must log on as that user for the app to install. For Win32 you can install an app for all users without logging on to the particular account.
Process:
1. [Create XML file](#create-xml-file)
2. [Add XML file to provisioning package](#add-xml)
3. [Apply provisioning package to device](#apply-ppkg)
## Use AppLocker to set rules for apps
If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#alternate-methods) or you can configure assigned access using the [MDM Bridge WMI Provider](#bridge).
## Prerequisites
- (latest version of WCD -- is Store version okay at GA?)
- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709
After you install the desired apps, set up AppLocker rules to only allow specific apps, and block everything else.
## Create XML file
1. Run Local Security Policy (secpol.msc) as an administrator.
Let's start by looking at the basic structure of the XML file.
2. Go to **Security Settings** > **Application Control Policies** > **AppLocker**, and select **Configure rule enforcement**.
- A configuration xml can define multiple *profiles*. Each profile has a unique **Id** and defines a set of applications that are allowed to run, whether the taskbar is visible, and can include a custom Start layout.
![configure rule enforcement](images/apprule.png)
- A configuration xml can have multiple *config* sections. Each config section associates a non-admin user account to a default profile **Id**.
3. Check **Configured** under **Executable rules**, and then click **OK**.
- Multiple config sections can be associated to the same profile.
4. Right-click **Executable Rules** and then click **Automatically generate rules**.
- A profile has no effect if its not associated to a config section.
![automatically generate rules](images/genrule.png)
![profile = app and config = account](images/profile-config.png)
5. Select the folder that contains the apps that you want to permit, or select C:\\ to analyze all apps.
You can start your file by pasting the following XML (or any other examples in this topic) into a XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this topic.
6. Type a name to identify this set of rules, and then click **Next**.
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
<Profiles>
<Profile Id="">
<AllAppsList>
<AllowedApps/>
</AllAppsList>
<StartLayout/>
<Taskbar/>
</Profile>
</Profiles>
<Configs>
<Config>
<Account/>
<DefaultProfile Id=""/>
</Config>
</Configs>
</AssignedAccessConfiguration>
```
7. On the **Rule Preferences** page, click **Next**. Be patient, it might take awhile to generate the rules.
### Profile
8. On the **Review Rules** page, click **Create**. The wizard will now create a set of rules allowing the installed set of apps.
A profile section in the XML has the following entries:
9. Read the message and click **Yes**.
- [**Id**](#id)
![default rules warning](images/appwarning.png)
- [**AllowedApps**](#allowedapps)
10. (optional) If you want a rule to apply to a specific set of users, right-click on the rule and select **Properties**. Then use the dialog to choose a different user or group of users.
- [**StartLayout**](#startlayout)
11. (optional) If rules were generated for apps that should not be run, you can delete them by right-clicking on the rule and selecting **Delete**.
12. Before AppLocker will enforce rules, the **Application Identity** service must be turned on. To force the Application Identity service to automatically start on reset, open a command prompt and run:
``` syntax
sc config appidsvc start=auto
```
13. Restart the device.
## Other settings to lock down
- [**Taskbar**](#taskbar)
In addition to specifying the apps that users can run, you should also restrict some settings and functions on the device. For a more secure experience, we recommend that you make the following configuration changes to the device:
#### Id
- Remove **All apps**.
The profile **Id** is a GUID attribute to uniquely identify the profile. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file.
Go to **Group Policy Editor** &gt; **User Configuration** &gt; **Administrative Templates\\Start Menu and Taskbar\\Remove All Programs list from the Start menu**.
```xml
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"></Profile>
</Profiles>
```
- Hide **Ease of access** feature on the logon screen.
#### AllowedApps
Go to **Control Panel** &gt; **Ease of Access** &gt; **Ease of Access Center**, and turn off all accessibility tools.
**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Classic Windows desktop apps.
- Disable the hardware power button.
Based on the purpose of the kiosk device, define the list of applications that are allowed to run. This list can contain both UWP apps and desktop apps. When the mult-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration.
Go to **Power Options** &gt; **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
>[!NOTE]
>You cannot manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](https://technet.microsoft.com/library/hh994629.aspx#BKMK_Using_Snapins). Avoid applying AppLocker rules to devices running the multi-app kiosk configuration.
- Disable the camera.
- For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867), or [get the AUMID from the Start Layout XML](#startlayout).
- For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%).
Go to **Settings** &gt; **Privacy** &gt; **Camera**, and turn off **Let apps use my camera**.
Here are the predefined assigned access AppLocker rules for **UWP apps**:
- Turn off app notifications on the lock screen.
1. Default rule is to allow all users to launch the signed package apps.
2. The package app deny list is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the deny list. This list will exclude the default allowed inbox package apps which are critical for the system to function, and then exclude the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This deny list will be used to prevent the user from accessing the apps which are currently available for the user but not in the allowed list.
Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
>[!NOTE]
>Multi-app kiosk mode doesnt block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the deny list. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list.
- Disable removable media.
Here are the predefined assigned access AppLocker rules for **desktop apps**:
Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.
1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. The rule also allows the admin user group to launch all desktop programs.
