From 1fdb176e4464b5384352393bd1399cdac233b4e5 Mon Sep 17 00:00:00 2001 From: Patti Short Date: Wed, 18 Apr 2018 16:30:34 -0700 Subject: [PATCH 1/5] validated the version for each policy and ensuring RS4 policies were complete --- browsers/edge/available-policies.md | 31 ++++++++++++++++------------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index 3766535880..1dd3c2d38a 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -27,6 +27,21 @@ Microsoft Edge works with the following Group Policy settings to help you manage Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\ +## Allow a shared books folder +>*Supported versions: Windows 10, version 1803* + +This policy setting specifies whether organizations should use a folder shared across users to store books from the Books Library. + +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[UseSharedFolderForBooks](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | +|Supported devices |Desktop | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/UseSharedFolderForBooks | +|Data type | Integer | +|Allowed values | | + + ## Allow Address bar drop-down list suggestions >*Supporteded versions: Windows 10, version 1703 or later* @@ -74,7 +89,7 @@ Your browsing data is the information that Microsoft Edge remembers and stores a |Allowed values | | ## Allow configuration updates for the Books Library ->*Supporteded versions: Windows 10* +>*Supporteded versions: Windows 10, version 1803* Microsoft Edge automatically retrieves the configuration data for the Books Library, when this policy is enabled or not configured. If disabled, Microsoft Edge does not retrieve the Books configuration data. 
@@ -118,7 +133,7 @@ F12 developer tools is a suite of tools to help you build and debug your webpage |Allowed values | | ## Allow extended telemetry for the Books tab ->*Supporteded versions: Windows 10* +>*Supporteded versions: Windows 10, version 1803* If you enable this policy, both basic and additional diagnostic data is sent to Microsoft about the books you are reading from Books in Microsoft Edge. By default, this policy is disabled or not configured and only basic diagnostic data, depending on your device configuration, is sent to Microsoft. @@ -598,19 +613,7 @@ This policy setting specifies whether you see an additional page in Microsoft Ed |Data type | Integer | |Allowed values | | -## User shared folder for books ->*Supported versions: Windows 10* -This policy setting specifies whether organizations should use a folder shared across users to store books from the Books Library. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[UseSharedFolderForBooks](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/UseSharedFolderForBooks | -|Data type | Integer | -|Allowed values | | ## Related topics From be9c9592dd770d70bf76c1e649daf06273e89927 Mon Sep 17 00:00:00 2001 From: Patti Short Date: Fri, 20 Apr 2018 13:14:22 -0700 Subject: [PATCH 2/5] updated the content for SSO conditional access --- .../vpn/vpn-conditional-access.md | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index 26fe73a382..0b9edcf96d 100644 --- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md 
@@ -51,7 +51,7 @@ The following client-side components are also required: - Trusted Platform Module (TPM) ## VPN device compliance -According to the VPNv2 CSP, these settings options are **Optional**. If you want your users to access on-premises resources, such as files on a network share, based on the credential of a certificate that was issued by an on-premises CA, and not the Cloud CA certificate, you add these settings to the VPNv2 profile. Alternatively, if you add the cloud root certs to the NTAuth store in on-prem AD, your user's cloud cert will chain and KDC will issue TGT and TGS tickets to them. +According to the VPNv2 CSP, these settings options are **Optional**. If you want your users to access on-premises resources, such as files on a network share, based on the credential of a certificate that was issued by an on-premises CA, and not the Cloud CA certificate, you add these settings to the VPNv2 profile. Alternatively, if you add the cloud root certificates to the NTAuth store in on-prem AD, your user's cloud certificate will chain and KDC will issue TGT and TGS tickets to them. Server-side infrastructure requirements to support VPN device compliance include: @@ -61,6 +61,8 @@ Server-side infrastructure requirements to support VPN device compliance include - Domain servers trust Azure AD CA - A domain-trusted certificate is deployed to the client device and is configured to be used for single sign-on (SSO) + + After the server side is set up, VPN admins can add the policy settings for conditional access to the VPN profile using the VPNv2 DeviceCompliance node. Two client-side configuration service providers are leveraged for VPN device compliance. 
@@ -77,8 +79,12 @@ Two client-side configuration service providers are leveraged for VPN device com - Provisions the Health Attestation Certificate received from the HAS - Upon request, forwards the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification +>[!NOTE] +>Enabling SSO is not necessarily required unless you want VPN users to be issued Kerberos tickets to access on-premises resources using a certificate issued by the on-premises CA; not the cloud certificate issued by AAD. + + ## Client connection flow -The VPN client side connection flow works as follows: +The VPN client side connection flow works as follows: ![Device compliance workflow when VPN client attempts to connect](images/vpn-device-compliance.png) @@ -94,13 +100,6 @@ When a VPNv2 Profile is configured with \ \true<\/Ena See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration. -The following image shows conditional access options in a VPN Profile configuration policy using Microsoft Intune. - -![conditional access in profile](images/vpn-conditional-access-intune.png) - ->[!NOTE] ->In Intune, the certificate selected in **Select a client certificate for client authentication** does not set any VPNv2 CSP nodes. It is simply a way to tie the VPN profile’s successful provisioning to the existence of a certificate. If you are enabling conditional access and using the Azure AD short-lived certificate for both VPN server authentication and domain resource authentication, do not select a certificate since the short-lived certificate is not a certificate that would be on the user’s device yet. - ## Learn more about Conditional Access and Azure AD Health - [Azure Active Directory conditional access](https://azure.microsoft.com/documentation/articles/active-directory-conditional-access/) 
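Review bot: The two rewritten version lines in [PATCH 1/5], under "Allow configuration updates for the Books Library" and "Allow extended telemetry for the Books tab" in browsers/edge/available-policies.md, still read ">*Supporteded versions: Windows 10, version 1803*". Since these lines are being replaced anyway, spell it "Supported", matching the ">*Supported versions: Windows 10, version 1803*" line this same patch adds under "Allow a shared books folder". That section is also renamed from "User shared folder for books" while being moved, which changes its heading anchor, so the commit message should mention the rename.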
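Review bot: The reworded NTAuth sentence in [PATCH 2/5], hunk @@ -51,7 +51,7 @@ of vpn-conditional-access.md, still ends with "KDC will issue TGT and TGS tickets to them", where "them" has no clear antecedent, and it still presents adding the cloud root certificates to NTAuth as a plain alternative. The NTAuth store is what marks a CA as trusted to issue authentication certificates for the domain, so the sentence should say that the domain will then accept certificates chaining to the cloud root for Kerberos sign-in. That lets readers weigh it against the on-premises CA option. Suggest ending the sentence with "to the user".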
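Review bot: The note added in [PATCH 2/5], hunk @@ -77,8 +79,12 @@, is hard to parse: "not necessarily required unless" hedges twice, and the semicolon before "not the cloud certificate issued by AAD" splits a single clause. Suggest "SSO is needed only if you want VPN users to be issued Kerberos tickets for on-premises resources using a certificate issued by the on-premises CA rather than the cloud certificate issued by Azure AD". The note also lands after the HealthAttestation CSP bullets, while the paragraph it qualifies is the first one under "VPN device compliance". Moving it there keeps the SSO guidance in one place, and "Azure AD" matches the "Domain servers trust Azure AD CA" bullet.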
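Review bot: The last hunk of [PATCH 2/5] (@@ -94,13 +100,6 @@) deletes the Intune note together with the screenshot, and that note carried configuration guidance. It said that the certificate chosen in **Select a client certificate for client authentication** sets no VPNv2 CSP nodes, and that no certificate should be selected when the Azure AD short-lived certificate is used for both VPN server authentication and domain resource authentication. Nothing else in the patch restates this, and the commit message ("updated the content for SSO conditional access") does not say it is obsolete. Keep the note as text if only the image is outdated, or state in the commit message why the guidance no longer applies.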
From 315b0edfdb5e6381e14fbd7387d472956220123a Mon Sep 17 00:00:00 2001 From: Patti Short Date: Fri, 20 Apr 2018 14:13:01 -0700 Subject: [PATCH 3/5] final adjustment of content --- browsers/edge/available-policies.md | 47 ++----------------- .../vpn/vpn-conditional-access.md | 8 +--- 2 files changed, 5 insertions(+), 50 deletions(-) diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index 1dd3c2d38a..fcdd64629c 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -3,12 +3,13 @@ description: Microsoft Edge works with Group Policy and Microsoft Intune to help ms.assetid: 2e849894-255d-4f68-ae88-c2e4e31fa165 author: shortpatti ms.author: pashort +manager: elizapo ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library title: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) ms.localizationpriority: high -ms.date: 4/5/2018 #Previsou release date 09/13/2017 +ms.date: 4/20/2018 #Previous release date 09/13/2017 --- # Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge @@ -27,21 +28,6 @@ Microsoft Edge works with the following Group Policy settings to help you manage Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\ -## Allow a shared books folder ->*Supported versions: Windows 10, version 1803* - -This policy setting specifies whether organizations should use a folder shared across users to store books from the Books Library. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[UseSharedFolderForBooks](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | -|Supported devices |Desktop | -|URI full path |./Vendor/MSFT/Policy/Config/Browser/UseSharedFolderForBooks | -|Data type | Integer | -|Allowed values |
  • **0** - No shared folder.
  • **1** - Use as shared folder.
| - - ## Allow Address bar drop-down list suggestions >*Supporteded versions: Windows 10, version 1703 or later* @@ -88,20 +74,6 @@ Your browsing data is the information that Microsoft Edge remembers and stores a |Data type | Integer | |Allowed values |
  • **0 (default)** - Browsing data is not cleared on exit. The type of browsing data to clear can be configured by the employee in the Clear browsing data options under Settings.
  • **1** - Browsing data is cleared on exit.
| -## Allow configuration updates for the Books Library ->*Supporteded versions: Windows 10, version 1803* - -Microsoft Edge automatically retrieves the configuration data for the Books Library, when this policy is enabled or not configured. If disabled, Microsoft Edge does not retrieve the Books configuration data. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[AllowConfigurationUpdateForBooksLibrary ](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | -|Supported devices |Desktop | -|URI full path | ./Vendor/MSFT/Policy/Config/Browser/AllowConfigurationUpdateForBooksLibrary | -|Data type | Integer | -|Allowed values |
  • **0** - Disable. Microsoft Edge cannot retrieve a configuration.
  • **1 (default)** - Enable (default). Microsoft Edge can retrieve a configuration for Books Library.
| - ## Allow Cortana >*Supported versions: Windows 10, version 1607 or later* @@ -132,19 +104,6 @@ F12 developer tools is a suite of tools to help you build and debug your webpage |Data type | Integer | |Allowed values |
  • **0** - The F12 Developer Tools are disabled.
  • **1 (default)** - The F12 Developer Tools are enabled.
| -## Allow extended telemetry for the Books tab ->*Supporteded versions: Windows 10, version 1803* - -If you enable this policy, both basic and additional diagnostic data is sent to Microsoft about the books you are reading from Books in Microsoft Edge. By default, this policy is disabled or not configured and only basic diagnostic data, depending on your device configuration, is sent to Microsoft. - -**Microsoft Intune to manage your MDM settings** -| | | -|---|---| -|MDM name |[EnableExtendedBooksTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | -|Supported devices |Desktop
Mobile | -|URI full path | ./Vendor/MSFT/Policy/Config/Browser/EnableExtendedBooksTelemetry | -|Data type | Integer | -|Allowed values |
  • **0 (default)** - Disable. Only basic diagnostic data is sent.
  • **1** - Enable. Both Basic and additional diagnostic data is sent.
| ## Allow Extensions >*Supporteded versions: Windows 10, version 1607 or later* @@ -212,7 +171,7 @@ This policy setting lets you configure what appears when a New Tab page is opene ## Always Enable book library ->*Supporteded versions: Windows 10* +>*Supporteded versions: Windows 10, version 1709 or later* This policy settings specifies whether to always show the Books Library in Microsoft Edge. By default, this setting is disabled, which means the library is only visible in countries or regions where available. if enabled, the Books Library is always shown regardless of countries or region of activation. diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index 0b9edcf96d..7d22c3efb9 100644 --- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md @@ -7,9 +7,10 @@ ms.sitesec: library ms.pagetype: security, networking author: shortpatti ms.author: pashort +manager: elizapo ms.reviewer: ms.localizationpriority: high -ms.date: 04/17/2018 +ms.date: 04/20/2018 --- # VPN and conditional access @@ -44,7 +45,6 @@ Conditional Access Platform components used for Device Compliance include the fo - Encryption compliance - Device health attestation state (validated against attestation service after query) - The following client-side components are also required: - [HealthAttestation Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn934876.aspx) - [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) DeviceCompliance node settings 
@@ -61,8 +61,6 @@ Server-side infrastructure requirements to support VPN device compliance include - Domain servers trust Azure AD CA - A domain-trusted certificate is deployed to the client device and is configured to be used for single sign-on (SSO) - - After the server side is set up, VPN admins can add the policy settings for conditional access to the VPN profile using the VPNv2 DeviceCompliance node. Two client-side configuration service providers are leveraged for VPN device compliance. @@ -111,9 +109,7 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.m - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/16/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4/) - ## Related topics - - [VPN technical guide](vpn-guide.md) - [VPN connection types](vpn-connection-type.md) - [VPN routing decisions](vpn-routing.md) From 016d7e0240e889f289007c1195f485c67f14a8fe Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Fri, 20 Apr 2018 21:14:49 +0000 Subject: [PATCH 4/5] Merged PR 7353: Accounts CSP - new configuration service provider --- windows/client-management/mdm/TOC.md | 2 + windows/client-management/mdm/accounts-csp.md | 51 +++++ .../mdm/accounts-ddf-file.md | 179 ++++++++++++++++++ ...onfiguration-service-provider-reference.md | 30 ++- .../mdm/images/provisioning-csp-accounts.png | Bin 0 -> 9090 bytes ...ew-in-windows-mdm-enrollment-management.md | 9 +- .../mdm/policy-csp-kioskbrowser.md | 2 +- 7 files changed, 270 insertions(+), 3 deletions(-) create mode 100644 windows/client-management/mdm/accounts-csp.md create mode 100644 windows/client-management/mdm/accounts-ddf-file.md create mode 100644 windows/client-management/mdm/images/provisioning-csp-accounts.png diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index b0b0610178..659b090224 100644 
--- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -70,6 +70,8 @@ ## [Configuration service provider reference](configuration-service-provider-reference.md) ### [AccountManagement CSP](accountmanagement-csp.md) #### [AccountManagement DDF file](accountmanagement-ddf.md) +### [Accounts CSP](accounts-csp.md) +#### [Accounts DDF file](accounts-ddf-file.md) ### [ActiveSync CSP](activesync-csp.md) #### [ActiveSync DDF file](activesync-ddf-file.md) ### [AllJoynManagement CSP](alljoynmanagement-csp.md) diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md new file mode 100644 index 0000000000..0cec8a8ad3 --- /dev/null +++ b/windows/client-management/mdm/accounts-csp.md 
@@ -0,0 +1,51 @@ +--- +title: Accounts CSP +description: The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and joint it to a local user group. +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 04/17/2018 +--- + +# Accounts CSP + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and joint it to a local user group. This CSP was added in Windows 10, version 1803. + + +The following diagram shows the Accounts configuration service provider in tree format. + +![Accounts CSP diagram](images/provisioning-csp-accounts.png) + +**./Device/Vendor/MSFT/Accounts** +Root node. + +**Domain** +Interior node for the account domain information. + +**Domain/ComputerName** +This node specifies the name for a device. This setting can be managed remotely. A couple of macros can be embedded within the value for dynamic substitution: %RAND:<# of digits>% and %SERIAL%. + +Examples: (a) "Test%RAND:6%" will generate a name "Test" followed by 6 random digits (e.g., "Test123456"). (b) "Foo%SERIAL%", will generate a name "Foo" followed by the serial number derived from device's ID. The server must explicitly reboot the device for this value to take effect. + +Supported operation is Add. + +**Users** +Interior node for the user account information. + +**Users/_UserName_** +This node specifies the username for a new local user account. This setting can be managed remotely. + +**Users/_UserName_/Password** +This node specifies the password for a new local user account. This setting can be managed remotely. 
+ +Supported operation is Add. + +**Users/_UserName_/LocalUserGroup** +This optional node specifies the local user group that a local user account should be joined to. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely. + +Supported operation is Add. \ No newline at end of file diff --git a/windows/client-management/mdm/accounts-ddf-file.md b/windows/client-management/mdm/accounts-ddf-file.md new file mode 100644 index 0000000000..311ed73e93 --- /dev/null +++ b/windows/client-management/mdm/accounts-ddf-file.md 
@@ -0,0 +1,179 @@ +--- +title: Accounts DDF file +description: XML file containing the device description framework +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 04/17/2018 +--- + +# Accounts CSP + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +This topic shows the OMA DM device description framework (DDF) for the **Accounts** configuration service provider. + +The XML below is for Windows 10, version 1803. + +``` syntax + +]> + + 1.2 + + Accounts + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + + com.microsoft/1.0/MDM/Accounts + + + + Domain + + + + + + + + + + + + + + + + + + ComputerName + + + + + This node specifies the name for a device. This setting can be managed remotely. A couple of macros can be embedded within the value for dynamic substitution: %RAND:<# of digits>% and %SERIAL%. Examples: (a) "Test%RAND:6%" will generate a name "Test" followed by 6 random digits (e.g., "Test123456"). (b) "Foo%SERIAL%", will generate a name "Foo" followed by the serial number derived from device's ID. The server must explicitly reboot the device for this value to take effect. + + + + + + + + + + + + + ComputerName + + text/plain + + + + + + Users + + + + + + + + + + + + + + + + + + + + + + This node specifies the username for a new local user account. This setting can be managed remotely. + + + + + + + + + + UserName + + + + + + Password + + + + + This node specifies the password for a new local user account. This setting can be managed remotely. + + + + + + + + + + Password + + text/plain + + + + + LocalUserGroup + + + + + 1 + This optional node specifies the local user group that a local user account should be joined to. If the node is not set, the new local user account is joined just to the Standard Users group. 
Set the value to 2 for Administrators group. This setting can be managed remotely. + + + + + + + + + + + text/plain + + + + + + + +``` \ No newline at end of file diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 85c2515f2c..25ce5fcc58 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 03/23/2018 +ms.date: 04/20/2018 --- # Configuration service provider reference @@ -64,6 +64,34 @@ Footnotes: + +[Accounts CSP](accounts-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark4cross markcheck mark4check mark4cross markcross mark
+ + + + [ActiveSync CSP](activesync-csp.md) 
diff --git a/windows/client-management/mdm/images/provisioning-csp-accounts.png b/windows/client-management/mdm/images/provisioning-csp-accounts.png new file mode 100644 index 0000000000000000000000000000000000000000..ceb90aff58271d542a1b1936ce706c9497f52d73 GIT binary patch literal 9090
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 6270e63cb6..6c8aea7fd4 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -1340,7 +1340,6 @@ For details about Microsoft mobile device management protocols for Windows 10 s [AccountManagement CSP](accountmanagement-csp.md)

Added a new CSP in Windows 10, version 1803.

- [RootCATrustedCertificates CSP](rootcacertificates-csp.md) @@ -1356,6 +1355,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s
  • ProxySettingsPerUser
  • + +[Accounts CSP](accounts-csp.md) +

    Added a new CSP in Windows 10, version 1803.

    + @@ -1654,6 +1657,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware +[Accounts CSP](accounts-csp.md) +

    Added a new CSP in Windows 10, version 1803.

    + + [Policy CSP](policy-configuration-service-provider.md)

    Added the following new policies for Windows 10, version 1803:

      diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md index 863f6e7bce..f662a910d4 100644 --- a/windows/client-management/mdm/policy-csp-kioskbrowser.md +++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md @@ -223,7 +223,7 @@ Added in Windows 10, version 1803. Configures the default URL kiosk browsers to -Enables kiosk browser's end session button. When the policy is enabled, the kiosk browser enables a button to reset the browser by navigating back to the default URL and clearing the browsing data (cache, cookies, etc). When the user clicks on the button, the app will prompt the user for confirmation to end the session. +Shows the Kiosk Browser's end session button. When the policy is enabled, the Kiosk Browser app shows a button to reset the browser. When the user clicks on the button, the app will prompt the user for confirmation to end the session. When the user confirms, the Kiosk broswser will clear all browsing data (cache, cookies, etc.) and navigate back to the default URL. From b43942da488c9a308e556d01811049b5f1d4ee3a Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Fri, 20 Apr 2018 21:15:08 +0000 Subject: [PATCH 5/5] Merged PR 7347: added default level for Pro --- devices/surface-hub/device-reset-surface-hub.md | 5 +++-- ...configure-windows-diagnostic-data-in-your-organization.md | 2 +- windows/configuration/guidelines-for-assigned-access-app.md | 3 --- 3 files changed, 4 insertions(+), 6 deletions(-) diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md index d5d8bbf104..a595ea198c 100644 --- a/devices/surface-hub/device-reset-surface-hub.md +++ b/devices/surface-hub/device-reset-surface-hub.md 
@@ -60,6 +60,9 @@ If you see a blank screen for long periods of time during the **Reset device** p In the Windows Recovery Environment (Windows RE), you can recover your device by downloading a factory build from the cloud and installing it on the Surface Hub. This allows devices in an unusable state to recover without requiring assistance from Microsoft Support. +>[!NOTE] +>The **Recover from the cloud** process requires an open internet connection (no proxy, or other authentications). An ethernet connection is recommended. + ### Recover a Surface Hub in a bad state If the device account gets into an unstable state or the Admin account is running into issues, you can use cloud recovery in **Settings**. You should only use cloud recovery when [reset](#reset-a-surface-hub-from-settings) doesn't fix the problem. @@ -77,8 +80,6 @@ On rare occasions, a Surface Hub may encounter an error while cleaning up user a 1. From the welcome screen, toggle the Surface Hub's power switch 3 times. Wait a few seconds between each toggle. See the [Surface Hub Site Readiness Guide](https://www.microsoft.com/surface/support/surface-hub/surface-hub-site-readiness-guide) for help with locating the power switch. 2. The device should automatically boot into Windows RE. 3. After the Surface Hub enters Windows RE, select **Recover from the cloud**. (Optionally, you can choose **Reset**, however **Recover from the cloud** is the recommended approach.) - >[!NOTE] - >When using **Recover from the cloud**, an ethernet connection is recommended. ![Recover from the cloud](images/recover-from-cloud.png) diff --git a/windows/configuration/configure-windows-diagnostic-data-in-your-organization.md b/windows/configuration/configure-windows-diagnostic-data-in-your-organization.md index dab1a8d1a9..b3e7a68de0 100644 --- a/windows/configuration/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/configuration/configure-windows-diagnostic-data-in-your-organization.md 
@@ -311,7 +311,7 @@ In Windows 10, version 1709, we introduce the **Limit Enhanced diagnostic data t ### Full level -The **Full** level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the **Basic**, **Enhanced**, and **Security** levels. +The **Full** level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the **Basic**, **Enhanced**, and **Security** levels. This is the default level for Windows 10 Pro. Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level. diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index 751dcc8f7b..db93aea7b6 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -83,9 +83,6 @@ Follow the [best practices guidance for developing a kiosk app for assigned acce The above guidelines may help you select or develop an appropriate Windows app for your assigned access experience. Once you have selected your app, we recommend that you thoroughly test the assigned access experience to ensure that your device provides a good customer experience. -## Learn more - -[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)
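Review bot: In the policy-csp-kioskbrowser.md hunk, the last sentence of the added line misspells the app name as "Kiosk broswser", while the same line uses "Kiosk Browser" twice before it. Correct the spelling and capitalization so the name is consistent. The new wording otherwise makes the order explicit (the user confirms, then browsing data is cleared and the browser returns to the default URL), which is worth keeping, since this button is what separates one kiosk user's cache and cookies from the next.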
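Review bot: In device-reset-surface-hub.md, the parenthetical in the new note, "(no proxy, or other authentications)", is ambiguous about what the network must allow; something like "an internet connection that does not require a proxy or other authentication" reads more clearly, and "ethernet" should be capitalized. The second hunk also removes the note from step 3, so someone following the numbered steps no longer sees the connection requirement at the point where they select **Recover from the cloud**. Consider pointing back to the note from that step.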
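Review bot: In configure-windows-diagnostic-data-in-your-organization.md, the added sentence "This is the default level for Windows 10 Pro." is tacked onto the end of the paragraph listing which levels **Full** includes, where it is easy to miss. Because the default decides what a device sends when no administrator has configured anything, it deserves its own line or a note at the top of the section. While touching this section, the following context paragraph has a stray period in "app responsiveness. that can show" that could be fixed in the same change.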
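Review bot: The guidelines-for-assigned-access-app.md hunk deletes the "## Learn more" section and its Channel 9 link, but the commit subject only says "added default level for Pro". Either mention the removal and the reason for it in the commit message or move it to a separate change, so the history explains why the reference was dropped.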