deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-22 10:17:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merged PR 5338: 1/17 PM Publish

Browse Source
This commit is contained in:
Alma Jenks 2018-01-17 23:32:21 +00:00
commit 6bd7e1c71d
22 changed files with 303 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
bcs/index.md
View File

@ -733,7 +733,7 @@ ms.date: 11/01/2017
</div>
</li>
<li>
<a href="http://videoplayercdn.osi.office.net/embed/0705c337-f3e8-4d28-bb6c-530cd28e99f2_1280x720_3400.mp4" target="_blank">
<a href="http://videoplayercdn.osi.office.net/embed/0705c337-f3e8-4d28-bb6c-530cd28e99f2" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -752,7 +752,7 @@ ms.date: 11/01/2017
</a>
</li>
<li>
<a href="http://videoplayercdn.osi.office.net/embed/a5734146-620a-4cec-8618-536b3ca37972_1280x720_3400.mp4" target="_blank">
<a href="http://videoplayercdn.osi.office.net/embed/a5734146-620a-4cec-8618-536b3ca37972" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -771,7 +771,7 @@ ms.date: 11/01/2017
</a>
</li>
<li>
<a href="http://videoplayercdn.osi.office.net/embed/e0ee7052-e0f4-4c42-a4f1-5e91b9776ce9_1280x720_3400.mp4" target="_blank">
<a href="http://videoplayercdn.osi.office.net/embed/e0ee7052-e0f4-4c42-a4f1-5e91b9776ce9" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -1704,7 +1704,7 @@ ms.date: 11/01/2017
</div>
</li>
<li>
<a href="http://videoplayercdn.osi.office.net/embed/0705c337-f3e8-4d28-bb6c-530cd28e99f2_1280x720_3400.mp4" target="_blank">
<a href="http://videoplayercdn.osi.office.net/embed/0705c337-f3e8-4d28-bb6c-530cd28e99f2" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -1723,7 +1723,7 @@ ms.date: 11/01/2017
</a>
</li>
<li>
<a href="http://videoplayercdn.osi.office.net/embed/a5734146-620a-4cec-8618-536b3ca37972_1280x720_3400.mp4" target="_blank">
<a href="http://videoplayercdn.osi.office.net/embed/a5734146-620a-4cec-8618-536b3ca37972" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -1742,7 +1742,7 @@ ms.date: 11/01/2017
</a>
</li>
<li>
<a href="http://videoplayercdn.osi.office.net/embed/e0ee7052-e0f4-4c42-a4f1-5e91b9776ce9_1280x720_3400.mp4" target="_blank">
<a href="http://videoplayercdn.osi.office.net/embed/e0ee7052-e0f4-4c42-a4f1-5e91b9776ce9" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">

1
devices/surface-hub/TOC.md
View File

@ -31,6 +31,7 @@
#### [Use fully qualified domain name with Surface Hub](use-fully-qualified-domain-name-surface-hub.md)
#### [Wireless network management](wireless-network-management-for-surface-hub.md)
### [Install apps on your Surface Hub](install-apps-on-surface-hub.md)
### [Configure Surface Hub Start menu](surface-hub-start-menu.md)
### [Set up and use Whiteboard to Whiteboard collaboration](whiteboard-collaboration.md)
### [End a Surface Hub meeting with End session](i-am-done-finishing-your-surface-hub-meeting.md)
### [Sign in to Surface Hub with Microsoft Authenticator](surface-hub-authenticator-app.md)

3
devices/surface-hub/change-history-surface-hub.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerms
ms.author: jdecker
ms.date: 01/10/2018
ms.date: 01/17/2018
ms.localizationpriority: medium
---
@ -20,6 +20,7 @@ This topic lists new and updated topics in the [Surface Hub Admin Guide]( surfac
New or changed topic | Description
--- | ---
[Configure Surface Hub Start menu](surface-hub-start-menu.md) | New
[PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) | Added prerequisites for running the scripts
## November 2017