2. There is a predefined inbox desktop app deny list for the assigned access user account, and this deny list is adjusted based on the desktop app allow list that you defined in the multi-app configuration.
3. Enterprise-defined allowed desktop apps are added in the AppLocker allow list.
**Note**  
To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
The following example allows Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps to run on the device.
 
```xml
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
<App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
<App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App DesktopAppPath="%windir%\system32\mspaint.exe" />
<App DesktopAppPath="C:\Windows\System32\notepad.exe" />
</AllowedApps>
</AllAppsList>
```
To learn more about locking down features, see [Customizations for Windows 10 Enterprise](https://go.microsoft.com/fwlink/p/?LinkId=691442).
#### StartLayout
## Customize Start screen layout for the device (recommended)
After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset, depending on whether you want the end user to directly access them on the Start screen.
The easiest way to create a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test device and then export the layout. For detailed steps, see [Customize and export Start layout](customize-and-export-start-layout.md).
A few things to note here:
- The test device on which you customize the Start layout should have the same OS version that is installed on the device where you plan to deploy the multi-app assigned access configuration.
- Since the multi-app assigned access experience is intended for fixed-purpose devices, to ensure the device experiences are consistent and predictable, use the *full* Start layout option instead of the *partial* Start layout.
- There are no apps pinned on the taskbar in the multi-app mode, and it is not supported to configure Taskbar layout using the `<CustomTaskbarLayoutCollection>` tag in a layout modification XML as part of the assigned access configuration.
- The following example uses DesktopApplicationLinkPath to pin the desktop app to start. When the desktop app doesnt have a shortcut link on the target device, [learn how to provision .lnk files using Windows Configuration Designer](#lnk-files).
This example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps on Start.
```xml
<StartLayout>
<![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6">
<start:Group Name="Group1">
<start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
<start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
<start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
</start:Group>
<start:Group Name="Group2">
<start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" />
<start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>
]]>
</StartLayout>
```
>[!NOTE]
>If an app is not installed for the user but is included in the Start layout XML, the app will not be shown on the Start screen.
Configure the Start menu on the device to only show tiles for the permitted apps. You will make the changes manually, export the layout to an .xml file, and then apply that file to devices to prevent users from making changes. For instructions, see [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md).
![What the Start screen looks like when the XML sample is applied](images/sample-start.png)
#### Taskbar
Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you dont attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want.
The following example exposes the taskbar to the end user:
```xml
<Taskbar ShowTaskbar="true"/>
```
The following example hides the taskbar:
```xml
<Taskbar ShowTaskbar="false"/>
```
>[!NOTE]
>This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden.
### Configs
Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced, including the allowed apps, Start layout, and taskbar configuration, as well as other local group policies or mobile device management (MDM) policies set as part of the multi-app experience.
The full multi-app assigned access experience can only work for non-admin users. Its not supported to associate an admin user with the assigned access profile; doing this in the XML file will result in unexpected/unsupported experiences when this admin user signs in.
 
 
The account can be local, domain, or Azure Active Directory (Azure AD). Groups are not supported.
- Local account can be entered as `machinename\account` or `.\account` or just `account`.
- Domain account should be entered as `domain\account`.
- Azure AD account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided AS IS (consider its a fixed domain name), then follow with the Azure AD email address, e.g. **AzureAD\someone@contoso.onmicrosoft.com**.
>[!WARNING]
>Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail.
>[!NOTE]
>For both domain and Azure AD accounts, its not required that target account is explicitly added to the device. As long as the device is AD-joined or Azure AD-joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access.
```xml
<Configs>
<Config>
<Account>MultiAppKioskUser</Account>
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
```
<span id="add-xml" />
## Add XML file to provisioning package
Before you add the XML file to a provisioning package, you can [validate your configuration XML against the XSD](multi-app-kiosk-xml.md#xsd-for-assignedaccess-configuration-xml).
Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-packages/provisioning-install-icd.md)
>[!IMPORTANT]
>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
1. Open Windows Configuration Designer (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
2. Choose **Advanced provisioning**.
3. Name your project, and click **Next**.
4. Choose **All Windows desktop editions** and click **Next**.
5. On **New project**, click **Finish**. The workspace for your package opens.
6. Expand **Runtime settings** &gt; **AssignedAccess** &gt; **MultiAppAssignedAccessSettings**.
7. In the center pane, click **Browse** to locate and select the assigned access configuration XML file that you created.
![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer](images/multiappassignedaccesssettings.png)
8. (**Optional**: If you want to apply the provisioning package after device initial setup and there is an admin user already available on the kiosk device, skip this step.) Create an admin user account in **Runtime settings** &gt; **Accounts** &gt; **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed.
8. (**Optional**: If you already have a non-admin account on the kiosk device, skip this step.) Create a local standard user account in **Runtime settings** &gt; **Accounts** &gt; **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**.
8. On the **File** menu, select **Save.**
9. On the **Export** menu, select **Provisioning package**.
10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package.
12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location.
Optionally, you can click **Browse** to change the default output location.
13. Click **Next**.
14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
15. Copy the provisioning package to the root directory of a USB drive.
<span id="apply-ppkg" />
## Apply provisioning package to device
Provisioning packages can be applied to a device during the first-run experience (out-of-box experience or "OOBE") and after ("runtime").
