Adding content

This commit is contained in:
LizRoss
2017-02-16 11:13:03 -08:00
parent 5a04429fae
commit 62597bcd97
18 changed files with 2526 additions and 41 deletions

View File

@ -1,5 +0,0 @@
---
title: Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune (Windows 10)
description: After you've created and deployed your enterprise data protection (EDP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your EDP policy.
redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/create-vpn-and-wip-policy-using-intune
---
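Review bot: Removing this stub drops the `redirect_url` entry that sends the old EDP page to `create-vpn-and-wip-policy-using-intune`, and nothing in this hunk replaces it. If the old URL is still linked from anywhere, keep the stub or confirm the redirect is handled elsewhere before merging. The same question applies to the other redirect stubs removed in this commit, which the commit message "Adding content" does not mention.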

View File

@ -1,5 +0,0 @@
---
title: Deploy your enterprise data protection (EDP) policy using Microsoft Intune (Windows 10)
description: After youve created your enterprise data protection (EDP) policy, you'll need to deploy it to your organization's enrolled devices.
redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/deploy-wip-policy-using-intune
---

View File

@ -1,5 +0,0 @@
---
title: List of enlightened Microsoft apps for use with enterprise data protection (EDP) (Windows 10)
description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your Protected Apps list.
redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip
---

View File

@ -1,5 +0,0 @@
---
title: General guidance and best practices for enterprise data protection (EDP) (Windows 10)
description: This section includes info about the enlightened Microsoft apps, including how to add them to your Protected Apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with enterprise data protection (EDP).
redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip
---

View File

@ -1,5 +0,0 @@
---
title: Create an enterprise data protection (EDP) policy (Windows 10)
description: Microsoft Intune and System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy
---

View File

@ -1,5 +0,0 @@
---
title: Protect your enterprise data using enterprise data protection (EDP) (Windows 10)
description: With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprises control.
redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip
---

View File

@ -1,5 +0,0 @@
---
title: Testing scenarios for enterprise data protection (EDP) (Windows 10)
description: We've come up with a list of suggested testing scenarios that you can use to test enterprise data protection (EDP) in your company.
redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/testing-scenarios-for-wip
---

View File

@ -1,5 +0,0 @@
---
title: Windows Information Protection overview (Windows 10)
description: Conceptual info about Windows Information Protection (WIP), formerly known as Windows Information Protection (WIP).
redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip
---

View File

@ -0,0 +1,89 @@
---
title: Set up a device for anyone to use (kiosk mode) (Windows 10)
description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app.
ms.assetid: F1F4FF19-188C-4CDC-AABA-977639C53CA8
keywords: ["kiosk", "lockdown", "assigned access"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# Set up a device for anyone to use (kiosk mode)
**Applies to**
- Windows 10
- Windows 10 Mobile
**Looking for Windows Embedded 8.1 Industry information?**
- [Assigned Access]( https://go.microsoft.com/fwlink/p/?LinkId=613653)
You can configure a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise as a kiosk device, so that users can only interact with a single application that you select.
Do you need a computer that can only do one thing? For example:
- A device in the lobby that customers can use to view your product catalog.
- A portable device that drivers can use to check a route on a map.
- A device that a temporary worker uses to enter data.
The following table identifies the type of application that can be used on each Windows 10 edition to create a kiosk device.
> [!NOTE]  
> A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file.
 
| Windows 10 edition | Universal Windows app | Classic Windows application |
|--------------------|------------------------------------|--------------------------------------|
| Mobile | ![supported](images/checkmark.png) | ![unsupported](images/crossmark.png) |
| Mobile Enterprise | ![supported](images/checkmark.png) | ![unsupported](images/crossmark.png) |
| Pro | ![supported](images/checkmark.png) | ![unsupported](images/crossmark.png) |
| Enterprise | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) |
| Education | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) |
 
## In this section
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)</p></td>
<td align="left"><p>A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the <strong>assigned access</strong> feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use <strong>Shell Launcher</strong> to set a custom user interface as the shell.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)</p></td>
<td align="left"><p>A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise for kiosk mode by using the Apps Corner feature. You can also use the Enterprise Assigned Access configuration service provider (CSP) to configure a kiosk experience.</p></td>
</tr>
</tbody>
</table>
 ## Learn more
[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)
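Review bot: The "In this section" table is raw HTML with Markdown links inside the `<td><p>` cells, for example `[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)`, and many Markdown renderers leave Markdown inside an HTML block as literal text. Use a pipe table like the edition table earlier in this file, or change the cell links to `<a href>`. Also, the link under "Looking for Windows Embedded 8.1 Industry information?" has a space after the opening parenthesis (`[Assigned Access]( https://go.microsoft.com/fwlink/p/?LinkId=613653)`), which should be removed.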
 
 

View File

@ -0,0 +1,444 @@
---
title: Set up a kiosk on Windows 10 Pro, Enterprise, or Education (Windows 10)
description: A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education).
ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
keywords: ["assigned access", "kiosk", "lockdown"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# Set up a kiosk on Windows 10 Pro, Enterprise, or Education
**Applies to**
- Windows 10
> **Looking for Windows Embedded 8.1 Industry information?** See [Assigned Access]( https://go.microsoft.com/fwlink/p/?LinkId=613653)
A single-use or *kiosk* device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the **assigned access** feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use **Shell Launcher** to set a custom user interface as the shell. To return the device to the regular shell, see [Sign out of assigned access](#sign-out-of-assigned-access).
**Note**  
A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file.
 
## Other settings to lock down
For a more secure kiosk experience, we recommend that you make the following configuration changes to the device:
- Put device in **Tablet mode**.
If you want users to be able to use the touch (on screen) keyboard, go to **Settings** &gt; **System** &gt; **Tablet mode** and choose **On.**
- Hide **Ease of access** feature on the logon screen.
Go to **Control Panel** &gt; **Ease of Access** &gt; **Ease of Access Center**, and turn off all accessibility tools.
- Disable the hardware power button.
Go to **Power Options** &gt; **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
- Remove the power button from the sign-in screen.
Go to **Computer Configuration** &gt; **Windows Settings** &gt; **Security Settings** &gt; **Local Policies** &gt;**Security Options** &gt; **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.**
- Disable the camera.
Go to **Settings** &gt; **Privacy** &gt; **Camera**, and turn off **Let apps use my camera**.
- Turn off app notifications on the lock screen.
Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
- Disable removable media.
Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.
**Note**  
To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
 
## <a href="" id="assigned-access-method"></a>Assigned access method for Universal Windows apps
Using assigned access, Windows 10 runs the designated Universal Windows app above the lockscreen, so that the assigned access account has no access to any other functionality on the device. You have these choices for setting up assigned access:
| Method | Account type | Windows 10 edition |
| --- | --- | --- |
| [Use Settings on the PC](#set-up-assigned-access-in-pc-settings) | Local standard | Pro, Enterprise, Education |
| [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) | All (domain, local standard, local administrator, etc) | Enterprise, Education |
| [Create a provisioning package using Windows Imaging and Configuration Designer (ICD)](#icd) | All (domain, local standard, local administrator, etc) | Enterprise, Education |
| [Run a PowerShell script](#set-up-assigned-access-using-windows-powershell) | Local standard | Pro, Enterprise, Education |
### Requirements
- A domain or local user account.
- A Universal Windows app that is installed or provisioned for that account and is an above lock screen app. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). For details on building an above lock screen app, see [Kiosk apps for assigned access: Best practices](https://go.microsoft.com/fwlink/p/?LinkId=708386).
The app can be your own company app that you have made available in your own app Store. To set up assigned access using MDM or PowerShell, you also need the Application User Model ID (AUMID) for the app. [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867).
The Universal Windows app must be able to handle multiple views and cannot launch other apps or dialogs.
**Note**  
Assigned access does not work on a device that is connected to more than one monitor.
 
### Set up assigned access in PC settings
1. Go to **Start** &gt; **Settings** &gt; **Accounts** &gt; **Other users**.
2. Choose **Set up assigned access**.
3. Choose an account.
4. Choose an app. Only apps that can run above the lock screen will be displayed. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md).
5. Close **Settings** your choices are saved automatically, and will be applied the next time that user account logs on.
To remove assigned access, in step 3, choose **Don't use assigned access**.
### Set up assigned access in MDM
Assigned Access has one setting, KioskModeApp. In the KioskModeApp setting, you enter the user account name and AUMID for the app to run in kiosk mode.
[Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867).
[See the technical reference for the Assigned Access configuration service provider.](https://go.microsoft.com/fwlink/p/?LinkId=626608)
### <a href="" id="icd"></a>Set up assigned access using Windows Imaging and Configuration Designer (ICD)
Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device as a kiosk. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
> **Important**
When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
**Create a provisioning package for a kiosk device**
1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
2. Choose **Advanced provisioning**.
3. Name your project, and click **Next**.
4. Choose **All Windows desktop editions** and click **Next**.
5. On **New project**, click **Finish**. The workspace for your package opens.
6. Expand **Runtime settings** &gt; **AssignedAccess**, and click **AssignedAccessSettings**.
7. Enter a string to specify the user account and app (by AUMID). For example:
"Account":"contoso\\\\kiosk","AUMID":"8f82d991-f842-44c3-9a95-521b58fc2084"
8. On the **File** menu, select **Save.**
9. On the **Export** menu, select **Provisioning package**.
10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package.
12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location.
Optionally, you can click **Browse** to change the default output location.
13. Click **Next**.
14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
**Apply the provisioning package**
1. Select the provisioning package that you want to apply, double-click the file, and then allow admin privileges.
2. Consent to allow the package to be installed.
After you allow the package to be installed, the settings will be applied to the device
[Learn how to apply a provisioning package in audit mode or OOBE.](https://go.microsoft.com/fwlink/p/?LinkID=692012)
### Set up assigned access using Windows PowerShell
You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices.
To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator.
```
Set-AssignedAccess -AppUserModelId <AUMID> -UserName <username>
```
```
Set-AssignedAccess -AppUserModelId <AUMID> -UserSID <usersid>
```
```
Set-AssignedAccess -AppName <CustomApp> -UserName <username>
```
```
Set-AssignedAccess -AppName <CustomApp> -UserSID <usersid>
```
> **Note:** To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once.
[Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867).
[Learn how to get the AppName](https://msdn.microsoft.com/library/windows/hardware/mt620046%28v=vs.85%29.aspx) (see **Parameters**).
[Learn how to get the SID](https://go.microsoft.com/fwlink/p/?LinkId=615517).
To remove assigned access, using PowerShell, run the following cmdlet.
```
Clear-AssignedAccess
```
### Set up automatic logon
When your kiosk device restarts, whether from an update or power outage, you can log on the assigned access account manually or you can configure the device to log on to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic logon.
Edit the registry to have an account automatically logged on.
1. Open Registry Editor (regedit.exe).
**Note**  
If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002).
 
2. Go to
**HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon**
3. Set the values for the following keys.
- *AutoAdminLogon*: set value as **1**.
- *DefaultUserName*: set value as the account that you want logged in.
- *DefaultPassword*: set value as the password for the account.
> **Note**  If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** &gt; **String Value**.
- *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key.
4. Close Registry Editor. The next time the computer restarts, the account will be logged on automatically.
### Sign out of assigned access
To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account.
If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key:
**HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI**
To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
## <a href="" id="local-user-policy"></a>Shell Launcher for Classic Windows applications
Using Shell Launcher, you can configure a kiosk device that runs a Classic Windows application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on.
### Requirements
- A domain or local user account.
- A Classic Windows application that is installed for that account. The app can be your own company application or a common app like Internet Explorer.
[See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603)
### Configure Shell Launcher
To set a Classic Windows application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell.
**To turn on Shell Launcher in Windows features**
1. Go to Control Panel &gt; **Programs and Features** &gt; **Turn Windows features on or off**.
2. Select **Embedded Shell Launcher** and **OK**.
Alternatively, you can turn on Shell Launcher using the Deployment Image Servicing and Management (DISM.exe) tool.
**To turn on Shell Launcher using DISM**
1. Open a command prompt as an administrator.
2. Enter the following command.
```
Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher
```
**To set your custom shell**
Modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device.
```
# Check if shell launcher license is enabled
function Check-ShellLauncherLicenseEnabled
{
[string]$source = @"
using System;
using System.Runtime.InteropServices;
static class CheckShellLauncherLicense
{
const int S_OK = 0;
public static bool IsShellLauncherLicenseEnabled()
{
int enabled = 0;
if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) {
enabled = 0;
}
return (enabled != 0);
}
static class NativeMethods
{
[DllImport("Slc.dll")]
internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value);
}
}
"@
$type = Add-Type -TypeDefinition $source -PassThru
return $type[0]::IsShellLauncherLicenseEnabled()
}
[bool]$result = $false
$result = Check-ShellLauncherLicenseEnabled
"`nShell Launcher license enabled is set to " + $result
if (-not($result))
{
"`nThis device doesn't have required license to use Shell Launcher"
exit
}
$COMPUTER = "localhost"
$NAMESPACE = "root\standardcimv2\embedded"
# Create a handle to the class instance so we can call the static methods.
try {
$ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting"
} catch [Exception] {
write-host $_.Exception.Message;
write-host "Make sure Shell Launcher feature is enabled"
exit
}
# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
$Admins_SID = "S-1-5-32-544"
# Create a function to retrieve the SID for a user account on a machine.
function Get-UsernameSID($AccountName) {
$NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
$NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
return $NTUserSID.Value
}
# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script.
$Cashier_SID = Get-UsernameSID("Cashier")
# Define actions to take when the shell program exits.
$restart_shell = 0
$restart_device = 1
$shutdown_device = 2
# Examples. You can change these examples to use the program that you want to use as the shell.
# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed.
$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device)
# Display the default shell to verify that it was added correctly.
$DefaultShellObject = $ShellLauncherClass.GetDefaultShell()
"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction
# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed.
$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell)
# Set Explorer as the shell for administrators.
$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe")
# View all the custom shells defined.
"`nCurrent settings for custom shells:"
Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction
# Enable Shell Launcher
$ShellLauncherClass.SetEnabled($TRUE)
$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
# Remove the new custom shells.
$ShellLauncherClass.RemoveCustomShell($Admins_SID)
$ShellLauncherClass.RemoveCustomShell($Cashier_SID)
# Disable Shell Launcher
$ShellLauncherClass.SetEnabled($FALSE)
$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
```
## Related topics
[Set up a device for anyone to use](set-up-a-device-for-anyone-to-use.md)
[Set up a kiosk for Windows 10 for mobile edition](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
[Manage and update Windows 10](index.md)
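Review bot: The "Set up automatic logon" steps tell the reader to add *DefaultPassword* as a String Value under Winlogon without saying that the password is then stored in the registry in clear text. Add a caution next to that step and recommend using it only with a dedicated standard account that has no other access. In step 2 of the same list the key path reads `Microsoft\WindowsNT\CurrentVersion\Winlogon`; the key name is `Windows NT` with a space, and the backslash escaping on that line is inconsistent. In the Shell Launcher script, the comment "restart the machine if Internet Explorer is closed" sits above a `SetCustomShell` call that passes `$restart_shell`, so either the comment or the argument should change.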
 
 

View File

@ -0,0 +1,199 @@
---
title: Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise (Windows 10)
description: A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings.
ms.assetid: 35EC82D8-D9E8-45C3-84E9-B0C8C167BFF7
keywords: kiosk, lockdown, assigned access
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: jdeckerMS
localizationpriority: high
---
# Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise
**Applies to**
- Windows 10 Mobile
A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise for kiosk mode by using the Apps Corner feature. You can also use the Enterprise Assigned Access configuration service provider (CSP) to configure a kiosk experience.
**Note**  
The specified app must be an above lock screen app. For details on building an above lock screen app, see [Kiosk apps for assigned access: Best practices](https://go.microsoft.com/fwlink/p/?LinkId=708386).
 
## Apps Corner
Apps Corner lets you set up a custom Start screen on your Windows 10 Mobile or Windows 10 Mobile Enterprise device, where you can share only the apps you choose with the people you let use your device. You configure a device for kiosk mode by selecting a single app to use in Apps Corner.
**To set up Apps Corner**
1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) &gt; **Accounts** &gt; **Apps Corner**.
2. Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done ![](images/doneicon.png)
3. If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. Press **Back** ![back](images/backicon.png) to the Apps Corner settings.
4. Turn **Action center** on or off, depending on whether you want people to be able to use these features when using the device in kiosk mode.
5. Tap **advanced**, and then turn features on or off, depending on whether you want people to be able to use them.
6. Press **Back** ![back](images/backicon.png) when you're done.
**To use Apps Corner**
1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) &gt; **Accounts** &gt; **Apps Corner** &gt; launch ![launch](images/launchicon.png).
**Tip**  
Want to get to Apps Corner with one tap? In **Settings**, tap **Apps Corner** &gt; **pin** to pin the Apps Corner tile to your Start screen.
 
2. Give the device to someone else, so they can use the device and only the one app you chose.
3. When they're done and you get the device back, press and hold Power ![power](images/powericon.png), and then swipe right to exit Apps Corner.
## Enterprise Assigned Access
Enterprise Assigned Access allows you to lock down your Windows 10 Mobile or Windows 10 Mobile Enterprise device in kiosk mode by creating a user role that has only a single app, set to run automatically, in the Allow list.
**Note**  The app can be a Universal Windows app, Universal Windows Phone 8 app, or a legacy Silverlight app.
 
### Set up Enterprise Assigned Access in MDM
In AssignedAccessXml, for Application, you enter the product ID for the app to run in kiosk mode. Find product IDs at [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md).
[See the technical reference for the Enterprise Assigned Access configuration service provider (CSP).](https://go.microsoft.com/fwlink/p/?LinkID=618601)
### Set up assigned access using Windows Imaging and Configuration Designer (ICD)
> **Important**
When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
**To create and apply a provisioning package for a kiosk device**
1. Create an *AssignedAccess*.xml file that specifies the app the device will run. (You can name use any file name.) For instructions on AssignedAccessXml, see [EnterpriseAssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=618601).
**Note**  
Do not escape the xml in *AssignedAccess*.xml file as Windows Imaging and Configuration Designer (ICD) will do that when building the package. Providing escaped xml in Windows ICD will cause building the package fail.
 
2. Open Windows ICD (by default, `%windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe`).
3. Choose **Advanced provisioning**.
4. Name your project, and click **Next**.
5. Choose **All Windows mobile editions** and click **Next**.
6. On **New project**, click **Finish**. The workspace for your package opens.
7. Expand **Runtime settings** &gt; **EmbeddedLockdownProfiles**, and click **AssignedAccessXml**.
8. Click **Browse** to select the *AssignedAccess*.xml file.
9. On the **File** menu, select **Save.**
10. On the **Export** menu, select **Provisioning package**.
11. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
12. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package.
13. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location.
Optionally, you can click **Browse** to change the default output location.
14. Click **Next**.
15. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
16. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
17. Select the **output location** link to go to the location of the package. You can distribute that .ppkg to mobile devices using any of the following methods:
- Removable media (USB/SD)
**To apply a provisioning package from removable media**
1. Copy the provisioning package file to the root directory on a micro SD card.
2. On the device, insert the micro SD card containing the provisioning package.
3. Go to **Settings** &gt; **Accounts** &gt; **Provisioning.**
4. Tap **Add a package**.
5. On the **Choose a method** screen, in the **Add from** dropdown menu, select **Removable Media**.
6. Select a package will list all available provisioning packages on the micro SD card. Tap the desired package, and then tap **Add**.
7. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**.
8. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device.
- Email
**To apply a provisioning package sent in email**
1. Send the provisioning package in email to an account on the device.
2. Open the email on the device, and then double-tap the attached file.
3. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**.
4. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device.
- USB tether (mobile only)
**To apply a provisioning package using USB tether**
1. Connect the device to your PC by USB.
2. Select the provisioning package that you want to use to provision the device, and then drag and drop the file to your device.
3. The provisioning package installation dialog will appear on the phone.
4. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**.
5. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device.
[Learn how to apply a provisioning package in audit mode or OOBE.](https://go.microsoft.com/fwlink/p/?LinkID=692012)
## Related topics
[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)
[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md)
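Review bot: Step 12 presents package encryption and signing as "Optional", yet the Important note at the top of this procedure says the .ppkg can carry sensitive information, and step 17 lists email and removable media as distribution methods. Suggest stating in step 12 that encryption should be enabled for packages sent by email or copied to an SD card, and telling the reader to record the auto-generated password, since the visible steps never say where it is needed again. In step 2 the path inside the code span uses doubled backslashes, which render literally, and it starts at `%windir%`, which expands to the Windows directory rather than the drive that holds `Program Files (x86)`; please confirm the intended path. Wording fixes: "You can name use any file name" (step 1), "will cause building the package fail" (the Note under step 1), "Select a package will list all available provisioning packages" (removable media, step 6), and "what the package will do the device", which appears in all three apply procedures.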
 
 

View File

@ -0,0 +1,517 @@
---
title: Settings and quick actions that can be locked down in Windows 10 Mobile (Windows 10)
description: This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile.
ms.assetid: 69E2F202-D32B-4FAC-A83D-C3051DF02185
keywords: ["lockdown"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: jdeckerMS
localizationpriority: high
---
# Settings and quick actions that can be locked down in Windows 10 Mobile
**Applies to**
- Windows 10 Mobile
This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile.
## Settings lockdown
You can use Lockdown.xml to configure lockdown settings.
The following table lists the settings pages and page groups. Use the page name in the Settings section of Lockdown.xml. The Settings section contains an allow list of pages in the Settings app.
<table>
<thead>
<tr class="header">
<th align="left">Main menu</th>
<th align="left">Sub-menu</th>
<th align="left">Page name</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">System</td>
<td align="left"></td>
<td align="left">SettingsPageGroupPCSystem</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Display</td>
<td align="left">SettingsPageDisplay</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Notifications & actions</td>
<td align="left">SettingsPageAppsNotifications</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Phone</td>
<td align="left">SettingsPageCalls</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Messaging</td>
<td align="left">SettingsPageMessaging</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Battery</td>
<td align="left">SettingsPageBatterySaver</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Apps for websites</td>
<td align="left">SettingsPageAppsForWebsites</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Storage</td>
<td align="left">SettingsPageStorageSenseStorageOverview</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Driving mode</td>
<td align="left">SettingsPageDrivingMode</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Offline maps</td>
<td align="left">SettingsPageMaps</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">About</td>
<td align="left">SettingsPagePCSystemInfo</td>
</tr>
<tr class="even">
<td align="left">Devices</td>
<td align="left"></td>
<td align="left">SettingsPageGroupDevices</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Default camera</td>
<td align="left">SettingsPagePhotos</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Bluetooth</td>
<td align="left">SettingsPagePCSystemBluetooth</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">NFC</td>
<td align="left">SettingsPagePhoneNFC</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Mouse</td>
<td align="left">SettingsPageMouseTouchpad</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">USB</td>
<td align="left">SettingsPageUsb</td>
</tr>
<tr class="even">
<td align="left">Network and wireless</td>
<td align="left"></td>
<td align="left">SettingsPageGroupNetwork</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Cellular & SIM</td>
<td align="left">SettingsPageNetworkCellular</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Wi-Fi</td>
<td align="left">SettingsPageNetworkWiFi</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Airplane mode</td>
<td align="left">SettingsPageNetworkAirplaneMode</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Data usage</td>
<td align="left">SettingsPageDataSenseOverview</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Mobile hotspot</td>
<td align="left">SettingsPageNetworkMobileHotspot</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">VPN</td>
<td align="left">SettingsPageNetworkVPN</td>
</tr>
<tr class="odd">
<td align="left">Personalization</td>
<td align="left"></td>
<td align="left">SettingsPageGroupPersonalization</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Start</td>
<td align="left">SettingsPageBackGround</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Colors</td>
<td align="left">SettingsPageColors</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Sounds</td>
<td align="left">SettingsPageSounds</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Lock screen</td>
<td align="left">SettingsPageLockscreen</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Glance screen</td>
<td align="left">SettingsPageGlance</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Navigation bar</td>
<td align="left">SettingsNagivationBar</td>
</tr>
<tr class="odd">
<td align="left">Accounts</td>
<td align="left"></td>
<td align="left">SettingsPageGroupAccounts</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Your info</td>
<td align="left">SettingsPageAccountsPicture</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Sign-in options</td>
<td align="left">SettingsPageAccountsSignInOptions</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Email & app accounts</td>
<td align="left">SettingsPageAccountsEmailApp</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Access work or school</td>
<td align="left">SettingsPageWorkAccess</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Sync your settings</td>
<td align="left">SettingsPageAccountsSync</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left"><p>Apps corner</p>
<p>(disabled in Assigned Access)</p></td>
<td align="left">SettingsPageAppsCorner</td>
</tr>
<tr class="odd">
<td align="left">Time & language</td>
<td align="left"></td>
<td align="left">SettingsPageGroupTimeRegion</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Date & time</td>
<td align="left">SettingsPageTimeRegionDateTime</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Language</td>
<td align="left">SettingsPageTimeLanguage</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Region</td>
<td align="left">SettingsPageTimeRegion</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Keyboard</td>
<td align="left">SettingsPageKeyboard</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Speech</td>
<td align="left">SettingsPageSpeech</td>
</tr>
<tr class="odd">
<td align="left">Ease of access</td>
<td align="left"></td>
<td align="left">SettingsPageGroupEaseOfAccess</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Narrator</td>
<td align="left">SettingsPageEaseOfAccessNarrator</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Magnifier</td>
<td align="left">SettingsPageEaseOfAccessMagnifier</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">High contrast</td>
<td align="left">SettingsPageEaseOfAccessHighContrast</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Closed captions</td>
<td align="left">SettingsPageEaseOfAccessClosedCaptioning</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">More options</td>
<td align="left">SettingsPageEaseOfAccessMoreOptions</td>
</tr>
<tr class="odd">
<td align="left">Privacy</td>
<td align="left"></td>
<td align="left">SettingsPageGroupPrivacy</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Location</td>
<td align="left">SettingsPagePrivacyLocation</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Camera</td>
<td align="left">SettingsPagePrivacyWebcam</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Microphone</td>
<td align="left">SettingsPagePrivacyMicrophone</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Motion</td>
<td align="left">SettingsPagePrivacyMotionData</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Notifications</td>
<td align="left">SettingsPagePrivacyNotifications</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Speech. inking, & typing</td>
<td align="left">SettingsPagePrivacyPersonalization</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Account info</td>
<td align="left">SettingsPagePrivacyAccountInfo</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Contacts</td>
<td align="left">SettingsPagePrivacyContacts</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Calendar</td>
<td align="left">SettingsPagePrivacyCalendar</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Phone calls</td>
<td align="left">SettingsPagePrivacyPhoneCall</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Call history</td>
<td align="left">SettingsPagePrivacyCallHistory</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Email</td>
<td align="left">SettingsPagePrivacyEmail</td>
</tr><tr class="even">
<td align="left"></td>
<td align="left">Messaging</td>
<td align="left">SettingsPagePrivacyMessaging</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Radios</td>
<td align="left">SettingsPagePrivacyRadios</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Continue App Experiences</td>
<td align="left">SettingsPagePrivacyCDP</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Background apps</td>
<td align="left">SettingsPagePrivacyBackgroundApps</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Accessory apps</td>
<td align="left">SettingsPageAccessories</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Advertising ID</td>
<td align="left">SettingsPagePrivacyAdvertisingId</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Other devices</td>
<td align="left">SettingsPagePrivacyCustomPeripherals</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Feedback and diagnostics</td>
<td align="left">SettingsPagePrivacySIUFSettings</td>
</tr>
<tr class="odd">
<td align="left">Update and security</td>
<td align="left"></td>
<td align="left">SettingsPageGroupRestore</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Phone update</td>
<td align="left">SettingsPageRestoreMusUpdate</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Windows Insider Program</td>
<td align="left">SettingsPageFlights</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Device encryption</td>
<td align="left">SettingsPageGroupPCSystemDeviceEncryption</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Backup</td>
<td align="left">SettingsPageRestoreOneBackup</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Find my phone</td>
<td align="left">SettingsPageFindMyDevice</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">For developers</td>
<td align="left">SettingsPageSystemDeveloperOptions</td>
</tr>
<tr class="even">
<td align="left">OEM</td>
<td align="left"></td>
<td align="left">SettingsPageGroupExtensibility</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Extensibility</td>
<td align="left">SettingsPageExtensibility</td>
</tr>
</tbody>
</table>
 
## Quick actions lockdown
Quick action buttons are locked down in exactly the same way as Settings pages/groups. By default they are always conditional.
You can specify the quick actions as follows:
``` syntax
<Settings>
<System name="SystemSettings_System_Display_QuickAction_Brightness"/>
<System name="SystemSettings_System_Display_Internal_Rotation"/>
<System name="SystemSettings_QuickAction_WiFi"/>
<System name="SystemSettings_QuickAction_InternetSharing"/>
<System name="SystemSettings_QuickAction_CellularData"/>
<System name="SystemSettings_QuickAction_AirplaneMode"/>
<System name="SystemSettings_Privacy_LocationEnabledUserPhone"/>
<System name="SystemSettings_Network_VPN_QuickAction"/>
<System name="SystemSettings_Flashlight_Toggle"/>
<System name="SystemSettings_Device_BluetoothQuickAction"/>
<System name="SystemSettings_BatterySaver_LandingPage_OverrideControl" />
<System name="SystemSettings_QuickAction_QuietHours" />
<System name="SystemSettings_QuickAction_Camera" />
<System name="SystemSettings_Launcher_QuickNote" />
<System name="QuickActions_Launcher_AllSettings" />
<System name="QuickActions_Launcher_DeviceDiscovery" />
</Settings>
```
Some quick actions are dependent on related settings pages/page groups. When a dependent page/group is not available, then the corresponding quick action will also be hidden.
**Note**  
Dependent settings group/pages will be automatically enabled when a quick action is specified in the lockdown xml file. For example, if the Rotation quick setting is specified, the following group and page will automatically be added to the allow list: “SettingsPageSystemDisplay” and “SettingsPageDisplay”.
 
The following table lists the dependencies between quick actions and Settings groups/pages.
| Quick action | Settings group | Settings page |
|-----|-------|-------|
| SystemSettings\_System\_Display\_QuickAction\_Brightness | SettingsPageSystemDisplay| SettingsPageDisplay |
| SystemSettings\_System\_Display\_Internal\_Rotation | SettingsPageSystemDisplay | SettingsPageDisplay |
| SystemSettings\_QuickAction\_WiFi | SettingsPageNetworkWiFi | SettingsPageNetworkWiFi |
| SystemSettings\_QuickAction\_InternetSharing | SettingsPageNetworkInternetSharing | SettingsPageNetworkInternetSharing |
| SystemSettings\_QuickAction\_CellularData | SettingsGroupCellular | SettingsPageNetworkCellular |
| SystemSettings\_QuickAction\_AirplaneMode | SettingsPageNetworkAirplaneMode | SettingsPageNetworkAirplaneMode |
| SystemSettings\_Privacy\_LocationEnabledUserPhone | SettingsGroupPrivacyLocationGlobals | SettingsPagePrivacyLocation |
| SystemSettings\_Network\_VPN\_QuickAction | SettingsPageNetworkVPN | SettingsPageNetworkVPN |
| SystemSettings\_Launcher\_QuickNote | N/A | N/A |
| SystemSettings\_Flashlight\_Toggle | N/A | N/A |
| SystemSettings\_Device\_BluetoothQuickAction | SettingsPagePCSystemBluetooth | SettingsPagePCSystemBluetooth |
| SystemSettings\_BatterySaver\_LandingPage\_OverrideControl | BatterySaver\_LandingPage\_SettingsConfiguration | SettingsPageBatterySaver |
| QuickActions\_Launcher\_DeviceDiscovery | N/A | N/A |
| QuickActions\_Launcher\_AllSettings | N/A | N/A |
| SystemSettings\_QuickAction\_QuietHours | N/A | N/A |
| SystemSettings\_QuickAction\_Camera | N/A | N/A |
 
## Related topics
[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)
[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md)
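Review bot: The "Settings group" column of the quick-action dependency table uses names that do not appear in the Settings lockdown table earlier in this file: `SettingsPageSystemDisplay`, `SettingsPageNetworkInternetSharing`, `SettingsGroupCellular`, `SettingsGroupPrivacyLocationGlobals` and `BatterySaver_LandingPage_SettingsConfiguration`, while the first table gives `SettingsPageGroupPCSystem` for System and `SettingsPageNetworkMobileHotspot` for Mobile hotspot. Because the Settings section is an allow list that admins fill by copying these strings, please either reconcile the two sets or state that they are separate identifiers. The Note saying that a quick action automatically adds its dependent group and page to the allow list deserves more prominence, since it means a single `<System name="..."/>` entry can re-expose a page the admin left out; "By default they are always conditional" also needs a definition of "conditional". Smaller points: confirm that `SettingsNagivationBar` is the literal page name (it is the only entry in that table without the `SettingsPage` prefix and reads like a transposition of "Navigation"), fix "Speech. inking, & typing", and write the bare `&` in the HTML table cells as `&amp;`.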
 
 

View File

@ -0,0 +1,492 @@
---
title: Start layout XML for desktop editions of Windows 10 (Windows 10)
description: This topic describes the options for customizing Start layout in LayoutModification.xml for Windows 10 desktop editions.
keywords: ["start screen"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# Start layout XML for desktop editions of Windows 10 (reference)
**Applies to**
- Windows 10
>**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
On Windows 10 for desktop editions, the customized Start works by:
- Windows 10 checks the chosen base default layout, such as the desktop edition and whether Cortana is supported for the country/region.
- Windows 10 reads the LayoutModification.xml file and allows groups to be appended to Start. The groups have the following constraints:
- 2 groups that are 6 columns wide, or equivalent to the width of 3 medium tiles.
- 2 medium-sized tile rows in height. Windows 10 ignores any tiles that are pinned beyond the second row.
- No limit to the number of apps that can be pinned. There is a theoretical limit of 24 tiles per group (4 small tiles per medium square x 3 columns x 2 rows).
## LayoutModification XML
IT admins can provision the Start layout using a LayoutModification.xml file. This file supports several mechanisms to modify or replace the default Start layout and its tiles. The easiest method for creating a LayoutModification.xml file is by using the Export-StartLayout cmdlet; see [Customize and export Start layout](customize-and-export-start-layout.md) for instructions.
>[!NOTE]
>To make sure the Start layout XML parser processes your file correctly, follow these guidelines when working with your LayoutModification.xml file:
>- Do not leave spaces or white lines in between each element.
>- Do not add comments inside the StartLayout node or any of its children elements.
>- Do not add multiple rows of comments.
The following table lists the supported elements and attributes for the LayoutModification.xml file.
| Element | Attributes | Description |
| --- | --- | --- |
| LayoutModificationTemplate | xmlns</br>xmlns:defaultlayout</br>xmlns:start</br>Version | Use to describe the changes to the default Start layout |
| [LayoutOptions](#layoutoptions)</br></br>Parent:</br>LayoutModificationTemplate | StartTileGroupsColumnCount</br>FullScreenStart | Use to specify:</br>- Whether to use full screen Start on the desktop</br>- The number of tile columns in the Start menu |
| RequiredStartGroupsCollection</br></br>Parent:</br>LayoutModificationTemplate | n/a | Use to contain collection of RequiredStartGroups |
| [RequiredStartGroups](#requiredstartgroups)</br></br>Parent:</br>RequiredStartGroupsCollection | Region | Use to contain the AppendGroup tags, which represent groups that can be appended to the default Start layout |
| [AppendGroup](#appendgroup)</br></br>Parent:</br>RequiredStartGroups | Name | Use to specify the tiles that need to be appended to the default Start layout |
| [start:Tile](#specify-start-tiles)</br></br>Parent:</br>AppendGroup | AppUserModelID</br>Size</br>Row</br>Column | Use to specify any of the following:</br>- A Universal Windows app</br>- A Windows 8 or Windows 8.1 app |
| start:DesktopApplicationTile</br></br>Parent:</br>AppendGroup | DesktopApplicationID</br>DesktopApplicationLinkPath</br>Size</br>Row</br>Column | Use to specify any of the following:</br>- A Windows desktop application with a known AppUserModelID</br>- An application in a known folder with a link in a legacy Start Menu folder</br>- A Windows desktop application link in a legacy Start Menu folder</br>- A Web link tile with an associated .url file that is in a legacy Start Menu folder |
| start:SecondaryTile</br></br>Parent:</br>AppendGroup | AppUserModelID</br>TileID</br>Arguments</br>DisplayName</br>Square150x150LogoUri</br>ShowNameOnSquare150x150Logo</br>ShowNameOnWide310x150Logo</br>Wide310x150LogoUri</br>BackgroundColor</br>ForegroundText</br>IsSuggestedApp</br>Size</br>Row</br>Column | Use to pin a Web link through a Microsoft Edge secondary tile |
| TopMFUApps</br></br>Parent:</br>LayoutModificationTemplate | n/a | Use to add up to 3 default apps to the frequently used apps section in the system area |
| Tile</br></br>Parent:</br>TopMFUApps | AppUserModelID | Use with the TopMFUApps tags to specify an app with a known AppUserModelID |
| DesktopApplicationTile</br></br>Parent:</br>TopMFUApps | LinkFilePath | Use with the TopMFUApps tags to specify an app without a known AppUserModelID |
| AppendOfficeSuite</br></br>Parent:</br>LayoutModificationTemplate | n/a | Use to add the in-box installed Office suite to Start</br></br>Do not use this tag with AppendDownloadOfficeTile |
| AppendDownloadOfficeTile</br></br>Parent:</br>LayoutModificationTemplate | n/a | Use to add a specific **Download Office** tile to a specific location in Start</br></br>Do not use this tag with AppendOfficeSuite |
### LayoutOptions
New devices running Windows 10 for desktop editions will default to a Start menu with 2 columns of tiles unless boot to tablet mode is enabled. Devices with screens that are under 10" have boot to tablet mode enabled by default. For these devices, users see the full screen Start on the desktop. You can adjust the following features:
- Boot to tablet mode can be set on or off.
- Set full screen Start on desktop to on or off.
To do this, add the LayoutOptions element in your LayoutModification.xml file and set the FullScreenStart attribute to true or false.
- Specify the number of columns in the Start menu to 1 or 2.
To do this, add the LayoutOptions element in your LayoutModification.xml file and set the StartTileGroupsColumnCount attribute to 1 or 2.
The following example shows how to use the LayoutOptions element to specify full screen Start on the desktop and to use 1 column in the Start menu:
```XML
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
Version="1">
<LayoutOptions
StartTileGroupsColumnCount="1"
FullScreenStart="true"
/>
</LayoutModificationTemplate>
```
For devices being upgraded to Windows 10 for desktop editions:
- Devices being upgraded from Windows 7 will default to a Start menu with 1 column.
- Devices being upgraded from Windows 8.1 or Windows 8.1 Upgrade will default to a Start menu with 2 columns.
### RequiredStartGroups
The **RequiredStartGroups** tag contains **AppendGroup** tags that represent groups that you can append to the default Start layout.
>[!IMPORTANT]
>For Windows 10 for desktop editions, you can add a maximum of two (2) **AppendGroup** tags per **RequiredStartGroups** tag.
You can also assign regions to the append groups in the **RequiredStartGroups** tag's using the optional **Region** attribute or you can use the multivariant capabilities in Windows provisioning. If you are using the **Region** attribute, you must use a two-letter country code to specify the country/region that the append group(s) apply to. To specify more than one country/region, use a pipe ("|") delimiter as shown in the following example:
```XML
<RequiredStartGroups
Region="DE|ES|FR|GB|IT|US">
```
If the country/region setting for the Windows device matches a **RequiredStartGroups**, then the tiles laid out within the **RequiredStartGroups** is applied to Start.
If you specify a region-agnostic **RequiredStartGroups** (or one without the optional Region attribute) then the region-agnostic **RequiredStartGroups** is applied to Start.
### AppendGroup
**AppendGroup** tags specify a group of tiles that will be appended to Start. There is a maximum of two **AppendGroup** tags allowed per **RequiredStartGroups** tag.
For Windows 10 for desktop editions, AppendGroup tags contain start:Tile, start:DesktopApplicationTile, or start:SecondaryTile tags.
You can specify any number of tiles in an **AppendGroup**, but you cannot specify a tile with a **Row** attribute greater than 4. The Start layout does not support overlapping tiles.
### Specify Start tiles
To pin tiles to Start, partners must use the right kind of tile depending on what you want to pin.
#### Tile size and coordinates
All tile types require a size (**Size**) and coordinates (**Row** and **Column**) attributes regardless of the tile type that you use when prepinning items to Start.
The following table describes the attributes that you must use to specify the size and location for the tile.
| Attribute | Description |
| --- | --- |
| Size | Determines how large the tile will be.</br></br>- 1x1 - small tile</br>- 2x2 - medium tile</br>- 4x2 - wide tile</br>- 4x4 - large tile |
| Row | Specifies the row where the tile will appear. |
| Column | Specifies the column where the tile will appear. |
For example, a tile with Size="2x2", Row="2", and Column="2" results in a tile located at (2,2) where (0,0) is the top-left corner of a group.
#### start:Tile
You can use the **start:Tile** tag to pin any of the following apps to Start:
- A Universal Windows app
- A Windows 8 app or Windows 8.1 app
To specify any one of these apps, you must set the **AppUserModelID** attribute to the application user model ID that's associated with the corresponding app.
The following example shows how to pin the Microsoft Edge Universal Windows app:
```XML
<start:Tile
AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge"
Size="2x2"
Row="0"
Column="0"/>
```
#### start:DesktopApplicationTile
You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop application to Start. There are two ways you can specify a Windows desktop application:
- By using a path to a shortcut link (.lnk file) to a Windows desktop application.
To pin a Windows desktop application through this method, you must first add the .lnk file in the specified location when the device first boots.
The following example shows how to pin the Command Prompt:
```XML
<start:DesktopApplicationTile
DesktopApplicationLinkPath="%appdata%\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk"
Size="2x2"
Row="0"
Column="4"/>
```
You must set the **DesktopApplicationLinkPath** attribute to the .lnk file that points to the Windows desktop application. The path also supports environment variables.
If you are pointing to a third-party Windows desktop application, you must put the .lnk file in a legacy Start Menu directory before first boot; for example, "%APPDATA%\Microsoft\Windows\Start Menu\Programs\" or the all users profile "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\".
- By using the application's application user model ID, if this is known. If the Windows desktop application doesn't have one, use the shortcut link option.
To pin a Windows desktop application through this method, you must set the **DesktopApplicationID** attribute to the application user model ID that's associated with the corresponding app.
The following example shows how to pin the Internet Explorer Windows desktop application:
```XML
<start:DesktopApplicationTile
DesktopApplicationID="Microsoft.Windows.Explorer"
Size="2x2"
Row="0"
Column="2"/>
```
You can also use the **start:DesktopApplicationTile** tag as one of the methods for pinning a Web link to Start. The other method is to use a Microsoft Edge secondary tile.
To pin a legacy .url shortcut to Start, you must create .url file (right-click on the desktop, select **New** > **Shortcut**, and then type a Web URL). You must add this .url file in a legacy Start Menu directory before first boot; for example, `%APPDATA%\Microsoft\Windows\Start Menu\Programs\` or the all users profile `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\`.
The following example shows how to create a tile of the Web site's URL, which you can treat similarly to a Windows desktop application tile:
```XML
<start:DesktopApplicationTile
DesktopApplicationID="http://www.contoso.com/"
Size="2x2"
Row="0"
Column="2"/>
```
#### start:SecondaryTile
You can use the **start:SecondaryTile** tag to pin a Web link through a Microsoft Edge secondary tile. This method doesn't require any additional action compared to the method of using legacy .url shortcuts (through the start:DesktopApplicationTile tag).
The following example shows how to create a tile of the Web site's URL using the Microsoft Edge secondary tile:
```XML
<start:SecondaryTile
AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge"
TileID="MyWeblinkTile"
Arguments="http://msn.com"
DisplayName="MySite"
Square150x150LogoUri="ms-appx:///Assets/MicrosoftEdgeSquare150x150.png"
Wide310x150LogoUri="ms-appx:///Assets/MicrosoftEdgeWide310x150.png"
ShowNameOnSquare150x150Logo="true"
ShowNameOnWide310x150Logo="false"
BackgroundColor="#FF112233"
Size="2x2"
Row="0"
Column="4"/>
```
The following table describes the other attributes that you can use with the **start:SecondaryTile** tag in addition to *8Size**, **Row**, and *8Column**.
| Attribute | Required/optional | Description |
| --- | --- | --- |
| AppUserModelID | Required | Must point to Microsoft Edge. |
| TileID | Required | Must uniquely identify your Web site tile. |
| Arguments | Required | Must contain the URL of your Web site. |
| DisplayName | Required | Must specify the text that you want users to see. |
| Square150x150LogoUri | Required | Specifies the logo to use on the 2x2 tile. |
| Wide310x150LogoUri | Optional | Specifies the logo to use on the 4x2 tile. |
| ShowNameOnSquare150x150Logo | Optional | Specifies whether the display name is shown on the 2x2 tile. The values you can use for this attribute are true or false. |
| ShowNameOnWide310x150Logo | Optional | Specifies whether the display name is shown on the 4x2 tile. The values you can use for this attribute are true or false. |
| BackgroundColor | Optional | Specifies the color of the tile. You can specify the value in ARGB hexadecimal (for example, #FF112233) or specify "transparent". |
| ForegroundText | Optional | Specifies the color of the foreground text. Set the value to either "light" or "dark". |
Secondary Microsoft Edge tiles have the same size and location behavior as a Universal Windows app, Windows 8 app, or Windows 8.1 app.
#### TopMFUApps
You can use the **TopMFUApps** tag to add up to 3 default apps to the frequently used apps section in the system area, which delivers system-driven lists to the user including important or frequently accessed system locations and recently installed apps.
You can use this tag to add:
- Apps with an **AppUserModelID** attribute - This includes Windows desktop applications that have a known application user model ID. Use a **Tile** tag with the **AppUserModelID** attribute set to the app's application user model ID.
- Apps without a **AppUserModelID** attribute - For these apps, you must create a .lnk file that points to the installed app and place the .lnk file in the `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs` directory. Use a **DesktopApplicationTile** tag with the **LinkFilePath** attribute set to the .lnk file name and path.
The following example shows how to modify your LayoutModification.xml file to add both kinds of apps to the system area in Start:
```XML
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
Version="1">
<TopMFUApps>
<Tile AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<Tile AppUserModelID="Microsoft.Getstarted_8wekyb3d8bbwe!App" />
<DesktopApplicationTile LinkFilePath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Win32App.lnk" />
</TopMFUApps>
</LayoutModificationTemplate>
```
#### AppendOfficeSuite
You can use the **AppendOfficeSuite** tag to add the in-box installed Office suite of apps to Start.
The following example shows how to add the **AppendOfficeSuite** tag to your LayoutModification.xml file to append the full Universal Office suite to Start:
```XML
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
Version="1">
<AppendOfficeSuite/>
</LayoutModificationTemplate>
```
#### AppendDownloadOfficeTile
You can use the **AppendDownloadOfficeTile** tag to append the Office trial installer to Start. This tag adds the Download Office tile to Start and the download tile will appear at the bottom right-hand side of the second group.
The following example shows how to add the **AppendDownloadOfficeTile** tag to your LayoutModification.xml file:
```XML
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
Version="1">
<AppendDownloadOfficeTile/>
</LayoutModificationTemplate>
```
## Sample LayoutModification.xml
The following sample LayoutModification.xml shows how you can configure the Start layout for devices running Windows 10 for desktop editions:
```XML
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
Version="1">
<RequiredStartGroupsCollection>
<RequiredStartGroups
Region="DE|ES|FR|GB|IT|US">
<AppendGroup
Name="Fabrikam Group 1">
<start:Tile
AppUserModelID="Microsoft.Office.Word_8wekyb3d8bbwe!microsoft.word"
Size="2x2"
Row="0"
Column="0"/>
<start:DesktopApplicationTile
DesktopApplicationID="Microsoft.Windows.Explorer"
Size="2x2"
Row="0"
Column="2"/>
<start:Tile
AppUserModelID="Microsoft.Office.Excel_8wekyb3d8bbwe!microsoft.excel"
Size="2x2"
Row="0"
Column="4"/>
</AppendGroup>
<AppendGroup
Name="Fabrikam Group 2">
<start:Tile
AppUserModelID="Microsoft.Reader_8wekyb3d8bbwe!Microsoft.Reader"
Size="2x2"
Row="0"
Column="0"/>
<start:DesktopApplicationTile
DesktopApplicationID="http://www.bing.com/"
Size="2x2"
Row="0"
Column="2"/>
<start:DesktopApplicationTile
DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk"
Size="2x2"
Row="0"
Column="4"/>
</AppendGroup>
</RequiredStartGroups>
<RequiredStartGroups>
<AppendGroup
Name="Fabrikam Group 1">
<start:Tile
AppUserModelID="Microsoft.Office.Word_8wekyb3d8bbwe!microsoft.word"
Size="2x2"
Row="0"
Column="0"/>
<start:SecondaryTile
AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge"
TileID="FabrikamWeblinkTile"
Arguments="http://www.fabrikam.com"
DisplayName="Fabrikam"
Square150x150LogoUri="ms-appx:///Assets/MicrosoftEdgeSquare150x150.png"
ShowNameOnSquare150x150Logo="true"
BackgroundColor="#FF112233"
Size="2x2"
Row="0"
Column="2"/>
</AppendGroup>
</RequiredStartGroups>
</RequiredStartGroupsCollection>
<TopMFUApps>
<Tile AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
</TopMFUApps>
</LayoutModificationTemplate>
```
## Use Windows Provisioning multivariant support
The Windows Provisioning multivariant capability allows you to declare target conditions that, when met, supply specific customizations for each variant condition. For Start customization, you can create specific layouts for each variant that you have. To do this, you must create a separate LayoutModification.xml file for each variant that you want to support and then include these in your provisioning package. For more information on how to do this, see [Create a provisioning package with multivariant settings](https://msdn.microsoft.com/library/windows/hardware/dn916108.aspx).
The provisioning engine chooses the right customization file based on the target conditions that were met, adds the file in the location that's specified for the setting, and then uses the specific file to customize Start. To differentiate between layouts, you can add modifiers to the LayoutModification.xml filename such as "LayoutCustomization1". Regardless of the modifier that you use, the provsioning engine will always output "LayoutCustomization.xml" so that the operating system has a consistent file name to query against.
For example, if you want to ensure that there's a specific layout for a certain condition, you can:
1. Create a specific layout customization file and then name it LayoutCustomization1.xml.
2. Include the file as part of your provisioning package.
3. Create your multivariant target and reference the XML file within the target condition in the main customization XML file.
The following example shows what the overall customization file might look like with multivariant support for Start:
```XML
<?xml version="1.0" encoding="utf-8"?>
<WindowsCustomizatons>
<PackageConfig xmlns="urn:schemas-Microsoft-com:Windows-ICD-Package-Config.v1.0">
<ID>{6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e}</ID>
<Name>My Provisioning Package</Name>
<Version>1.0</Version>
<OwnerType>OEM</OwnerType>
<Rank>50</Rank>
</PackageConfig>
<Settings xmlns="urn:schemas-microsoft-com:windows-provisioning">
<Customizations>
<Targets>
<Target Id="Processor ABC">
<TargetState>
<TargetState>
<Condition Name="ProcessorName" Value="Pattern:.*Celeron.*" />
<Condition Name="ProcessorType" Value="Pattern:.*I|intel.*" />
</TargetState>
</TargetState>
</Target>
</Targets>
<Common>
<Settings>
<Policies>
<AllowBrowser>1</AllowBrowser>
<AllowCamera>1</AllowCamera>
<AllowBluetooth>1</AllowBluetooth>
</Policies>
<HotSpot>
<Enabled>1</Enabled>
</HotSpot>
</Settings>
</Common>
<Variant>
<TargetRefs>
<TargetRef Id="Processor ABC" />
</TargetRefs>
<Settings>
<StartLayout>c:\users\<userprofile>\appdata\local\Microsoft\Windows\Shell\LayoutCustomization1.XML</StartLayout>
<HotSpot>
<Enabled>1</Enabled>
</HotSpot>
</Settings>
</Variant>
</Customizations>
</Settings>
</WindowsCustomizatons>
```
When the condition is met, the provisioning engine takes the XML file and places it in the location that the operating system has set and then the Start subsystem reads the file and applies the specific customized layout.
You must repeat this process for all variants that you want to support so that each variant can have a distinct layout for each of the conditions and targets that need to be supported. For example, if you add a **Language** condition, you can create a Start layout that has its own localized group.
## Add the LayoutModification.xml file to the device
Once you have created your LayoutModification.xml file to customize devices that will run Windows 10 for desktop editions, you can use Windows ICD methods to add the XML file to the device.
1. In the **Available customizations** pane, expand **Runtime settings**, select **Start** and then click the **StartLayout** setting.
2. In the middle pane, click **Browse** to open File Explorer.
3. In the File Explorer window, navigate to the location where you saved your LayoutModification.xml file.
4. Select the file and then click **Open**.
This should set the value of **StartLayout**. The setting appears in the **Selected customizations** pane.
>[!NOTE]
>There is currently no way to add the .url and .lnk files through Windows ICD.
Once you have created the LayoutModification.xml file and it is present in the device, the system overrides the base default layout and any Unattend settings used to customize Start.
## Related topics
[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
[Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)
 
 

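Review bot: The multivariant customization sample under "Use Windows Provisioning multivariant support" is not well-formed XML as written, so it fails for anyone who copies it: the `<StartLayout>` value contains a literal `<userprofile>`, which a parser reads as an unclosed element. Escape it as `&lt;userprofile&gt;` or use a placeholder that needs no angle brackets. In the same sample, `<TargetState>` is nested directly inside another `<TargetState>`, and the root element is spelled `<WindowsCustomizatons>` (opening and closing tags); both look unintended. The condition `Pattern:.*I|intel.*` splits at the alternation into `.*I` and `intel.*` rather than matching either capitalization of "Intel", so the variant can apply to more devices than intended; `.*[Ii]ntel.*` expresses the likely intent. Elsewhere in this file: the DesktopApplicationTile example is introduced as pinning Internet Explorer but sets `DesktopApplicationID="Microsoft.Windows.Explorer"`, which is File Explorer; the sentence before the SecondaryTile attribute table has broken bold markers (`*8Size**`, `*8Column**`); "provsioning" is misspelled; and the text says to name the file LayoutCustomization1.xml while the rest of the topic calls it LayoutModification.xml. Every Web link sample pins an `http://` URL (contoso.com, msn.com, bing.com, fabrikam.com); because these tiles are provisioned onto every user's Start, the examples should use `https://`.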
View File

@ -0,0 +1,392 @@
---
title: Start layout XML for mobile editions of Windows 10 (Windows 10)
description: This topic describes the options for customizing Start layout in LayoutModification.xml for Windows 10 mobile editions.
keywords: ["start screen"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# Start layout XML for mobile editions of Windows 10 (reference)
**Applies to**
- Windows 10
>**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
On Windows 10 Mobile, you can use the XML-based layout to modify the Start screen and provide the most robust and complete Start customization experience.
On Windows 10 Mobile, the customized Start works by:
- Windows 10 performs checks to determine the correct base default layout. The checks include the mobile edition, whether the device is dual SIM, the column width, and whether Cortana is supported for the country/region.
- Windows 10 ensures that it does not overwrite the layout that you have set and will sequence the level checks and read the file layout such that any multivariant settings that you have set is not overwritten.
- Windows 10 reads the LayoutModification.xml file and appends the group to the Start screen.
## Default Start layouts
The following diagrams show the default Windows 10, version 1607 Start layouts for single SIM and dual SIM devices with Cortana support, and single SIM and dual SIM devices with no Cortana support.
![Start layout for Windows 10 Mobile](images\mobile-start-layout.png)
The diagrams show:
- Tile coordinates - These are determined by the row number and the column number.
- Fold - Tiles "above the fold" are visible when users first navigate to the Start screen. Tiles "below the fold" are visible after users scroll up.
- Partner-customizable tiles - OEM and mobile operator partners can customize these areas of the Start screen by prepinning content. The partner configurable slots are:
- Rows 6-9
- Rows 16-19
## LayoutModification XML
IT admins can provision the Start layout by creating a LayoutModification.xml file. This file supports several mechanisms to modify or replace the default Start layout and its tiles.
>[!NOTE]
>To make sure the Start layout XML parser processes your file correctly, follow these guidelines when writing your LayoutModification.xml file:
>- Do not leave spaces or white lines in between each element.
>- Do not add comments inside the StartLayout node or any of its children elements.
>- Do not add multiple rows of comments.
The following table lists the supported elements and attributes for the LayoutModification.xml file.
| Element | Attributes | Description |
| --- | --- | --- |
| LayoutModificationTemplate | xmlns</br>xmlns:defaultlayout</br>xmlns:start</br>Version | Use to describe the changes to the default Start layout. |
| DefaultLayoutOverride</br></br>Parent:</br>LayoutModificationTemplate | n/a | Use to specify the customized Start layout for mobile devices. |
| StartLayoutCollection</br></br>Parent:</br>DefaultLayoutOverride | n/a | Use to contain a collection of Start layouts. |
| StartLayout</br></br>Parent:</br>StartLayoutCollection | n/a | Use to specify the tile groups that will be appended to the Start screen. |
| start:Group</br></br>Parent:</br>StartLayout | Name | Use to specify the tiles that need to be appended to the default Start layout. |
| start:Tile</br></br>Parent:</br>start:Group | AppUserModelID</br>Size</br>Row</br>Column | Use to specify any Universal Windows app that has a valid **AppUserModelID** attribute. |
| start:SecondaryTile</br></br>Parent:</br>start:Group | AppUserModelID</br>TileID</br>Arguments</br>DisplayName</br>Square150x150LogoUri</br>ShowNameOnSquare150x150Logo</br>ShowNameOnWide310x150Logo</br>Wide310x150LogoUri</br>BackgroundColor</br>ForegroundText</br>IsSuggestedApp</br>Size</br>Row</br>Column | Use to pin a Web link through a Microsoft Edge secondary tile. |
| start:PhoneLegacyTile</br></br>Parent:</br>start:Group | ProductID</br>Size</br>Row</br>Column | Use to add a mobile app that has a valid **ProductID** attribute. |
| start:Folder</br></br>Parent:</br>start:Group | Name</br>Size</br>Row</br>Column | Use to add a folder to the mobile device's Start screen. |
| RequiredStartTiles</br></br>Parent:</br>LayoutModificationTemplate | n/a | Use to specify the tiles that will be pinned to the bottom of the Start screen even if a restored Start screen does not have the tiles during backup or restore. |
### start:Group
**start:Group** tags specify a group of tiles that will be appended to Start. You can set the **Name** attribute to specify a name for the Start group.
>[!NOTE]
>Windows 10 Mobile only supports one Start group.
For Windows 10 Mobile, **start:Group** tags can contain the following tags or elements:
- **start:Tile**
- **start:SecondaryTile**
- **start:PhoneLegacyTile**
- **start:Folder**
### Specify Start tiles
To pin tiles to Start, you must use the right kind of tile depending on what you want to pin.
#### Tile size and coordinates
All tile types require a size (**Size**) and coordinates (**Row** and **Column**) attributes regardless of the tile type that you use when prepinning items to Start.
The following table describes the attributes that you must use to specify the size and location for the tile.
| Attribute | Description |
| --- | --- |
| Size | Determines how large the tile will be. </br>- 1x1 - small tile</br>- 2x2 - medium tile</br>- 4x2 - wide tile</br>- 4x4 - large tile |
| Row | Specifies the row where the tile will appear. |
| Column | Specifies the column where the tile will appear. |
For example, a tile with Size="2x2", Row="2", and Column="2" results in a tile located at (2,2) where (0,0) is the top-left corner of a group.
#### start:Tile
You can use the **start:Tile** tag to pin a Universal Windows app to Start.
To specify an app, you must set the **AppUserModelID** attribute to the application user model ID that's associated with the corresponding app.
The following example shows how to pin the Microsoft Edge Universal Windows app:
```XML
<start:Tile
AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge"
Size="2x2"
Row="0"
Column="0"/>
```
#### start:SecondaryTile
You can use the **start:SecondaryTile** tag to pin a Web link through a Microsoft Edge secondary tile.
The following example shows how to create a tile of the Web site's URL using the Microsoft Edge secondary tile:
```XML
<start:SecondaryTile
AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge"
TileID="MyWeblinkTile"
Arguments="http://msn.com"
DisplayName="MySite"
Square150x150LogoUri="ms-appx:///Assets/MicrosoftEdgeSquare150x150.png"
Wide310x150LogoUri="ms-appx:///Assets/MicrosoftEdgeWide310x150.png"
ShowNameOnSquare150x150Logo="true"
ShowNameOnWide310x150Logo="false"
BackgroundColor="#FF112233"
Size="2x2"
Row="0"
Column="4"/>
```
The following table describes the other attributes that you can use with the **start:SecondaryTile** tag in addition to **Size**, **Row**, and **Column**.
| Attribute | Required/optional | Description |
| --- | --- | --- |
| AppUserModelID | Required | Must point to Microsoft Edge. |
| TileID | Required | Must uniquely identify your Web site tile. |
| Arguments | Required | Must contain the URL of your Web site. |
| DisplayName | Required | Must specify the text that you want users to see. |
| Square150x150LogoUri | Required | Specifies the logo to use on the 2x2 tile. |
| Wide310x150LogoUri | Optional | Specifies the logo to use on the 4x2 tile. |
| ShowNameOnSquare150x150Logo | Optional | Specifies whether the display name is shown on the 2x2 tile. You can set the value for this attribute to true or false. By default, this is set to false. |
| ShowNameOnWide310x150Logo | Optional | Specifies whether the display name is shown on the 4x2 tile. You can set the value for this attribute to true or false. By default, this is set to false. |
| BackgroundColor | Optional | Specifies the color of the tile. You can specify the value in ARGB hexadecimal (for example, #FF112233) or specify "transparent". |
| ForegroundText | Optional | Specifies the color of the foreground text. Set the value to either "light" or "dark". |
Secondary Microsoft Edge tiles have the same size and location behavior as a Universal Windows app.
#### start:PhoneLegacyTile
You can use the **start:PhoneLegacyTile** tag to add a mobile app that has a valid ProductID, which you can find in the app's manifest file. The **ProductID** attribute must be set to the GUID of the app.
The following example shows how to add a mobile app with a valid ProductID using the start:PhoneLegacyTile tag:
```XML
<start:PhoneLegacyTile
ProductID="{00000000-0000-0000-0000-000000000000}"
Size="2x2"
Row="0"
Column="2"/>
```
#### start:Folder
You can use the **start:Folder** tag to add a folder to the mobile device's Start screen.
You must set these attributes to specify the size and location of the folder: **Size**, **Row**, and **Column**.
Optionally, you can also specify a folder name by using the **Name** attribute. If you specify a name, set the value to a string.
The position of the tiles inside a folder is relative to the folder. You can add any of the following tile types to the folder:
- Tile - Use to pin a Universal Windows app to Start.
- SecondaryTile - Use to pin a Web link through a Microsoft Edge secondary tile.
- PhoneLegacyTile - Use to pin a mobile app that has a valid ProductID.
The following example shows how to add a medium folder that contains two apps inside it:
```XML
<start:Folder
Name="Contoso apps"
Size="2x2"
Row="0"
Column="2">
<start:Tile
AppUserModelID="Microsoft.BingMaps_8wekyb3d8bbwe!ApplicationID"
Size="2x2"
Row="0"
Column="0"/>
<start:PhoneLegacyTile
ProductID="{00000000-0000-0000-0000-000000000000}"
Size="1x1"
Row="0"
Column="2"/>
</start:Folder>
```
#### RequiredStartTiles
You can use the **RequiredStartTiles** tag to specify the tiles that will be pinned to the bottom of the Start screen even if a restored Start screen does not have the tiles during backup or restore.
>[!NOTE]
>Enabling this Start customization may be disruptive to the user experience.
For Windows 10 Mobile, **RequiredStartTiles** tags can contain the following tags or elements. These are similar to the tiles supported in **start:Group**.
- Tile - Use to pin a Universal Windows app to Start.
- SecondaryTile - Use to pin a Web link through a Microsoft Edge secondary tile.
- PhoneLegacyTile - Use to pin a mobile app that has a valid ProductID.
- Folder - Use to pin a folder to the mobile device's Start screen.
Tiles specified within the **RequiredStartTiles** tag have the following behavior:
- The partner-pinned tiles will begin in a new row at the end of the user-restored Start screen.
- If theres a duplicate tile between what the user has in their Start screen layout and what the OEM has pinned to the Start screen, only the app or tile shown in the user-restored Start screen layout will be shown and the duplicate tile will be omitted from the pinned partner tiles at the bottom of the Start screen.
The lack of duplication only applies to pinned apps. Pinned Web links may be duplicated.
- If partners have prepinned folders to the Start screen, Windows 10 treats these folders in the same way as appended apps on the Start screen. Duplicate folders will be removed.
- All partner tiles that are appended to the bottom of the user-restored Start screen will be medium-sized. There will be no gaps in the appended partner Start screen layout. Windows 10 will shift tiles accordingly to prevent gaps.
## Sample LayoutModification.xml
The following sample LayoutModification.xml shows how you can configure the Start layout for devices running Windows 10 Mobile:
```XML
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
Version="1">
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout>
<start:Group
Name="First Group">
<start:Tile
AppUserModelID="Microsoft.BingFinance_8wekyb3d8bbwe!ApplicationID"
Size="2x2"
Row="0"
Column="0"/>
<start:Tile
AppUserModelID="Microsoft.BingMaps_8wekyb3d8bbwe!ApplicationID"
Size="1x1"
Row="0"
Column="2"/>
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
<RequiredStartTiles>
<PhoneLegacyTile ProductID="{b00d3141-1caa-43aa-b0b5-78c1acf778fd}"/>
<PhoneLegacyTile ProductID="{C3F8E570-68B3-4D6A-BDBB-C0A3F4360A51}"/>
<PhoneLegacyTile ProductID="{C60904B7-8DF4-4C2E-A417-C8E1AB2E51C7}"/>
<Tile AppUserModelID="Microsoft.MicrosoftFeedback_8wekyb3d8bbwe!ApplicationID"/>
</RequiredStartTiles>
</LayoutModificationTemplate>
```
## Use Windows Provisioning multivariant support
The Windows Provisioning multivariant capability allows you to declare target conditions that, when met, supply specific customizations for each variant condition. For Start customization, you can create specific layouts for each variant that you have. To do this, you must create a separate LayoutModification.xml file for each variant that you want to support and then include these in your provisioning package. For more information on how to do this, see Create a provisioning package with multivariant settings.
The provisioning engine chooses the right customization file based on the target conditions that were met, adds the file in the location that's specified for the setting, and then uses the specific file to customize Start. To differentiate between layouts, you can add modifiers to the LayoutModification.xml filename such as "LayoutCustomization1". Regardless of the modifier that you use, the provsioning engine will always output "LayoutCustomization.xml" so that the OS has a consistent file name to query against.
For example, if you want to ensure that there's a specific layout for a certain mobile operator in a certain country/region, you can:
1. Create a specific layout customization file and then name it LayoutCustomization1.xml.
2. Include the file as part of your provisioning package.
3. Create your multivariant target and reference the XML file within the target condition in the main customization XML file.
The following example shows what the overall customization file might look like with multivariant support for Start:
```XML
<?xml version="1.0" encoding="utf-8"?>
<WindowsCustomizatons>
<PackageConfig xmlns="urn:schemas-Microsoft-com:Windows-ICD-Package-Config.v1.0">
<ID>{6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e}</ID>
<Name>My Provisioning Package</Name>
<Version>1.0</Version>
<OwnerType>OEM</OwnerType>
<Rank>50</Rank>
</PackageConfig>
<Settings xmlns="urn:schemas-microsoft-com:windows-provisioning">
<Customizations>
<Targets>
<Target Id="Operator XYZ">
<TargetState>
<Condition Name="MCC" Value="Range:310, 320" />
<Condition Name="MNC" Value="!Range:400, 550" />
</TargetState>
</Target>
<Target Id="Processor ABC">
<TargetState>
<TargetState>
<Condition Name="ProcessorName" Value="Pattern:.*Celeron.*" />
<Condition Name="ProcessorType" Value="Pattern:.*I|intel.*" />
</TargetState>
</TargetState>
</Target>
</Targets>
<Common>
<Settings>
<Policies>
<AllowBrowser>1</AllowBrowser>
<AllowCamera>1</AllowCamera>
<AllowBluetooth>1</AllowBluetooth>
</Policies>
<HotSpot>
<Enabled>1</Enabled>
</HotSpot>
</Settings>
</Common>
<Variant>
<TargetRefs>
<TargetRef Id="Operator XYZ" />
</TargetRefs>
<Settings>
<StartLayout>c:\users\<userprofile>\appdata\local\Microsoft\Windows\Shell\LayoutCustomization1.XML</StartLayout>
<HotSpot>
<Enabled>1</Enabled>
</HotSpot>
</Settings>
</Variant>
</Customizations>
</Settings>
</WindowsCustomizatons>
```
When the condition is met, the provisioning engine takes the XML file and places it in the location that Windows 10 has set and then the Start subsystem reads the file and applies the specific customized layout.
You must repeat this process for all variants that you want to support so that each variant can have a distinct layout for each of the conditions and targets that need to be supported. For example, if you add a **Language** condition, you can create a Start layout that has it's own localized group or folder titles.
## Add the LayoutModification.xml file to the image
Once you have created your LayoutModification.xml file to customize devices that will run Windows 10 Mobile, you can use Windows ICD to add the XML file to the device:
1. In the **Available customizations** pane, expand **Runtime settings**, select **Start** and then click the **StartLayout** setting.
2. In the middle pane, click **Browse** to open File Explorer.
3. In the File Explorer window, navigate to the location where you saved your LayoutModification.xml file.
4. Select the file and then click **Open**.
This should set the value of **StartLayout**. The setting appears in the **Selected customizations** pane.
## Related topics
[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
[Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)
 
 

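Review bot: The sample's `<RequiredStartTiles>` children (`<PhoneLegacyTile ProductID="..."/>` and `<Tile AppUserModelID="..."/>`) carry no Size, Row or Column, while "Tile size and coordinates" says all tile types require those attributes. Either add a sentence to the RequiredStartTiles section saying the attributes are omitted there (the behavior list already says these tiles are appended medium-sized and shifted to avoid gaps), or qualify the "all tile types" statement. The multivariant sample repeats the problems from the desktop topic: the unescaped `<userprofile>` inside `<StartLayout>` makes the file not well-formed, the "Processor ABC" target nests `<TargetState>` inside `<TargetState>`, the root element is spelled `<WindowsCustomizatons>`, and `Pattern:.*I|intel.*` alternates between `.*I` and `intel.*`. The sentence "see Create a provisioning package with multivariant settings" has lost the link that the desktop topic carries. The image reference `images\mobile-start-layout.png` uses a backslash, which will not resolve as a relative URL; use `images/mobile-start-layout.png`. The parser guidelines note (no blank lines, no comments inside StartLayout) should say what happens when a file breaks them, since an admin needs to know whether the layout is rejected or silently not applied. Typos to fix: "theres", "provsioning", "it's own", and "any multivariant settings that you have set is not overwritten". The SecondaryTile sample pins `http://msn.com`; prefer an `https://` URL in a tile that is provisioned for every user.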
View File

@ -0,0 +1,124 @@
---
title: Configure access to Windows Store (Windows 10)
description: IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store.
ms.assetid: 7AA60D3D-2A69-45E7-AAB0-B8AFC29C2E97
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store, mobile
author: TrudyHa
localizationpriority: high
---
# Configure access to Windows Store
**Applies to**
- Windows 10
- Windows 10 Mobile
>For more info about the features and functionality that are supported in each edition of Windows, see [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
IT pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store.
## Options to configure access to Windows Store
You can use these tools to configure access to Windows Store: AppLocker or Group Policy. For Windows 10, this is only supported on Windows 10 Enterprise edition.
## <a href="" id="block-store-applocker"></a>Block Windows Store using AppLocker
Applies to: Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile
AppLocker provides policy-based access control management for applications. You can block access to Windows Store app with AppLocker by creating a rule for packaged apps. You'll give the name of the Windows Store app as the packaged app that you want to block from client computers.
For more information on AppLocker, see [What is AppLocker?](../keep-secure/what-is-applocker.md) For more information on creating an AppLocker rule for app packages, see [Create a rule for packaged apps](../keep-secure/create-a-rule-for-packaged-apps.md).
**To block Windows Store using AppLocker**
1. Type secpol in the search bar to find and start AppLocker.
2. In the console tree of the snap-in, click **Application Control Policies**, click **AppLocker**, and then click **Packaged app Rules**.
3. On the **Action** menu, or by right-clicking on **Packaged app Rules**, click **Create New Rule**.
4. On **Before You Begin**, click **Next**.
5. On **Permissions**, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**.
6. On **Publisher**, you can select **Use an installed app package as a reference**, and then click **Select**.
7. On **Select applications**, find and click **Store** under **Applications** column, and then click **OK**. Click **Next**.
[Create a rule for packaged apps](../keep-secure/create-a-rule-for-packaged-apps.md) has more information on reference options and setting the scope on packaged app rules.
8. Optional: On **Exceptions**, specify conditions by which to exclude files from being affected by the rule. This allows you to add exceptions based on the same rule reference and rule scope as you set before. Click **Next**.
## <a href="" id="block-store-group-policy"></a>Block Windows Store using Group Policy
Applies to: Windows 10 Enterprise, version 1511, Windows 10 Education
> [!Note]
> Not supported on Windows 10 Pro.
You can also use Group Policy to manage access to Windows Store.
**To block Windows Store using Group Policy**
1. Type gpedit in the search bar to find and start Group Policy Editor.
2. In the console tree of the snap-in, click **Computer Configuration**, click **Administrative Templates** , click **Windows Components**, and then click **Store**.
3. In the Setting pane, click **Turn off Store application**, and then click **Edit policy setting**.
4. On the **Turn off Store application** setting page, click **Enabled**, and then click **OK**.
## <a href="" id="block-store-mdm"></a>Block Windows Store using management tool
Applies to: Windows 10 Mobile
If you have mobile devices in your organization that you upgraded from earlier versions of Windows Phone 8 to Windows 10 Mobile, existing policies created using the Windows Phone 8.1 configuration service providers (CSP) with your MDM tool will continue to work on Windows 10 Mobile. If you are starting with Windows 10 Mobile, we recommend using [AppLocker](#block-store-applocker) to manage access to Windows Store app.
When your MDM tool supports Windows Store for Business, the MDM can use these CSPs to block Windows Store app:
- [Policy](https://go.microsoft.com/fwlink/p/?LinkId=717030)
- [EnterpriseAssignedAccess](https://msdn.microsoft.com/library/windows/hardware/mt157024.aspx) (Windows 10 Mobile, only)
For more information, see [Configure an MDM provider](configure-mdm-provider-windows-store-for-business.md).
## Show private store only using Group Policy
Applies to Windows 10 Enterprise, version 1607, Windows 10 Education
If you're using Windows Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Windows Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store.
**To show private store only in Windows Store app**
1. Type **gpedit** in the search bar, and then select **Edit group policy (Control panel)** to find and start Group Policy Editor.
2. In the console tree of the snap-in, go to **User Configuration** or **Computer Configuration** > **Administrative Templates** > **Windows Components**, and then click **Store**.
3. Right-click **Only display the private store within the Windows Store app** in the right pane, and click **Edit**.
This opens the **Only display the private store within the Windows Store app** policy settings.
4. On the **Only display the private store within the Windows Store app** setting page, click **Enabled**, and then click **OK**.
## Related topics
[Distribute apps using your private store](distribute-apps-from-your-private-store.md)
[Manage access to private store](manage-access-to-private-store.md)
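Review bot: The opening sentence says this is "only supported on Windows 10 Enterprise edition", but the AppLocker section's "Applies to" line lists Enterprise, Education and Mobile, and the Group Policy section lists Enterprise and Education. Please reconcile the intro with the per-section lists so admins know which editions actually enforce the block. In the AppLocker procedure, step 1 says typing secpol starts AppLocker, yet step 2 then navigates a console tree to Application Control Policies > AppLocker, so step 1 should name the snap-in that actually opens. Step 5 leaves the action open ("allow or deny") although the procedure is titled as a block, so it should say to select Deny and name the user or group the rule is scoped to. The steps also stop at the optional Exceptions page (step 8) with no final step that creates the rule. The "upgraded from earlier versions of Windows Phone 8" sentence in the management tool section refers to 8.1 CSPs in the same sentence and should use one version consistently.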
 
 

View File

@ -0,0 +1,178 @@
---
title: Manage Windows 10 Start and taskbar layout (Windows 10)
description: Organizations might want to deploy a customized Start and taskbar layout to devices running Windows 10 Enterprise or Windows 10 Education.
ms.assetid: 2E94743B-6A49-463C-9448-B7DD19D9CD6A
keywords: ["start screen", "start menu"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# Manage Windows 10 Start and taskbar layout
**Applies to**
- Windows 10
> **Looking for consumer information?** See [Customize the Start menu](http://windows.microsoft.com/windows-10/getstarted-see-whats-on-the-menu)
Organizations might want to deploy a customized Start and taskbar configuration to devices running Windows 10 Enterprise or Windows 10 Education. A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default.
>[!NOTE]
>Taskbar configuration is available starting in Windows 10, version 1607.
## Start options
![start layout sections](images/startannotated.png)
Some areas of Start can be managed using Group Policy. The layout of Start tiles can be managed using either Group Policy or Mobile Device Management (MDM) policy.
The following table lists the different parts of Start and any applicable policy settings or Settings options. Group Policy settings are in the **User Configuration**\\**Administrative Templates**\\**Start Menu and Taskbar** path except where a different path is listed in the table.
<table>
<thead>
<tr class="header">
<th align="left">Start</th>
<th align="left">Policy</th>
<th align="left">Setting</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">User tile</td>
<td align="left">Group Policy: <strong>Remove Logoff on the Start menu</strong></td>
<td align="left"></td>
</tr>
<tr class="even">
<td align="left">Most used</td>
<td align="left">Group Policy: <strong>Remove frequent programs from the Start menu</strong></td>
<td align="left"><strong>Settings</strong> &gt; <strong>Personalization</strong> &gt; <strong>Start</strong> &gt; <strong>Show most used apps</strong></td>
</tr>
<tr class="odd">
<td align="left"><p>Suggestions</p>
<p>-and-</p>
<p>Dynamically inserted app tile</p></td>
<td align="left"><p>MDM: <strong>Allow Windows Consumer Features</strong></p>
<p>Group Policy: <strong>Computer Configuration</strong>\\<strong>Administrative Templates</strong>\\<strong>Windows Components</strong>\\<strong>Cloud Content</strong>\\<strong>Turn off Microsoft consumer experiences</strong></p>
<div class="alert">
<strong>Note</strong>  
<p>This policy also enables or disables notifications for a user's Microsoft account and app tiles from Microsoft dynamically inserted in the default Start menu.</p>
</div>
<div>
 
</div></td>
<td align="left"><strong>Settings</strong> &gt; <strong>Personalization</strong> &gt; <strong>Start</strong> &gt; <strong>Occasionally show suggestions in Start</strong></td>
</tr>
<tr class="even">
<td align="left">Recently added</td>
<td align="left">not applicable</td>
<td align="left"><strong>Settings</strong> &gt; <strong>Personalization</strong> &gt; <strong>Start</strong> &gt; <strong>Show recently added apps</strong></td>
</tr>
<tr class="odd">
<td align="left">Pinned folders</td>
<td align="left">not applicable</td>
<td align="left"><strong>Settings</strong> &gt; <strong>Personalization</strong> &gt; <strong>Start</strong> &gt; <strong>Choose which folders appear on Start</strong></td>
</tr>
<tr class="even">
<td align="left">Power</td>
<td align="left">Group Policy: <strong>Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands</strong></td>
<td align="left">None</td>
</tr>
<tr class="even">
<td align="left">Start layout</td>
<td align="left"><p>MDM: <strong>Start layout</strong></p>
<p>Group Policy: <strong>Start layout</strong></p>
<p>Group Policy: <strong>Prevent users from customizing their Start Screen</strong></p>
<div class="alert">
<strong>Note</strong>  
<p> When a full Start screen layout is imported with Group Policy or MDM, the users cannot pin, unpin, or uninstall apps from the Start screen. Users can view and open all apps in the <strong>All Apps</strong> view, but they cannot pin any apps to the Start screen. When a partial Start screen layout is imported, users cannot change the tile groups applied by the partial layout, but can modify other tile groups and create their own.</p><p><strong>Start layout</strong> policy can be used to pin apps to the taskbar based on an XML File that you provide. Users will be able to change the order of pinned apps, unpin apps, and pin additional apps to the taskbar.
</div>
<div>
 
</div></td>
<td align="left">None</td>
</tr>
<tr class="odd">
<td align="left">Jump lists</td>
<td align="left">Group Policy: <strong>Do not keep history of recently opened documents</strong></td>
<td align="left"><strong>Settings</strong> &gt; <strong>Personalization</strong> &gt; <strong>Start</strong> &gt; <strong>Show recently opened items in Jump Lists on Start or the taskbar</strong></td>
</tr>
<tr class="even">
<td align="left">Start size</td>
<td align="left"><p>MDM: <strong>Force Start size</strong></p>
<p>Group Policy: <strong>Force Start to be either full screen size or menu size</strong></p></td>
<td align="left"><strong>Settings</strong> &gt; <strong>Personalization</strong> &gt; <strong>Start</strong> &gt; <strong>Use Start full screen</strong></td>
</tr>
<tr class="odd">
<td align="left">All Settings</td>
<td align="left">Group Policy: <strong>Prevent changes to Taskbar and Start Menu Settings</strong></td>
<td align="left">None</td>
</tr>
</tbody>
</table>
 ## Taskbar options
Starting in Windows 10, version 1607, you can pin additional apps to the taskbar and remove default pinned apps from the taskbar. You can specify different taskbar configurations based on device locale or region.
There are three categories of apps that might be pinned to a taskbar:
* Apps pinned by the user
* Default Windows apps, pinned during operating system installation (Microsoft Edge, File Explorer, Store)
* Apps pinned by the enterprise, such as in an unattended Windows setup
**Note**  
The earlier method of using [TaskbarLinks](https://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file is deprecated in Windows 10, version 1607.
The following example shows how apps will be pinned - Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square).
> **Note**  In operating systems configured to use a right-to-left language, the taskbar order will be reversed.
![Windows left, user center, enterprise to the right](images/taskbar-generic.png)
Whether you apply the taskbar configuration to a clean install or an update, users will still be able to:
* Pin additional apps
* Change the order of pinned apps
* Unpin any app
### Taskbar configuration applied to clean install of Windows 10
In a clean install, if you apply a taskbar layout, only the apps that you specify and default apps that you do not remove will be pinned to the taskbar. Users can pin additional apps to the taskbar after the layout is applied.
### Taskbar configuration applied to Windows 10 upgrades
When a device is upgraded to Windows 10, apps will be pinned to the taskbar already. Some apps may have been pinned to the taskbar by a user, and others may have been pinned to the taskbar through a customized base image or by using Windows Unattend setup.
The new taskbar layout for upgrades to Windows 10, version 1607 or later, will apply the following behavior:
* If the user pinned the app to the taskbar, those pinned apps remain and new apps will be added to the right.
* If the user didn't pin the app (it was pinned during installation or by policy) and the app is not in updated layout file, the app will be unpinned.
* If the user didn't pin the app and the app is in the updated layout file, the app will be pinned to the right.
* New apps specified in updated layout file are pinned to right of user's pinned apps.
## Related topics
[Customize and export Start layout](customize-and-export-start-layout.md)
[Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)
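Review bot: In the "Start layout" table row, the second paragraph of the note ("<strong>Start layout</strong> policy can be used to pin apps to the taskbar ...") opens a <p> that is never closed before the </div>, which can break rendering of the rest of the table. Add the closing </p>. The same row and the "Power" row before it both carry class="even", so the odd/even striping is off from that point on. The "## Taskbar options" heading has a leading character before the ##, which may stop it rendering as a heading. The "User tile" row leaves the Setting cell empty while other rows without a setting say "None". Pick one. The Start layout note is the lockdown-relevant part of this page: it says a full layout blocks pin, unpin and uninstall from Start, while taskbar pins applied through the same policy stay user-changeable. It would help to state that contrast in the Taskbar options section as well, where readers configuring a locked-down device will look for it.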
 
 

View File

@ -0,0 +1,85 @@
---
title: Windows Spotlight on the lock screen (Windows 10)
description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen.
ms.assetid: 1AEA51FA-A647-4665-AD78-2F3FB27AD46A
keywords: ["lockscreen"]
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# Windows Spotlight on the lock screen
**Applies to**
- Windows 10
Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows Spotlight is available in all desktop editions of Windows 10.
For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background. For managed devices running Windows 10 Pro, version 1607, administrators can disable suggestions for third party apps.
>[!NOTE]
>In Windows 10, version 1607, the lock screen background does not display if you disable the **Animate windows when minimizing and mazimizing** setting in **This PC** > **Properties** > **Advanced system settings** > **Performance settings** > **Visual Effects**, or if you enable the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Desktop Windows Manager** > **Do not allow windows animations**.
## What does Windows Spotlight include?
- **Background image**
The Windows Spotlight displays a new image on the lock screen each day. The initial background image is included during installation. Additional images are downloaded on ongoing basis.
![lock screen image](images/lockscreen.png)
- **Feature suggestions, fun facts, tips**
The lock screen background will occasionally suggest Windows 10 features that the user hasn't tried yet, such as **Snap assist**.
## How do you turn off Windows Spotlight locally?
To turn off Windows Spotlight locally, go to **Settings** &gt; **Personalization** &gt; **Lock screen** &gt; **Background** &gt; **Windows spotlight** &gt; select a different lock screen background
![personalization background](images/spotlight.png)
## How do you disable Windows Spotlight for managed devices?
Windows 10, version 1607, provides three new Group Policy settings to help you manage Windows Spotlight on enterprise computers.
**Windows 10 Pro, Enterprise, and Education**
- **User Configuration\Administrative Templates\Windows Components\Cloud Content\Do not suggest third-party content in Windows spotlight** enables enterprises to restrict suggestions to Microsoft apps and services.
**Windows 10 Enterprise and Education**
* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows Spotlight features** enables enterprises to completely disable all Windows Spotlight features in a single setting.
* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Configure Spotlight on lock screen** specifically controls the use of the dynamic Windows Spotlight image on the lock screen, and can be enabled or disabled. (The Group Policy setting **Enterprise Spotlight** does not work in Windows 10, version 1607.)
Windows Spotlight is enabled by default. Administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** &gt; **Administrative Templates** &gt; **Control Panel** &gt; **Personalization** &gt; **Force a specific default lock screen image**.
>[!WARNING]
> In Windows 10, version 1607, the **Force a specific default lock screen image** policy setting will prevent users from changing the lock screen image. This behavior will be corrected in a future release.
![lockscreen policy details](images/lockscreenpolicy.png)
Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox is not selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages, such as the example in the following image.
![fun facts](images/funfacts.png)
## Related topics
[Manage Windows 10 Start layout options](../manage/windows-10-start-layout-options-and-policies.md)
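Review bot: The NOTE under the intro misspells the UI setting name as "Animate windows when minimizing and mazimizing"; since readers will search for that exact string in Visual Effects, fix it to "maximizing". In the managed-devices section, the paragraph about the Options checkbox reads "administrators can choose to allow or Turn off fun facts, tips, tricks, and more on lock screen", which does not say plainly which checkbox state suppresses the messages until the following sentence. Reword it so the selected and cleared states are each described once. The section says version 1607 "provides three new Group Policy settings" and then adds a fourth (Force a specific default lock screen image) plus a parenthetical that Enterprise Spotlight does not work in 1607, so say explicitly which three are the new ones. Smaller points: "downloaded on ongoing basis" is missing "an", the local turn-off instruction has no closing period, and the two policy lists mix "-" and "*" bullets.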