7
devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: surfacehub, mobility
author: jdeckerms
ms.author: jdecker
ms.date: 11/29/2017
ms.date: 01/17/2018
ms.localizationpriority: medium
---
@ -185,7 +185,12 @@ The following tables include info on Windows 10 settings that have been validate
| Set Network proxy | Use to configure a proxy server for ethernet and Wi-Fi connections. | [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
#### Configure Start menu
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML*? |
| --- | ---- | --- |---- | --- | --- |
| Configure Start menu | Use to configure which apps are displayed on the Start menu. For more information, see [Configure Surface Hub Start menu](surface-hub-start-menu.md) | [Policy CSP: Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
### Generate OMA URIs for settings
You need to use a settings OMA URI to create a custom policy in Intune, or a custom setting in System Center Configuration Manager.

3
devices/surface-hub/manage-surface-hub.md
View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerms
ms.author: jdecker
ms.date: 11/15/2017
ms.date: 01/17/2018
ms.localizationpriority: medium
---
@ -32,6 +32,7 @@ Learn about managing and updating Surface Hub.
| [Remote Surface Hub management](remote-surface-hub-management.md) |Topics related to managing your Surface Hub remotely. Include install apps, managing settings with MDM and monitoring with Operations Management Suite. |
| [Manage Surface Hub settings](manage-surface-hub-settings.md) |Topics related to managing Surface Hub settings: accessibility, device account, device reset, fully qualified domain name, Windows Update settings, and wireless network |
| [Install apps on your Surface Hub]( https://technet.microsoft.com/itpro/surface-hub/install-apps-on-surface-hub) | Admins can install apps can from either the Microsoft Store or the Microsoft Store for Business.|
[Configure Surface Hub Start menu](surface-hub-start-menu.md) | Use MDM to customize the Start menu for Surface Hub.
| [Set up and use Whiteboard to Whiteboard collaboration](whiteboard-collaboration.md) | Microsoft Whiteboards latest update includes the capability for two Surface Hubs to collaborate in real time on the same board. |
| [End a meeting with End session](https://technet.microsoft.com/itpro/surface-hub/i-am-done-finishing-your-surface-hub-meeting) | At the end of a meeting, users can tap **End session** to clean up any sensitive data and prepare the device for the next meeting.|
| [Sign in to Surface Hub with Microsoft Authenticator](surface-hub-authenticator-app.md) | You can sign in to a Surface Hub without a password using the Microsoft Authenticator app, available on Android and iOS. |