### During initial setup, from a USB drive
1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
![The first screen to set up a new PC](images/oobe.jpg)
2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
![Set up device?](images/setupmsg.jpg)
3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
![Provision this device](images/prov.jpg)
4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
![Choose a package](images/choose-package.png)
5. Select **Yes, add it**.
![Do you trust this package?](images/trust-package.png)
### After setup, from a USB drive, network folder, or SharePoint site
1. Sign in with an admin account.
2. Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install.
>[!NOTE]
>if your provisioning package doesnt include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device.
![add a package option](images/package.png)
### Validate provisioning
- Go to **Settings** > **Accounts** > **Access work or school**, and then click **Add or remove a provisioning package**. You should see a list of packages that were applied to the device, including the one you applied for the multi-app configuration.
- Optionally, run Event Viewer (eventvwr.exe) and look through logs under **Applications and Services Logs** > **Microsoft** > **Windows** > **Provisioning-Diagnostics-Provider** > **Admin**.
<span id="alternate-methods" />
## Use MDM to deploy the multi-app configuration
Multi-app kiosk mode is enabled by the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Your MDM policy can contain the assigned access configuration XML.
If your test device is enrolled with a MDM server which supports applying the assigned access configuration, you can use it to apply the setting remotely.
The OMA-URI for multi-app policy is `./Device/Vendor/MSFT/AssignedAccess/Configuration`.
<span id="bridge" />
## Use MDM Bridge WMI Provider to configure assigned access
Environments that use WMI can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the MDM_AssignedAccess class. See [PowerShell Scripting with WMI Bridge Provider](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/using-powershell-scripting-with-the-wmi-bridge-provider) for more details about using a PowerShell script to configure AssignedAccess.
Heres an example to set AssignedAccess configuration:
1. Download the [psexec tool](https://technet.microsoft.com/sysinternals/bb897553.aspx).
2. Run `psexec.exe -i -s cmd.exe`.
3. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell.
4. Execute the following script:
```ps
$nameSpaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = @"
&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot; ?&gt;
&lt;AssignedAccessConfiguration xmlns=&quot;http://schemas.microsoft.com/AssignedAccess/2017/config&quot;&gt;
&lt;Profiles&gt;
&lt;Profile Id=&quot;{9A2A490F-10F6-4764-974A-43B19E722C23}&quot;&gt;
&lt;AllAppsList&gt;
&lt;AllowedApps&gt;
&lt;App AppUserModelId=&quot;Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic&quot; /&gt;
&lt;App AppUserModelId=&quot;Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo&quot; /&gt;
&lt;App AppUserModelId=&quot;Microsoft.Windows.Photos_8wekyb3d8bbwe!App&quot; /&gt;
&lt;App AppUserModelId=&quot;Microsoft.BingWeather_8wekyb3d8bbwe!App&quot; /&gt;
&lt;App AppUserModelId=&quot;Microsoft.WindowsCalculator_8wekyb3d8bbwe!App&quot; /&gt;
&lt;App DesktopAppPath=&quot;%windir%\system32\mspaint.exe&quot; /&gt;
&lt;App DesktopAppPath=&quot;C:\Windows\System32\notepad.exe&quot; /&gt;
&lt;/AllowedApps&gt;
&lt;/AllAppsList&gt;
&lt;StartLayout&gt;
&lt;![CDATA[&lt;LayoutModificationTemplate xmlns:defaultlayout=&quot;http://schemas.microsoft.com/Start/2014/FullDefaultLayout&quot; xmlns:start=&quot;http://schemas.microsoft.com/Start/2014/StartLayout&quot; Version=&quot;1&quot; xmlns=&quot;http://schemas.microsoft.com/Start/2014/LayoutModification&quot;&gt;
&lt;LayoutOptions StartTileGroupCellWidth=&quot;6&quot; /&gt;
&lt;DefaultLayoutOverride&gt;
&lt;StartLayoutCollection&gt;
&lt;defaultlayout:StartLayout GroupCellWidth=&quot;6&quot;&gt;
&lt;start:Group Name=&quot;Group1&quot;&gt;
&lt;start:Tile Size=&quot;4x4&quot; Column=&quot;0&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;2&quot; AppUserModelID=&quot;Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.Windows.Photos_8wekyb3d8bbwe!App&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;4&quot; AppUserModelID=&quot;Microsoft.BingWeather_8wekyb3d8bbwe!App&quot; /&gt;
&lt;start:Tile Size=&quot;4x2&quot; Column=&quot;0&quot; Row=&quot;4&quot; AppUserModelID=&quot;Microsoft.WindowsCalculator_8wekyb3d8bbwe!App&quot; /&gt;
&lt;/start:Group&gt;
&lt;start:Group Name=&quot;Group2&quot;&gt;
&lt;start:DesktopApplicationTile Size=&quot;2x2&quot; Column=&quot;2&quot; Row=&quot;0&quot; DesktopApplicationLinkPath=&quot;%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk&quot; /&gt;
&lt;start:DesktopApplicationTile Size=&quot;2x2&quot; Column=&quot;0&quot; Row=&quot;0&quot; DesktopApplicationLinkPath=&quot;%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk&quot; /&gt;
&lt;/start:Group&gt;
&lt;/defaultlayout:StartLayout&gt;
&lt;/StartLayoutCollection&gt;
&lt;/DefaultLayoutOverride&gt;
&lt;/LayoutModificationTemplate&gt;
]]&gt;
&lt;/StartLayout&gt;
&lt;Taskbar ShowTaskbar=&quot;true&quot;/&gt;
&lt;/Profile&gt;
&lt;/Profiles&gt;
&lt;Configs&gt;
&lt;Config&gt;
&lt;Account&gt;MultiAppKioskUser&lt;/Account&gt;
&lt;DefaultProfile Id=&quot;{9A2A490F-10F6-4764-974A-43B19E722C23}&quot;/&gt;
&lt;/Config&gt;
&lt;/Configs&gt;
&lt;/AssignedAccessConfiguration&gt;
"@
Set-CimInstance -CimInstance $obj
```
## Validate multi-app kiosk configuration
Sign in with the assigned access user account you specified in the configuration to check out the multi-app experience.