179
devices/surface-hub/surface-hub-start-menu.md Normal file
View File

@ -0,0 +1,179 @@
---
title: Configure Surface Hub Start menu
description: Use MDM to customize the Start menu on Surface Hub.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerms
ms.author: jdecker
ms.date: 01/17/2018
ms.localizationpriority: medium
---
# Configure Surface Hub Start menu
The [January 17, 2018 update to Windows 10](https://support.microsoft.com/help/4057144) (build 15063.877) enables customized Start menus on Surface Hub devices. You apply the customized Start menu layout using mobile device management (MDM).
When you apply a customized Start menu layout to Surface Hub, users cannot pin, unpin, or uninstall apps from Start.
## How to apply a customized Start menu to Surface Hub
The customized Start menu is defined in a Start layout XML file. You have two options for creating your Start layout XML file:
- Edit the [default Surface Hub Start XML](#default)
-or-
- Configure the desired Start menu on a desktop (pinning only apps that are available on Surface Hub), and then [export the layout](https://docs.microsoft.com/windows/configuration/customize-and-export-start-layout#export-the-start-layout).
>[!TIP]
>To add a tile with a web link to your desktop start menu, go the the link in Microsoft Edge, select `...` in the top right corner, and select **Pin this page to Start**. See [a Start layout that includes a Microsoft Edge link](#edge) for an example of how links will appear in the XML.
To edit the default XML or the exported layout, familiarize yourself with the [Start layout XML](https://docs.microsoft.com/en-us/windows/configuration/start-layout-xml-desktop). There are a few [differences between Start layout on a deskop and a Surface Hub.](#differences)
When you have your Start menu defined in a Start layout XML, [create an MDM policy to apply the layout.](https://docs.microsoft.com/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management#a-href-idbkmk-domaingpodeploymentacreate-a-policy-for-your-customized-start-layout)
<span id="differences" />
## Differences between Surface Hub and desktop Start menu
There are a few key differences between Start menu customization for Surface Hub and a Windows 10 desktop:
- You cannot use **DesktopApplicationTile** (https://docs.microsoft.com/en-us/windows/configuration/start-layout-xml-desktop#startdesktopapplicationtile) in your Start layout XML because Windows desktop applications (Win32) are not supported on Surface Hub.
- You cannot use the Start layout XML to configure the taskbar or the Welcome screen for Surface Hub.
- Surface Hub supports a maximum of 6 columns (6 1x1 tiles), however, you **must** define `GroupCellWidth=8` even though Surface Hub will only display tiles in columns 0-5, not columns 6 and 7.
- Surface Hub supports a maximum 6 rows (6 1x1 tiles)
- `SecondaryTile`, which is used for links, will open the link in Microsoft Edge.
<span id="default" />
## Example: Default Surface Hub Start layout
```xml
<LayoutModificationTemplate Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="8" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="8" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout">
<start:Group Name="" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
<start:Tile
AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge"
Size="2x2"
Row="0"
Column="0"/>
<start:Tile
AppUserModelID="Microsoft.Getstarted_8wekyb3d8bbwe!App"
Size="4x2"
Row="0"
Column="2"/>
<start:Tile
AppUserModelID="Microsoft.Office.PowerPoint_8wekyb3d8bbwe!Microsoft.pptim"
Size="2x2"
Row="2"
Column="0"/>
<start:Tile
AppUserModelID="Microsoft.Office.Word_8wekyb3d8bbwe!Microsoft.Word"
Size="2x2"
Row="2"
Column="2"/>
<start:Tile
AppUserModelID="Microsoft.Office.Excel_8wekyb3d8bbwe!Microsoft.Excel"
Size="2x2"
Row="2"
Column="4"/>
<start:Tile
AppUserModelID="c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy!App"
Size="2x2"
Row="4"
Column="0"/>
<start:Tile
AppUserModelID="microsoft.microsoftskydrive_8wekyb3d8bbwe!App"
Size="2x2"
Row="4"
Column="2"/>
<start:Tile
AppUserModelID="Microsoft.MicrosoftPowerBIForWindows_8wekyb3d8bbwe!Microsoft.MicrosoftPowerBIForWindows"
Size="2x2"
Row="4"
Column="4"/>
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>
```
<span id="edge" />
## Example: Start layout that includes a Microsoft Edge link
This example shows a link to a website and a link to a .pdf file.
```xml
<LayoutModificationTemplate Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="8" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="8" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout">
<start:Group Name="" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
<start:Tile
AppUserModelID="Microsoft.Office.PowerPoint_8wekyb3d8bbwe!Microsoft.pptim"
Size="2x2"
Row="0"
Column="0"/>
<start:Tile
AppUserModelID="Microsoft.Office.Word_8wekyb3d8bbwe!Microsoft.Word"
Size="2x2"
Row="0"
Column="2"/>
<start:Tile
AppUserModelID="Microsoft.Office.Excel_8wekyb3d8bbwe!Microsoft.Excel"
Size="2x2"
Row="0"
Column="4"/>
<start:Tile
AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge"
Size="2x2"
Row="2"
Column="0"/>
<start:Tile
AppUserModelID="microsoft.microsoftskydrive_8wekyb3d8bbwe!App"
Size="2x2"
Row="2"
Column="2"/>
<start:SecondaryTile
AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge"
TileID="2678823080"
DisplayName="Bing"
Arguments="https://www.bing.com/"
Square150x150LogoUri="ms-appdata:///local/PinnedTiles/2678823080/lowres.png"
Wide310x150LogoUri="ms-appx:///"
ShowNameOnSquare150x150Logo="true"
ShowNameOnWide310x150Logo="false"
BackgroundColor="#ffe9e7e7"
ForegroundText="dark"
Size="2x2"
Column="4"
Row="2" />
<start:Tile
AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App"
Size="2x2"
Row="4"
Column="0"/>
<start:SecondaryTile
AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge"
TileID="6153963000"
DisplayName="cstrtqbiology.pdf"
Arguments="-contentTile -formatVersion 0x00000003 -pinnedTimeLow 0x45b7376e -pinnedTimeHigh 0x01d2356c -securityFlags 0x00000000 -tileType 0x00000000 -url 0x0000003a https://www.ada.gov/regs2010/2010ADAStandards/Guidance_2010ADAStandards.pdf"
Square150x150LogoUri="ms-appdata:///local/PinnedTiles/2678823080/lowres.png" Wide310x150LogoUri="ms-appx:///" ShowNameOnSquare150x150Logo="true" ShowNameOnWide310x150Logo="true"
BackgroundColor="#ff4e4248"
Size="4x2"
Row="4"
Column="2"/>
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>
```