>[!NOTE]
>The setting will take effect the next time the assigned access user signs in. If that user account is signed in when you apply the configuration, make sure the user signs out and signs back in to validate the experience.
The following sections explain what to expect on a multi-app kiosk.
### App launching and switching experience
In the multi-app mode, to maximize the user productivity and streamline the experience, an app will be always launched in full screen when the users click the tile on the Start. The users can minimize and close the app, but cannot resize the app window.
The users can switch apps just as they do today in Windows. They can use the Task View button, Alt + Tab hotkey, and the swipe in from the left gesture to view all the open apps in task view. They can click the Windows button to show Start, from which they can open apps, and they can switch to an opened app by clicking it on the taskbar.
### Start changes
When the assigned access user signs in, you should see a restricted Start experience:
- Start gets launched in full screen and prevents the end user from accessing the desktop.
- Start shows the layout aligned with what you defined in the multi-app configuration XML.
- Start prevents the end user from changing the tile layout.
- The user cannot resize, reposition, and unpin the tiles.
- The user cannot pin additional tiles on the start.
- Start hides **All Apps** list.
- Start hides all the folders on Start (including File Explorer, Settings, Documents, Downloads, Music, Pictures, Videos, HomeGroup, Network, and Personal folders).
- Only **User** and **Power** buttons are available. (You can control whether to show the **User/Power** buttons using [existing policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start).)
- Start hides **Change account settings** option under **User** button.
### Taskbar changes
If the applied multi-app configuration enables taskbar, when the assigned access user signs in, you should see a restricted Taskbar experience:
- Disables context menu of Start button (Quick Link)
- Disables context menu of taskbar
- Prevents the end user from changing the taskbar
- Disables Cortana and Search Windows
- Hides notification icons and system icons, e.g. Action Center, People, Windows Ink Workspace
- Allows the end user to view the status of the network connection and power state, but disables the flyout of **Network/Power** to prevent end user from changing the settings
### Blocked hotkeys
The multi-app mode blocks the following hotkeys, which are not relevant for the lockdown experience.
| Hotkey | Action |
| --- | --- |
| Windows logo key + A | Open Action center |
| Windows logo key + Shift + C | Open Cortana in listening mode |
| Windows logo key + D | Display and hide the desktop |
| Windows logo key + Alt + D | Display and hide the date and time on the desktop |
| Windows logo key + E | Open File Explorer |
| Windows logo key + F | Open Feedback Hub |
| Windows logo key + G | Open Game bar when a game is open |
| Windows logo key + I | Open Settings |
| Windows logo key + J | Set focus to a Windows tip when one is available. |
| Windows logo key + O | Lock device orientation |
| Windows logo key + Q | Open search |
| Windows logo key + R | Open the Run dialog box |
| Windows logo key + S | Open search |
| Windows logo key + X | Open the Quick Link menu |
| Windows logo key + comma (,) | Temporarily peek at the desktop |
| Windows logo key + Ctrl + F | Search for PCs (if you're on a network) |
### Locked-down Ctrl+Alt+Del screen
The multi-app mode removes options (e.g. **Change a password**, **Task Manager**, **Network**) in the Ctrl+Alt+Del screen to ensure the users cannot access the functionalities that are not allowed in the lockdown experience.
### Auto-trigger touch keyboard
In the multi-app mode, the touch keyboard will be automatically triggered when there is an input needed and no physical keyboard is attached on touch-enabled devices. You dont need to configure any other setting to enforce this behavior.
## Considerations for Windows Mixed Reality immersive headsets
With the advent of [mixed reality devices (video link)](https://www.youtube.com/watch?v=u0jqNioU2Lo), you might want to create a kiosk that can run mixed reality apps.
To create a multi-app kiosk that can run mixed reality apps, you must include the following apps in the [AllowedApps list](#allowedapps):
```xml
<App AppUserModelId="MixedRealityLearning_cw5n1h2txyewy!MixedRealityLearning" />
<App AppUserModelId="HoloShell_cw5n1h2txyewy!HoloShell" />
<App AppUserModelId="Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy!App" />
```
These are in addition to any mixed reality apps that you allow.