11
windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md Normal file
View File

@ -0,0 +1,11 @@
# Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal
Go to your Azure AD Blade, select the Mobility (MDM and MAM) and there should be the Microsoft Intune "App" Visible, select the Microsoft Intune and configure the Blade
![How to get to the Blade](images/azure-mdm-intune.png)
Configure the Blade
![Configure the Blade](images/azure-intune-configure-scope.png)
Select all for allow all users to enroll a Device and make it Intune ready, or Some, then you can add a Group of Users.

1
windows/client-management/mdm/cm-cellularentries-csp.md
View File

@ -192,6 +192,7 @@ The following diagram shows the CM\_CellularEntries configuration service provid
- Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB
- Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364
- Application - 52D7654A-00A8-4140-806C-087D66705306
- eSIM provisioning - A36E171F-2377-4965-88FE-1F53EB4B47C0
## Additional information

41
windows/client-management/mdm/configuration-service-provider-reference.md
View File

@ -2441,27 +2441,28 @@ You can download the DDF files for various CSPs from the links below:
The following list shows the configuration service providers supported in Windows Holographic editions.
| Configuration service provider | Windows Holographic edition | Windows Holographic for Business edition |
|-------------------------------------------------------------------------------------------------------|-------------------------------------|-------------------------------------------|
| [Application CSP](application-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
| [AppLocker CSP](applocker-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [CertificateStore CSP](certificatestore-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [DevDetail CSP](devdetail-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
| [DeveloperSetup CSP](developersetup-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)2 (Provisioning only)|
| [DeviceStatus CSP](devicestatus-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [DevInfo CSP](devinfo-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
| [DiagnosticLog CSP](diagnosticlog-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [DMAcc CSP](dmacc-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
| [DMClient CSP](dmclient-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
| Configuration service provider | Windows Holographic edition | Windows Holographic for Business edition |
|--------|--------|------------|
| [Application CSP](application-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
| [AppLocker CSP](applocker-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [CertificateStore CSP](certificatestore-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)|
| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [DevDetail CSP](devdetail-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
| [DeveloperSetup CSP](developersetup-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)2 (Provisioning only)|
| [DeviceStatus CSP](devicestatus-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [DevInfo CSP](devinfo-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
| [DiagnosticLog CSP](diagnosticlog-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [DMAcc CSP](dmacc-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
| [DMClient CSP](dmclient-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [NodeCache CSP](nodecache-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
| [Policy CSP](policy-configuration-service-provider.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [Update CSP](update-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [VPN2 CSP](vpnv2-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [WiFi CSP](wifi-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [WindowsLicensing CSP](windowslicensing-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
| [NodeCache CSP](nodecache-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
[PassportForWork CSP](passportforwork-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [Policy CSP](policy-configuration-service-provider.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [Update CSP](update-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [VPN2 CSP](vpnv2-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [WiFi CSP](wifi-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [WindowsLicensing CSP](windowslicensing-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
Footnotes:
- 2 - Added in Windows 10, version 1703

BIN
windows/client-management/mdm/images/azure-intune-configure-scope.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 24 KiB

BIN
windows/client-management/mdm/images/azure-mdm-intune.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 47 KiB