**Before your kiosk user signs in:** An admin user must sign in to the PC, connect a mixed reality device, and complete the guided setup for the Mixed Reality Portal. The first time that the Mixed Reality Portal is set up, some files and content are downloaded. A kiosk user would not have permissions to download and so their setup of the Mixed Reality Portal would fail.
After the admin has completed setup, the kiosk account can sign in and repeat the setup. The admin user may want to complete the kiosk user setup before providing the PC to employees or customers.
There is a difference between the mixed reality experiences for a kiosk user and other users. Typically, when a user connects a mixed reality device, they begin in the [Mixed Reality home](https://developer.microsoft.com/windows/mixed-reality/navigating_the_windows_mixed_reality_home). The Mixed Reality home is a shell that runs in "silent" mode when the PC is configured as a kiosk. When a kiosk user connects a mixed reality device, they will see only a blank display in the device, and will not have access to the features and functionality available in the home. To run a mixed reality app, the kiosk user must launch the app from the PC Start screen.
## Policies set by multi-app kiosk configuration
It is not recommended to set policies enforced in assigned access multi-app mode to different values using other channels, as the multi-app mode has been optimized to provide a locked-down experience.
When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device.
### Group Policy
The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This includes local users, domain users, and Azure Active Directory users.
| Setting | Value |
| --- | --- |
Remove access to the context menus for the task bar | Enabled
Clear history of recently opened documents on exit | Enabled
Prevent users from customizing their Start Screen | Enabled
Prevent users from uninstalling applications from Start | Enabled
Remove All Programs list from the Start menu | Enabled
Remove Run menu from Start Menu | Enabled
Disable showing balloon notifications as toast | Enabled
Do not allow pinning items in Jump Lists | Enabled
Do not allow pinning programs to the Taskbar | Enabled
Do not display or track items in Jump Lists from remote locations | Enabled
Remove Notifications and Action Center | Enabled
Lock all taskbar settings | Enabled
Lock the Taskbar | Enabled
Prevent users from adding or removing toolbars | Enabled
Prevent users from resizing the taskbar | Enabled
Remove frequent programs list from the Start Menu | Enabled
Remove Pinned programs from the taskbar | Enabled
Remove the Security and Maintenance icon | Enabled
Turn off all balloon notifications | Enabled
Turn off feature advertisement balloon notifications | Enabled
Turn off toast notifications | Enabled
Remove Task Manager | Enabled
Remove Change Password option in Security Options UI | Enabled
Remove Sign Out option in Security Options UI | Enabled
Remove All Programs list from the Start Menu | Enabled Remove and disable setting
Prevent access to drives from My Computer | Enabled - Restrict all drivers
### MDM policy
Some of the MDM policies based on the [Policy configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system (i.e. system-wide).
Setting | Value | System-wide
--- | --- | ---
[Experience/AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | 0 - Not allowed | Yes
[Start/AllowPinnedFolderSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes
Start/HidePeopleBar | 1 - True (hide) | No
[Start/HideChangeAccountSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) | 1 - True (hide) | Yes
[WindowsInkWorkspace/AllowWindowsInkWorkspace](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowsinkworkspace#windowsinkworkspace-allowwindowsinkworkspace) | 0 - Access to ink workspace is disabled and the feature is turned off | Yes
[Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No
[WindowsLogon/DontDisplayNetworkSelectionUI](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | &lt;Enabled/&gt; | Yes
<span id="lnk-files" />
## Provision .lnk files using Windows Configuration Designer
First, create your desktop app's shortcut file by installing the app on a test device. Right-click the installed application, and choose **Send to** > **Desktop (create shortcut)**. Rename the shortcut to `<appName>.lnk`
Next, create a batch file with two commands. If the desktop app is already installed on the target device, skip the first command for MSI install.
```
msiexec /I "<appName>.msi" /qn /norestart
copy <appName>.lnk "%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\<appName>.lnk"
```
In Windows Configuration Designer, under **ProvisioningCommands** > **DeviceContext**:
- Under **CommandFiles**, upload your batch file, your .lnk file, and your desktop app installation file
- Under **CommandLine**, enter cmd /c *FileName*.bat

15
windows/configuration/lock-down-windows-10.md
View File

@ -1,15 +0,0 @@
---
title: Lock down Windows 10 (Windows 10)
description: Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device.
ms.assetid: 955BCD92-0A1A-4C48-98A8-30D7FAF2067D
keywords: lockdown
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security, mobile
author: jdeckerms
ms.localizationpriority: high
---
# Lock down Windows 10

56
windows/configuration/multi-app-kiosk-troubleshoot.md Normal file
View File

@ -0,0 +1,56 @@
---
title: Troubleshoot multi-app kiosk (Windows 10)
description: Tips for troubleshooting multi-app kiosk configuration.
ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
keywords: ["lockdown", "app restrictions"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: edu, security
author: jdeckerms
ms.localizationpriority: medium
ms.date: 10/05/2017
ms.author: jdecker
---
# Troubleshoot multi-app kiosk
**Applies to**
- Windows 10
## Unexpected results
For example:
- Start is not launched in full-screen
- Blocked hotkeys are allowed
- Task Manager, Cortana, or Settings can be launched
- Start layout has more apps than expected
**Troubleshooting steps**
1. [Verify that the provisioning package is applied successfully](lock-down-windows-10-to-specific-apps.md#validate-provisioning).
2. Verify that the account (config) is mapped to a profile in the configuration XML file.
3. Verify that the configuration XML file is authored and formatted correctly. Correct any configuration errors, then create and apply a new provisioning package. Sign out and sign in again to check the new configuration.
4. If the issue persists, [capture traces](https://msdn.microsoft.com/library/windows/desktop/dn904629.aspx) for components with the following GUIDs:
- 94097d3d-2a5a-5b8a-cdbd-194dd2e51a00
- ab84611c-2678-5cd7-d292-c940f9be6c6d
- f9f7f27c-5e5d-5273-468f-038e61965660
- 3e8fb07b-3e10-5981-01a9-fbd924fd5436
## Apps configured in AllowedList are blocked
1. Ensure the account is mapped to the correct profile and that the apps are specific for that profile.
2. Check the EventViewer logs for Applocker and AppxDeployment (under **Application and Services Logs\Microsoft\Windows**).
## Start layout not as expected
- Make sure the Start layout is authored correctly. Ensure that the attributes **Size**, **Row**, and **Column** are specified for each application and are valid.
- Check if the apps included in the Start layout are installed for the assigned access user.
- Check if the shortcut exists on the target device, if a desktop app is missing on Start.
## Feedback
Feedback and bugs can be submitted in the Feedback Hub. You can use the [Problems Steps Recorder](https://support.microsoft.com/help/22878/windows-10-record-steps) to reproduce the issue, and attach the resulting .zip file to your feedback.

175
windows/configuration/multi-app-kiosk-xml.md Normal file
View File

@ -0,0 +1,175 @@
---
title: Multi-app kiosk XML reference (Windows 10)
description: XML and XSD for multi-app kiosk device configuration.
ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
keywords: ["lockdown", "app restrictions", "applocker"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: edu, security
author: jdeckerms
ms.localizationpriority: medium
ms.date: 10/05/2017
ms.author: jdecker
---
# Multi-app kiosk XML reference
**Applies to**
- Windows 10
## Full XML sample
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
<App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
<App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App DesktopAppPath="%windir%\system32\mspaint.exe" />
<App DesktopAppPath="C:\Windows\System32\notepad.exe" />
</AllowedApps>
</AllAppsList>
<StartLayout>
<![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6">
<start:Group Name="Group1">
<start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
<start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
<start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
</start:Group>
<start:Group Name="Group2">
<start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" />
<start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>
]]>
</StartLayout>
<Taskbar ShowTaskbar="true"/>
</Profile>
</Profiles>
<Configs>
<Config>
<Account>MultiAppKioskUser</Account>
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
```
## XSD for AssignedAccess configuration XML
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
targetNamespace="http://schemas.microsoft.com/AssignedAccess/2017/config"
>
<xs:complexType name="profile_list_t">
<xs:sequence minOccurs="1" >
<xs:element name="Profile" type="profile_t" minOccurs="1" maxOccurs="unbounded">
<xs:unique name="duplicateRolesForbidden">
<xs:selector xpath="Profile"/>
<xs:field xpath="@Id"/>
</xs:unique>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="profile_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="AllAppsList" type="allappslist_t" minOccurs="1" maxOccurs="1">
<xs:unique name="ForbidDupApps">
<xs:selector xpath="App"/>
<xs:field xpath="@AppUserModelId"/>
<xs:field xpath="@DesktopAppPath"/>
</xs:unique>
</xs:element>
<xs:element name="StartLayout" type="xs:string" minOccurs="1" maxOccurs="1"/>
<xs:element name="Taskbar" type="taskbar_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
<xs:attribute name="Id" type="guid_t" use="required"/>
<xs:attribute name="Name" type="xs:string" use="optional"/>
</xs:complexType>
<xs:complexType name="allappslist_t">
<xs:sequence minOccurs="1" >
<xs:element name="AllowedApps" type="allowedapps_t" minOccurs="1" maxOccurs="1">
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="allowedapps_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="App" type="app_t" minOccurs="1" maxOccurs="unbounded">
<xs:key name="mutexAumidOrDesktopApp">
<xs:selector xpath="."/>
<xs:field xpath="@AppUserModelId|@DesktopAppPath"/>
</xs:key>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="app_t">
<xs:attribute name="AppUserModelId" type="xs:string"/>
<xs:attribute name="DesktopAppPath" type="xs:string"/>
</xs:complexType>
<xs:complexType name="taskbar_t">
<xs:attribute name="ShowTaskbar" type="xs:boolean" use="required"/>
</xs:complexType>
<xs:complexType name="profileId_t">
<xs:attribute name="Id" type="guid_t" use="required"/>
</xs:complexType>
<xs:simpleType name="guid_t">
<xs:restriction base="xs:string">
<xs:pattern value="\{[0-9a-fA-F]{8}\-([0-9a-fA-F]{4}\-){3}[0-9a-fA-F]{12}\}"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="config_list_t">
<xs:sequence minOccurs="1" >
<xs:element name="Config" type="config_t" minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="config_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="Account" type="xs:string" minOccurs="1" maxOccurs="1"/>
<xs:element name="DefaultProfile" type="profileId_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
<!--below is the definition of the config xml content-->
<xs:element name="AssignedAccessConfiguration">
<xs:complexType>
<xs:all minOccurs="1">
<xs:element name="Profiles" type="profile_list_t">
</xs:element>
<xs:element name="Configs" type="config_list_t"/>
</xs:all>
</xs:complexType>
</xs:element>
</xs:schema>
```

5
windows/configuration/provisioning-packages/provision-pcs-with-apps.md
View File

@ -7,6 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
ms.author: jdecker
ms.date: 10/05/2017
---
# Provision PCs with apps
@ -21,6 +23,9 @@ In Windows 10, version 1703, you can install multiple Universal Windows Platform
When you add an app in a Windows Configuration Designer wizard, the appropriate settings are displayed based on the app that you select. For instructions on adding an app using the advanced editor in Windows Configuration Designer, see [Add an app using advanced editor](#adv).