2
windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
View File

@ -112,7 +112,7 @@ All Windows devices can be connected to an Azure AD domain. These devices can be
If the tenant is a cloud-only tenant, this page will change to show the organization's custom branding, and you will be able to enter your password directly on this page. If the tenant is part of a federated domain, you will be redirected to the organization's on-premises federation server, such as Active Directory Federation Services (AD FS) for authentication.
Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM. After you complete the flow, your device will be connected to your organizations Azure AD domain.
Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM. After you complete the flow, your device will be connected to your organizations Azure AD domain.
![azure ad signin](images/unifiedenrollment-rs1-13.png)

2
windows/client-management/mdm/mobile-device-enrollment.md
View File

@ -82,7 +82,7 @@ Value: DisableRegistration
The following scenarios do not allow MDM enrollments:
- Built-in administrator accounts on Windows desktop cannot enroll into MDM.
- Prior to Windows 10, version 1709, standard users on Windows desktop cannot enroll into MDM via the Work access page in **Settings**. Only admin users can enroll. To enroll a standard user into MDM, we recommend using a provisioning package or joining the device to Azure AD from **Settings** -&gt; **System** -&gt; **About**. Starting in Windows 10, version 1709, standard users can enroll in MDM.
- Standard users cannot enroll in MDM. Only admin users can enroll.
- Windows 8.1 devices enrolled into MDM via enroll-on-behalf-of (EOBO) can upgrade to Windows 10, but the enrollment is not supported. We recommend performing a server initiated unenroll to remove these enrollments and then enrolling after the upgrade to Windows 10 is completed.
## Enrollment migration

1
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -1465,6 +1465,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode</li>
<li>TaskScheduler/EnableXboxGameSaveTask</li>
<li>TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode</li>
<li>Update/ConfigureFeatureUpdateUninstallPeriod</li>
<li>UserRights/AccessCredentialManagerAsTrustedCaller</li>
<li>UserRights/AccessFromNetwork</li>
<li>UserRights/ActAsPartOfTheOperatingSystem</li>