>[!IMPORTANT]
>If you plan to use Intune to manage your devices, we recommend using Intune to install Office 365 ProPlus 2016 apps (Access, Excel, OneDrive for Business, OneNote, Outlook, PowerPoint, Publisher, Skype for Business, Word, Project Online Desktop Cilent, and Visio Pro for Office 365 ProPlus). Apps that are installed using a provisioning package cannot be managed or modified using Intune. [Learn how to assign Office 365 ProPlus 2016 apps using Microsoft Intune.](https://docs.microsoft.com/intune/apps-add-office365)
## Settings for UWP apps
- **License Path**: Specify the license file if it is an app from the Microsoft Store. This is optional if you have a certificate for the app.

3
windows/configuration/provisioning-packages/provisioning-apply-package.md
View File

@ -23,6 +23,9 @@ Provisioning packages can be applied to a device during the first-run experience
## Desktop editions
>[!NOTE]
>In Windows 10, version 1709, you can interrupt a long-running provisioning process by pressing ESC.
### During initial setup, from a USB drive
1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.

2
windows/deployment/deploy-enterprise-licenses.md
View File

@ -24,7 +24,7 @@ If you are an EA customer with an existing Office 365 tenant, use the following
1. Work with your reseller to place an order for $0 SKU. There are two SKUs available, depending on their current Windows Enterprise SA license:<BR>
a. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3<BR>
b. **AAA-51068*** - Win10UsrOLSActv Alng MonthlySub Addon E5<BR>
b. **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5<BR>
2. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant.
3. The admin can now assign subscription licenses to users.

5
windows/device-security/bitlocker/bcd-settings-and-bitlocker.md
View File

@ -126,11 +126,12 @@ This following is a full list of BCD settings with friendly names which are igno
| 0x15000042 | all| keyringaddress|
| 0x15000047 | all| configaccesspolicy|
| 0x1500004b | all| integrityservices|
| 0x1500004c|all| volumebandid|
| 0x1500004c | all| volumebandid|
| 0x15000051 | all| initialconsoleinput|
| 0x15000052 | all| graphicsresolution|
| 0x15000065 | all| displaymessage|
| 0x15000066| all| displaymessageoverride|
| 0x15000066 | all| displaymessageoverride|
| 0x15000081 | all| logcontrol|
| 0x16000009 | all| recoveryenabled|
| 0x1600000b | all| badmemoryaccess|
| 0x1600000f | all| traditionalkseg|

28
windows/device-security/bitlocker/bitlocker-group-policy-settings.md
View File

@ -237,7 +237,7 @@ On a computer with a compatible TPM, four types of authentication methods can be
- only the TPM for authentication
- insertion of a USB flash drive containing the startup key
- the entry of a 6-digit to 20-digit personal identification number (PIN)
- the entry of a 4-digit to 20-digit personal identification number (PIN)
- a combination of the PIN and the USB flash drive
There are four options for TPM-enabled computers or devices:
@ -323,7 +323,7 @@ This policy setting is used to set a minimum PIN length when you use an unlock m
<tbody>
<tr class="odd">
<td align="left"><p><strong>Policy description</strong></p></td>
<td align="left"><p>With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits, and it can have a maximum length of 20 digits.</p></td>
<td align="left"><p>With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6.</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Introduced</strong></p></td>
@ -347,14 +347,34 @@ This policy setting is used to set a minimum PIN length when you use an unlock m
</tr>
<tr class="odd">
<td align="left"><p><strong>When disabled or not configured</strong></p></td>
<td align="left"><p>Users can configure a startup PIN of any length between 6 and 20 digits.</p></td>
<td align="left"><p>Users can configure a startup PIN of any length between 4 and 20 digits.</p></td>
</tr>
</tbody>
</table>
 
**Reference**
This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.
This policy setting is applied when you turn on BitLocker.
The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.
Originally, BitLocker allowed from 4 to 20 characters for a PIN.
Windows Hello has its own PIN for logon, which can be 4 to 127 characters.
Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability.
For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time.
A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours.
This totals a maximum of about 4415 guesses per year.
If the PIN is 4 digits, all 9999 possible PIN combinations could be attempted in a little over two years.
Increasing the PIN length requires a greater number of guesses for an attacker.
In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection.
Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello.
To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters.
If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended.
### Disable new DMA devices when this computer is locked

6
windows/device-security/change-history-for-device-security.md
View File

@ -11,6 +11,12 @@ author: brianlic-msft
# Change history for device security
This topic lists new and updated topics in the [Device security](index.md) documentation.
## September 2017
|New or changed topic |Description |
|---------------------|------------|
| [TPM fundamentals](tpm/tpm-fundamentals.md)<br>[BitLocker Group Policy settings](bitlocker/bitlocker-group-policy-settings.md) | Explained the change to allow reducing the maximum PIN length from 6 characters to 4. |
## August 2017
|New or changed topic |Description |
|---------------------|------------|

29
windows/device-security/tpm/tpm-fundamentals.md
View File

@ -97,10 +97,7 @@ Because many entities can use the TPM, a single authorization success cannot res
TPM 2.0 has well defined anti-hammering behavior. This is in contrast to TPM 1.2 for which the anti-hammering protection was implemented by the manufacturer, and the logic varied widely throughout the industry.
> [!WARNING]
> For the purposes of this topic, Windows 8 Certified Hardware also pertains to Windows 8.1 systems. The following references to “Windows” include these supported Windows versions.
For Windows 8 Certified Hardware systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every two hours. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts.
For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every two hours. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts.
Attempts to use a key with an authorization value for the next two hours would not return success or failure; instead the response indicates that the TPM is locked. After two hours, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31, so the TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next two hours. If a period of 64 hours elapses with no authorization failures, the TPM does not remember any authorization failures, and 32 failed attempts could occur again.
@ -112,10 +109,28 @@ In some enterprise situations, the TPM owner authorization value is configured t
TPM 2.0 allows some keys to be created without an authorization value associated with them. These keys can be used when the TPM is locked. For example, BitLocker with a default TPM-only configuration is able to use a key in the TPM to start Windows, even when the TPM is locked.
### Rationale behind the Windows 8.1 and Windows 8 defaults
### Rationale behind the defaults
Windows relies on the TPM 2.0 anti-hammering protection for multiple features. The defaults that are selected for Windows 8 balance trade-offs for different scenarios.
For example, when BitLocker is used with a TPM plus PIN configuration, it needs the number of PIN guesses to be limited over time. If the computer is lost, someone could make only 32 PIN guesses immediately, and then only one more guess every two hours. This totals about 4415 guesses per year. This makes a good standard for system administrators to determine how many PIN characters to use for BitLocker deployments.
Originally, BitLocker allowed from 4 to 20 characters for a PIN.
Windows Hello has its own PIN for logon, which can be 4 to 127 characters.
Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](trusted-platform-module-services-group-policy-settings.md)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability.
For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time.
A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours.
This totals a maximum of about 4415 guesses per year.
If the PIN is 4 digits, all 9999 possible PIN combinations could be attempted in a little over two years.
Increasing the PIN length requires a greater number of guesses for an attacker.
In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection.
Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello.
To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters.
If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended.
### TPM-based smart cards
The Windows TPM-based smart card, which is a virtual smart card, can be configured to allow sign in to the system. In contrast with physical smart cards, the sign-in process uses a TPM-based key with an authorization value. The following list shows the advantages of virtual smart cards:

2
windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
View File

@ -79,7 +79,7 @@ You can create a custom dashboard in Power BI Desktop to create visualizations t
8. Select **New table and matrix visuals** and **Custom data connectors** and click **OK**.
>[NOTE]
>[!NOTE]
>If you are using Power BI Desktop July 2017 version (or later), you won't need to select **New table and matrix visuals**. You'll only need to select **Custom data connectors**.
![Power BI options page](images/atp-powerbi-options.png)

2
windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
View File

@ -129,7 +129,7 @@ The following requirements must be met before Attack Surface Reduction will work
Windows 10 version | Windows Defender Antivirus
- | -
Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled

2
windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
View File

@ -62,7 +62,7 @@ The following requirements must be met before Controlled Folder Access will work
Windows 10 version | Windows Defender Antivirus
-|-
Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled
## Review Controlled Folder Access events in Windows Event Viewer

7
windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
View File

@ -79,8 +79,7 @@ See the [Attack Surface Reduction](attack-surface-reduction-exploit-guard.md) to
- Disabled = 0
- Audit mode = 2
![](images/asr-rules-gp.png)
![](images/asr-rules-gp.png)
@ -91,13 +90,13 @@ See the [Attack Surface Reduction](attack-surface-reduction-exploit-guard.md) to
2. Enter the following cmdlet:
```PowerShell
Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID>
Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Enabled
```
You can enable the feature in audit mode using the following cmdlet:
```PowerShell
Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode
Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions AuditMode
```
Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off.

1
windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
View File

@ -9,7 +9,6 @@ ms.pagetype: security
author: eross-msft
ms.localizationpriority: high
---
# Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings
**Applies to:**