15
windows/client-management/mdm/passportforwork-csp.md
View File

@ -54,6 +54,7 @@ The following diagram shows the PassportForWork configuration service provider i
<a href="" id="tenantid-policies-excludesecuritydevices--only-for---device-vendor-msft-"></a>***TenantId*/Policies/ExcludeSecurityDevices** (only for ./Device/Vendor/MSFT)
<p style="margin-left: 20px">Added in Windows 10, version 1703. Root node for excluded security devices.
<p style="margin-left: 20px">*Not supported on Windows Holographic and Windows Holographic for Business.*
<a href="" id="tenantid-policies-excludesecuritydevices-tpm12--only-for---device-vendor-msft-"></a>***TenantId*/Policies/ExcludeSecurityDevices/TPM12** (only for ./Device/Vendor/MSFT)
<p style="margin-left: 20px">Added in Windows 10, version 1703. Some Trusted Platform Modules (TPMs) are compliant only with the older 1.2 revision of the TPM specification defined by the Trusted Computing Group (TCG).
@ -178,27 +179,37 @@ This cloud service encrypts a recovery secret, which is stored locally on the cl
<a href="" id="tenantid-policies-remote--only-for---device-vendor-msft-"></a>***TenantId*/Policies/Remote** (only for ./Device/Vendor/MSFT)
<p style="margin-left: 20px">Interior node for defining remote Windows Hello for Business policies. This node was added in Windows 10, version 1511.
<p style="margin-left: 20px">*Not supported on Windows Holographic and Windows Holographic for Business.*
<a href="" id="tenantid-policies-remote-useremotepassport--only-for---device-vendor-msft-"></a>***TenantId*/Policies/Remote/UseRemotePassport** (only for ./Device/Vendor/MSFT)
<p style="margin-left: 20px">Boolean value used to enable or disable the use of remote Windows Hello for Business. Remote Windows Hello for Business provides the ability for a portable, registered device to be usable as a companion device for desktop authentication. Remote Windows Hello for Business requires that the desktop be Azure AD joined and that the companion device has a Windows Hello for Business PIN. This node was added in Windows 10, version 1511.
<p style="margin-left: 20px">Default value is false. If you set this policy to true, Remote Windows Hello for Business will be enabled and a portable, registered device can be used as a companion device for desktop authentication. If you set this policy to false, Remote Windows Hello for Business will be disabled.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<p style="margin-left: 20px">*Not supported on Windows Holographic and Windows Holographic for Business.*
<a href="" id="usebiometrics"></a>**UseBiometrics**
<p style="margin-left: 20px">This node is deprecated. Use **Biometrics/UseBiometrics** node instead.
<a href="" id="biometrics--only-for---device-vendor-msft-"></a>**Biometrics** (only for ./Device/Vendor/MSFT)
<p style="margin-left: 20px">Node for defining biometric settings. This node was added in Windows 10, version 1511.
<p style="margin-left: 20px">*Not supported on Windows Holographic and Windows Holographic for Business.*
<a href="" id="biometrics-usebiometrics--only-for---device-vendor-msft-"></a>**Biometrics/UseBiometrics** (only for ./Device/Vendor/MSFT)
<p style="margin-left: 20px">Boolean value used to enable or disable the use of biometric gestures, such as face and fingerprint, as an alternative to the PIN gesture for Windows Hello for Business. Users must still configure a PIN if they configure biometric gestures to use in case of failures. This node was added in Windows 10, version 1511.
<p style="margin-left: 20px">Default value is false. If you set this policy to true, biometric gestures are enabled for use with Windows Hello for Business. If you set this policy to false, biometric gestures are disabled for use with Windows Hello for Business.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<p style="margin-left: 20px">*Not supported on Windows Holographic and Windows Holographic for Business.*
<a href="" id="biometrics-facialfeaturesuseenhancedantispoofing--only-for---device-vendor-msft-"></a>**Biometrics/FacialFeaturesUseEnhancedAntiSpoofing** (only for ./Device/Vendor/MSFT)
<p style="margin-left: 20px">Boolean value used to enable or disable enhanced anti-spoofing for facial feature recognition on Windows Hello face authentication. This node was added in Windows 10, version 1511.
@ -208,8 +219,12 @@ This cloud service encrypts a recovery secret, which is stored locally on the cl
<p style="margin-left: 20px">Note that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<p style="margin-left: 20px">*Not supported on Windows Holographic and Windows Holographic for Business.*
## Examples
<p style="margin-left: 20px">Here's an example for setting Windows Hello for Business and setting the PIN policies. It also turns on the use of biometrics and TPM.

4
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -2912,6 +2912,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-update.md#update-branchreadinesslevel" id="update-branchreadinesslevel">Update/BranchReadinessLevel</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-configurefeatureupdateuninstallperiod" id="update-configurefeatureupdateuninstallperiod">Update/ConfigureFeatureUpdateUninstallPeriod</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-deferfeatureupdatesperiodindays" id="update-deferfeatureupdatesperiodindays">Update/DeferFeatureUpdatesPeriodInDays</a>
</dd>
@ -3794,6 +3797,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Privacy/PublishUserActivities](#privacy-publishuseractivities)
- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature)
- [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot)
- [Start/StartLayout](#start-startlayout)
- [System/AllowFontProviders](#system-allowfontproviders)
- [System/AllowLocation](#system-allowlocation)
- [System/AllowTelemetry](#system-allowtelemetry)

41
windows/client-management/mdm/policy-csp-update.md
View File

@ -57,6 +57,9 @@ ms.date: 12/19/2017
<dd>
<a href="#update-branchreadinesslevel">Update/BranchReadinessLevel</a>
</dd>
<dd>
<a href="#update-configurefeatureupdateuninstallperiod">Update/ConfigureFeatureUpdateUninstallPeriod</a>
</dd>
<dd>
<a href="#update-deferfeatureupdatesperiodindays">Update/DeferFeatureUpdatesPeriodInDays</a>
</dd>
@ -751,6 +754,42 @@ The following list shows the supported values:
- 16 {0x10} - (default) Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted).
- 32 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel.
<!--/SupportedValues-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="update-configurefeatureupdateuninstallperiod"></a>**Update/ConfigureFeatureUpdateUninstallPeriod**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, next major update. Enable IT admin to configure feature update uninstall period. Values range 2 - 60 days. Default is 10 days.
<!--EndDescription-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--EndPolicy-->
<hr/>
@ -2393,7 +2432,7 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. For devices in a cart, this policy skips the check for battery level to ensure that the reboot will happen at ScheduledInstallTime.
<p style="margin-left: 20px">Added in Windows 10, version 1703. For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at ScheduledInstallTime.
<p style="margin-left: 20px">The following list shows the supported values:

2
windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
View File

@ -138,7 +138,7 @@ This is an example script with logging that shows how to run a powershell script
set LOGFILE=%SystemDrive%\my_powershell_script.log
echo Running my_powershell_script.ps1 in system context >> %LOGFILE%
echo Executing "PsExec.exe -accepteula -i -s cmd.exe /c powershell.exe my_powershell_script.ps1" >> %LOGFILE%
PsExec.exe -accepteula -i -s cmd.exe /c powershell.exe my_powershell_script.ps1' >> %LOGFILE%
PsExec.exe -accepteula -i -s cmd.exe /c 'powershell.exe my_powershell_script.ps1' >> %LOGFILE%
echo result: %ERRORLEVEL% >> %LOGFILE%
```

2
windows/deployment/upgrade/windows-10-edition-upgrades.md
View File

@ -41,7 +41,7 @@ X = unsupported <BR>
-->
| Edition upgrade | Using mobile device management (MDM) | Using a provisioning package | Using a command-line tool | Using Microsoft Store for Business or PC | Entering a product key manually | Purchasing a license from the Microsoft Store |
|-----------------| ------------------------------------ | ---- ----------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- |
|-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- |
| **Home > Pro** | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) |
| **Home > Pro for Workstations** | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) |
| **Home > Pro Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |

4
windows/device-security/applocker/understanding-applocker-rule-exceptions.md
View File

@ -20,7 +20,9 @@ This topic describes the result of applying AppLocker rule exceptions to rule co
You can apply AppLocker rules to individual users or a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset.
For example, the rule "Allow Everyone to run Windows except Registry Editor" allows everyone in the organization to run Windows but does not allow anyone to run Registry Editor. The effect of this rule would prevent users such as help desk personnel from running a program that is necessary for their support tasks. To resolve this problem, create a second rule that applies to the Helpdesk user group: "Allow Helpdesk to run Registry Editor." If you create a deny rule that does not allow any users to run Registry Editor, the deny rule will override the second rule that allows the Helpdesk user group to run Registry Editor.
For example, the rule "Allow Everyone to run Windows except Registry Editor" allows Everyone to run Windows binaries, but does not allow anyone to run Registry Editor (by adding %WINDIR%\regedit.exe as a Path Exception of the rule).
The effect of this rule would prevent users such as Helpdesk personnel from running the Registry Editor, a program that is necessary for their support tasks.
To resolve this problem, create a second rule that applies to the Helpdesk user group: "Allow Helpdesk to run Registry Editor" and add %WINDIR%\regedit.exe as an allowed path. If you create a deny rule that does not allow any users to run Registry Editor, the deny rule will override the second rule that allows the Helpdesk user group to run Registry Editor.
## Related topics

2
windows/device-security/bitlocker/bitlocker-basic-deployment.md
View File

@ -523,7 +523,7 @@ Decryption with Windows PowerShell cmdlets is straightforward, similar to manage
Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for additional commands. An example of this command is:
``` syntax
DisableBitLocker
Disable-BitLocker
```
If a user did not want to input each mount point individually, using the `-MountPoint` parameter in an array can sequence the same command into one line without requiring additional user input. An example command is:

6
windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
View File

@ -82,11 +82,11 @@ Disable Win32k system calls | Prevents an app from using the Win32k system call
Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
>[!IMPORTANT]
>If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: