deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-25 15:23:40 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

resolving merge conflict

Browse Source
This commit is contained in:
Justinha
2017-03-22 09:11:51 -07:00
parent a1666a75cb e2d0ecee88
commit 7a14dde652
1168 changed files with 2640 additions and 6159 deletions
Download Patch File Download Diff File Expand all files Collapse all files

141
windows/manage/TOC.md
View File

@ -1,78 +1,42 @@
# [Manage and update Windows 10](index.md)
# [Manage Windows 10](index.md)
## [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md)
## [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)
## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)
## [Cortana integration in your business or enterprise](cortana-at-work-overview.md)
### [Testing scenarios using Cortana in your business or organization](cortana-at-work-testing-scenarios.md)
#### [Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook](cortana-at-work-scenario-1.md)
#### [Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work-scenario-2.md)
#### [Test scenario 3 - Set a reminder for a specific location using Cortana at work](cortana-at-work-scenario-3.md)
#### [Test scenario 4 - Use Cortana at work to find your upcoming meetings](cortana-at-work-scenario-4.md)
#### [Test scenario 5 - Use Cortana to send email to a co-worker](cortana-at-work-scenario-5.md)
#### [Test scenario 6 - Review a reminder suggested by Cortana based on what youve promised in email](cortana-at-work-scenario-6.md)
#### [Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organizations data on a device](cortana-at-work-scenario-7.md)
### [Set up and test Cortana with Office 365 in your organization](cortana-at-work-o365.md)
### [Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization](cortana-at-work-crm.md)
### [Set up and test Cortana for Power BI in your organization](cortana-at-work-powerbi.md)
### [Set up and test custom voice commands in Cortana for your organization](cortana-at-work-voice-commands.md)
### [Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization](cortana-at-work-policy-settings.md)
### [Send feedback about Cortana at work back to Microsoft](cortana-at-work-feedback.md)
## [Update Windows 10 in the enterprise](waas-update-windows-10.md)
### [Quick guide to Windows as a service](waas-quick-start.md)
### [Overview of Windows as a service](waas-overview.md)
### [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
### [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
### [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
### [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md)
#### [Get started with Update Compliance](update-compliance-get-started.md)
#### [Use Update Compliance](update-compliance-using.md)
### [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
#### [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
#### [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
### [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
### [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
#### [Configure Windows Update for Business](waas-configure-wufb.md)
#### [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
#### [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
#### [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
### [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
### [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
### [Manage device restarts after updates](waas-restart.md)
## [Manage corporate devices](manage-corporate-devices.md)
### [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md)
### [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
### [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)
### [New policies for Windows 10](new-policies-for-windows-10.md)
### [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
### [Changes to Group Policy settings for Windows 10 Start menu](changes-to-start-policies-in-windows-10.md)
### [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)
### [Introduction to configuration service providers (CSPs)](how-it-pros-can-use-configuration-service-providers.md)
## [Windows Spotlight on the lock screen](windows-spotlight.md)
## [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
### [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
### [Customize and export Start layout](customize-and-export-start-layout.md)
### [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
### [Start layout XML for mobile editions of Windows 10 (reference)](start-layout-xml-mobile.md)
### [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
### [Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
### [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
## [Windows Store for Business](windows-store-for-business.md)
### [Sign up and get started](sign-up-windows-store-for-business-overview.md)
####[Windows Store for Business overview](windows-store-for-business-overview.md)
#### [Prerequisites for Windows Store for Business](prerequisites-windows-store-for-business.md)
#### [Sign up for Windows Store for Business](sign-up-windows-store-for-business.md)
#### [Roles and permissions in the Windows Store for Business](roles-and-permissions-windows-store-for-business.md)
#### [Settings reference: Windows Store for Business](settings-reference-windows-store-for-business.md)
### [Find and acquire apps](find-and-acquire-apps-overview.md)
#### [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md)
#### [Acquire apps in the Windows Store for Business](acquire-apps-windows-store-for-business.md)
#### [Working with line-of-business apps](working-with-line-of-business-apps.md)
### [Distribute apps to your employees from the Windows Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md)
#### [Distribute apps using your private store](distribute-apps-from-your-private-store.md)
#### [Assign apps to employees](assign-apps-to-employees.md)
#### [Distribute apps with a management tool](distribute-apps-with-management-tool.md)
#### [Distribute offline apps](distribute-offline-apps.md)
### [Manage apps](manage-apps-windows-store-for-business-overview.md)
#### [App inventory managemement for Windows Store for Business](app-inventory-management-windows-store-for-business.md)
#### [Manage app orders in Windows Store for Business](manage-orders-windows-store-for-business.md)
#### [Manage access to private store](manage-access-to-private-store.md)
#### [Manage private store settings](manage-private-store-settings.md)
#### [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md)
### [Device Guard signing portal](device-guard-signing-portal.md)
#### [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md)
#### [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md)
### [Manage settings in the Windows Store for Business](manage-settings-windows-store-for-business.md)
#### [Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md)
#### [Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md)
### [Troubleshoot Windows Store for Business](troubleshoot-windows-store-for-business.md)
## [Create mandatory user profiles](mandatory-user-profile.md)
## [Lock down Windows 10](lock-down-windows-10.md)
### [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md)
### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
### [Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md)
#### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
#### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
#### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
### [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md)
### [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
### [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)
### [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md)
### [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)
### [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)
#### [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md)
#### [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md)
### [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)
## [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
## [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md)
## [Configure devices without MDM](configure-devices-without-mdm.md)
## [New policies for Windows 10](new-policies-for-windows-10.md)
## [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md)
## [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)
## [Application Virtualization (App-V) for Windows](appv-for-windows.md)
### [Getting Started with App-V](appv-getting-started.md)
#### [What's new in App-V](appv-about-appv.md)
@ -163,7 +127,6 @@
### [Troubleshooting App-V](appv-troubleshooting.md)
### [Technical Reference for App-V](appv-technical-reference.md)
#### [Performance Guidance for Application Virtualization](appv-performance-guidance.md)
#### [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md)
#### [Viewing App-V Server Publishing Metadata](appv-viewing-appv-server-publishing-metadata.md)
#### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](appv-running-locally-installed-applications-inside-a-virtual-environment.md)
@ -194,34 +157,4 @@
#### [Synchronizing Microsoft Office with UE-V](uev-synchronizing-microsoft-office-with-uev.md)
#### [Application Template Schema Reference for UE-V](uev-application-template-schema-reference.md)
#### [Security Considerations for UE-V](uev-security-considerations.md)
## [Windows Store for Business](windows-store-for-business.md)
### [Sign up and get started](sign-up-windows-store-for-business-overview.md)
####[Windows Store for Business overview](windows-store-for-business-overview.md)
#### [Prerequisites for Windows Store for Business](prerequisites-windows-store-for-business.md)
#### [Sign up for Windows Store for Business](sign-up-windows-store-for-business.md)
#### [Roles and permissions in the Windows Store for Business](roles-and-permissions-windows-store-for-business.md)
#### [Settings reference: Windows Store for Business](settings-reference-windows-store-for-business.md)
### [Find and acquire apps](find-and-acquire-apps-overview.md)
#### [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md)
#### [Acquire apps in the Windows Store for Business](acquire-apps-windows-store-for-business.md)
#### [Working with line-of-business apps](working-with-line-of-business-apps.md)
### [Distribute apps to your employees from the Windows Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md)
#### [Distribute apps using your private store](distribute-apps-from-your-private-store.md)
#### [Assign apps to employees](assign-apps-to-employees.md)
#### [Distribute apps with a management tool](distribute-apps-with-management-tool.md)
#### [Distribute offline apps](distribute-offline-apps.md)
### [Manage apps](manage-apps-windows-store-for-business-overview.md)
#### [App inventory managemement for Windows Store for Business](app-inventory-management-windows-store-for-business.md)
#### [Manage app orders in Windows Store for Business](manage-orders-windows-store-for-business.md)
#### [Manage access to private store](manage-access-to-private-store.md)
#### [Manage private store settings](manage-private-store-settings.md)
#### [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md)
### [Device Guard signing portal](device-guard-signing-portal.md)
#### [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md)
#### [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md)
### [Manage settings in the Windows Store for Business](manage-settings-windows-store-for-business.md)
#### [Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md)
#### [Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md)
### [Troubleshoot Windows Store for Business](troubleshoot-windows-store-for-business.md)
## [Windows Libraries](windows-libraries.md)
## [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)
## [Change history for Manage Windows 10](change-history-for-manage-and-update-windows-10.md)

12
windows/manage/app-inventory-managemement-windows-store-for-business.md
View File

@ -1,12 +0,0 @@
---
title: App inventory management for Windows Store for Business (Windows 10)
description: You can manage all apps that you've acquired on your Inventory page.
ms.assetid: 44211937-801B-4B85-8810-9CA055CDB1B2
redirect_url: https://technet.microsoft.com/itpro/windows/manage/app-inventory-management-windows-store-for-business
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
---

165
windows/manage/application-development-for-windows-as-a-service.md
View File

@ -1,165 +0,0 @@
---
title: Application development for Windows as a service (Windows 10)
description: Microsoft recommends that our ISV partners decouple their app release and support from specific Windows builds.
ms.assetid: 28E0D103-B0EE-4B14-8680-6F30BD373ACF
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security, servicing
author: jdeckerMS
redirect_url: https://msdn.microsoft.com/windows/uwp/get-started/application-development-for-windows-as-a-service
---
# Application development for Windows as a service
**Applies to**
- Windows 10
- Windows 10 Mobile
- Windows 10 IoT Core
In todays environment, where user expectations frequently are set by device-centric experiences, complete product cycles need to be measured in months, not years. Additionally, new releases must be made available on a continual basis, and must be deployable with minimal impact on users. Microsoft designed Windows 10 to meet these requirements by implementing a new approach to innovation, development, and delivery called [Windows as a service (WaaS)](introduction-to-windows-10-servicing.md). The key to enabling significantly shorter product cycles while maintaining high quality levels is an innovative community-centric approach to testing that Microsoft has implemented for Windows 10. The community, known as Windows Insiders, is comprised of millions of users around the world. When Windows Insiders opt in to the community, they test many builds over the course of a product cycle and provide feedback to Microsoft through an iterative methodology called flighting.
Builds distributed as flights provide the Windows engineering team with significant data regarding how well builds are performing in actual use. Flighting with Windows Insiders also enables Microsoft to test builds in much more diverse hardware, application, and networking environments than in the past, and to identify issues far more quickly. As a result, Microsoft believes that community-focused flighting will enable both a faster pace of innovation delivery and better public release quality than ever.
## Windows 10 release types and cadences
Although Microsoft releases flight builds to Windows Insiders, Microsoft will publish two types of Windows 10 releases broadly to the public on an ongoing basis:
**Feature updates** install the latest new features, experiences, and capabilities on devices that are already running Windows 10. Because feature updates contain an entire copy of Windows, they are also what customers use to install Windows 10 on existing devices running Windows 7 or Windows 8.1, and on new devices where no operating system is installed. Microsoft expects to publish an average of one to two new feature updates per year.
**Quality updates** deliver security issue resolutions and other important bug fixes. Quality updates will be provided to improve each feature currently in support, on a cadence of one or more times per month. Microsoft will continue publishing quality updates on Update Tuesday (sometimes referred to as Patch Tuesday). Additionally, Microsoft may publish additional quality updates for Windows 10 outside the Update Tuesday process when required to address customer needs.
During Windows 10 development, Microsoft streamlined the Windows product engineering and release cycle so that we can deliver the features, experiences, and functionality customers want, more quickly than ever. We also created new ways to deliver and install feature updates and quality updates that simplify deployments and on-going management, broaden the base of employees who can be kept current with the latest Windows capabilities and experiences, and lower total cost of ownership. Hence we have implemented new servicing options referred to as Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB) that provide pragmatic solutions to keep more devices more current in enterprise environments than was previously possible.
The following table shows describes the various servicing branches and their key attributes.
| Servicing option | Availability of new feature upgrades for installation | Minimum length of servicing lifetime | Key benefits | Supported editions |
|-----------------------------------|-----------------------------------------------------------|--------------------------------------|-------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------|
| Current Branch (CB) | Immediately after first published by Microsoft | Approximately 4 months | Makes new features available to users as soon as possible | Home, Pro, Education, Enterprise, Mobile, IoT Core, Windows 10 IoT Core Pro (IoT Core Pro) |
| Current Branch for Business (CBB) | Approximately 4 months after first published by Microsoft | Approximately 8 months | Provides additional time to test new feature upgrades before deployment | Pro, Education, Enterprise, Mobile Enterprise, IoT Core Pro |
| Long-Term Servicing Branch (LTSB) | Immediately after published by Microsoft | 10 Years | Enables long-term deployment of selected Windows 10 releases in low-change configurations | Enterprise LTSB |
 
For more information, see [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md).
## Supporting apps in Windows as a service
The traditional approach for supporting apps has been to release a new app version in response to a Windows release. This assumes that there are breaking changes in the underlying OS that could potentially cause a regression with the application. This model involves a dedicated development and validation cycle that requires our ISV partners to align with the Windows release cadence.
In the Windows as a service model, Microsoft is making a commitment to maintaining the compatibility of the underlying OS. This means Microsoft will make a concerted effort to ensure that there are no breaking changes that impact the app ecosystem negatively. In this scenario, when there is a release of a Windows build, most apps (those with no kernel dependencies) will continue to work.
In view of this change, Microsoft recommends that our ISV partners decouple their app release and support from specific Windows builds. Our mutual customers are better served by an application lifecycle approach. This means when an application version is released it will be supported for a certain period of time irrespective of however many Windows builds are released in the interim. The ISV makes a commitment to provide support for that specific version of the app as long as it is supported in the lifecycle. Microsoft follows a similar lifecycle approach for Windows that can be referenced [here](https://go.microsoft.com/fwlink/?LinkID=780549).
This approach will reduce the burden of maintaining an app schedule that aligns with Windows releases. ISV partners should be free to release features or updates at their own cadence. We feel that our partners can keep their customer base updated with the latest app updates independent of a Windows release. In addition, our customers do not have to seek an explicit support statement whenever a Windows build is released. Here is an example of a support statement that covers how an app may be supported across different versions of the OS:
| Example of an application lifecycle support statement |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Contoso is a software development company and is the owner of the popular Mojave app which has a major share in the enterprise space. Contoso releases its next major release Mojave 14.0 and declares mainstream support for a period of three years from the release date. During mainstream support all updates and support are complimentary for the licensed product. Contoso also declares an additional two years of extended support where customers can purchase updates and support for a grace period. Beyond the extended support end date this product version is no longer supported. During the period of mainstream support Contoso will support Mojave 14.0 on all released builds of Windows. Contoso will also release updates to Mojave as necessary and independent of the Windows product releases. |
 
In the following sections, you will find additional information about the steps Microsoft takes to maintain the compatibility of the underlying OS. You will also find guidance on steps you can take to help maintain the compatibility of the combined OS and app ecosystem. There is a section on how to leverage Windows flighting builds to detect app regressions before a Windows build is released. Lastly, we describe how we use an instrumentation and telemetry-driven approach to increase the quality of Windows builds. We recommend ISVs adopt a similar approach with their app portfolio.
## Key changes since Windows 7 to ensure app compatibility
We understand that compatibility matters to developers. ISVs and developers want to ensure their apps will run as expected on all supported versions of the Windows OS. Consumers and businesses have a key investment here—they want to ensure that the apps they have paid for will continue to work. We know that compatibility is the primary criteria for purchase decisions. Apps that are well written based on best practices will lead to much less code churn when
a new Windows version is released and will reduce fragmentation—these apps have a reduced engineering investment to maintain, and a faster time to market.
In the Windows 7 timeframe, compatibility was very much a reactive approach. In Windows 8, we started looking at this differently, working within Windows to ensure that compatibility was by design rather than an afterthought.
Windows 10 is the most compatible-by-design version of the OS to date. Here are some key ways we accomplished this:
- **App telemetry**: This helps us understand app popularity in the Windows ecosystem to inform compatibility testing.
- **ISV partnerships**: Work directly with external partners to provide them with data and help fix issues that our users experience.
- **Design reviews, upstream detection**: Partner with feature teams to reduce the number of breaking changes in Windows. Compatibility review is a gate that our feature teams must pass.
- **Communication**: Tighter control over API changes and improved communication.
- **Flighting and feedback loop**: Windows insiders receive flighted builds that help improve our ability to find compatibility issues before a final build is released to customers. This feedback process not only exposes bugs, but ensures we are shipping features our users want.
## Best practices for app compatibility
Microsoft uses diagnostic and usage data to identify and troubleshoot problems, improve our products and services, and provide our users with personalized experiences. The usage data we collect also extends to the apps that PCs in the Windows ecosystem are running. Based on what our customers use, we build our list to test these apps, devices, and drivers against new versions of the Windows OS. Windows 10 has been the most compatible version of Windows to-date, with over 90% compatibility against thousands of popular apps. The Windows Compatibility team commonly reaches out to our ISV partners to provide feedback if issues are discovered, so that we can partner together on solutions. Ideally, wed like our common customers to be able to update Windows seamlessly and without losing functionality in either their OS or the apps they depend on for their productivity or entertainment.
The following sections contain some best practices Microsoft recommends so you can ensure your apps are compatible with Windows 10.
### Windows version check
The OS version has been incremented with Windows 10. This means that the internal version number has been changed to 10.0. As in the past, we go to great lengths to maintain application and device compatibility after an OS version change. For most app categories (without any kernel dependencies), the change will not negatively impact app functionality, and existing apps will continue to work fine on Windows 10.
The manifestation of this change is app-specific. This means any app that specifically checks for the OS version will get a higher version number, which can lead to one or more of the following situations:
- App installers might not be able to install the app, and apps might not be able to start.
- Apps might become unstable or crash.
- Apps might generate error messages, but continue to function properly.
Some apps perform a version check and simply pass a warning to users. However, there are apps that are bound very tightly to a version check (in the drivers, or in kernel mode to avoid detection). In these cases, the app will fail if an incorrect version is found. Rather than a version check, we recommend one of the following approaches:
- If the app is dependent on specific API functionality, ensure you target the correct API version.
- Ensure you detect the change via APISet or another public API, and do not use the version as a proxy for some feature or fix. If there are breaking changes and a proper check is not exposed, then that is a bug.
- Ensure the app does NOT check for version in odd ways, such as via the registry, file versions, offsets, kernel mode, drivers, or other means. If the app absolutely needs to check the version, use the GetVersion APIs, which should return the major, minor, and build number.
- If you are using the [GetVersion](https://go.microsoft.com/fwlink/?LinkID=780555) API, remember that the behavior of this API has changed since Windows 8.1.
If you own apps such as antimalware or firewall apps, you should work through your usual feedback channels and via the Windows Insider program.
### Undocumented APIs
Your apps should not call undocumented Windows APIs, or take dependency on specific Windows file exports or registry keys. This can lead to broken functionality, data loss, and potential security issues. If there is functionality your app requires that is not available, this is an opportunity to provide feedback through your usual feedback channels and via the Windows Insider program.
### Develop Universal Windows Platform (UWP) and Centennial apps
We encourage all Win32 app ISVs to develop [Universal Windows Platform (UWP)](https://go.microsoft.com/fwlink/?LinkID=780560) and, specifically, [Centennial](https://go.microsoft.com/fwlink/?LinkID=780562) apps moving forward. There are great benefits to developing these app packages rather than using traditional Win32 installers. UWP apps are also supported in the [Windows Store](https://go.microsoft.com/fwlink/?LinkID=780563), so its easier for you to update your users to a consistent version automatically, lowering your support costs.
If your Win32 app types do not work with the Centennial model, we highly recommend that you use the right installer and ensure this is fully tested. An installer is your user or customers first experience with your app, so ensure that this works well. All too often, this doesnt work well or it hasnt been fully tested for all scenarios. The [Windows App Certification Kit](https://go.microsoft.com/fwlink/?LinkID=780565) can help you test the install and uninstall of your Win32 app and help you identify use of undocumented APIs, as well as other basic performance-related best-practice issues, before your users do.
**Best practices:**
- Use installers that work for both 32-bit and 64-bit versions of Windows.
- Design your installers to run on multiple scenarios (user or machine level).
- Keep all Windows redistributables in the original packaging if you repackage these, its possible that this will break the installer.
- Schedule development time for your installers—these are often overlooked as a deliverable during the software development lifecycle.
## Optimized test strategies and flighting
Windows OS flighting refers to the interim builds available to Windows Insiders before a final build is released to the general population. The more Insiders that flight these interim builds, the more feedback we receive on the build quality, compatibility, etc., and this helps improve quality of the final builds. You can participate in this flighting program to ensure that your apps work as expected on iterative builds of the OS. We also encourage you to provide feedback on how these flighted builds are working for you, issues you run into, and so on.
If your app is in the Store, you can flight your app via the Store, which means that your app will be available for our Windows Insider population to install. Users can install your app and you can receive preliminary feedback on your app before you release it to the general population. The follow sections outline the steps for testing your apps against Windows flighted builds.
### Step 1: Become a Windows Insider and participate in flighting
As a [Windows Insider,](https://go.microsoft.com/fwlink/p/?LinkId=521639) you can help shape the future of Windows—your feedback will help us improve features and functionality in the platform. This is a vibrant community where you can connect with other enthusiasts, join forums, trade advice, and learn about upcoming Insider-only events.
Since youll have access to preview builds of Windows 10, Windows 10 Mobile, and the latest Windows SDK and Emulator, youll have all the tools at your disposal to develop great apps and explore what's new in the Universal Windows Platform and the Windows Store.
This is also a great opportunity to build great hardware, with preview builds of the hardware development kits so you can develop universal drivers for Windows. The IoT Core Insider Preview is also available on supported IoT development boards, so you can build amazing connected solutions using the Universal Windows Platform.
Before you become a Windows Insider, please note that participation is intended for users who:
- Want to try out software thats still in development.
- Want to share feedback about the software and the platform.
- Dont mind lots of updates or a UI design that might change significantly over time.
- Really know their way around a PC and feel comfortable troubleshooting problems, backing up data, formatting a hard drive, installing an operating system from scratch, or restoring an old one if necessary.
- Know what an ISO file is and how to use it.
- Aren't installing it on their everyday computer or device.
### Step 2: Test your scenarios
Once you have updated to a flighted build, the following are some sample test cases to help you get started on testing and gathering feedback. For most of these tests, ensure you cover both x86 and AMD64 systems.
**Clean install test:** On a clean install of Windows 10, ensure your app is fully functional. If your app fails this test and the upgrade test, then its likely that the issue is caused by underlying OS changes or bugs in the app.
If after investigation, the former is the case, be sure to use the Windows Insider program to provide feedback and partner on solutions.
**Upgrade Test:** Check that your app works after upgrading from a down-level version of Windows (i.e. Windows 7 or Windows 8.1) to Windows 10. Your app shouldnt cause roll backs during upgrade, and should continue to work as expected after upgrade—this is crucial to achieve a seamless upgrade experience.
**Reinstall Test:** Ensure that app functionality can be restored by reinstalling your app after you upgrade the PC to Windows 10 from a down-level OS. If your app didnt pass the upgrade test and you have not been able to narrow down the cause of these issues, its possible that a reinstall can restore lost functionality. A passing reinstall test indicates that parts of the app may not have been migrated to Windows 10.
**OS\\Device Features Test:** Ensure that your app works as expected if your app relies on specific functionality in the OS. Common areas for testing include the following, often against a selection of the commonly used PC models to ensure coverage:
- Audio
- USB device functionality (keyboard, mouse, memory stick, external hard disk, and so on)
- Bluetooth
- Graphics\\display (multi-monitor, projection, screen rotation, and so on)
- Touch screen (orientation, on-screen keyboard, pen, gestures, and so on)
- Touchpad (left\\right buttons, tap, scroll, and so on)
- Pen (single\\double tap, press, hold, eraser, and so on)
- Print\\Scan
- Sensors (accelerometer, fusion, and so on)
- Camera
### Step 3: Provide feedback
Let us know how your app is performing against flighted builds. As you discover issues with your app during testing, please log bugs via the partner portal if you have access, or through your Microsoft representative. We encourage this information so that we can build a quality experience for our users together.
### Step 4: Register on Windows 10
The [Ready for Windows 10](https://go.microsoft.com/fwlink/?LinkID=780580) website is a directory of software that supports Windows 10. Its intended for IT administrators at companies and organizations worldwide that are considering Windows 10 for their deployments. IT administrators can check the site to see whether software deployed in their enterprise is supported in Windows 10.
## Related topics
[Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md)
 
 

4
windows/manage/appv-accessibility.md
View File

@ -1,4 +0,0 @@
---
title: Accessibility for App-V (Windows 10)
redirect_url: https://technet.microsoft.com/itpro/windows/manage/appv-getting-started
---

4
windows/manage/appv-accessing-the-client-management-console.md
View File

@ -1,4 +0,0 @@
---
title: How to access the client management console (Windows 10)
redirect_url: https://technet.microsoft.com/itpro/windows/manage/appv-using-the-client-management-console
---

4
windows/manage/appv-install-the-appv-client-for-shared-content-store-mode.md
View File

@ -1,4 +0,0 @@
---
title: How to Install the App-V Client for Shared Content Store Mode (Windows 10)
redirect_url: https://technet.microsoft.com/itpro/windows/manage/appv-deploying-the-appv-sequencer-and-client
---

4
windows/manage/appv-modify-client-configuration-with-the-admx-template-and-group-policy.md
View File

@ -1,4 +0,0 @@
---
title: How to Modify App-V Client Configuration Using the ADMX Template and Group Policy (Windows 10)
redirect_url: https://technet.microsoft.com/itpro/windows/manage/appv-deploying-the-appv-sequencer-and-client
---

4
windows/manage/appv-planning-for-migrating-from-a-previous-version-of-appv.md
View File

@ -1,4 +0,0 @@
---
title: Planning for Migrating from a Previous Version of App-V (Windows 10)
redirect_url: https://technet.microsoft.com/itpro/windows/manage/appv-migrating-to-appv-from-a-previous-version
---

30
windows/manage/change-history-for-manage-and-update-windows-10.md
View File

@ -1,6 +1,6 @@
---
title: Change history for Manage and update Windows 10 (Windows 10)
description: This topic lists new and updated topics in the Manage and update Windows 10 documentation for Windows 10 and Windows 10 Mobile.
title: Change history for Manage Windows 10 (Windows 10)
description: This topic lists new and updated topics in the Manage Windows 10 documentation for Windows 10 and Windows 10 Mobile.
ms.assetid: 29144AFA-1DA9-4532-B07D-1EBE34B7E1E0
ms.prod: w10
ms.mktglfcycl: manage
@ -8,17 +8,18 @@ ms.sitesec: library
author: jdeckerMS
---
# Change history for Manage and update Windows 10
# Change history for Manage Windows 10
This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
This topic lists new and updated topics in the [Manage Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
>If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history).
## March 2017
| New or changed topic | Description |
| --- | --- |
|[Test scenario 6 - Review a reminder suggested by Cortana based on what youve promised in email](cortana-at-work-scenario-6.md) |New |
## RELEASE: Windows 10, version 1703
The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). Some topics have been moved to [Update Windows 10](../update/index.md) or to [Configure Windows 10](../configure/index.md).
## February 2017
@ -37,7 +38,8 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
| New or changed topic | Description |
| --- | --- |
| [Cortana integration in your business or enterprise and sub-topics](cortana-at-work-overview.md) |New |
|[Cortana at work topics](../configure/cortana-at-work-overview.md)]|New |
| [Start layout XML for desktop editions of Windows 10](start-layout-xml-desktop.md) | New (previously published in Hardware Dev Center on MSDN) |
| [Start layout XML for mobile editions of Windows 10](start-layout-xml-mobile.md) | New (previously published in Hardware Dev Center on MSDN) |
| [Quick guide to Windows as a service](waas-quick-start.md) | Added video that explains how Windows as a service works. |
@ -64,8 +66,8 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
| --- | --- |
| [Manage device restarts after updates](waas-restart.md) | New |
| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | New |
| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) |Added an important note about Cortana and Office 365 integration. |
| [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) | Fixed the explanation for Start behavior when the .xml file containing the layout is not available when the user signs in. |
| [Cortana integration in your business or enterprise](../configure/cortana-at-work-overview.md) |Added an important note about Cortana and Office 365 integration. |
| [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) | Fixed the explanation for Start behavior when the .xml file containing the layout is not available when the user signs in. |
| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added link to the Windows Restricted Traffic Limited Functionality Baseline. Added Teredo Group Policy. |
| [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Added Current Branch for Business (CBB) support for Windows 10 IoT Mobile. |
@ -75,7 +77,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
| New or changed topic | Description |
| --- | --- |
| [Update Windows 10 in the enterprise](waas-update-windows-10.md), replaces **Windows 10 servicing options** | New |
| [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md) | Added Group Policy setting to replace Gesture Filter |
| [Lockdown features from Windows Embedded 8.1 Industry](../configure/lockdown-features-windows-10.md) | Added Group Policy setting to replace Gesture Filter |
| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added content for Windows Server 2016 |
| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Updated the script for setting a custom shell using Shell Launcher. |
@ -142,7 +144,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also
| ---|---|
| [Application development for Windows as a service](application-development-for-windows-as-a-service.md) | New |
| [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) | New |
| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) | Updated to include the new Preview feature, Cortana and Microsoft Dynamics CRM integration. |
| [Cortana integration in your business or enterprise](../configure/cortana-at-work-overview.md) | Updated to include the new Preview feature, Cortana and Microsoft Dynamics CRM integration. |
## February 2016
@ -160,7 +162,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also
| New or changed topic | Description |
| ---|---|
| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) | New |
| [Cortana integration in your business or enterprise](../configure/cortana-at-work-overview.md) | New |
| [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | New |
| [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | New |

172
windows/manage/changes-to-start-policies-in-windows-10.md
View File

@ -1,172 +0,0 @@
---
title: Changes to Group Policy settings for Windows 10 Start menu (Windows 10)
description: Windows 10 has a brand new Start experience.
ms.assetid: 612FB68A-3832-451F-AA97-E73791FEAA9F
keywords: ["group policy", "start menu", "start screen"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# Changes to Group Policy settings for Windows 10 Start
**Applies to**
- Windows 10
Windows 10 has a brand new Start experience. As a result, there are changes to the Group Policy settings that you can use to manage Start. Some policy settings are new or changed, and some old Start policy settings still apply. Other Start policy settings no longer apply and are deprecated.
## Start policy settings supported for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
These policy settings are available in **Administrative Templates\\Start Menu and Taskbar** under **User Configuration**.
<table>
<thead>
<tr class="header">
<th align="left">Policy</th>
<th align="left">Notes</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">Clear history of recently opened documents on exit</td>
<td align="left">Documents that the user opens are tracked during the session. When the user signs off, the history of opened documents is deleted.</td>
</tr>
<tr class="even">
<td align="left">Do not allow pinning items in Jump Lists</td>
<td align="left">Jump Lists are lists of recently opened items, such as files, folders, or websites, organized by the program that you use to open them. This policy prevents users from pinning items to any Jump List.</td>
</tr>
<tr class="odd">
<td align="left">Do not display or track items in Jump Lists from remote locations</td>
<td align="left">When this policy is applied, only items local on the computer are shown in Jump Lists.</td>
</tr>
<tr class="even">
<td align="left">Do not keep history of recently opened documents</td>
<td align="left">Documents that the user opens are not tracked during the session.</td>
</tr>
<tr class="odd">
<td align="left">Prevent changes to Taskbar and Start Menu Settings</td>
<td align="left">In Windows 10, this disables all of the settings in <strong>Settings</strong> &gt; <strong>Personalization</strong> &gt; <strong>Start</strong> as well as the options in dialog available via right-click Taskbar &gt; <strong>Properties</strong></td>
</tr>
<tr class="even">
<td align="left">Prevent users from customizing their Start Screen</td>
<td align="left"><p>Use this policy in conjunction with [CopyProfile](https://go.microsoft.com/fwlink/p/?LinkId=623229) or other methods for configuring the layout of Start to prevent users from changing it</p></td>
</tr>
<tr class="odd">
<td align="left">Prevent users from uninstalling applications from Start</td>
<td align="left">In Windows 10, this removes the uninstall button in the context menu. It does not prevent users from uninstalling the app through other entry points (e.g. PowerShell)</td>
</tr>
<tr class="even">
<td align="left">Remove All Programs list from the Start menu</td>
<td align="left">In Windows 10, this removes the <strong>All apps</strong> button.</td>
</tr>
<tr class="odd">
<td align="left">Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands</td>
<td align="left">This removes the Shut Down, Restart, Sleep, and Hibernate commands from the Start Menu, Start Menu power button, CTRL+ALT+DEL screen, and Alt+F4 Shut Down Windows menu.</td>
</tr>
<tr class="even">
<td align="left">Remove common program groups from Start Menu</td>
<td align="left">As in earlier versions of Windows, this removes apps specified in the All Users profile from Start</td>
</tr>
<tr class="odd">
<td align="left">Remove frequent programs list from the Start Menu</td>
<td align="left">In Windows 10, this removes the top left <strong>Most used</strong> group of apps.</td>
</tr>
<tr class="even">
<td align="left">Remove Logoff on the Start Menu</td>
<td align="left"><strong>Logoff</strong> has been changed to <strong>Sign Out</strong> in the user interface, however the functionality is the same.</td>
</tr>
<tr class="odd">
<td align="left">Remove pinned programs list from the Start Menu</td>
<td align="left">In Windows 10, this removes the bottom left group of apps (by default, only File Explorer and Settings are pinned).</td>
</tr>
<tr class="even">
<td align="left">Show &quot;Run as different user&quot; command on Start</td>
<td align="left">This enables the <strong>Run as different user</strong> option in the right-click menu for apps.</td>
</tr>
<tr class="odd">
<td align="left">Start Layout</td>
<td align="left"><p>This applies a specific Start layout, and it also prevents users from changing the layout. This policy can be configured in <strong>User Configuration</strong> or <strong>Computer Configuration</strong>.</p>
<div class="alert">
<strong>Note</strong>  
<p>Start Layout policy setting applies only to Windows 10 Enterprise and Windows 10 Education.</p>
</div>
<div>
 
</div></td>
</tr>
<tr class="even">
<td align="left">Force Start to be either full screen size or menu size</td>
<td align="left">This applies a specific size for Start.</td>
</tr>
</tbody>
</table>
 
## <a href="" id="deprecated-group-policy-settings-for-start-"></a>Deprecated Group Policy settings for Start
The Start policy settings listed below do not work on Windows 10. Most of them were deprecated in Windows 8 however a few more were deprecated in Windows 10. Deprecation in this case means that the policy setting will not work on Windows 10. The “Supported on” text for a policy setting will not list Windows 10. The policy settings are still in the Group Policy Management Console and can be used on the operating systems that they apply to.
| Policy | When deprecated |
|----------------------------------------------------------------------------------|-----------------|
| Go to the desktop instead of Start when signing in | Windows 10 |
| List desktop apps first in the Apps view | Windows 10 |
| Pin Apps to Start when installed (User or Computer) | Windows 10 |
| Remove Default Programs link from the Start menu. | Windows 10 |
| Remove Documents icon from Start Menu | Windows 10 |
| Remove programs on Settings menu | Windows 10 |
| Remove Run menu from Start Menu | Windows 10 |
| Remove the "Undock PC" button from the Start Menu | Windows 10 |
| Search just apps from the Apps view | Windows 10 |
| Show Start on the display the user is using when they press the Windows logo key | Windows 10 |
| Show the Apps view automatically when the user goes to Start | Windows 10 |
| Add the Run command to the Start Menu | Windows 8 |
| Change Start Menu power button | Windows 8 |
| Gray unavailable Windows Installer programs Start Menu shortcuts | Windows 8 |
| Remove Downloads link from Start Menu | Windows 8 |
| Remove Favorites menu from Start Menu | Windows 8 |
| Remove Games link from Start Menu | Windows 8 |
| Remove Help menu from Start Menu | Windows 8 |
| Remove Homegroup link from Start Menu | Windows 8 |
| Remove Music icon from Start Menu | Windows 8 |
| Remove Network icon from Start Menu | Windows 8 |
| Remove Pictures icon from Start Menu | Windows 8 |
| Remove Recent Items menu from Start Menu | Windows 8 |
| Remove Recorded TV link from Start Menu | Windows 8 |
| Remove user folder link from Start Menu | Windows 8 |
| Remove Videos link from Start Menu | Windows 8 |
 
## Related topics
[Manage corporate devices](manage-corporate-devices.md)
[New policies for Windows 10](new-policies-for-windows-10.md)
[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
[Customize and export Start layout](customize-and-export-start-layout.md)
[Customize Windows 10 Start screens with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
[Customize Windows 10 Start screens with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
[Customize Windows 10 Start screens with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
 
 

203
windows/manage/configure-devices-without-mdm.md
View File

@ -1,203 +0,0 @@
---
title: Configure devices without MDM (Windows 10)
description: Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10.
ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E
keywords: runtime provisioning, provisioning package
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile, devices
author: jdeckerMS
localizationpriority: medium
---
# Configure devices without MDM
**Applies to**
- Windows 10
- Windows 10 Mobile
Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise.
Sometimes mobile device management (MDM) isn't available to you for setting up a device because the device isn't connected to your network, or because an employee is remote and needs a fast replacement for a work device. You might not use MDM in your organization at all, but would like an easy way to place a standard configuration on multiple devices.
Rather than wiping a device and applying a new system image, in Windows 10 you can apply a provisioning package at any time. A provisioning package can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more.
You can provide provisioning packages on a network shared folder that employees can access to configure their devices. Or you can put a provisioning package on a USB flash drive or SD card to hand out.
Provisioning packages are simple for employees to install. And when they remove a provisioning package, policies that the package applied to their device are removed.
## Advantages
- You can configure new devices without re-imaging.
- Works on both mobile and desktop devices.
- No network connectivity required.
- Simple for people to apply.
- Ensures compliance and security before a device is enrolled in MDM.
## Typical use cases
- **Set up a new off-the-shelf device for an employee**
Package might include edition upgrade, device name, company root certificate, Wi-Fi profile, domain join with service account, or company application.
- **Configure an off-the-shelf mobile device to be used as a point of sale or inventory terminal**
Package might include edition upgrade, device name, company root certificate, Wi-Fi profile, security policies, company application, or assigned access (also known as [kiosk mode](set-up-a-device-for-anyone-to-use.md).
- **Help employees set up personally-owned devices to use for work**
Package might include company root certificate, Wi-Fi profiles, security policies, or company application.
> [!NOTE]  
> Test to make sure that removing the provisioning package from a personal device removes everything that the package installed. Some settings are not reverted when a provisioning package is removed from the device.
 
- **Repurpose devices by returning the device to a specific state between users**
Package might include computer name, company root certificate, Wi-Fi profile, or company application.
> [!NOTE]  
> To return the **Start** menu to a specific state, you must reset the device. When you reset the device, you can apply the provisioning package during the first-run experience.
 
For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012).
## Create a provisioning package
Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
When you run Windows ICD, you have several options for creating your package.
![Simple or advanced provisioning](images/ICDstart-option.png).
- Choose **Simple provisioning** to define a desired configuration in Windows ICD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner.
- Choose **Provision school devices** to quickly create provisioning packages that configure settings and policies tailored for students. Learn more about using Windows ICD to provision student PCs (link tb added).
- Choose **Advanced provisioning** to create provisioning packages in the advanced settings editor and include classic (Win32) and Universal Windows Platform (UWP) apps for deployment on end-user devices.
> [!IMPORTANT]
> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
### Using Simple provisioning
1. Open Windows ICD (by default, `%windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe`).
2. Click **Simple provisioning**.
2. Name your project and click **Finish**.
3. In the **Set up device** step, enter a unique 15-character name for the device. For help generating a unique name, you can use %SERIAL%, which includes a hardware-specific serial number, or you can use %RAND:x%, which generates random characters of x length.
4. (Optional) You can upgrade the following editions of Windows 10 by providing a product key for the edition to upgrade to.
- Home to Education
- Pro to Education
- Pro to Enterprise
- Enterprise to Education
- Mobile to Mobile Enterprise
5. Click **Set up network**.
6. Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network.
7. Click **Enroll into Active Directory**.
8. Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (Optional) Enter a user name and password to create a local administrator account.
> [!WARNING]
> If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. As a best practice, we recommend:
>
>- Use a least-privileged domain account to join the device to the domain.
>- Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully.
>- [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory.
9. Click **Finish**.
10. Review your settings in the summary. You can return to previous pages to change your selections. Then, under **Protect your package**, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package.
11. Click **Create**.
### Using Advanced provisioning
1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
2. Click **Advanced provisioning**.
3. Choose **New provisioning package**.
3. Name your project, and click **Next**.
4. Choose **All Windows editions**, **All Windows desktop editions**, or **All Windows mobile editions**, depending on the devices you intend to provision, and click **Next**.
5. On **New project**, click **Finish**. The workspace for your package opens.
6. Configure settings. [Learn more about specific settings in provisioning packages.]( https://go.microsoft.com/fwlink/p/?LinkId=615916)
7. On the **File** menu, select **Save.**
8. On the **Export** menu, select **Provisioning package**.
9. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
10. Set a value for **Package Version**.
> [!TIP]  
> You can make changes to existing packages and change the version number to update previously applied packages.
 
11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
> [!IMPORTANT]  
> We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.
 
12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.
Optionally, you can click **Browse** to change the default output location.
13. Click **Next**.
14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods:
- Shared network folder
- SharePoint site
- Removable media (USB/SD)
- Email
- USB tether (mobile only)
Learn more: [Build and apply a provisioning package](https://go.microsoft.com/fwlink/p/?LinkID=629651)
## Apply package
On a desktop computer, the employee goes to **Settings** &gt; **Accounts** &gt; **Work access** &gt; **Add or remove a management package** &gt; **Add a package**, and selects the package to install. The user can also add a provisioning package simply by double-clicking the .ppkg file in local storage, on removable media, or at a URL.
![add a package option](images/package.png)
On a mobile device, the employee goes to **Settings** &gt; **Accounts** &gt; **Provisioning.** &gt; **Add a package**, and selects the package on removable media to install.
![add provisioning package on phone](images/phoneprovision.png)
## Manage a package
- Users can view details or delete package (if policy allows deletion); only user-installed packages are listed.
- Deleting a package removes settings, profiles, certificates, and apps it contains.
- Use policies to disable manual deletion of packages, installation of unsigned packages, or the installation of any additional packages.
- Update content by installing a new package with same name and new version number.
- Optionally, keep packages when you reset a mobile device. When you reset a desktop, runtime packages are removed.
![reset a device](images/resetdevice.png)
## Learn more
- [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
- [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
 
 

4
windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md
View File

@ -1,4 +0,0 @@
---
title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10)
redirect_url: https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services
---

307
windows/manage/configure-windows-10-taskbar.md
View File

@ -1,307 +0,0 @@
---
title: Configure Windows 10 taskbar (Windows 10)
description: Admins can pin apps to users' taskbars.
keywords: ["taskbar layout","pin apps"]
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# Configure Windows 10 taskbar
Starting in Windows 10, version 1607, administrators can pin additional apps to the taskbar and remove default pinned apps from the taskbar by adding a `<TaskbarLayout>` section to a layout modification XML file. This method never removes user-pinned apps from the taskbar.
> [!NOTE]
> The only aspect of the taskbar that can currently be configured by the layout modification XML file is the layout.
You can specify different taskbar configurations based on device locale and region. There is no limit on the number of apps that you can pin. You specify apps using the [Application User Model ID (AUMID)](https://go.microsoft.com/fwlink/p/?LinkId=614867) or Desktop Application Link Path (the local path to the application).
If you specify an app to be pinned that is not provisioned for the user on the computer, the pinned icon won't appear on the taskbar.
The order of apps in the XML file dictates the order of pinned apps on the taskbar from left to right, to the right of any existing apps pinned by the user.
> [!NOTE]
> In operating systems configured to use a right-to-left language, the taskbar order will be reversed.
The following example shows how apps will be pinned: Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using the XML file to the right (green square).
![Windows left, user center, enterprise to the right](images/taskbar-generic.png)
## Configure taskbar (general)
To configure the taskbar:
1. Create the XML file.
* If you are also [customizing the Start layout](customize-and-export-start-layout.md), use `Export-StartLayout` to create the XML, and then add the `<CustomTaskbarLayoutCollection>` section from the following sample to the file.
* If you are only configuring the taskbar, use the following sample to create a layout modification XML file.
2. Edit and save the XML file. You can use [AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867) or Desktop Application Link Path to identify the apps to pin to the taskbar.
* Use `<taskbar:UWA>` and [AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867) to pin Universal Windows Platform apps.
* Use `<taskbar:DesktopApp>` and Desktop Application Link Path to pin desktop applications.
3. Apply the layout modification XML file to devices using [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) or a [provisioning package created in Windows Imaging and Configuration Designer (Windows ICD)](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md).
>[!IMPORTANT]
>If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user then unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to make changes that will persist, apply your configuration by using Group Policy.
>
>If you use Group Policy and your configuration only contains a taskbar layout, the default Windows tile layout will be applied and cannot be changed by users. If you use Group Policy and your configuration includes taskbar and a full Start layout, users can only make changes to the taskbar. If you use Group Policy and your configuration includes taskbar and a [partial Start layout](https://technet.microsoft.com/itpro/windows/manage/customize-and-export-start-layout#configure-a-partial-start-layout), users can make changes to the taskbar and to tile groups not defined in the partial Start layout.
### Tips for finding AUMID and Desktop Application Link Path
In the layout modification XML file, you will need to add entries for applications in the XML markup. In order to pin an application, you need either its AUMID or Desktop Application Link Path.
The easiest way to find this data for an application is to:
1. Pin the application to the Start menu on a reference or testing PC.
2. Open Windows PowerShell and run the `Export-StartLayout` cmdlet.
3. Open the generated XML file.
4. Look for an entry corresponding to the app you pinned.
5. Look for a property labeled `AppUserModelID` or `DesktopApplicationLinkPath`.
### Sample taskbar configuration XML file
```xml
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1">
<CustomTaskbarLayoutCollection>
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<taskbar:UWA AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
```
### Sample taskbar configuration added to Start layout XML file
```xml
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1">
<LayoutOptions StartTileGroupCellWidth="6" StartTileGroupsColumnCount="1" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout">
<start:Group Name="Life at a glance" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
<start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
<start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI" />
<start:Tile Size="2x2" Column="2" Row="0" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
<CustomTaskbarLayoutCollection>
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<taskbar:UWA AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
```
##Keep default apps and add your own
The `<CustomTaskbarLayoutCollection>` section will append listed apps to the taskbar by default. The following sample keeps the default apps pinned and adds pins for Paint, Microsoft Reader, and a command prompt.
```xml
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1">
<CustomTaskbarLayoutCollection>
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" />
<taskbar:UWA AppUserModelID="Microsoft.Reader_8wekyb3d8bbwe!Microsoft.Reader" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%appdata%\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
```
**Before:**
![default apps pinned to taskbar](images/taskbar-default.png)
**After:**
![additional apps pinned to taskbar](images/taskbar-default-plus.png)
## Remove default apps and add your own
By adding `PinListPlacement="Replace"` to `<CustomTaskbarLayoutCollection>`, you remove all default pinned apps; only the apps that you specify will be pinned to the taskbar.
If you only want to remove some of the default pinned apps, you would use this method to remove all default pinned apps and then include the default app that you want to keep in your list of pinned apps.
```xml
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1">
<CustomTaskbarLayoutCollection PinListPlacement="Replace">
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk"/>
<taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" />
<taskbar:UWA AppUserModelID="Microsoft.Office.Word_8wekyb3d8bbwe!microsoft.word" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
```
**Before:**
![Taskbar with default apps](images/taskbar-default.png)
**After:**
![Taskbar with default apps removed](images/taskbar-default-removed.png)
## Configure taskbar by country or region
The following example shows you how to configure taskbars by country or region. When the layout is applied to a computer, if there is no `<TaskbarPinList>` node with a region tag for the current region, the first `<TaskbarPinList>` node that has no specified region will be applied. When you specify one or more countries or regions in a `<TaskbarPinList>` node, the specified apps are pinned on computers configured for any of the specified countries or regions.
```xml
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
Version="1">
<CustomTaskbarLayoutCollection PinListPlacement="Replace">
<defaultlayout:TaskbarLayout region="US|UK">
<taskbar:TaskbarPinList >
<taskbar:UWA AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" />
<taskbar:UWA AppUserModelID="Microsoft.Office.Word_8wekyb3d8bbwe!microsoft.word" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk"/>
<taskbar:UWA AppUserModelID="Microsoft.Reader_8wekyb3d8bbwe!Microsoft.Reader" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
<defaultlayout:TaskbarLayout region="DE|FR">
<taskbar:TaskbarPinList>
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" />
<taskbar:UWA AppUserModelID="Microsoft.Office.Word_8wekyb3d8bbwe!microsoft.word" />
<taskbar:UWA AppUserModelID="Microsoft.Office.Excel_8wekyb3d8bbwe!microsoft.excel" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk"/>
<taskbar:UWA AppUserModelID="Microsoft.Reader_8wekyb3d8bbwe!Microsoft.Reader" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" />
<taskbar:UWA AppUserModelID="Microsoft.Office.Word_8wekyb3d8bbwe!microsoft.word" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk"/>
<taskbar:UWA AppUserModelID="Microsoft.Reader_8wekyb3d8bbwe!Microsoft.Reader" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
```
When the preceding example XML file is applied, the resulting taskbar for computers in the US or UK:
![taskbar for US and UK locale](images/taskbar-region-usuk.png)
The resulting taskbar for computers in Germany or France:
![taskbar for DE and FR locale](images/taskbar-region-defr.png)
The resulting taskbar for computers in any other country region:
![taskbar for all other regions](images/taskbar-region-other.png)
> [!NOTE]
> [Look up country and region codes (use the ISO Short column)](https://go.microsoft.com/fwlink/p/?LinkId=786445)
## Layout Modification Template schema definition
```xml
<?xml version="1.0" encoding="utf-8"?>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:local="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
targetNamespace="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
elementFormDefault="qualified">
<xsd:complexType name="ct_PinnedUWA">
<xsd:attribute name="AppUserModelID" type="xsd:string" />
</xsd:complexType>
<xsd:complexType name="ct_PinnedDesktopApp">
<xsd:attribute name="DesktopApplicationID" type="xsd:string" />
<xsd:attribute name="DesktopApplicationLinkPath" type="xsd:string" />
</xsd:complexType>
<xsd:complexType name="ct_TaskbarPinList">
<xsd:sequence>
<xsd:choice minOccurs="1" maxOccurs="unbounded">
<xsd:element name="UWA" type="local:ct_PinnedUWA" />
<xsd:element name="DesktopApp" type="local:ct_PinnedDesktopApp" />
</xsd:choice>
</xsd:sequence>
<xsd:attribute name="Region" type="xsd:string" use="optional" />
</xsd:complexType>
<xsd:simpleType name="st_TaskbarPinListPlacement">
<xsd:restriction base="xsd:string">
<xsd:enumeration value="Append" />
<xsd:enumeration value="Replace" />
</xsd:restriction>
</xsd:simpleType>
<xsd:attributeGroup name="ag_SelectionAttributes">
<xsd:attribute name="SKU" type="xsd:string" use="optional"/>
<xsd:attribute name="Region" type="xsd:string" use="optional"/>
</xsd:attributeGroup>
<xsd:complexType name="ct_TaskbarLayout">
<xsd:sequence>
<xsd:element name="TaskbarPinList" type="local:ct_TaskbarPinList" minOccurs="1" maxOccurs="1" />
</xsd:sequence>
<xsd:attributeGroup ref="local:ag_SelectionAttributes"/>
</xsd:complexType>
</xsd:schema>
```
## Related topics
[Manage Windows 10 Start and taskbar layout ](windows-10-start-layout-options-and-policies.md)
[Customize and export Start layout](customize-and-export-start-layout.md)
[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)

411
windows/manage/configure-windows-telemetry-in-your-organization.md
View File

@ -1,411 +0,0 @@
---
description: Use this article to make informed decisions about how you can configure telemetry in your organization.
title: Configure Windows telemetry in your organization (Windows 10)
keywords: privacy
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: brianlic-msft
---
# Configure Windows telemetry in your organization
**Applies to**
- Windows 10
- Windows 10 Mobile
- Windows Server 2016
At Microsoft, we use Windows telemetry to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Telemetry gives users a voice in the operating systems development. This guide describes the importance of Windows telemetry and how we protect that data. Additionally, it differentiates between telemetry and functional data. It also describes the telemetry levels that Windows supports. Of course, you can choose how much telemetry is shared with Microsoft, and this guide demonstrates how.
To frame a discussion about telemetry, it is important to understand Microsofts privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows telemetry system in the following ways:
- **Control.** We offer customers control of the telemetry they share with us by providing easy-to-use management tools.
- **Transparency.** We provide information about the telemetry that Windows and Windows Server collects so our customers can make informed decisions.
- **Security.** We encrypt telemetry in transit from your device and protect that data at our secure data centers.
- **Strong legal protections.** We respect customers local privacy laws and fight for legal protection of their privacy as a fundamental human right.
- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows telemetry system. Customer content inadvertently collected is kept confidential and not used for user targeting.
- **Benefits to you.** We collect Windows telemetry to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all of our customers.
This article applies to Windows and Windows Server telemetry only. Other Microsoft or third-party apps, such as System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager, might send data to their cloud services in ways that are inconsistent with this guide. Their publishers are responsible for notifying users of their privacy policies, telemetry controls, and so on. This article describes the types of telemetry we may gather, the ways you might manage it in your organization, and some examples of how telemetry can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers.
Use this article to make informed decisions about how you might configure telemetry in your organization. Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to help keep Windows devices secure by identifying malware trends and other threats and to help Microsoft improve the quality of Windows and Microsoft services.
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
## Overview
In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016, you can control telemetry streams by using the Privacy option in Settings, Group Policy, or MDM.
For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization.
## Understanding Windows telemetry
Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us.
The release cadence of Windows may be fast, so feedback is critical to its success. We rely on telemetry at each stage of the process to inform our decisions and prioritize our efforts.
### What is Windows telemetry?
Windows telemetry is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways:
- Keep Windows up to date
- Keep Windows secure, reliable, and performant
- Improve Windows through the aggregate analysis of the use of Windows
- Personalize Windows engagement surfaces
Here are some specific examples of Windows telemetry data:
- Type of hardware being used
- Applications installed and usage details
- Reliability information on device drivers
### What is NOT telemetry?
Telemetry can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not telemetry. For example, exchanging a users location for local weather or news is not an example of telemetry—it is functional data that the app or service requires to satisfy the users request.
There are subtle differences between telemetry and functional data. Windows collects and sends telemetry in the background automatically. You can control how much information is gathered by setting the telemetry level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data.
If youre an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services).
The following are specific examples of functional data:
- Current location for weather
- Bing searches
- Wallpaper and desktop settings synced across multiple devices
### Telemetry gives users a voice
Windows and Windows Server telemetry gives every user a voice in the operating systems development and ongoing improvement. It helps us understand how Windows 10 and Windows Server 2016 behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits.
### Drive higher app and driver quality
Our ability to collect telemetry that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Telemetry helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues.
A real-world example of how Windows telemetry helps us quickly identify and fix issues is a particular version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our telemetry, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on telemetry from the Windows Insiders devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Telemetry helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls.
### Improve end-user productivity
Windows telemetry also helps Microsoft better understand how customers use (or do not use) the operating systems features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers experiences. Examples are:
- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect peoples expectations when they turn on their device for the first time.
- **Cortana.** We use telemetry to monitor the scalability of our cloud service, improving search performance.
- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later telemetry showed significantly higher usage of this feature.
**These examples show how the use of telemetry data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.**
### Insights into your own organization
Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Upgrade Readiness](../deploy/manage-windows-upgrades-with-upgrade-readiness.md).
#### Upgrade Readiness
Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points.
To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis.
With Windows telemetry enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft.
Use Upgrade Readiness to get:
- A visual workflow that guides you from pilot to production
- Detailed computer, driver, and application inventory
- Powerful computer level search and drill-downs
- Guidance and insights into application and driver compatibility issues with suggested fixes
- Data driven application rationalization tools
- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
- Data export to commonly used software deployment tools
The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
## How is telemetry data handled by Microsoft?
### Data collection
Windows 10 and Windows Server 2016 includes the Connected User Experience and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores telemetry events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces.
2. Events are gathered using public operating system event logging and tracing APIs.
3. You can configure the telemetry level by using an MDM policy, Group Policy, or registry settings.
4. The Connected User Experience and Telemetry component transmits the telemetry data.
Info collected at the Enhanced and Full levels of telemetry is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels.
### Data transmission
All telemetry data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
### Endpoints
The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access.
The following table defines the endpoints for telemetry services:
| Service | Endpoint |
| - | - |
| Connected User Experience and Telemetry component | v10.vortex-win.data.microsoft.com<br />settings-win.data.microsoft.com |
| [Windows Error Reporting](http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com |
| [Online Crash Analysis](http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com |
| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 |
### Data use and access
The principle of least privileged access guides access to telemetry data. Microsoft does not share personal data of our customers with third parties, except at the customers discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft may share business reports with OEMs and third party partners that include aggregated and anonymized telemetry information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
### Retention
Microsoft believes in and practices information minimization. We strive to gather only the info we need, and store it for as long as its needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Windows Store purchase history.
## Telemetry levels
This section explains the different telemetry levels in Windows 10, Windows Server 2016, and System Center. These levels are available on all desktop and mobile editions of Windows 10, with the exception of the **Security** level which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016.
The telemetry data is categorized into four levels:
- **Security**. Information thats required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
- **Basic**. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the **Security** level.
- **Enhanced**. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels.
- **Full**. All data necessary to identify and help to fix problems, plus data from the **Security**, **Basic**, and **Enhanced** levels.
The levels are cumulative and are illustrated in the following diagram. Also, these levels apply to all editions of Windows Server 2016.
![breakdown of telemetry levels and types of administrative controls](images/priv-telemetry-levels.png)
### Security level
The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions.
> [!NOTE]
> If your organization relies on Windows Update for updates, you shouldnt use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is telemetry data about Windows Server features or System Center gathered.
 
The data gathered at this level includes:
- **Connected User Experience and Telemetry component settings**. If general telemetry data has been gathered and is queued, it is sent to Microsoft. Along with this telemetry, the Connected User Experience and Telemetry component may download a configuration settings file from Microsofts servers. This file is used to configure the Connected User Experience and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
> [!NOTE]
> You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).
 
- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address.
> [!NOTE]
> This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender).
Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates.
 
For servers with default telemetry settings and no Internet connectivity, you should set the telemetry level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity.
No user content, such as user files or communications, is gathered at the **Security** telemetry level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computers registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time.
### Basic level
The Basic level gathers a limited set of data thats critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a particular hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. The Connected User Experience and Telemetry component does not gather telemetry data about System Center, but it can transmit telemetry for other non-Windows applications if they have user consent.
The normal upload range for the Basic telemetry level is between 109 KB - 159 KB per day, per device.
The data gathered at this level includes:
- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 in the ecosystem. Examples include:
- Device attributes, such as camera resolution and display type
- Internet Explorer version
- Battery attributes, such as capacity and type
- Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number
- Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware
- Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system
- Operating system attributes, such as Windows edition and virtualization state
- Storage attributes, such as number of drives, type, and size
- **Connected User Experience and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experience and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time.
- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app.
- **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems.
- **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage.
- **App usage data**. Includes how an app is used, including how long an app is used, when the app has focus, and when the app is started
- **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade.
- **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS.
- **Accessory device data**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system.
- **Driver data**. Includes specific driver usage thats meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements.
- **Windows Store**. Provides information about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses.
### Enhanced level
The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
This is the default level for Windows 10 Enterprise and Windows 10 Education editions, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues.
The normal upload range for the Enhanced telemetry level is between 239 KB - 348 KB per day, per device.
The data gathered at this level includes:
- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components.
- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge.
- **Device-specific events**. Contains data about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events.
- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps.
If the Connected User Experience and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experience and Telemetry component at the **Enhanced** telemetry level will only gather data about the events associated with the specific issue.
### Full level
The Full level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the **Basic**, **Enhanced**, and **Security** levels.
Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level.
If a device experiences problems that are difficult to identify or repeat using Microsofts internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** telemetry level and have exhibited the problem.
However, before more data is gathered, Microsofts privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information:
- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe.
- Ability to get registry keys.
- All crash dump types, including heap dumps and full dumps.
## Enterprise management
Sharing telemetry data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the telemetry level and managing specific components is the best option.
Customers can set the telemetry level in both the user interface and with existing management tools. Users can change the telemetry level in the **Diagnostic and usage data** setting. In the Settings app, it is in **Privacy\Feedback & diagnostics**. They can choose between Basic, Enhanced, and Full. The Security level is not available.
IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a telemetry level. If youre using Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016, the Security telemetry level is available when managing the policy. Setting the telemetry level through policy overrides users choices. The remainder of this section describes how to do that.
### Manage your telemetry settings
We do not recommend that you turn off telemetry in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center.
> [!IMPORTANT]
> These telemetry levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. You should work with your app vendors to understand their telemetry policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses telemetry, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx).
You can turn on or turn off System Center telemetry gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center telemetry is turned on. However, setting the operating system telemetry level to **Basic** will turn off System Center telemetry, even if the System Center telemetry switch is turned on.
The lowest telemetry setting level supported through management policies is **Security**. The lowest telemetry setting supported through the Settings UI is **Basic**. The default telemetry setting for Windows Server 2016 is **Enhanced**.
### Configure the operating system telemetry level
You can configure your operating system telemetry settings using the management tools youre already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your telemetry levels through a management policy overrides any device level settings.
Use the appropriate value in the table below when you configure the management policy.
| Level | Data gathered | Value |
| - | - | - |
| Security | Security data only. | **0** |
| Basic | Security data, and basic system and quality data. | **1** |
| Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. | **2** |
| Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | **3** |
### Use Group Policy to set the telemetry level
Use a Group Policy object to set your organizations telemetry level.
1. From the Group Policy Management Console, go to **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Data Collection and Preview Builds**.
2. Double-click **Allow Telemetry**.
3. In the **Options** box, select the level that you want to configure, and then click **OK**.
### Use MDM to set the telemetry level
Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy.
### Use Registry Editor to set the telemetry level
Use Registry Editor to manually set the registry level on each device in your organization, or write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting.
1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection**.
2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**.
3. Type **AllowTelemetry**, and then press ENTER.
4. Double-click **AllowTelemetry**, set the desired value from the table above, and then click **OK.**
5. Click **File** &gt; **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization.
### Configure System Center 2016 telemetry
For System Center 2016 Technical Preview, you can turn off System Center telemetry by following these steps:
- Turn off telemetry by using the System Center UI Console settings workspace.
- For information about turning off telemetry for Service Management Automation and Service Provider Foundation, see [How to disable telemetry for Service Management Automation and Service Provider Foundation](https://support.microsoft.com/kb/3096505).
### Additional telemetry controls
There are a few more settings that you can turn off that may send telemetry information:
- To turn off Windows Update telemetry, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](http://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/).
- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** &gt; **Update & security** &gt; **Windows Defender**.
- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).
- Turn off **Linguistic Data Collection** in **Settings** &gt; **Privacy**. At telemetry levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary.
> [!NOTE]
> Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
## Additional resources
FAQs
- [Cortana, Search, and privacy](https://privacy.microsoft.com/windows-10-cortana-and-privacy)
- [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy)
- [Windows 10 camera and privacy](https://privacy.microsoft.com/windows-10-camera-and-privacy)
- [Windows 10 location service and privacy](https://privacy.microsoft.com/windows-10-location-and-privacy)
- [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy)
- [Windows 10 speech, inking, typing, and privacy](https://privacy.microsoft.com/windows-10-speech-inking-typing-and-privacy-faq)
- [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy)
- [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense)
- [Windows Update Delivery Optimization](https://privacy.microsoft.com/windows-10-windows-update-delivery-optimization)
Blogs
- [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10)
Privacy Statement
- [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
TechNet
- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
Web Pages
- [Privacy at Microsoft](http://privacy.microsoft.com)

62
windows/manage/cortana-at-work-crm.md
View File

@ -1,62 +0,0 @@
---
title: Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization (Windows 10)
description: How to set up Cortana to help your salespeople get proactive insights on important CRM activities, including sales leads, accounts, and opportunities; presenting the most relevant info at any given time.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
localizationpriority: high
---
# Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization
**Applies to:**
- Windows 10, Windows Insider Program
- Windows 10 Mobile, Windows Insider Program
>[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Cortana integration is a Preview feature that's available for your test or dev environment, starting with the CRM Online 2016 Update. If you decide to use this Preview feature, you'll need to turn in on and accept the license terms. After that, your salespeople will get proactive insights from Cortana on important CRM activities, including sales leads, accounts, and opportunities; presenting the most relevant info at any given time. This can even include getting company-specific news that surfaces when the person is meeting with a representative from another company.
>[!NOTE]
>For more info about Dynamics CRM integration, how to turn on Cortana, and how to provide feedback, see [Preview feature: Set up Cortana integration](http://go.microsoft.com/fwlink/p/?LinkId=746819).
![Cortana at work, showing the sales data pulled from Dynamics CRM](images/cortana-crm-screen.png)
## Turn on Cortana with Dynamics CRM in your organization
You must be a CRM administrator to turn on and use Preview features. For more info about what Preview features are and how to use them, see [What are Preview features and how do I enable them](http://go.microsoft.com/fwlink/p/?LinkId=746817)?
**To turn on Cortana with Dynamics CRM**
1. Go to **Settings**, and then click **Administration**.
2. Choose **System Settings**, and then click the **Previews** tab.
3. Read the license terms, and if you agree, select the **Ive read and agree to the license terms** check box.
4. For each preview feature you want to enable, click **Yes**.
## Turn on Cortana with Dynamics CRM on your employees devices
You must tell your employees to turn on Cortana, before theyll be able to use it with Dynamics CRM.
**To turn on local Cortana with Dynamics CRM**
1. Click on the **Cortana** search box in the taskbar, and then click the **Notebook** icon.
2. Click on **Connected Services**, click **Dynamics CRM**, and then click **Connect**.
![Cotana at work, showing how to turn on the connected services for Dynamics CRM](images/cortana-connect-crm.png)
The employee can also disconnect by clicking **Disconnect** from the **Dynamics CRM** screen.
## Turn off Cortana with Dynamics CRM
Cortana can only access data in Dynamics CRM when its turned on. If you dont want Cortana to access your corporate data, you can turn it off.
**To turn off Cortana with Dynamics CRM**
1. Go to **Settings**, and then click **Administration**.
2. Choose **System Settings**, and then click the **Previews** tab.
3. Click **No** for **Cortana**.
All Dynamics CRM functionality related to Cortana is turned off in your organization.

24
windows/manage/cortana-at-work-feedback.md
View File

@ -1,24 +0,0 @@
---
title: Send feedback about Cortana at work back to Microsoft (Windows 10)
description: How to send feedback to Microsoft about Cortana at work.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
localizationpriority: high
---
# Send feedback about Cortana at work back to Microsoft
**Applies to:**
- Windows 10, Windows Insider Program
- Windows 10 Mobile, Windows Insider Program
>[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
We ask that you report bugs and issues. To provide feedback, you can click the **Feedback** icon in the Cortana window. When you send this form to Microsoft it also includes troubleshooting info, in case you run into problems.
![Cortana at work, showing how to provide feedback to Microsoft](images/cortana-feedback.png)
If you don't want to use the feedback tool in Cortana, you can add feedback through the general Windows Insider Preview feedback app. For info about the Insider Preview feedback app, see [How to use Windows Insider Preview Updates and feedback](http://windows.microsoft.com/en-us/windows/preview-updates-feedback-pc).

72
windows/manage/cortana-at-work-o365.md
View File

@ -1,72 +0,0 @@
---
title: Set up and test Cortana with Office 365 in your organization (Windows 10)
description: How to connect Cortana to Office 365 so your employees are notified about regular meetings, unusual events, such as meetings over lunch or during a typical commute time, and about early meetings, even setting an alarm so the employee isnt late.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
localizationpriority: high
---
# Set up and test Cortana with Office 365 in your organization
**Applies to:**
- Windows 10, Windows Insider Program
- Windows 10 Mobile, Windows Insider Program
>[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Cortana in Windows 10 is already great at letting your employees quickly see what the day is going to look like, do meeting prep work like researching people in LinkedIn or getting documents ready, see where and when their meetings are going to be, get a sense of travel times to and from work, and even get updates from a calendar for upcoming trips.
But Cortana works even harder when she connects to Office 365, helping employees to be notified about unusual events, such as meetings over lunch or during a typical commute time, and about early meetings, even setting an alarm so the employee isnt late.
![Cortana at work, showing the day's schedule pulled from Office 365](images/cortana-o365-screen.png)
Were continuing to add more and more capabilities to Cortana so she can become even more helpful with your productivity-related tasks, such as emailing, scheduling, and other tasks that are important to help you be successful.
>[!NOTE]
>For a quick review of the frequently asked questions about Cortana and Office 365 integration, see the blog post, [An early look at Cortana integration with Office 365](http://go.microsoft.com/fwlink/p/?LinkId=717379).
## Before you begin
There are a few things to be aware of before you start using Cortana with Office 365 in your organization.
- **Software requirements.** O365 integration with Cortana is available in all countries/regions where Cortana is supported for consumers today. This includes the United States, United Kingdom, Canada, France, Italy, Germany, Spain, China, Japan, India, and Australia. As Cortana comes to more countries, it will also become available to organizations.
- **Azure Active Directory (Azure AD) account.** Before your employees can use Cortana in your org, they must be logged in using their Azure AD account through Cortanas notebook. They must also authorize Cortana to access Office 365 on their behalf.
- **Office 365 Trust Center.** Cortana isn't a service covered by the Office 365 Trust Center. [Learn more about how Cortana treats your data](http://go.microsoft.com/fwlink/p/?LinkId=536419).
- **Troubleshooting tips.** If you run into issues, check out these [troubleshooting tips](http://go.microsoft.com/fwlink/p/?LinkId=620763).
## Turn on Cortana with Office 365 on employees devices
You must tell your employees to turn on Cortana before theyll be able to use it with Office 365.
**To turn on local Cortana with Office 365**
1. Click on the **Cortana** search box in the taskbar, and then click the **Notebook** icon.
2. Click on **Connected Services**, click **Office 365**, and then click **Connect**.
![Cotana at work, showing how to turn on the connected services for Office 365](images/cortana-connect-o365.png)
The employee can also disconnect by clicking **Disconnect** from the **Office 365** screen.
## Turn off Cortana with Office 365
Cortana can only access data in your Office 365 org when its turned on. If you dont want Cortana to access your corporate data, you can turn it off in the Office 365 admin center.
**To turn off Cortana with Office 365**
1. [Sign in to Office 365](http://www.office.com/signin) using your Azure AD account.
2. Go to the [Office 365 admin center](https://support.office.com/article/Office-365-admin-center-58537702-d421-4d02-8141-e128e3703547).
3. Expand **Service Settings**, and select **Cortana**.
4. Click **Cortana** to toggle Cortana off.
All Office 365 functionality related to Cortana is turned off in your organization and your employees are unable to use her at work.

64
windows/manage/cortana-at-work-overview.md
View File

@ -1,64 +0,0 @@
---
title: Cortana integration in your business or enterprise (Windows 10)
description: The worlds first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
localizationpriority: high
---
# Cortana integration in your business or enterprise
**Applies to:**
- Windows 10, Windows Insider Program
- Windows 10 Mobile, Windows Insider Program
>[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
## Who is Cortana?
Cortana is Microsofts personal digital assistant, who helps busy people get things done, even while at work.
Cortana has powerful configuration options, specifically optimized for your business. By signing in with an Azure Active Directory (Azure AD) account, your employees can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work.
Using Azure AD also means that you can remove an employees profile (for example, when an employee leaves your organization) while respecting Windows Information Protection (WIP) policies and ignoring enterprise content, such as emails, calendar items, and people lists that are marked as enterprise data.
![Cortana at work, showing the About me screen](images/cortana-about-me.png)
## Where is Cortana available for use in my organization?
You can use Cortana at work in all countries/regions where Cortana is supported for consumers. This includes the United States, United Kingdom, Canada, France, Italy, Germany, Spain, China, Japan, India, and Australia. As Cortana comes to more countries, she will also become available to enterprise customers.
Cortana is available on Windows 10, Windows Insider Program and with limited functionality on Windows Phone 8.1, Windows Insider Program.
## Required hardware and software
Cortana requires the following hardware and software to successfully run the included scenario in your organization.
|Hardware |Description |
|---------|------------|
|Microphone |For speech interaction with Cortana. If you don't have a microphone, you can still interact with Cortana by typing in the Cortana Search Box in the taskbar. |
|Windows Phone |For location-specific reminders. You can also use a desktop device to run through this scenario, but location accuracy is usually better on phones. |
|Desktop devices |For non-phone-related scenarios. |
|Software |Minimum version |
|---------|------------|
|Client operating system |<ul><li>**Desktop:** Windows 10, Windows Insider Program</li><li>**Mobile:** Windows 8.1, Windows Insider Program (with limited functionality)</li> |
|Azure Active Directory (Azure AD) |While all employees signing into Cortana need an Azure AD account; an Azure AD premium tenant isnt required. |
|Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana, but won't turn Cortana off.<p>For example:<p>If you turn **Location** off, Cortana won't be able to provide location-based reminders, such as reminding you to visit the mail room when you get to work.<p>If you turn **Speech** off, your employees won't be able to use “Hello Cortana” for hands free usage or voice commands to easily ask for help. |
|Windows Information Protection (WIP) (optional) |If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](../keep-secure/protect-enterprise-data-using-wip.md)<p>If you decide to use WIP, you must also have a management solution. This can be Microsoft Intune, Microsoft System Center Configuration Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution.|
## Signing in using Azure AD
Your organization must have an Azure AD tenant and your employees devices must all be Azure AD-joined for Cortana to work properly. For info about what an Azure AD tenant is, how to get your devices joined, and other Azure AD maintenance info, see [What is an Azure AD directory?](https://msdn.microsoft.com/library/azure/jj573650.aspx)
## Cortana and privacy
We understand that there are some questions about Cortana and your organizations privacy, including concerns about what info is collected by Cortana, where the info is saved, how to manage what data is collected, how to turn Cortana off, how to opt completely out of data collection, and what info is shared with other Microsoft apps and services. For more details about these concerns, see the [Cortana, Search, and privacy: FAQ](http://windows.microsoft.com/windows-10/cortana-privacy-faq) topic.
Cortana is covered under the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and [Microsoft Services Agreement](https://www.microsoft.com/en-us/servicesagreement).
## See also
- [What is Cortana?](http://go.microsoft.com/fwlink/p/?LinkId=746818)
- [Cortana and Windows](http://go.microsoft.com/fwlink/?LinkId=717384)
- [Known issues for Windows Desktop Search and Cortana in Windows 10](https://support.microsoft.com/help/3206883/known-issues-for-windows-desktop-search-and-cortana-in-windows-10)
- [Cortana for developers](http://go.microsoft.com/fwlink/?LinkId=717385)

44
windows/manage/cortana-at-work-policy-settings.md
View File

@ -1,44 +0,0 @@
---
title: Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization (Windows 10)
description: The list of Group Policy and mobile device management (MDM) policy settings that apply to Cortana at work.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
localizationpriority: high
---
# Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization
**Applies to:**
- Windows 10, Windows Insider Program
- Windows 10 Mobile, Windows Insider Program
>[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
>[!NOTE]
>For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkId=717380) topic, located in the configuration service provider reference topics. For specific info about how to set, manage, and use each of these Group Policies to configure Cortana in your enterprise, see the [Group Policy TechCenter](http://go.microsoft.com/fwlink/p/?LinkId=717381).
|Group policy |MDM policy |Description |
|-------------|-----------|------------|
|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock|AboveLock/AllowCortanaAboveLock|Specifies whether an employee can interact with Cortana using voice commands when the system is locked.<p>**NOTE**<br>This setting only applies to Windows 10 for desktop devices. |
|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization|Privacy/AllowInputPersonalization|Specifies whether an employee can use voice commands with Cortana in your organization.<p>**In Windows 10, version 1511**<br>Cortana wont work if this setting is turned off (disabled).<p>**In Windows 10, version 1607 and later**<br>Cortana still works if this setting is turned off (disabled).|
|None|System/AllowLocation|Specifies whether to allow app access to the Location service.<p>**In Windows 10, version 1511**<br>Cortana wont work if this setting is turned off (disabled).<p>**In Windows 10, version 1607 and later**<br>Cortana still works if this setting is turned off (disabled).|
|None|Accounts/AllowMicrosoftAccountConnection|Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.<p>Use this setting if you only want to support Azure AD in your organization.|
|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location|Search/AllowSearchToUseLocation|Specifies whether Cortana can use your current location during searches and for location reminders.|
|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search|Search/SafeSearchPermissions|Specifies what level of safe search (filtering adult content) is required.<p>**NOTE**<br>This setting only applies to Windows 10 Mobile.|
|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box|None|Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference.|
|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results|None|Specifies whether search can perform queries on the web and if the web results are displayed in search.<p>**In Windows 10 Pro edition**<br>This setting cant be managed.<p>**In Windows 10 Enterprise edition**<br>Cortana won't work if this setting is turned off (disabled).|
|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana|Experience/AllowCortana|Specifies whether employees can use Cortana.<p>**IMPORTANT**<br>Cortana wont work if this setting is turned off (disabled). However, employees can still perform local searches even with Cortana turned off.|

138
windows/manage/cortana-at-work-powerbi.md
View File

@ -1,138 +0,0 @@
---
title: Set up and test Cortana for Power BI in your organization (Windows 10)
description: How to integrate Cortana with Power BI to help your employees get answers directly from your key business data.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
localizationpriority: high
---
# Set up and test Cortana for Power BI in your organization
**Applies to:**
- Windows 10, Windows Insider Program
- Windows 10 Mobile, Windows Insider Program
>[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Integration between Cortana and Power BI shows how Cortana can work with custom business analytics solutions to enable you to get answers directly from your key business data, including introducing new features that let you create custom Cortana “answers” using the full capabilities of Power BI Desktop.
>[!Note]
>Cortana for Power BI is currently only available in English. For more info about Cortana and Power BI, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/documentation/powerbi-service-cortana-desktop-entity-cards/).
## Before you begin
To use this walkthrough, youll need:
- **Windows 10**. Youll need to be running at least Windows 10 with the latest version from the Windows Insider Program.
- **Cortana**. You need to have Cortana turned on and be logged into your account.
- **Power BI account with data**. You can use an existing Power BI account, or else you can get a trial account by signing up at http://powerbi.com. Just make sure that either way, you enter some data that you can use.
- **Azure Active Directory (Azure AD)/Work or School account**. You can use the account that you created for Office 365, or you can create a new one while youre establishing your Power BI account. If you choose to use Azure AD, you must connect your Azure AD account to your Windows account.
**To connect your account to Windows**
a. Open **Windows Settings**, click **Accounts**, click **Access work or school**, and then in the **Connect to work or school** section, click **Connect**.
b. Follow the instructions to add your Azure Active Directory (Azure AD) account to Windows.
## Set up your test environment for Cortana for Power BI
Before you can start this testing scenario, you must first set up your test environment and data, and then you must turn on and set up Cortana to connect and work with Power BI.
**To set up your test environment with Cortana and Power BI**
1. Go to http://powerbi.com and sign-in with the same O365 credentials you used in the Set up and use Cortana with Office 365 topic.
2. Expand the left rail by clicking the **Show the navigation pane** icon.
![Cortana at work, showing the navigation expand icon in Power BI](images/cortana-powerbi-expand-nav.png)
3. Click **Get Data** from the left-hand navigation in Power BI.
![Cortana at work, showing the Get Data link](images/cortana-powerbi-getdata.png)
4. Click **Samples** from the **Content Pack Library** area of the **Get Data** screen.
![Cortana at work, showing the Samples link](images/cortana-powerbi-getdata-samples.png)
5. Click **Retail Analysis Sample**, and then click **Connect**.
![Cortana at work, showing the Samples link](images/cortana-powerbi-retail-analysis-sample.png)
The sample data is imported and youre returned to the **Power BI** screen.
6. Click **Dashboards** from the left pane of the **Power BI** screen, and then click **Retail Analysis Sample**.
![Cortana at work, showing a dashboard view of the sample data](images/cortana-powerbi-retail-analysis-dashboard.png)
7. In the upper right-hand menu, click the **Settings** icon, and then click **Settings**.
![Cortana at work, showing where to find the Settings option](images/cortana-powerbi-settings.png)
8. Click the **Datasets** tab, and then pick the **Retail Analysis Sample** dataset from the list.
9. Click **Q&A and Cortana**, check the **Allow Cortana to access this dataset** box, and then click **Apply**.
![Cortana at work, showing where to find the dataset options](images/cortana-powerbi-retail-analysis-dataset.png)
>[!NOTE]
>It can take up to 30 minutes for a new dataset to appear for Power BI and Cortana. Logging in and out of Windows 10, or otherwise restarting Cortana, causes the new content to appear immediately.<p>If you enable a dataset for Cortana, and that dataset is part of a content pack you own, youll need to re-publish for your colleagues to also use it with Cortana.
## Create a custom Answer Page for Cortana
You must create special reports, known as _Answer Pages_, to display the most commonly asked answers in Cortana. For example, if you want Cortana to quickly show sales data to your employees, you can create a 2016 sales data Answer Page that shows sales data, with various pivots, in Cortana.
After youve finished creating your Answer Page, you can continue to the included testing scenarios.
>[!NOTE]
>It can take up to 30 minutes for a custom Answer Page to appear for Power BI and Cortana. Logging in and out of Windows 10, or otherwise restarting Cortana, causes the new content to appear immediately.
**To create a custom sales data Answer Page for Cortana**
1. In Power BI, click **My Workspace**, click **Create**, and then click **Report**.
![Cortana at work, showing where to create the new report](images/cortana-powerbi-create-report.png)
2. In the **Create Report** screen, click the **Retail Analysis Sample**, and then click **Create**.
A blank report page appears.
3. In the **Visualizations** pane, click the paint roller icon, expand **Page Size**, and then pick **Cortana** from the **Type** drop-down list.
![Cortana at work, showing the Visualizations options](images/cortana-powerbi-pagesize.png)
4. In the **Fields** pane, click to expand **Sales**, expand **This year sales**, and then add both **Value** and **Goal**.
![Cortana at work, showing the Field options](images/cortana-powerbi-field-selection.png)
The automatically generated graph is added to your blank report. You have the option to change colors, add borders, add additional visualizations, and modify this page so that it answers the question about sales data as precisely, and in as custom a way, as you want. You just need to make sure that it all stays within the page borders.
5. In the **Visualizations** pane, click the paint roller icon again, expand **Page Information**, type _Sales data 2016_ into the **Name** box, turn on **Q&A**, and then add alternate report names (separated by commas) into the text box.
The alternate names help Cortana to know what questions to look for and when to show this report. To also improve your results, you should avoid using the names of your report columns.
![Cortana at work, showing the page info for your specific report](images/cortana-powerbi-report-qna.png)
6. Click **File**, click **Save as**, and save the report as _Sales data 2016_.
Because this is part of the Retail Analysis Sample, it will automatically be included as part of the dataset you included for Cortana. However, you will still need to log in and out of Windows 10, or otherwise restart Cortana, before the new content appears.
## Test Scenario: Use Cortana to show info from Power BI in your organization
Now that youve set up your device, you can use Cortana to show your info from within Power BI.
**To use Cortana with Power BI**
1. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
2. Type _This year in sales_.
Cortana shows you the available results.
![Cortana at work, showing the best matches based on the Power BI data](images/cortana-powerbi-search.png)
3. In the **Power BI** area, click **This year in sales in Retail Analysis Sample**.
Cortana returns your custom report.
![Cortana at work, showing your custom report from Power BI](images/cortana-powerbi-myreport.png)
>[!NOTE]
>For more info about how to connect your own data, build your own custom Power BI cards and Answer Pages for Cortana, and how to share the cards with everyone in your organization, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/documentation/powerbi-service-cortana-desktop-entity-cards/).

58
windows/manage/cortana-at-work-scenario-1.md
View File

@ -1,58 +0,0 @@
---
title: Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook (Windows 10)
description: A test scenario walking you through signing in and managing the notebook.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
localizationpriority: high
---
# Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook
- Windows 10, Windows Insider Program
- Windows 10 Mobile, Windows Insider Program
>[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
>[!IMPORTANT]
>The data created as part of these scenarios will be uploaded to Microsofts Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
This scenario turns on Azure AD and let's your employee use Cortana to manage an entry in the notebook.
## Turn on Azure AD
This process helps you to sign out of a Microsoft Account and to sign into an Azure AD account.
1. Click on the **Cortana** icon in the taskbar, click the **Notebook**, and then click **About Me**.
2. Click your email address.
A dialog box appears, showing the associated account info.
3. Click your email address again, and then click **Sign out**.
This signs out the Microsoft account, letting you continue to add and use the Azure AD account.
4. Click the **Search** box and then the **Notebook** icon in the left rail. This will start the sign-in request.
5. Click **Sign-In** and follow the instructions.
6. When youre asked to sign in, youll need to choose an Azure AD account, which will look like kelliecarlson@contoso.com.
>[!IMPORTANT]
>If theres no Azure AD account listed, youll need to go to **Windows Settings > Accounts > Email & app accounts**, and then click **Add a work or school account** to add it.
## Use Cortana to manage the notebook content
This process helps you to manage the content Cortana shows in your Notebook.
1. Click on the **Cortana** icon in the taskbar, click the **Notebook**, scroll down and click **Weather**.
2. In the **Weather** settings, scroll down to the **Cities your tracking** area, and then click **Add a city**.
3. Add *Redmond, Washington*, double-click the search result, click **Add**, and then click **Save**.
![Cortana at work, showing the multiple Weather screens](images/cortana-weather-multipanel.png)
4. Click on the **Home** icon and scroll to the weather forecast for Redmond, Washington.
![Cortana at work, showing Redmond, WA weather](images/cortana-redmond-weather.png)

41
windows/manage/cortana-at-work-scenario-2.md
View File

@ -1,41 +0,0 @@
---
title: Test scenario 2 - Perform a quick search with Cortana at work (Windows 10)
description: A test scenario about how to perform a quick search with Cortana at work.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
localizationpriority: high
---
# Test scenario 2 - Perform a quick search with Cortana at work
- Windows 10, Windows Insider Program
- Windows 10 Mobile, Windows Insider Program
>[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
>[!IMPORTANT]
>The data created as part of these scenarios will be uploaded to Microsofts Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
This scenario helps you perform a quick search using Cortana, both by typing and through voice commands.
## Search using Cortana
This process helps you use Cortana at work to perform a quick search.
1. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
2. Type *Weather in New York*.
You should see the weather in New York, New York at the top of the search results.
![Cortana at work, showing the weather in New York, New York](images/cortana-newyork-weather.png)
## Search with Cortana, by using voice commands
This process helps you to use Cortana at work and voice commands to perform a quick search.
1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box).
2. Say *What's the weather in Chicago?* Cortana tells you and shows you the current weather in Chicago.
![Cortana at work, showing the current weather in Chicago, IL](images/cortana-chicago-weather.png)

86
windows/manage/cortana-at-work-scenario-3.md
View File

@ -1,86 +0,0 @@
---
title: Test scenario 3 - Set a reminder for a specific location using Cortana at work (Windows 10)
description: A test scenario about how to set a location-based reminder using Cortana at work.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
localizationpriority: high
---
# Test scenario 3 - Set a reminder for a specific location using Cortana at work
- Windows 10, Windows Insider Program
- Windows 10 Mobile, Windows Insider Program
>[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
>[!IMPORTANT]
>The data created as part of these scenarios will be uploaded to Microsofts Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
This scenario helps you set up, review, and edit a reminder based on a location. For example, reminding yourself to grab your expense report receipts before you leave the house.
>[!NOTE]
>You can set each reminder location individually as you create the reminders, or you can go into the **About me** screen and add both **Work** and **Home** addresses as favorites. Make sure that you use real addresses since youll need to go to these locations to complete your testing scenario.<p>Additionally, if youve turned on the **Meeting & reminder cards & notifications** option (in the **Meetings & reminders** option of your Notebook), youll also see your pending reminders on the Cortana **Home** page.
## Create a reminder for a specific location
This process helps you to create a reminder based on a specific location.
1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**.
2. Click the **+** sign, add a subject for your reminder, such as _Remember to file expense report receipts_, and then click **Place**.
![Cortana at work, showing the add a reminder screens](images/cortana-add-reminder.png)
3. Choose **Arrive** from the drop-down box, and then type a location to associate with your reminder. For example, you can use the physical address of where you work. Just make sure you can physically get to your location, so you can test the reminder.
![Cortana at work, showing how to add a place to the reminder screens](images/cortana-place-reminder.png)
4. Click **Done**.
>[!NOTE]
>If youve never used this location before, youll be asked to add a name for it so it can be added to the **Favorites list** in Windows Maps.
5. Choose to be reminded the **Next time you arrive at the location** or on a specific day of the week from the drop-down box.
6. Take a picture of your receipts and store them locally on your device.
7. Click **Add Photo**, click **Library**, browse to your picture, and then click **OK**.
The photo is stored with the reminder.
![Cortana at work, showing the stored image in the reminder screens](images/cortana-final-reminder.png)
8. Review the reminder info, and then click **Remind**.
The reminder is saved and ready to be triggered.
![Cortana at work, showing the final reminder](images/cortana-reminder-pending.png)
## Create a reminder for a specific location by using voice commands
This process helps you to use Cortana at work and voice commands to create a reminder for a specific location.
1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box).
2. Say _Remind me to grab my expense report receipts before I leave home_.
Cortana opens a new reminder task and asks if it sounds good.
![Cortana at work, showing the reminder created through voice commands](images/cortana-reminder-mic.png)
3. Say _Yes_ so Cortana can save the reminder.
![Cortana at work, showing the final reminder created through voice commands](images/cortana-reminder-pending-mic.png)
## Edit or archive an existing reminder
This process helps you to edit or archive and existing or completed reminder.
1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**.
![Cortana at work, showing the list of pending reminders](images/cortana-reminder-list.png)
2. Click the pending reminder you want to edit.
![Cortana at work, showing the reminder editing screen](images/cortana-reminder-edit.png)
3. Change any text that you want to change, click **Add photo** if you want to add or replace an image, click **Delete** if you want to delete the entire reminder, click **Save** to save your changes, and click **Complete and move to History** if you want to save a completed reminder in your **Reminder History**.

51
windows/manage/cortana-at-work-scenario-4.md
View File

@ -1,51 +0,0 @@
---
title: Test scenario 4 - Use Cortana at work to find your upcoming meetings (Windows 10)
description: A test scenario about how to use Cortana at work to find your upcoming meetings.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
localizationpriority: high
---
# Test scenario 4 - Use Cortana at work to find your upcoming meetings
- Windows 10, Windows Insider Program
- Windows 10 Mobile, Windows Insider Program
>[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
>[!IMPORTANT]
>The data created as part of these scenarios will be uploaded to Microsofts Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
This scenario helps you search for both general upcoming meetings, and specific meetings, both manually and verbally.
>[!NOTE]
>If youve turned on the **Meeting & reminder cards & notifications** option (in the **Meetings & reminders** option of your Notebook), youll also see your pending reminders on the Cortana **Home** page.
## Find out about upcoming meetings
This process helps you find your upcoming meetings.
1. Check to make sure your work calendar is connected and synchronized with your Azure AD account.
2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
3. Type _Show me my meetings for tomorrow_.
Youll see all your meetings scheduled for the next day.
![Cortana at work, showing all upcoming meetings](images/cortana-meeting-tomorrow.png)
## Find out about upcoming meetings by using voice commands
This process helps you to use Cortana at work and voice commands to find your upcoming meetings.
1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box.
2. Say _Show me what meeting I have at 3pm tomorrow_.
>[!IMPORTANT]
>Make sure that you have a meeting scheduled for the time you specify here.
![Cortana at work, showing the meeting scheduled for 3pm](images/cortana-meeting-specific-time.png)

57
windows/manage/cortana-at-work-scenario-5.md
View File

@ -1,57 +0,0 @@
---
title: Test scenario 5 - Use Cortana to send email to a co-worker (Windows 10)
description: A test scenario about how to use Cortana at work to send email to a co-worker.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
localizationpriority: high
---
# Test scenario 5 - Use Cortana to send email to a co-worker
- Windows 10, Windows Insider Program
- Windows 10 Mobile, Windows Insider Program
>[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
>[!IMPORTANT]
>The data created as part of these scenarios will be uploaded to Microsofts Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
This scenario helps you to send an email to a co-worker listed in your work address book, both manually and verbally.
## Send an email to a co-worker
This process helps you to send a quick message to a co-worker from the work address book.
1. Check to make sure your Microsoft Outlook or mail app is connected and synchronized with your Azure AD account.
2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
3. Type _Send an email to &lt;contact_name&gt;_.
Where _&lt;contact_name&gt;_ is the name of someone in your work address book.
4. Type your email message subject into the **Quick message** (255 characters or less) box and your message into the **Message** (unlimited characters) box, and then click **Send**.
![Cortana at work, showing the email text](images/cortana-send-email-coworker.png)
## Send an email to a co-worker by using voice commands
This process helps you to use Cortana at work and voice commands to send a quick message to a co-worker from the work address book.
1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box.
2. Say _Send an email to &lt;contact_name&gt;_.
Where _&lt;contact_name&gt;_ is the name of someone in your work address book.
3. Add your email message by saying, _Hello this is a test email using Cortana at work._
The message is added and youre asked if you want to **Send it**, **Add more**, or **Make changes**.
![Cortana at work, showing the email text created from verbal commands](images/cortana-send-email-coworker-mic.png)
4. Say _Send it_.
The email is sent.
![Cortana at work, showing the sent email text](images/cortana-complete-send-email-coworker-mic.png)

48
windows/manage/cortana-at-work-scenario-6.md
View File

@ -1,48 +0,0 @@
---
title: Test scenario 6 - Review a reminder suggested by Cortana based on what youve promised in email (Windows 10)
description: A test scenario about how to use Cortana with the Suggested reminders feature.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
localizationpriority: high
---
# Test scenario 6 - Review a reminder suggested by Cortana based on what youve promised in email
- Windows 10, Windows Insider Program
- Windows 10 Mobile, Windows Insider Program
>[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
>[!IMPORTANT]
>The data created as part of these scenarios will be uploaded to Microsofts Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. For more info, see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Microsoft Services Agreement](https://www.microsoft.com/en-us/servicesagreement).
Cortana automatically finds patterns in your email, suggesting reminders based things that you said you would do so you dont forget about them. For example, Cortana recognizes that if you include the text, _Ill get this to you by the end of the week_ in an email, you're making a commitment to provide something by a specific date. Cortana can now suggest that you be reminded about this event, letting you decide whether to keep it or to cancel it.
>[!NOTE]
>The Suggested reminders feature is currently only available in English (en-us).
**To use Cortana to create Suggested reminders for you**
1. Make sure that you've connected Cortana to Office 365. For the steps to connect, see [Set up and test Cortana with Office 365 in your organization](cortana-at-work-o365.md).
2. Click on the **Cortana** search box in the taskbar, click the **Notebook** icon, and then click **Permissions**.
3. Make sure the **Contacts, email, calendar, and communication history** option is turned on.
![Permissions options for Cortana at work](images/cortana-communication-history-permissions.png)
4. Click the **Notebook** icon again, click the **Suggested reminders** option, click to turn on the **All reminder suggestions cards** option, click the **Notify me when something I mentioned doing is coming up** box, and then click **Save**.
![Suggested reminders options for Cortana at work](images/cortana-suggested-reminder-settings.png)
5. Create and send an email to yourself (so you can see the Suggested reminder), including the text, _Ill finish this project by end of day today_.
6. After you get the email, click on the Cortana **Home** icon, and scroll to todays events.
If the reminder has a specific date or time associated with it, like end of day, Cortana notifies you at the appropriate time and puts the reminder into the Action Center. Also from the Home screen, you can view the email where you made the promise, set aside time on your calendar, officially set the reminder, or mark the reminder as completed.
![Cortana Home screen with your suggested reminder showing](images/cortana-suggested-reminder.png)

36
windows/manage/cortana-at-work-testing-scenarios.md
View File

@ -1,36 +0,0 @@
---
title: Testing scenarios using Cortana in your business or organization (Windows 10)
description: A list of suggested testing scenarios that you can use to test Cortana in your organization.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
localizationpriority: high
---
# Testing scenarios using Cortana in your business or organization
**Applies to:**
- Windows 10, Windows Insider Program
- Windows 10 Mobile, Windows Insider Program
>[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to:
- [Sign-in to Cortana using Azure AD, manage entries in the notebook, and search for content across your device, Bing, and the cloud, using Cortana](cortana-at-work-scenario-1.md)
- [Perform a quick search with Cortana at work](cortana-at-work-scenario-2.md)
- [Set a reminder and have it remind you when youve reached a specific location](cortana-at-work-scenario-3.md)
- [Search for your upcoming meetings on your work calendar](cortana-at-work-scenario-4.md)
- [Send an email to a co-worker from your work email app](cortana-at-work-scenario-5.md)
- [Review a reminder suggested by Cortana based on what youve promised in email](cortana-at-work-scenario-6.md)
- [Use Windows Information Protection (WIP) to secure content on a device and then try to manage your organizations entries in the notebook](cortana-at-work-scenario-7.md)
>[!IMPORTANT]
>The data created as part of these scenarios will be uploaded to Microsofts Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.

64
windows/manage/cortana-at-work-voice-commands.md
View File

@ -1,64 +0,0 @@
---
title: Set up and test custom voice commands in Cortana for your organization (Windows 10)
description: How to create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
localizationpriority: high
---
# Set up and test custom voice commands in Cortana for your organization
**Applies to:**
- Windows 10, Windows Insider Program
- Windows 10 Mobile, Windows Insider Program
>[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Working with a developer, you can create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. These voice-enabled actions can reduce the time necessary to access your apps and to complete simple actions.
>[!NOTE]
>For more info about how your developer can extend your current apps to work directly with Cortana, see [The Cortana Skills Kit](https://docs.microsoft.com/cortana/getstarted).
## High-level process
Cortana uses a Voice Command Definition (VCD) file, aimed at an installed app, to define the actions that are to happen during certain vocal commands. A VCD file can be very simple to very complex, supporting anything from a single sound to a collection of more flexible, natural language sounds, all with the same intent.
To enable voice commands in Cortana
1. **Extend your LOB app.** Add a custom VCD file to your app package. This file defines what capabilities are available to Cortana from the app, letting you tell Cortana what vocal commands should be understood and handled by your app and how the app should start when the command is vocalized.
Cortana can perform actions on apps in the foreground (taking focus from Cortana) or in the background (allowing Cortana to keep focus). We recommend that you decide where an action should happen, based on what your voice command is intended to do. For example, if your voice command requires employee input, its best for that to happen in the foreground. However, if the app only uses basic commands and doesnt require interaction, it can happen in the background.
- **Start Cortana with focus on your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a foreground app using voice commands and Cortana](https://docs.microsoft.com/cortana/voicecommands/launch-a-foreground-app-with-voice-commands-in-cortana).
- **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a background app using voice commands and Cortana](https://docs.microsoft.com/cortana/voicecommands/launch-a-background-app-with-voice-commands-in-cortana).
2. **Install the VCD file on employees' devices**. You can use System Center Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization.
## Test Scenario: Use voice commands in a Windows Store app
While these aren't line-of-business apps, we've worked to make sure to implement a VCD file, allowing you to test how the functionality works with Cortana in your organization.
**To get a Windows Store app**
1. Go to the Windows Store, scroll down to the **Collections** area, click **Show All**, and then click **Better with Cortana**.
2. Click **Uber**, and then click **Install**.
3. Open Uber, create an account or sign in, and then close the app.
**To set up the app with Cortana**
1. Click on the **Cortana** search box in the taskbar, and then click the **Notebook** icon.
2. Click on **Connected Services**, click **Uber**, and then click **Connect**.
![Cortana at work, showing where to connect the Uber service to Cortana](images/cortana-connect-uber.png)
**To use the voice-enabled commands with Cortana**
1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box).
2. Say _Uber get me a taxi_.
Cortana changes, letting you provide your trip details for Uber.
## See also
- [Cortana for developers](http://go.microsoft.com/fwlink/?LinkId=717385)

169
windows/manage/customize-and-export-start-layout.md
View File

@ -1,169 +0,0 @@
---
title: Customize and export Start layout (Windows 10)
description: The easiest method for creating a customized Start layout is to set up the Start screen and export the layout.
ms.assetid: CA8DF327-5DD4-452F-9FE5-F17C514B6236
keywords: ["start screen"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# Customize and export Start layout
**Applies to**
- Windows 10
>**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
The easiest method for creating a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test computer and then export the layout.
After you export the layout, decide whether you want to apply a *full* Start layout or a *partial* Start layout.
When a full Start layout is applied, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start.
When [a partial Start layout](#configure-a-partial-start-layout) is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups.
>[!NOTE]
>Partial Start layout is only supported on Windows 10, version 1511 and later.
 
You can deploy the resulting .xml file to devices using one of the following methods:
- [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
- [Windows Imaging and Configuration Designer provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
- [Mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
## <a href="" id="bkmkcustomizestartscreen"></a>Customize the Start screen on your test computer
To prepare a Start layout for export, you simply customize the Start layout on a test computer.
**To prepare a test computer**
1. Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users computers (Windows 10 Enterprise or Windows 10 Education). Install all apps and services that the Start layout should display.
2. Create a new user account that you will use to customize the Start layout.
<a href="" id="bmk-customize-start"></a>
**To customize Start**
1. Sign in to your test computer with the user account that you created.
2. Customize the Start layout as you want users to see it by using the following techniques:
- **Pin apps to Start**. From Start, type the name of the app. When the app appears in the search results, right-click the app, and then click **Pin to Start**.
To view all apps, click **All apps** in the bottom-left corner of Start. Right-click any app, and pin or unpin it from Start.
- **Unpin apps** that you dont want to display. To unpin an app, right-click the app, and then click **Unpin from Start**.
- **Drag tiles** on Start to reorder or group apps.
- **Resize tiles**. To resize tiles, right-click the tile and then click **Resize.**
- **Create your own app groups**. Drag the apps to an empty area. To name a group, click above the group of tiles and then type the name in the **Name group** field that appears above the group.
## <a href="" id="bmk-exportstartscreenlayout"></a>Export the Start layout
When you have the Start layout that you want your users to see, use the [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet in Windows PowerShell to export the Start layout to an .xml file.
**To export the Start layout to an .xml file**
1. From Start, open **Windows PowerShell**.
2. At the Windows PowerShell command prompt, enter the following command:
`export-startlayout path <path><file name>.xml `
In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, \\\\FileServer01\\StartLayouts\\StartLayoutMarketing.xml).
Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet does not append the file name extension, and the policy settings require the extension.
Example of a layout file produced by `Export-StartLayout`:
<span codelanguage="XML"></span>
<table>
<colgroup>
<col width="100%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">XML</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><pre><code>&lt;LayoutModificationTemplate Version=&quot;1&quot; xmlns=&quot;http://schemas.microsoft.com/Start/2014/LayoutModification&quot;&gt;
&lt;DefaultLayoutOverride&gt;
&lt;StartLayoutCollection&gt;
&lt;defaultlayout:StartLayout GroupCellWidth=&quot;6&quot; xmlns:defaultlayout=&quot;http://schemas.microsoft.com/Start/2014/FullDefaultLayout&quot;&gt;
&lt;start:Group Name=&quot;Life at a glance&quot; xmlns:start=&quot;http://schemas.microsoft.com/Start/2014/StartLayout&quot;&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;0&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;2&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.BingWeather_8wekyb3d8bbwe!App&quot; /&gt;
&lt;/start:Group&gt;
&lt;/defaultlayout:StartLayout&gt;
&lt;/StartLayoutCollection&gt;
&lt;/DefaultLayoutOverride&gt;
&lt;/LayoutModificationTemplate&gt;</code></pre></td>
</tr>
</tbody>
</table>
## Configure a partial Start layout
A partial Start layout enables you to add one or more customized tile groups to users' Start screens or menus, while still allowing users to make changes to other parts of the Start layout. All groups that you add are *locked*, meaning users cannot change the contents of those tile groups, however users can change the location of those groups. Locked groups are identified with an icon, as shown in the following image.
![locked tile group](images/start-pinned-app.png)
When a partial Start layout is applied for the first time, the new groups are added to the users' existing Start layouts. If an app tile is in both an existing group and in a new locked group, the duplicate app tile is removed from the existing (unlocked) group.
When a partial Start layout is applied to a device that already has a StartLayout.xml applied, groups that were added previously are removed and the groups in the new layout are added.
If the Start layout is applied by Group Policy or MDM, and the policy is removed, the groups remain on the devices but become unlocked.
**To configure a partial Start screen layout**
1. [Customize the Start layout](#bmk-customize-start).
2. [Export the Start layout](#bmk-exportstartscreenlayout).
3. Open the layout .xml file. There is a `<DefaultLayoutOverride>` element. Add `LayoutCustomizationRestrictionType="OnlySpecifiedGroups"` to the **DefaultLayoutOverride** element as follows:
``` syntax
<DefaultLayoutOverride LayoutCustomizationRestrictionType="OnlySpecifiedGroups">
```
4. Save the file and apply using any of the deployment methods.
## Related topics
[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
[Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)
 
 

137
windows/manage/customize-windows-10-start-screens-by-using-group-policy.md
View File

@ -1,137 +0,0 @@
---
title: Customize Windows 10 Start with Group Policy (Windows 10)
description: In Windows 10 Enterprise and Windows 10 Education, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain.
ms.assetid: F4A47B36-F1EF-41CD-9CBA-04C83E960545
keywords: ["Start layout", "start menu", "layout", "group policy"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# Customize Windows 10 Start and taskbar with Group Policy
**Applies to**
- Windows 10
>**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
In Windows 10 Enterprise and Windows 10 Education, you can use a Group Policy Object (GPO) to deploy a customized Start and taskbar layout to users in a domain. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead.
This topic describes how to update Group Policy settings to display a customized Start and taskbar layout when the users sign in. By creating a domain-based GPO with these settings, you can deploy a customized Start and taskbar layout to users in a domain.
>[!WARNING]  
>When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. When you apply a taskbar layout, users will still be able to pin and unpin apps, and change the order of pinned apps.
 
**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md)
## Operating system requirements
Start and taskbar layout control using Group Policy is supported in Windows 10 Enterprise and Windows 10 Education, Version 1607. Start and taskbar layout control is not supported in Windows 10 Pro.
The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. In Group Policy, ADMX files are used to define Registry-based policy settings in the Administrative Templates category. To find out how to create a central store for Administrative Templates files, see [article 929841, written for Windows Vista and still applicable](https://go.microsoft.com/fwlink/p/?LinkId=691687) in the Microsoft Knowledge Base.
## <a href="" id="bkmk-howstartscreencontrolworks"></a>How Start layout control works
Three features enable Start and taskbar layout control:
- The [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkID=620879) cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
>[!NOTE]  
>To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet.
- [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `<CustomTaskbarLayoutCollection>` or create an .xml file just for the taskbar configuration.
- In Group Policy, you use the **Start Layout** settings for the **Start Menu and Taskbar** administrative template to set a Start and taskbar layout from an .xml file when the policy is applied. The Group Policy object doesn't support an empty tile layout, so the default tile layout for Windows is loaded in that case.
>[!NOTE]  
>To learn how customize Start to include your line-of-business apps when you deploy Windows 10, see [Customize the Windows 10 Start layout]( https://go.microsoft.com/fwlink/p/?LinkId=620863).
 
## <a href="" id="bkmk-domaingpodeployment"></a>Use Group Policy to apply a customized Start layout in a domain
To apply the Start and taskbar layout to users in a domain, use the Group Policy Management Console (GPMC) to configure a domain-based Group Policy Object (GPO) that sets **Start Layout** policy settings in the **Start Menu and Taskbar** administrative template for users in a domain.
The GPO applies the Start and taskbar layout at the next user sign-in. Each time the user signs in, the timestamp of the .xml file with the Start and taskbar layout is checked and if a newer version of the file is available, the settings in the latest version of the file are applied.
The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed.
The .xml file with the Start and taskbar layout must be located on shared network storage that is available to the users computers when they sign in and the users must have Read-only access to the file. If the file is not available when the first user signs in, Start and the taskbar are not customized during the session, but the user will be prevented from making changes to Start. On subsequent sign-ins, if the file is available at sign-in, the layout it contains will be applied to the user's Start and taskbar.
For information about deploying GPOs in a domain, see [Working with Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=620889).
## <a href="" id="bkmk-localgpimport"></a>Use Group Policy to apply a customized Start layout on the local computer
You can use the Local Group Policy Editor to provide a customized Start and taskbar layout for any user who signs in on the local computer. To display the customized Start and taskbar layout for any user who signs in, configure **Start Layout** policy settings for the **Start Menu and Taskbar** administrative template. You can use the **Start Menu and Taskbar** administrative template in **User Configuration** or **Computer Configuration**.
>[!NOTE]  
>This procedure applies the policy settings on the local computer only. For information about deploying the Start and taskbar layout to users in a domain, see [Use Group Policy to deploy a customized Start layout in a domain](#bkmk-domaingpodeployment).
>
>This procedure creates a Local Group Policy that applies to all users on the computer. To configure Local Group Policy that applies to a specific user or group on the computer, see [Step-by-Step Guide to Managing Multiple Local Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=620881). The guide was written for Windows Vista and the procedures still apply to Windows 10.
This procedure adds the customized Start and taskbar layout to the user configuration, which overrides any Start layout settings in the local computer configuration when a user signs in on the computer.
**To configure Start Layout policy settings in Local Group Policy Editor**
1. On the test computer, press the Windows key, type **gpedit**, and then select **Edit group policy (Control panel)**.
2. Go to **User Configuration** or **Computer Configuration** &gt; **Administrative Templates** &gt;**Start Menu and Taskbar**.
![start screen layout policy settings](images/starttemplate.jpg)
3. Right-click **Start Layout** in the right pane, and click **Edit**.
This opens the **Start Layout** policy settings.
![policy settings for start screen layout](images/startlayoutpolicy.jpg)
4. Enter the following settings, and then click **OK**:
1. Select **Enabled**.
2. Under **Options**, specify the path to the .xml file that contains the Start and taskbar layout. For example, type **C:\\Users\\Test01\\StartScreenMarketing.xml**.
3. Optionally, enter a comment to identify the Start and taskbar layout.
>[!IMPORTANT]  
>If you disable Start Layout policy settings that have been in effect and then re-enable the policy, users will not be able to make changes to Start, however the layout in the .xml file will not be reapplied unless the file has been updated. In Windows PowerShell, you can update the timestamp on a file by running the following command:
>`(ls <path>).LastWriteTime = Get-Date`
 
## <a href="" id="bkmk-updatestartscreenlayout"></a>Update a customized Start layout
After you use Group Policy to apply a customized Start and taskbar layout on a computer or in a domain, you can update the layout simply by replacing the .xml file that is specified in the Start Layout policy settings with a file with a newer timestamp.
## Related topics
[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
[Customize and export Start layout](customize-and-export-start-layout.md)
[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
 
 

152
windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md
View File

@ -1,152 +0,0 @@
---
title: Customize Windows 10 Start with mobile device management (MDM) (Windows 10)
description: In Windows 10 Enterprise and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start layout to users.
ms.assetid: F487850D-8950-41FB-9B06-64240127C1E4
keywords: ["start screen", "start menu"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: medium
---
# Customize Windows 10 Start with mobile device management (MDM)
**Applies to**
- Windows 10
- Windows 10 Mobile
**Looking for consumer information?**
- [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
In Windows 10 Mobile, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start layout to users. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
> **Note:** Customized taskbar configuration cannot be applied using MDM at this time.
**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](start-layout-xml-mobile.md) for mobile.
**Warning**  
When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups.
 
## <a href="" id="bkmk-howstartscreencontrolworks"></a>How Start layout control works
Two features enable Start layout control:
- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
**Note**  
To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet.
 
- In MDM, you set the path to the .xml file that defines the Start layout using an OMA-URI setting, which is based on the [Policy configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=623244).
## <a href="" id="bkmk-domaingpodeployment"></a>Create a policy for your customized Start layout
This example uses Microsoft Intune to configure an MDM policy that applies a customized Start layout. See the documentation for your MDM solution for help in applying the policy.
1. In the Start layout file created when you ran **Export-StartLayout**, replace markup characters with escape characters, and save the file. (You can replace the characters manually or use an online tool.)
Example of a layout file produced by Export-StartLayout:
<span codelanguage="XML"></span>
<table>
<colgroup>
<col width="100%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">XML</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><pre><code>&lt;LayoutModificationTemplate Version=&quot;1&quot; xmlns=&quot;http://schemas.microsoft.com/Start/2014/LayoutModification&quot;&gt;
&lt;DefaultLayoutOverride&gt;
&lt;StartLayoutCollection&gt;
&lt;defaultlayout:StartLayout GroupCellWidth=&quot;6&quot; xmlns:defaultlayout=&quot;http://schemas.microsoft.com/Start/2014/FullDefaultLayout&quot;&gt;
&lt;start:Group Name=&quot;Life at a glance&quot; xmlns:start=&quot;http://schemas.microsoft.com/Start/2014/StartLayout&quot;&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;0&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;2&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.BingWeather_8wekyb3d8bbwe!App&quot; /&gt;
&lt;/start:Group&gt;
&lt;/defaultlayout:StartLayout&gt;
&lt;/StartLayoutCollection&gt;
&lt;/DefaultLayoutOverride&gt;
&lt;/LayoutModificationTemplate&gt;</code></pre></td>
</tr>
</tbody>
</table>
Example of the same layout file with escape characters replacing the markup characters:
```
&amp;lt;wdcml:p xmlns:wdcml=&amp;quot;http://microsoft.com/wdcml&amp;quot;&amp;gt;Example of a layout file produced by Export-StartLayout:&amp;lt;/wdcml:p&amp;gt;&amp;lt;wdcml:snippet xmlns:wdcml=&amp;quot;http://microsoft.com/wdcml&amp;quot;&amp;gt;&amp;lt;![CDATA[&amp;lt;LayoutModificationTemplate Version=&amp;quot;1&amp;quot; xmlns=&amp;quot;http://schemas.microsoft.com/Start/2014/LayoutModification&amp;quot;&amp;gt;
&amp;lt;DefaultLayoutOverride&amp;gt;
&amp;lt;StartLayoutCollection&amp;gt;
&amp;lt;defaultlayout:StartLayout GroupCellWidth=&amp;quot;6&amp;quot; xmlns:defaultlayout=&amp;quot;http://schemas.microsoft.com/Start/2014/FullDefaultLayout&amp;quot;&amp;gt;
&amp;lt;start:Group Name=&amp;quot;Life at a glance&amp;quot; xmlns:start=&amp;quot;http://schemas.microsoft.com/Start/2014/StartLayout&amp;quot;&amp;gt;
&amp;lt;start:Tile Size=&amp;quot;2x2&amp;quot; Column=&amp;quot;0&amp;quot; Row=&amp;quot;0&amp;quot; AppUserModelID=&amp;quot;Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge&amp;quot; /&amp;gt;
&amp;lt;start:Tile Size=&amp;quot;2x2&amp;quot; Column=&amp;quot;4&amp;quot; Row=&amp;quot;0&amp;quot; AppUserModelID=&amp;quot;Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI&amp;quot; /&amp;gt;
&amp;lt;start:Tile Size=&amp;quot;2x2&amp;quot; Column=&amp;quot;2&amp;quot; Row=&amp;quot;0&amp;quot; AppUserModelID=&amp;quot;Microsoft.BingWeather_8wekyb3d8bbwe!App&amp;quot; /&amp;gt;
&amp;lt;/start:Group&amp;gt;
&amp;lt;/defaultlayout:StartLayout&amp;gt;
&amp;lt;/StartLayoutCollection&amp;gt;
&amp;lt;/DefaultLayoutOverride&amp;gt;
&amp;lt;/LayoutModificationTemplate&amp;gt;]]&amp;gt;&amp;lt;/wdcml:snippet&amp;gt;
```
2. In the Microsoft Intune administration console, click **Policy** &gt; **Add Policy**.
3. Under **Windows**, choose a **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy.
4. Enter a name (mandatory) and description (optional) for the policy.
5. In the **OMA-URI Settings** section, click **Add.**
6. In **Add or Edit OMA-URI Setting**, enter the following information.
| Item | Information |
|----|----|
| **Setting name** | Enter a unique name for the OMA-URI setting to help you identify it in the list of settings. |
| **Setting description** | Provide a description that gives an overview of the setting and other relevant information to help you locate it. |
| **Data type** | **String** |
| **OMA-URI (case sensitive)** | **./User/Vendor/MSFT/Policy/Config/Start/StartLayout** |
| **Value** | Paste the contents of the Start layout .xml file that you created. |
 
7. Click **OK** to save the setting and return to the **Create Policy** page.
8. Click **Save Policy**.
## Related topics
[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
[Customize and export Start layout](customize-and-export-start-layout.md)
[Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
[Use Windows 10 custom policies to manage device settings with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkID=616316)
 
 

122
windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
View File

@ -1,122 +0,0 @@
---
title: Customize Windows 10 Start with ICD and provisioning packages (Windows 10)
description: In Windows 10, you can use a provisioning package to deploy a customized Start layout to users.
ms.assetid: AC952899-86A0-42FC-9E3C-C25F45B1ACAC
keywords: ["Start layout", "start menu"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: medium
---
# Customize Windows 10 Start and taskbar with ICD and provisioning packages
**Applies to**
- Windows 10
- Windows 10 Mobile
**Looking for consumer information?**
- [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
In Windows 10 Mobile, Windows 10 Enterprise, and Windows 10 Education, version 1607, you can use a provisioning package that you create with Windows Imaging and Configuration Designer (ICD) tool to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead.
>[!IMPORTANT]
>If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy.
**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](start-layout-xml-mobile.md) for mobile.
## <a href="" id="bkmk-howstartscreencontrolworks"></a>How Start layout control works
Three features enable Start and taskbar layout control:
- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
**Note**  
To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet.
- [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `<CustomTaskbarLayoutCollection>` or create an .xml file just for the taskbar configuration.
- In ICD, you use the **Start/StartLayout** setting to set the path to the .xml file that defines the Start and taskbar layout.
## <a href="" id="bkmk-domaingpodeployment"></a>Create a provisioning package that contains a customized Start layout
Use the [Imaging and Configuration Designer (ICD) tool](https://go.microsoft.com/fwlink/p/?LinkID=525483) included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that applies a customized Start and taskbar layout. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
>[!IMPORTANT]
>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
1. Open ICD (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
2. Choose **Advanced provisioning**.
3. Name your project, and click **Next**.
4. Choose **All Windows desktop editions** and click **Next**.
5. On **New project**, click **Finish**. The workspace for your package opens.
6. Expand **Runtime settings** &gt; **Start**, and click **StartLayout**.
>[!TIP]
>If **Start** is not listed, check the type of settings you selected in step 4. You must create the project using settings for **All Windows desktop editions**.
7. Specify the path and file name of the Start layout .xml that you created with the [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet.
8. On the **File** menu, select **Save.**
9. On the **Export** menu, select **Provisioning package**.
10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location.
Optionally, you can click **Browse** to change the default output location.
13. Click **Next**.
14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
16. Copy the provisioning package to the target device.
17. Double-click the ppkg file and allow it to install.
## Related topics
[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
[Customize and export Start layout](customize-and-export-start-layout.md)
[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
 
 

4
windows/manage/disconnect-your-organization-from-microsoft.md
View File

@ -1,4 +0,0 @@
---
title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10)
redirect_url: https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services
---

14
windows/manage/group-policies-for-enterprise-and-education-editions.md
View File

@ -18,17 +18,17 @@ In Windows 10, version 1607, the following Group Policy settings apply only to W
| Policy name | Policy path | Comments |
| --- | --- | --- |
| **Configure Spotlight on lock screen** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md). Note that an additional **Cloud Content** policy, **Do not suggest third-party content in Windows spotlight**, does apply to Windows 10 Pro. |
| **Turn off all Windows Spotlight features** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) |
| **Turn off Microsoft consumer features** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) |
| **Do not display the lock screen** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) |
| **Configure Spotlight on lock screen** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](../configure/windows-spotlight.md). Note that an additional **Cloud Content** policy, **Do not suggest third-party content in Windows spotlight**, does apply to Windows 10 Pro. |
| **Turn off all Windows Spotlight features** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](../configure/windows-spotlight.md) |
| **Turn off Microsoft consumer features** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](../configure/windows-spotlight.md) |
| **Do not display the lock screen** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](../configure/windows-spotlight.md) |
| **Do not require CTRL+ALT+DEL** </br>combined with</br>**Turn off app notifications on the lock screen** | Computer Configuration > Administrative Templates > System > Logon </br>and</br>Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon | When both of these policy settings are enabled, the combination will also disable lock screen apps ([assigned access](set-up-a-device-for-anyone-to-use.md)) on Windows 10 Enterprise and Windows 10 Education only. These policy settings can be applied to Windows 10 Pro, but lock screen apps will not be disabled on Windows 10 Pro. </br></br>**Important:** The description for **Interactive logon: Do not require CTRL+ALT+DEL** in the Group Policy Editor incorrectly states that it only applies to Windows 10 Enterprise and Education. The description will be corrected in a future release.|
| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md |
| **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) |
| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](../configure/windows-spotlight.md |
| **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](../configure/windows-spotlight.md) |
| **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) |
| **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application<br><br>User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/kb/3135657). |
| **Only display the private store within the Windows Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app<br><br>User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app | For more info, see [Manage access to private store](manage-access-to-private-store.md) |
| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](cortana-at-work-overview.md) |
| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](../configure/cortana-at-work-overview.md) |

104
windows/manage/guidelines-for-assigned-access-app.md
View File

@ -1,104 +0,0 @@
---
title: Guidelines for choosing an app for assigned access (Windows 10)
description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app.
ms.assetid: F1F4FF19-188C-4CDC-AABA-977639C53CA8
keywords: ["kiosk", "lockdown", "assigned access"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# Guidelines for choosing an app for assigned access (kiosk mode)
**Applies to**
- Windows 10
You can use assigned access to restrict customers at your business to using only one Windows app so your device acts like a kiosk. Administrators can use assigned access to restrict a selected user account to access a single Windows app. You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience.
The following guidelines may help you choose an appropriate Windows app for your assigned access experience in Windows 10, Version 1607.
## General guidelines
- Windows apps must be provisioned or installed for the assigned access account before they can be selected as the assigned access app. [Learn how to provision and install apps](https://msdn.microsoft.com/library/windows/hardware/mt228170.aspx#install_your_apps).
- Updating a Windows app can sometimes change the Application User Model ID (AUMID) of the app. If this happens, you must update the assigned access settings to launch the updated app, because assigned access uses the AUMID to determine which app to launch.
## Guidelines for Windows apps that launch other apps
Some Windows apps can launch other apps. Assigned access prevents Windows apps from launching other apps.
Avoid selecting Windows apps that are designed to launch other apps as part of their core functionality.
## Guidelines for web browsers
Microsoft Edge and any third-party web browsers that can be set as a default browser have special permissions beyond that of most Windows apps.
If you use a web browser as your assigned access app, consider the following tips:
- You can download browsers that are optimized to be used as a kiosk from the Microsoft Store.
- You can use Group Policy to block access to the file system (network shares, local drives, and local folders) from Internet Explorers web address bar.
- You can create your own web browser Windows app by using the WebView class. Learn more about developing your own web browser app:
- [Creating your own browser with HTML and JavaScript](https://blogs.windows.com/msedgedev/2015/08/27/creating-your-own-browser-with-html-and-javascript/)
- [WebView class](https://msdn.microsoft.com/library/windows/apps/windows.ui.xaml.controls.webview.aspx)
- [A web browser built with JavaScript as a Windows app](https://github.com/MicrosoftEdge/JSBrowser/tree/v1.0)
**To block access to the file system from Internet Explorer's web address bar**
1. On the Start screen, type the following:
`gpedit.msc`
2. Press **Enter** or click the gpedit icon to launch the group policy editor.
3. In the group policy editor, navigate to **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar**.
4. Select **Remove Run menu from Start Menu**, select **Disabled**, and click **Apply**. Disabling this policy prevents users from entering the following into the Internet Explorer Address Bar:
- A UNC path (\\\\*server*\\\\*share*)
- A local drive (C:\\)
- A local folder (\temp)
## Secure your information
Avoid selecting Windows apps that may expose the information you dont want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting this type of apps if they provide unnecessary data access.
## App configuration
Some apps may require additional configurations before they can be used appropriately in assigned access . For example, Microsoft OneNote requires you to set up a Microsoft account for the assigned access user account before OneNote will open in assigned access.
Check the guidelines published by your selected app and do the setup accordingly.
## Develop your kiosk app
Assigned access in Windows 10 leverages the new lock framework. When an assigned access user signs in, the selected kiosk app is launched above lock . The kiosk app is actually running as an above lock screen app.
Follow the [best practices guidance for developing a kiosk app for assigned access](https://msdn.microsoft.com/library/windows/hardware/mt633799%28v=vs.85%29.aspx).
## Test your assigned access experience
The above guidelines may help you select or develop an appropriate Windows app for your assigned access experience. Once you have selected your app, we recommend that you thoroughly test the assigned access experience to ensure that your device provides a good customer experience.
 ## Learn more
[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)
## Related topics
[Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
[Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md)
[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
[Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
[Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md)
 
 

238
windows/manage/how-it-pros-can-use-configuration-service-providers.md
View File

@ -1,238 +0,0 @@
---
title: Introduction to configuration service providers (CSPs) for IT pros (Windows 10)
description: Configuration service providers (CSPs) expose device configuration settings in Windows 10.
ms.assetid: 25C1FDCA-0E10-42A1-A368-984FFDB2B7B6
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: medium
---
# Introduction to configuration service providers (CSPs) for IT pros
**Applies to**
- Windows 10
- Windows 10 Mobile
Configuration service providers (CSPs) expose device configuration settings in Windows 10. This topic is written for people who have no experience with CSPs.
The CSPs are documented on the [Hardware Dev Center](https://go.microsoft.com/fwlink/p/?LinkId=717390) because CSPs are used by mobile device management (MDM) service providers. This topic explains how IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 and Windows 10 Mobile in their organizations.
**Note**  
The explanation of CSPs and CSP documentation also apply to Windows Mobile 5, Windows Mobile 6, Windows Phone 7, and Windows Phone 8, but links to current CSPs are for Windows 10 and Windows 10 Mobile.
 [See what's new for CSPs in Windows 10, version 1607.](https://msdn.microsoft.com/library/windows/hardware/mt299056.aspx#whatsnew_1607)
## What is a CSP?
A CSP is an interface in the client operating system between configuration settings specified in a provisioning document and configuration settings on the device. Their function is similar to that of Group Policy client-side extensions in that they provide an interface to read, set, modify, or delete configuration settings for a given feature. Typically, these settings map to registry keys, files or permissions. Some of these settings are configurable and some are read-only.
Starting in Windows Mobile 5.0, CSPs were used to manage Windows mobile devices. In the Windows 10 platform, the management approach for both desktop and mobile devices converges, taking advantage of the same CSPs to configure and manage all devices running Windows 10.
Each CSP provides access to specific settings. For example, the [Wi-Fi CSP](https://go.microsoft.com/fwlink/p/?LinkId=717438) contains the settings to create a Wi-Fi profile.
CSPs are behind many of the management tasks and policies for Windows 10 in Microsoft Intune and non-Microsoft MDM service providers. For example, in Intune, the policy to allow search suggestions in the Microsoft Edge address bar uses **Browser/AllowSearchSuggestionsinAddressBar** in the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244).
![how intune maps to csp](images/policytocsp.png)
CSPs receive configuration policies in the XML-based SyncML format pushed to it from an MDM-compliant management server such as Microsoft Intune. Traditional enterprise management systems, such as System Center Configuration Manager, can also target CSPs by using a client-side WMI-to-CSP bridge.
### Synchronization Markup Language (SyncML)
The Open Mobile Alliance Device Management (OMA-DM) protocol uses the XML-based Synchronization Markup Language (SyncML) for data exchange between compliant servers and clients. SyncML offers an open standard to use as an alternative to vendor-specific management solutions (such as WMI). The value for enterprises adopting industry standard management protocols is that it allows the management of a broader set of vendor devices using a single platform (such as Microsoft Intune). Device policies, including VPN connection profiles, are delivered to client devices formatted as in SyncML. The target CSP reads this information and applies the necessary configurations.
### The WMI-to-CSP Bridge
The WMI-to-CSP Bridge is a component allowing configuration of Windows 10 CSPs via scripts and traditional enterprise management software such as Configuration Manager using Windows Management Instrumentation (WMI). The bridge is responsible for reading WMI commands and through a component called the common device configurator pass them to a CSP for application on the device.
[Learn how to use the WMI Bridge Provider with PowerShell.](https://go.microsoft.com/fwlink/p/?LinkId=761090)
## Why should you learn about CSPs?
Generally, enterprises rely on Group Policy or MDM to configure and manage devices. For devices running Windows, MDM services use CSPs to configure your devices.
In addition, you may have unmanaged devices, or a large number of devices that you want to configure before enrolling them in management, or you want to apply custom settings that aren't available through your MDM service. The [CSP documentation](#bkmk-csp-doc) can help you understand the settings that can be configured or queried.
In addition, some of the topics in the [Windows 10 and Windows 10 Mobile](../index.md) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) which links to the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244). In the CSP topics, you can learn about all of the available configuration settings.
### CSPs in Windows Imaging and Configuration Designer (ICD)
You can use Windows Imaging and Configuration Designer (ICD) to create [provisioning packages](https://go.microsoft.com/fwlink/p/?LinkId=717466) to apply settings to devices during the out-of-box-experience (OOBE) and after devices are set up. You can use provisioning packages to configure a device's connectivity and enroll the device in MDM. Many of the runtime settings in Windows ICD are based on CSPs.
Many settings in Windows ICD will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image.
![how help content appears in icd](images/cspinicd.png)
[Configure devices without MDM](configure-devices-without-mdm.md) explains how to use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package.
### CSPs in MDM
Most, if not all, CSPs are surfaced through your MDM service. If you see a CSP that provides a capability that you want to make use of and cannot find that capability in your MDM service, contact your MDM provider for assistance. It might simply be named differently than you expected. You can see the CSPs supported by MDM in the [Configuration service provider reference](https://go.microsoft.com/fwlink/p/?LinkId=717390).
When a CSP is available but is not explicitly included in your MDM solution, you may be able to make use of the CSP by using OMA-URI settings. In Intune, for example, you can use [custom policy settings](https://go.microsoft.com/fwlink/p/?LinkID=616316) to deploy settings. Intune documents [a partial list of settings](https://go.microsoft.com/fwlink/p/?LinkID=616317) that you can enter in the **OMA-URI Settings** section of a custom policy, if your MDM service provides that extension. You'll notice that the list doesn't explain the meanings of the allowed and default values, so use the [CSP reference documentation](https://go.microsoft.com/fwlink/p/?LinkId=717390) to locate that information.
### CSPs in Lockdown XML
Lockdown XML can be used to configure devices running Windows 10 Mobile. You can manually author a [Lockdown XML file](lockdown-xml.md) to make use of the configuration settings available through the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601).
## <a href="" id="bkmk-csp-doc"></a>How do you use the CSP documentation?
All CSPs in Windows 10 are documented in the [Configuration service provider reference](https://go.microsoft.com/fwlink/p/?LinkId=717390).
The [main CSP topic](https://go.microsoft.com/fwlink/p/?LinkId=717390) tells you which CSPs are supported on each edition of Windows 10, and links to the documentation for each individual CSP.
![csp per windows edition](images/csptable.png)
The documentation for each CSP follows the same structure. After an introduction that explains the purpose of the CSP, a diagram shows the parts of the CSP in tree format.
The full path to a specific configuration setting is represented by its Open Mobile Alliance - Uniform Resource Identifier (OMA-URI). The URI is relative to the devices root node (MSFT, for example). Features supported by a particular CSP can be set by addressing the complete OMA-URI path.
The following example shows the diagram for the [AssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=626608). The diagram maps to the XML for that CSP. Notice the different shapes in the diagram: rounded elements are nodes and rectangular elements are settings or policies for which a value must be supplied.
![assigned access csp tree](images/provisioning-csp-assignedaccess.png)
The element in the tree diagram after the root node tells you the name of the CSP. Knowing this structure, you would recognize in XML the parts of the URI path for that CSP and, if you saw it in XML, you would know which CSP reference to look up. For example, in the following OMS-URI path for the kiosk mode app settings, you can see it uses the [AssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=626608).
```XML
./Vendor/MSFT/AssignedAccess/KioskModeApp
```
When an element in the diagram uses italic font, it indicates a placeholder for specific information, such as the tenant ID in the following example.
![placeholder in csp tree](images/csp-placeholder.png)
After the diagram, the documentation describes each element. For each policy or setting, the valid values are listed.
For example, in the [AssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=626608), the setting is **KioskModeApp**. The documentation tells you that the value for **KioskModeApp** is a JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app.
The documentation for most CSPs will also include an XML example.
## CSP examples
CSPs provide access to a number of settings useful to enterprises. This section introduces two CSPs that an enterprise might find particularly useful.
- [EnterpriseAssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=618601)
The EnterpriseAssignedAccess configuration service provider allows IT administrators to configure settings on a Windows 10 Mobile device. An enterprise can make use of this CSP to create single-use or limited-use mobile devices, such as a handheld device that only runs a price-checking app.
In addition to lockscreen wallpaper, theme, time zone, and language, the EnterpriseAssignedAccess CSP includes AssignedAccessXml which can be used to lock down the device through the following settings:
- Enabling or disabling the Action Center.
- Configuring the number of tile columns in the Start layout.
- Restricting the apps that will be available on the device.
- Restricting the settings that the user can access.
- Restricting the hardware buttons that will be operable.
- Restricting access to the context menu.
- Enabling or disabling tile manipulation.
- Creating role-specific configurations.
- [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244)
The Policy configuration service provider enables the enterprise to configure policies on Windows 10 and Windows 10 Mobile. Some of these policy settings can also be applied using Group Policy, and the CSP documentation lists the equivalent Group Policy settings.
Some of the settings available in the Policy CSP include the following:
- **Accounts**, such as whether a non-Microsoft account can be added to the device
- **Application management**, such as whether only Windows Store apps are allowed
- **Bluetooth**, such as the services allowed to use it
- **Browser**, such as restricting InPrivate browsing
- **Connectivity**, such as whether the device can be connected to a computer by USB
- **Defender** (for desktop only), such as day and time to scan
- **Device lock**, such as the type of PIN or password required to unlock the device
- **Experience**, such as allowing Cortana
- **Security**, such as whether provisioning packages are allowed
- **Settings**, such as allowing the user to change VPN settings
- **Start**, such as applying a standard Start layout
- **System**, such as allowing the user to reset the device
- **Text input**, such as allowing the device to send anonymized user text input data samples to Microsoft
- **Update**, such as specifying whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store
- **WiFi**, such as whether to enable Internet sharing
Here is a list of CSPs supported on Windows 10 Enterprise, Windows 10 Mobile Enterprise, or both:
- [ActiveSync CSP](https://go.microsoft.com/fwlink/p/?LinkId=723219)
- [Application CSP](https://go.microsoft.com/fwlink/p/?LinkId=723220)
- [AppLocker CSP](https://go.microsoft.com/fwlink/p/?LinkID=626609)
- [AssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=626608)
- [Bootstrap CSP](https://go.microsoft.com/fwlink/p/?LinkId=723224)
- [BrowserFavorite CSP](https://go.microsoft.com/fwlink/p/?LinkId=723428)
- [CellularSettings CSP](https://go.microsoft.com/fwlink/p/?LinkId=723427)
- [CertificateStore CSP](https://go.microsoft.com/fwlink/p/?LinkId=723225)
- [ClientCertificateInstall CSP](https://go.microsoft.com/fwlink/p/?LinkId=723226)
- [CM\_CellularEntries CSP](https://go.microsoft.com/fwlink/p/?LinkId=723426)
- [CM\_ProxyEntries CSP](https://go.microsoft.com/fwlink/p/?LinkId=723425)
- [CMPolicy CSP](https://go.microsoft.com/fwlink/p/?LinkId=723424)
- [Defender CSP](https://go.microsoft.com/fwlink/p/?LinkId=723227)
- [DevDetail CSP](https://go.microsoft.com/fwlink/p/?LinkId=723228)
- [DeviceInstanceService CSP](https://go.microsoft.com/fwlink/p/?LinkId=723275)
- [DeviceLock CSP](https://go.microsoft.com/fwlink/p/?LinkId=723370)
- [DeviceStatus CSP](https://go.microsoft.com/fwlink/p/?LinkId=723229)
- [DevInfo CSP](https://go.microsoft.com/fwlink/p/?LinkId=723230)
- [DiagnosticLog CSP](https://go.microsoft.com/fwlink/p/?LinkId=723231)
- [DMAcc CSP](https://go.microsoft.com/fwlink/p/?LinkId=723232)
- [DMClient CSP](https://go.microsoft.com/fwlink/p/?LinkId=723233)
- [Email2 CSP](https://go.microsoft.com/fwlink/p/?LinkId=723234)
- [EnterpriseAPN CSP](https://go.microsoft.com/fwlink/p/?LinkId=723235)
- [EnterpriseAppManagement CSP](https://go.microsoft.com/fwlink/p/?LinkId=723237)
- [EnterpriseAssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=618601)
- [EnterpriseDesktopAppManagement CSP](https://go.microsoft.com/fwlink/p/?LinkId=723236)
- [EnterpriseExt CSP](https://go.microsoft.com/fwlink/p/?LinkId=723423)
- [EnterpriseExtFileSystem CSP](https://go.microsoft.com/fwlink/p/?LinkID=703716)
- [EnterpriseModernAppManagement CSP](https://go.microsoft.com/fwlink/p/?LinkId=723257)
- [FileSystem CSP](https://go.microsoft.com/fwlink/p/?LinkId=723422)
- [HealthAttestation CSP](https://go.microsoft.com/fwlink/p/?LinkId=723258)
- [HotSpot CSP](https://go.microsoft.com/fwlink/p/?LinkId=723421)
- [Maps CSP](https://go.microsoft.com/fwlink/p/?LinkId=723420)
- [NAP CSP](https://go.microsoft.com/fwlink/p/?LinkId=723419)
- [NAPDEF CSP](https://go.microsoft.com/fwlink/p/?LinkId=723371)
- [NodeCache CSP]( https://go.microsoft.com/fwlink/p/?LinkId=723265)
- [PassportForWork CSP](https://go.microsoft.com/fwlink/p/?LinkID=692070)
- [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244)
- [PolicyManager CSP]( https://go.microsoft.com/fwlink/p/?LinkId=723418)
- [Provisioning CSP](https://go.microsoft.com/fwlink/p/?LinkId=723266)
- [Proxy CSP]( https://go.microsoft.com/fwlink/p/?LinkId=723372)
- [PXLOGICAL CSP](https://go.microsoft.com/fwlink/p/?LinkId=723374)
- [Registry CSP](https://go.microsoft.com/fwlink/p/?LinkId=723417)
- [RemoteFind CSP](https://go.microsoft.com/fwlink/p/?LinkId=723267)
- [RemoteWipe CSP](https://go.microsoft.com/fwlink/p/?LinkID=703714)
- [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkId=723375)
- [RootCATrustedCertificates CSP](https://go.microsoft.com/fwlink/p/?LinkId=723270)
- [SecurityPolicy CSP](https://go.microsoft.com/fwlink/p/?LinkId=723376)
- [Storage CSP](https://go.microsoft.com/fwlink/p/?LinkId=723377)
- [SUPL CSP](https://go.microsoft.com/fwlink/p/?LinkId=723378)
- [UnifiedWriteFilter CSP](https://go.microsoft.com/fwlink/p/?LinkId=723272)
- [Update CSP](https://go.microsoft.com/fwlink/p/?LinkId=723271)
- [VPN CSP](https://go.microsoft.com/fwlink/p/?LinkId=723416)
- [VPNv2 CSP](https://go.microsoft.com/fwlink/p/?LinkID=617588)
- [Wi-Fi CSP](https://go.microsoft.com/fwlink/p/?LinkID=71743)
- [WindowsLicensing CSP](https://go.microsoft.com/fwlink/p/?LinkId=723274)
- [WindowsSecurityAuditing CSP](https://go.microsoft.com/fwlink/p/?LinkId=723415)
## Related topics
[What's new in MDM enrollment and management in Windows 10, version 1607](https://msdn.microsoft.com/library/windows/hardware/mt299056.aspx#whatsnew_1607)
[Lock down Windows 10](lock-down-windows-10.md)
[Manage corporate devices](manage-corporate-devices.md)
[New policies for Windows 10](new-policies-for-windows-10.md)
[Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)
[Changes to Group Policy settings for Start in Windows 10](changes-to-start-policies-in-windows-10.md)
 
 

90
windows/manage/index.md
View File

@ -1,5 +1,5 @@
---
title: Manage and update Windows 10 (Windows 10)
title: Manage Windows 10 (Windows 10)
description: Learn about managing and updating Windows 10.
ms.assetid: E5716355-02AB-4B75-A962-14B1A7F7BDA0
keywords: Windows 10, MDM, WSUS, Windows update
@ -11,77 +11,37 @@ localizationpriority: high
author: jdeckerMS
---
# Manage and update Windows 10
# Manage Windows 10
Learn about managing and updating Windows 10.
Learn about managing Windows 10.
>[!NOTE]
>Information for Windows 10 Enterprise also applies to Windows 10 IoT Enterprise, and information for Windows 10 Mobile Enterprise also applies to Windows 10 IoT Mobile. For information about managing devices running Windows 10 IoT Core, see [Windows 10 IoT Core Commercialization](https://www.windowsforiotdevices.com/).
## In this section
<table>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="even">
<td align="left"><p>[Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)</p></td>
<td align="left"><p>Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md)</p></td>
<td align="left"><p>The worlds first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments.</p></td></tr>
<tr><td>[Update Windows 10 in the enterprise](waas-update-windows-10.md) </td><td>Learn how to manage updates to Windows 10 in your organization, including Update Compliance, and Windows Update for Business. </td></tr>
<tr><td align="left"><p>[Manage corporate devices](manage-corporate-devices.md)</p></td>
<td align="left"><p>You can use the same management tools to manage all device types running Windows 10: desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Windows Spotlight on the lock screen](windows-spotlight.md)</p></td>
<td align="left"><p>Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)</p></td>
<td align="left"><p>Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Enterprise or Windows 10 Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes.</p></td>
</tr>
<tr><td><p>[Create mandatory user profiles](mandatory-user-profile.md)</p></td><td><p>Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings.</p></td></tr>
<tr class="odd">
<td align="left"><p>[Lock down Windows 10](lock-down-windows-10.md)</p></td>
<td align="left"><p>Enterprises often need to manage how people use corporate devices. Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md)</p></td>
<td align="left"><p>Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE).</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Configure devices without MDM](configure-devices-without-mdm.md)</p></td>
<td align="left"><p>Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Application Virtualization for Windows (App-V)](appv-for-windows.md)</p></td>
<td align="left"><p>When you deploy Application Virtualization (App-V) in your orgnazation, you can deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Windows Store, and interact with them as if they were installed locally.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[User Experience Virtualization for Windows (UE-V)](uev-for-windows.md)</p></td>
<td align="left"><p>When you deploy User Experience Virtualization (UE-V) in your organization, you can synchronize users' personalized application and operating system settings across all the devices they work from. UE-V allows you to capture user-customized application and Windows settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Windows Store for Business](windows-store-for-business.md)</p></td>
<td align="left"><p>Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Windows Libraries](windows-libraries.md)</p></td>
<td align="left"><p>Libraries are virtual containers for users content. A library can contain files and folders stored on the local computer or in a remote storage location. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music).</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)</p></td>
<td align="left"><p>This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md).</p></td>
</tr>
</tbody>
</table>
| Topic | Description |
| --- | --- |
| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. |
| [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) | How to plan for and deploy Windows 10 Mobile devices. |
| [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md) | Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users. |
| [Windows Store for Business](windows-store-for-business.md) | Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization. |
| [Create mandatory user profiles](mandatory-user-profile.md) | Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. |
| [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) | How to use Remote Desktop Connection to connect to an Azure AD-joined PC. |
| [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) | Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE). |
| [New policies for Windows 10](new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10. |
| [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education. |
| [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md) | There are two methods for resetting a Windows 10 Mobile device: factory reset and "wipe and persist" reset. |
| [Application Virtualization (App-V) for Windows](appv-for-windows.md) | When you deploy Application Virtualization (App-V) in your orgnazation, you can deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Windows Store, and interact with them as if they were installed locally. |
| [User Experience Virtualization for Windows (UE-V)](uev-for-windows.md) | When you deploy User Experience Virtualization (UE-V) in your organization, you can synchronize users' personalized application and operating system settings across all the devices they work from. UE-V allows you to capture user-customized application and Windows settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. |
| [Change history for Manage Windows 10](change-history-for-manage-and-update-windows-10.md) | This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). |
 
## Related topics
[Windows 10 and Windows 10 Mobile](../index.md)

493
windows/manage/introduction-to-windows-10-servicing.md
View File

@ -1,493 +0,0 @@
---
title: Windows 10 servicing options for updates and upgrades (Windows 10)
description: This article describes the new servicing options available in Windows 10.
ms.assetid: D1DEB7C0-283F-4D7F-9A11-EE16CB242B42
keywords: update, LTSB, lifecycle, Windows update, upgrade
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security, servicing
author: jdeckerMS
redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/waas-update-windows-10
---
# Windows 10 servicing options
**Applies to**
- Windows 10
- Windows 10 IoT Core (IoT Core)
This article provides detailed information about new servicing options available in Windows 10 and IoT Core. It also provides information on how enterprises can make better use of Windows Update, and what the new servicing options mean for support lifecycles. Before reading this article, you should understand the new Windows 10 servicing model. For an overview of this servicing model, see: [Windows 10 servicing overview](../plan/windows-10-servicing-options.md).
For Windows 10 current version numbers by servicing option see: [Windows 10 release information](https://technet.microsoft.com/en-us/windows/mt679505.aspx).
 
## Key terminology
The following terms are used When discussing the new Windows 10 servicing model:
<table border="1" cellpadding="2">
<tr>
<td BGCOLOR="#a0e4fa">**Term**</td>
<td BGCOLOR="#a0e4fa">**Description**</td>
</tr>
<tr>
<td>Upgrade</td>
<td>A new Windows 10 release that contains additional features and capabilities, released two to three times per year.</td>
</tr>
<tr>
<td>Update</td>
<td>Packages of security fixes, reliability fixes, and other bug fixes that are released periodically, typically once a month on Update Tuesday (sometimes referred to as Patch Tuesday). With Windows 10, these are cumulative in nature.</td>
</tr>
<tr>
<td>Branch</td>
<td>The windows servicing branch is one of four choices: Windows Insider, Current Branch, Current Branch for Business, or Long-Term Servicing Branch. Branches are determined by the frequency with which the computer is configured to receive feature updates.</td>
</tr>
<tr>
<td>Ring</td>
<td>A ring is a groups of PCs that are all on the same branch and have the same update settings. Rings can be used internally by organizations to better control the upgrade rollout process.</td>
</tr>
</table>
## Windows 10 servicing
The following table provides an overview of the planning implications of the three Windows 10 servicing options so that IT administrators can be well-grounded conceptually before they start a Windows 10 deployment project.
Table 1. Windows 10 servicing options
| Servicing option | Availability of new feature upgrades for installation | Minimum length of servicing lifetime | Key benefits | Supported editions |
|-----------------------------------|-----------------------------------------------------------|--------------------------------------|-------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------|
| Current Branch (CB) | Immediately after first published by Microsoft | Approximately 4 months | Makes new features available to users as soon as possible | Home, Pro, Education, Enterprise, IoT Core, Windows 10 IoT Core Pro (IoT Core Pro) |
| Current Branch for Business (CBB) | Approximately 4 months after first published by Microsoft | Approximately 8 months | Provides additional time to test new feature upgrades before deployment | Pro, Education, Enterprise, IoT Core Pro |
| Long-Term Servicing Branch (LTSB) | Immediately after published by Microsoft | 10 Years | Enables long-term deployment of selected Windows 10 releases in low-change configurations | Enterprise LTSB |
 
## Streamlined product development and release cycles
**Product cycles and builds**
The Windows engineering team adds new features and functionality to Windows through *product cycles* comprised of development, testing, and release phases. Each day during a product cycle, the team compiles the source code for Windows and assembles the output into a *build* that users can install on their devices. The first recipients of builds are Microsoft employees who begin what Microsoft calls *selfhost* testing.
**Testing and release prior to Windows 10**
Prior to Windows 10, Microsoft issued and extensively tested many builds internally before selecting one for testing outside Microsoft. After repeating the external test cycle several times against builds of progressively better quality, the engineering team selected a build to enter the release phase. At the end of this phase, the team published the build as a new version of Windows an event referred to as the *Release to Manufacturing* (RTM) milestone. In total, product cycles took between one and three years to complete, with testing and release processes taking up as much as half of the total investment in time.
**A different approach for Windows 10**
In todays environment, where user expectations frequently are set by device-centric experiences, complete product cycles need to be measured in months, not years. Additionally, new releases must be made available on a continual basis, and must be deployable with minimal impact on users. Microsoft designed Windows 10 to meet these requirements by implementing a new approach to innovation development and delivery called *Windows as a Service* (WaaS).
The key to enabling significantly shorter product cycles while maintaining high quality levels is an innovative community-centric approach to testing that Microsoft has implemented for Windows 10. The community, known as Windows Insiders, is comprised of millions of users around the world. When Windows Insiders opt in to the community, they test many builds over the course of a product cycle, and provide feedback to Microsoft through an iterative methodology called *flighting*.
Builds distributed as *flights* provide the Windows engineering team with significant data regarding how well builds are performing in actual use. Flighting with Windows Insiders also enables Microsoft to test builds in much more diverse hardware, application, and networking environments than in the past, and to identify issues far more quickly. As a result, Microsoft believes that community-focused flighting will enable both a faster pace of innovation delivery, and better public release quality than ever.
**Windows 10 release types and cadences**
Although Microsoft releases flight builds to Windows Insiders, Microsoft will publish two types of Windows 10 releases broadly to the public on an ongoing basis:
- **Feature upgrades** that install the latest new features, experiences, and capabilities on devices that are already running Windows 10. Because feature upgrades contain an entire copy of Windows, they are also what customers use to install Windows 10 on existing devices running Windows 7 or Windows 8.1, and on new devices where no operating system is installed.
- **Servicing updates** that focus on the installation of security fixes and other important updates.
Microsoft expects to publish an average of two to three new feature upgrades per year, and to publish servicing updates as needed for any feature upgrades that are still in support. Microsoft will continue publishing servicing updates on Update Tuesday (sometimes referred to as Patch Tuesday). Additionally, Microsoft may publish additional servicing updates for Windows 10 outside the Update Tuesday process when required to address customer needs.
**The cumulative nature of all Windows 10 releases**
It is important to note that, in order to improve release quality and simplify deployments, all new releases that Microsoft publishes for Windows 10 will be *cumulative*. This means new feature upgrades and servicing updates will contain the *payloads* of all previous releases (in an optimized form to reduce storage and networking requirements), and installing the release on a device will bring it completely up to date. Also, unlike earlier versions of Windows, you cannot install a subset of the contents of a Windows 10 servicing update. For example, if a servicing update contains fixes for three security vulnerabilities and one reliability issue, deploying the update will result in the installation of all four fixes.
## New Windows 10 delivery and installation alternatives
As with earlier releases of Windows, Windows 10 includes support for the deployment of new releases using Windows Update, Windows Server Update Services, System Center Configuration Manager, and third-party configuration management tools. Because of the importance of the Windows as a Service (WaaS) approach to delivering innovations to businesses, and the proven ability of Windows Update to deploy releases quickly and seamlessly to consumers and small businesses, several of the largest investments in Windows 10 focus on enabling broader use of Windows Update within enterprises.
**Windows Update use by consumers and small businesses**
Since Microsoft introduced the first generation of Windows Update with Windows 95, Windows Update has evolved to become the standard way for consumers and small businesses to help keep devices running Windows secure and running reliably. Almost one billion Windows devices communicate with the Windows Update service on a regular basis. The process of downloading and installing updates has evolved to be less and less obtrusive to users. More recently, Microsoft also has used Windows Update to deliver larger, feature-centric updates, such as the upgrade from Windows 8 to Windows 8.1, and is using Windows Update to upgrade devices running Windows 7 and Windows 8.1 to Windows 10.
**Windows Update use within enterprises**
Although Windows Update greatly simplifies and accelerates update deployment, enterprises are not using Windows Update as broadly as consumers and small businesses. This is largely because Windows Update maintains control over which updates are installed and the timing of installation. This makes it difficult for IT administrators to test updates before deployment in their specific environment.
**The role of Windows Server Update Services**
To help address the concerns of IT administrators, Microsoft released Windows Server Update Services in 2005. Windows Server Update Services enables IT administrators to obtain the updates that Windows Update determines are applicable to the devices in their enterprise, perform additional testing and evaluation on the updates, and select the updates they want to install. Windows Server Update Services also provides IT administrators with an all or nothing way to specify when they want an approved update to be installed. Because IT administrators ultimately select and install most updates identified by Windows Update, the role of Windows Server Update Services in many enterprises is to provide IT administrators with the additional time they need to gain confidence in the quality of updates prior to deployment.
**New Windows Update capabilities in Windows 10**
To enable enterprises to manage more of their devices using Windows Update directly, Windows 10 provides IT administrators with a way to configure devices so that Windows Update will defer new feature upgrade installations until approximately four months after Microsoft first publishes them. The additional time can be used to perform testing or enable releases to gain additional time in market prior to deployment.
At the end of each approximately four month period, Microsoft executes a set of processes that require no action from enterprise IT administrators. First, Microsoft creates new installation media for the feature upgrade by combining the original installation media with all the servicing updates published by Microsoft since the original medias release. This reduces the time it can take to install a feature upgrade on a device. Second, Microsoft *republishes* the new media to Windows Update with *targeting* instructions that state (in effect) “install this media on devices that are configured for deferred installation of new feature upgrades.” At this point, devices configured to defer installation will begin receiving and installing the feature upgrade automatically.
**The role of Windows Update for Business**
Although Windows 10 will enable IT administrators to defer installation of new feature upgrades using Windows Update, enterprises may also want additional control over how and when Windows Update installs releases. With this need in mind, Microsoft [announced Windows Update for Business](https://go.microsoft.com/fwlink/p/?LinkId=624798) in May of 2015. Microsoft designed Windows Update for Business to provide IT administrators with additional Windows Update-centric management capabilities, such as the ability to deploy updates to groups of devices and to define maintenance windows for installing releases. This article will be updated with additional information about the role of Windows Update for Business in servicing Windows 10 devices as it becomes available.
## Windows 10 servicing branches
Historically, because of the length of time between releases of new Windows versions, and the relatively low number of enterprise devices that were upgraded to newer versions of Windows during their deployment lifetimes, most IT administrators defined servicing as installing the updates that Microsoft published every month. Looking forward, because Microsoft will be publishing new feature upgrades on a continual basis, *servicing* will also include (on some portion of an enterprise's devices) installing new feature upgrades as they become available.
In fact, when planning to deploy Windows 10 on a device, one of the most important questions for IT administrators to ask is, “What should happen to this device when Microsoft publishes a new feature upgrade?” This is because Microsoft designed Windows 10 to provide businesses with multiple servicing options, centered on enabling different rates of feature upgrade adoption. In particular, IT administrators can configure Windows 10 devices to:
- Receive feature upgrades immediately after Microsoft makes them available publicly, so that users gain access to new features, experiences, and functionality as soon as possible. For more information, see [Immediate feature upgrade installation with Current Branch (CB) servicing](#immediate-upgrade-cb).
- Defer receiving feature upgrades for a period of approximately four months after Microsoft makes them available publicly, to provide IT administrators with time to perform pre-deployment testing and provide feature upgrades releases with additional time-in-market to mature. For more information, see [Deferred feature upgrade installation with Current Branch for Business (CBB) servicing](#deferred-upgrade-cbb).
- Receive only servicing updates for the duration of their Windows 10 deployment in order to reduce the number of non-essential changes made to the device. For more information, see [Install servicing updates only by using Long-Term Servicing Branch (LTSB) servicing](#install-updates-ltsb).
The breakout of a companys devices by the categories above is likely to vary significantly by industry and other factors. What is most important is that companies can decide what works best for them and can choose different options for different devices.
## Current Branch versus Current Branch for Business
When the development of a new Windows 10 feature upgrade is complete, it is initially offered to Current Branch computers; those computers configured for Current Branch for Business will receive the feature upgrade (with additional fixes) at a later date, generally at least four months later. An additional deferral of at least eight months is available to organizations that use tools to control the update process. During this time, monthly security updates will continue to be made available to machines not yet upgraded.
The process to configure a PC for Current Branch for Business is simple. The **Defer upgrades** setting needs to be configured, either manually (through the Settings app), by using Group Policy, or by using mobile device management (MDM).
![figure 1](images/fig1-deferupgrades.png)
Figure 1. Configure the **Defer upgrades** setting
Most organizations today leverage Windows Server Update Services (WSUS) or System Center Configuration Manager to update their PCs. With Windows 10, this does not need to change; all updates are controlled through approvals or automatic deployment rules configured in those products, so new upgrades will not be deployed until the organization chooses. The **Defer upgrades** setting can function as an additional validation check, so that Current Branch for Business machines that are targeted with a new upgrade prior to the end of the initial four-month deferral period will decline to install it; they can install the upgrade any time within the eight-month window after that initial four-month deferral period.
For computers configured to receive updates from Windows Update directly, the **Defer upgrades** setting directly controls when the PC will be upgraded. Computers that are not configured to defer upgrades will be upgraded at the time of the initial Current Branch release; computers that are configured to defer upgrades will be upgraded four months later.
With Windows 10 it is now possible to manage updates for PCs and tablets that have a higher degree of mobility and are not joined to a domain. For these PCs, you can leverage mobile device management (MDM) services or Windows Update for Business to provide the same type of control provided today with WSUS or Configuration Manager.
For PCs enrolled in a mobile device management (MDM) service, Windows 10 provides new update approval mechanisms that could be leveraged to delay the installation of a new feature upgrade or any other update. Windows Update for Business will eventually provide these and other capabilities to manage upgrades and updates; more details on these capabilities will be provided when they are available later in 2015.
With the release of each Current Branch feature update, new ISO images will be made available. You can use these images to upgrade existing machines or to create new custom images. These feature upgrades will also be published with WSUS to enable simple deployment to devices already running Windows 10.
Unlike previous versions of Windows, the servicing lifetime of Current Branch or Current Branch for Business is finite. You must install new feature upgrades on machines running these branches in order to continue receiving monthly security updates. This requires new ways of thinking about software deployment. It is best to align your deployment schedule with the Current Branch release schedule:
- Begin your evaluation process with the Windows Insider Program releases.
- Perform initial pilot deployments by using the Current Branch.
- Expand to broad deployment after the Current Branch for Business is available.
- Complete deployments by using that release in advance of the availability of the next Current Branch.
![figure 2](images/fig2-deploymenttimeline.png)
Figure 2. Deployment timeline
Some organizations may require more than 12 months to deploy Windows 10 to all of their existing PCs. To address this, it may be necessary to deploy multiple Windows 10 releases, switching to these new releases during the deployment project. Notice how the timelines can overlap, with the evaluation of one release happening during the pilot and deployment of the previous release:
![figure 3](images/fig3-overlaprelease.png)
Figure 3. Overlapping releases
As a result of these overlapping timelines, organizations can choose which release to deploy. Note though that by continuing for longer with one release, that gives you less time to deploy the subsequent release (to both existing Windows 10 PCs as well as newly-migrated ones), so staying with one release for the full lifetime of that release can be detrimental overall.
## Long-Term Servicing Branch
For specialized devices, Windows 10 Enterprise Long Term Servicing Branch (LTSB) ISO images will be made available. These are expected to be on a variable schedule, less often than CB and CBB releases. Once released, these will be supported with security and reliability fixes for an extended period; no new features will be added over its servicing lifetime. Note that LTSB images will not contain most in-box Universal Windows Apps (for example, Microsoft Edge, Cortana, the Windows Store, the Mail and Calendar apps) because the apps or the services that they use will be frequently updated with new functionality and therefore cannot be supported on PCs running the LTSB OS.
These LTSB images can be used to upgrade existing machines or to create new custom images.
Note that Windows 10 Enterprise LTSB installations fully support the Universal Windows Platform, with the ability to run line-of-business apps created using the Windows SDK, Visual Studio, and related tools capable of creating Universal Windows apps. For apps from other ISVs (including those published in the Windows Store), contact the ISV to confirm if they will provide long-term support for their specific apps.
As mentioned previously, there are few, if any, scenarios where an organization would use the Long-Term Servicing Branch for every PC or even for a majority of them.
## Windows Insider Program
During the development of a new Windows 10 feature update, preview releases will be made available to Windows Insider Program participants. This enables those participants to try out new features, check application compatibility, and provide feedback during the development process.
To obtain Windows Insider Program builds, the Windows Insider Program participants must opt in through the Settings app, and specify their Microsoft account.
Occasionally (typically as features are made available to those in the Windows Insider Program “slow” ring), new ISO images will be released to enable deployment validation, testing, and image creation.
## Switching between branches
During the life of a particular PC, it may be necessary or desirable to switch between the available branches. Depending on the branch you are using, the exact mechanism for doing this can be different; some will be simple, others more involved.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">For a PC that uses…</th>
<th align="left">Changing to…</th>
<th align="left">You need to:</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">Windows Insider Program</td>
<td align="left">Current Branch</td>
<td align="left">Wait for the final Current Branch release.</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Current Branch for Business</td>
<td align="left">Not directly possible, because Windows Insider Program machines are automatically upgraded to the Current Branch release at the end of the development cycle.</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Long-Term Servicing Branch</td>
<td align="left">Not directly possible (requires wipe-and-load).</td>
</tr>
<tr class="even">
<td align="left">Current Branch</td>
<td align="left">Insider</td>
<td align="left">Use the Settings app to enroll the device in the Windows Insider Program.</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Current Branch for Business</td>
<td align="left">Select the <strong>Defer upgrade</strong> setting, or move the PC to a target group or flight that will not receive the next upgrade until it is business ready. Note that this change will not have any immediate impact; it only prevents the installation of the next Current Branch release.</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Long-Term Servicing Branch</td>
<td align="left">Not directly possible (requires wipe-and-load).</td>
</tr>
<tr class="odd">
<td align="left">Current Branch for Business</td>
<td align="left">Insider</td>
<td align="left">Use the Settings app to enroll the device in the Windows Insider Program.</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Current Branch</td>
<td align="left">Disable the <strong>Defer upgrade</strong> setting, or move the PC to a target group or flight that will receive the latest Current Branch release.</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Long-Term Servicing Branch</td>
<td align="left">Not directly possible (requires wipe-and-load).</td>
</tr>
<tr class="even">
<td align="left">Long-Term Servicing Branch</td>
<td align="left">Insider</td>
<td align="left">Use media to upgrade to the latest Windows Insider Program build.</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Current Branch</td>
<td align="left">Use media to upgrade to a later Current Branch build. (Note that the Current Branch build must be a later build.)</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Current Branch for Business</td>
<td align="left">Use media to upgrade to a later Current Branch for Business build (Current Branch build plus fixes). Note that it must be a later build.</td>
</tr>
</tbody>
</table>
## Plan for Windows 10 deployment
The remainder of this article focuses on the description of the three options outlined above, and their planning implications, in more detail. In practice, IT administrators have to focus on two areas when planning a Windows 10 device deployment:
- **When should new feature upgrades be deployed?** Should the device install new feature upgrades when they are published by Microsoft? If so, should installation occur immediately or on a deferred basis?
- **How will releases be installed on devices?** Will Windows Update or Windows Server Update Services be used to install new releases, or will installation be performed using a configuration management system such as
Configuration Manager?
The content that follows will provide IT administrators with the context needed to understand why these areas are pivotal, and the choices available to them.
**How Microsoft releases Windows 10 feature upgrades**
>Some figures in this article show multiple feature upgrades of Windows being released by Microsoft over time. Be aware that these figures were created with dates that were chosen for illustrative clarity, not for release roadmap accuracy, and should not be used for planning purposes.
When it is time to release a build as a new feature upgrade for Windows 10, Microsoft performs several processes in sequence. The first process involves creating either one or two servicing branches in a source code management system. These branches (shown in Figure 4) are required to produce feature upgrade installation media and servicing update packages that can be deployed on different Windows 10 editions, running in different configurations.
![figure 4](images/w10servicing-f1-branches.png)
Figure 4. Feature upgrades and servicing branches
In all cases, Microsoft creates a servicing branch (referred to in Figure 4 as Servicing Branch \#1) that is used to produce releases for approximately one year (although the lifetime of the branch will ultimately depend on when Microsoft publishes subsequent feature upgrade releases). If Microsoft has selected the feature upgrade to receive long-term servicing-only support, Microsoft also creates a second servicing branch (referred to in Figure 4 as Servicing Branch \#2) that is used to produce servicing update releases for up to 10 years.
As shown in Figure 5, when Microsoft publishes a new feature upgrade, Servicing Branch \#1 is used to produce the various forms of media needed by OEMs, businesses, and consumers to install Windows 10 Home, Pro, Education, and Enterprise editions. Microsoft also produces the files needed by Windows Update to distribute and install the feature upgrade, along with *targeting* information that instructs Windows Update to only install the files on devices configured for *immediate* installation of feature upgrades.
![figure 5](images/win10servicing-fig2-featureupgrade.png)
Figure 5. Producing feature upgrades from servicing branches
Approximately four months after publishing the feature upgrade, Microsoft uses Servicing Branch \#1 again to *republish* updated installation media for Windows 10 Pro, Education, and Enterprise editions. The updated media contains the exact same feature upgrade as contained in the original media except Microsoft also includes all the servicing updates that were published since the feature upgrade was first made available. This enables the feature upgrade to be installed on a device more quickly, and in a way that is potentially less obtrusive to users.
Concurrently, Microsoft also changes the way the feature upgrade is published in the Windows Update service. In particular, the files used by Windows Update to distribute and install the feature upgrade are refreshed with the updated versions, and the targeting instructions are changed so that the updated feature upgrade will now be installed on devices configured for *deferred* installation of feature upgrades.
**How Microsoft publishes the Windows 10 Enterprise LTSB Edition**
If Microsoft has selected the feature upgrade to receive long-term servicing support, Servicing Branch \#2 is used to publish the media needed to install the Windows 10 Enterprise LTSB edition. The time between releases of feature upgrades with long-term servicing support will vary between one and three years, and is strongly influenced by input from customers regarding the readiness of the release for long-term enterprise deployment. Figure 5 shows the Windows 10 Enterprise LTSB edition being published at the same time as the other Windows 10 editions, which mirrors the way editions were actually published for Windows 10 in July of 2015. It is important to note that this media is never published to Windows Update for deployment. Installations of the Enterprise LTSB edition on devices must be performed another way.
**How Microsoft releases Windows 10 servicing updates**
As shown in Figure 6, servicing branches are also used by Microsoft to produce servicing updates containing fixes for security vulnerabilities and other important issues. Servicing updates are published in a way that determines the Windows 10 editions on which they can be installed. For example, servicing updates produced from a given servicing branch can only be installed on devices running a Windows 10 edition produced from the same servicing branch. In addition, because Windows 10 Home does not support deferred installation of feature upgrades, servicing updates produced from Servicing Branch \#1 are targeted at devices running Windows 10 Home only until Microsoft publishes feature upgrades for deferred installation.
![figure 6](images/win10servicing-fig3.png)
Figure 6. Producing servicing updates from servicing branches
**Release installation alternatives**
When IT administrators select Windows Update and/or Windows Server Update Services to deploy feature upgrades and servicing updates, Windows 10 and Windows Update will determine and deploy the correct releases for each of the three servicing options at the appropriate times. If there are multiple feature upgrades receiving long-term servicing support at the same time, Windows Update will select updates for each device that are appropriate for the feature upgrades they are running.
When IT administrators manage deployments of feature upgrades and servicing updates directly with configuration management products such as Configuration Manager, they are responsible for the timing of installation of both feature upgrades and servicing updates. It is important to note that until IT administrators install a new servicing update, devices may remain exposed to security vulnerabilities. Therefore, when managing deployments directly, IT administrators should deploy new servicing updates as soon as possible.
## Servicing options and servicing branch designations
Servicing options have several different attributes that affect deployment planning decisions. For example, each servicing option:
- Is supported on a selected set of Windows 10 editions (and no Windows 10 edition supports all three servicing options).
- Has a policy that determines the periods of time during which Microsoft will produce servicing updates for a given feature upgrade.
- Has a policy that determines when devices being managed by Windows Update or Windows Server Update Services will install new feature upgrades when they become available from Microsoft.
Because the servicing lifetime of a feature upgrade typically ends when the servicing lifetime of the subsequent feature upgrade begins, the length of servicing lifetimes will also vary. To simplify referring to these ranges,
Microsoft created *servicing branch designations* for each of the three time range/servicing branch combinations. The designations are Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB).
Because there is a one-to-one mapping between servicing options and servicing branch designations, Microsoft occasionally refers to servicing options using servicing branch-centric terminology. The following sections describe servicing options and servicing branch designations, including terminology, servicing lifetime policies, upgrade behavior, and edition support, in more detail.
**Service lifetime and feature upgrade installation paths**
Although Microsoft is currently planning to release approximately two to three feature upgrades per year, the actual frequency and timing of releases will vary. Because the servicing lifetimes of feature upgrades typically end when the servicing lifetimes of other, subsequent feature upgrades begin, the lengths of servicing lifetimes will also vary.
![figure 7](images/win10servicing-fig4-upgradereleases.png)
Figure 7. Example release cadence across multiple feature upgrades
To show the variability of servicing lifetimes, and show the paths that feature upgrade installations will take when Windows Update and Windows Server Update Services are used for deployments, Figure 4 contains three feature upgrade releases (labeled *X*, *Y*, and *Z*) and their associated servicing branches. The time period between publishing X and Y is four months, and the time period between publishing Y and Z is six months. X and Z have long-term servicing support, and Y has shorter-term servicing support only.
The same underlying figure will be used in subsequent figures to show all three servicing options in detail. It is important to note that Figure 7 is provided for illustration of servicing concepts only and should not be used for actual Windows 10 release planning.
To simplify the servicing lifetime and feature upgrade behavior explanations that follow, this document refers to branch designations for a specific feature upgrade as the +0 versions, the designations for the feature upgrade after the +0 version as the +1 (or successor) versions, and the designation for the feature upgrade after the +1 version as the +2 (or second successor) versions.
### <a href="" id="immediate-upgrade-cb"></a>
**Immediate feature upgrade installation with Current Branch (CB) servicing**
As shown in Figure 8, the Current Branch (CB) designation refers to Servicing Branch \#1 during the period that starts when Microsoft publishes a feature upgrade targeted for devices configured for *immediate* installation and ends when Microsoft publishes the *successor* feature upgrade targeted for devices configured for *immediate* installation.
![figure 8](images/win10servicing-fig5.png)
Figure 8. Immediate installation with Current Branch Servicing
The role of Servicing Branch \#1 during the CB period is to produce feature upgrades and servicing updates for Windows 10 devices configured for *immediate* installation of new feature upgrades. Microsoft refers to devices configured this way as being *serviced from CBs*. The Windows 10 editions that support servicing from CBs are Home, Pro, Education, and Enterprise. The Current Branch designation is intended to reflect the fact that devices serviced using this approach will be kept as current as possible with respect to the latest Windows 10 feature upgrade release.
Windows 10 Home supports Windows Update for release deployment. Windows 10 editions (Pro, Education, and Enterprise) support Windows Update, Windows Server Update Services, Configuration Manager, and other configuration management systems:
- When IT administrators use Windows Update to manage deployments, devices will receive new feature upgrades and servicing updates as soon as they are published by Microsoft in the Windows Update service, targeted to devices configured for *immediate* feature upgrade installation.
- When devices are being managed by using Windows Server Update Services, the same workflows are executed as with Windows Update except IT administrators must approve releases before installations begin.
- When using configuration management systems such as Configuration Manager to manage deployments, IT administrators can obtain installation media from Microsoft and deploy new feature upgrades immediately by using standard change control processes. IT administrators who use configuration management systems should also make sure to obtain and deploy all servicing updates published by Microsoft as soon as possible.
It is important to note that devices serviced from CBs must install two to three feature upgrades per year to remain current and continue to receive servicing updates.
### <a href="" id="deferred-upgrade-cbb"></a>
**Deferred feature upgrade installation with Current Branch for Business (CBB) servicing**
As shown in Figure 9, the Current Branch for Business (CBB) designation refers to Servicing Branch \#1 during the period that starts when Microsoft republishes a feature upgrade targeted for devices configured for *deferred* installation and ends when Microsoft republishes the *second successor* feature upgrade targeted for devices configured for *deferred* installation.
![figure 9](images/win10servicing-fig6.png)
Figure 9. Deferred installation with Current Branch for Business Servicing
The role of Servicing Branch \#1 during the CBB period is to produce feature upgrades and servicing updates for Windows 10 devices configured for *deferred* installation of new feature upgrades. Microsoft refers to devices configured this way as being *serviced from CBBs*. The Windows 10 editions that support servicing from CBBs are Pro, Education, and Enterprise. The Current Branch for Business designation is intended to reflect the fact that many businesses require IT administrators to test feature upgrades prior to deployment, and servicing devices from CBBs is a pragmatic solution for businesses with testing constraints to remain as current as possible.
Windows 10 (Pro, Education, and Enterprise editions) support release deployment by using Windows Update, Windows Server Update Services, Configuration Manager, and other configuration management systems:
- When IT administrators use Windows Update to manage deployments, devices will receive new feature upgrades and servicing updates as soon as they are published by Microsoft in the Windows Update service, targeted to devices configured for *deferred* feature upgrade installation. It is important to note that, even when devices are configured to defer installations, all servicing updates that are applicable to the feature upgrade that is running on a device will be installed immediately after being published by Microsoft in the Windows Update service.
- When devices are being managed through Windows Server Update Services, the same workflows are executed as with Windows Update except IT administrators must approve releases before installations begin.
- When using configuration management systems such as Configuration Manager to manage deployments, IT administrators can obtain media published for deferred installation from Microsoft and deploy new feature upgrades by using standard change control processes. When deferring feature upgrade installations, IT administrators should still deploy all applicable servicing updates as soon as they become available from Microsoft.
Microsoft designed Windows 10 servicing lifetime policies so that CBBs will receive servicing updates for approximately twice as many months as CBs. This enables two CBBs to receive servicing support at the same time, which provides businesses with more flexibility when deploying new feature upgrades. That said, it is important to note that Microsoft will not produce servicing updates for a feature upgrade after its corresponding CBB reaches the end of its servicing lifetime. This means that feature upgrade deployments cannot be extended indefinitely and IT administrators should ensure that they deploy newer feature upgrades onto devices before CBBs end.
### <a href="" id="install-updates-ltsb"></a>
**Install servicing updates only by using Long-Term Servicing Branch (LTSB) servicing**
As shown in Figure 10, the Long-Term Servicing Branch (LTSB) designation refers to Servicing Branch \#2 from beginning to end. LTSBs begin when a feature upgrade with long-term support is published by Microsoft and end after 10 years. It is important to note that only the Windows 10 Enterprise LTSB edition supports long-term servicing, and there are important differences between this edition and other Windows 10 editions regarding upgradability and feature set (described below in the [Considerations when configuring devices for servicing updates only](#servicing-only) section).
![figure 10](images/win10servicing-fig7.png)
Figure 10. Servicing updates only using LTSB Servicing
The role of LTSBs is to produce servicing updates for devices running Windows 10 configured to install servicing updates only. Devices configured this way are referred to as being *serviced from LTSBs*. The Long-Term Servicing Branch designation is intended to reflect the fact that this servicing option is intended for scenarios where changes to software running on devices must be limited to essential updates (such as those for security vulnerabilities and other important issues) for the duration of deployments.
Windows 10 Enterprise LTSB supports release deployment by using Windows Update, Windows Server Update Services, Configuration Manager, and other configuration management systems:
- When IT administrators use Windows Update to manage deployments, Windows Update will install only servicing updates, and do so as soon as they are published by Microsoft in the Windows Update service. Windows Update does not install feature upgrades on devices configured for long-term servicing.
- When devices are being managed using Windows Server Update Services, the same workflows are executed as with Windows Update except IT administrators must approve releases before installations begin.
- When using configuration management systems such as System Center Configuration Manager to manage deployments, IT administrators should make sure to obtain and deploy all servicing updates published by Microsoft as soon as possible.
**Note**  
It is important to note again that not all feature upgrades will have an LTSB. The initial release of Windows 10, published in July 2015, has an LTSB and Microsoft expects to designate one additional feature upgrade in the next 12 months for long-term support. After that, Microsoft expects to publish feature upgrades with long-term servicing support approximately every two to three years. Microsoft will provide additional information in advance of publishing new feature upgrades so that IT administrators can make informed deployment planning decisions.
 
### <a href="" id="servicing-only"></a>
**Considerations when configuring devices for servicing updates only**
Before deciding to configure a device for LTSB-based servicing, IT administrators should carefully consider the implications of changing to a different servicing option later, and the effect of using Windows 10 Enterprise LTSB on the availability of *in-box* applications.
Regarding edition changes, it is possible to reconfigure a device running Windows 10 Enterprise LTSB to run Windows 10 Enterprise while preserving the data and applications already on the device. Reconfiguring a device running Windows 10 Enterprise LTSB to run other editions of Windows 10 may require IT administrators to restore data and/or reinstall applications on the device after the other edition has been installed.
Regarding in-box applications, Windows 10 Enterprise LTSB does not include all the universal apps that are included with other Windows 10 editions. This is because the universal apps included with Windows 10 will be continually upgraded by Microsoft, and new releases of in-box universal apps are unlikely to remain compatible with a feature upgrade of Windows 10 Enterprise LTSB for the duration of its servicing lifetime. Examples of apps that Windows 10 Enterprise LTSB does not include are Microsoft Edge, Windows Store Client, Cortana (limited search capabilities remain available), Outlook Mail, Outlook Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock.
Windows 10 Enterprise LTSB does include Internet Explorer 11, and is compatible with Windows 32 versions of Microsoft Office. IT administrators can also install universal apps on devices when apps are compatible with the feature upgrades running on the device. They should do so with care, however, as servicing updates targeted for devices running Windows 10 Enterprise LTSB will not include security or non-security fixes for universal apps. Additionally, Microsoft will not provide servicing updates for specific releases of apps on any Windows 10 edition after the feature upgrade of Windows 10 with which the apps were included reaches the end of its servicing lifetime.
**Servicing option summary**
Table 2. Servicing option summary
<table>
<tr>
<th rowspan="2">Comparison</th>
<th colspan="3">Windows 10 servicing options</th>
</tr>
<tr>
<th>Current Branch (CB)</th>
<th>Current Branch for Business (CBB)</th>
<th>Long-Term Servicing Branch (LTSB)</th>
</tr>
<tr>
<td><b>Availability of new feature upgrades for installation</b></td>
<td>Immediate</td>
<td>Deferred by ~4 months</td>
<td>Not applicable</td>
</tr>
<tr>
<td><b>Supported editions</b></td>
<td>Windows 10 Home, Windows 10 Pro, Windows 10 Education, Windows 10 Enterprise,
IoT Core, IoT Core Pro</td>
<td>Windows 10 Pro,
Windows 10 Education,
Windows 10 Enterprise,
IoT Core Pro</td>
<td>Windows 10 Enterprise LTSB</td>
</tr>
<tr>
<td><b>Minimum length of servicing lifetime</b></td>
<td>Approximately 4 Months</td>
<td>Approximately 8 months</td>
<td>10 years</td>
</tr>
<tr>
<td><b>Ongoing installation of new feature upgrades required to receive servicing updates</b></td>
<td>Yes</td>
<td>Yes</td>
<td>No</td>
</tr>
<tr>
<td><b>Supports Windows Update for release deployment</b></td>
<td>Yes</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td><b>Supports Windows Server Update Services for release deployment</b></td>
<td>Yes
(excludes Home)
</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td><b>Supports Configuration Manager/configuration management systems for release deployment</b></td>
<td>Yes
(excludes Home)
</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td><b>First party browsers included</b></td>
<td>Microsoft Edge,
Internet Explorer 11</td>
<td>Microsoft Edge,
IE11</td>
<td>IE11</td>
</tr>
<tr>
<td><b>Notable Windows
system apps removed
</b></td>
<td>None</td>
<td>None</td>
<td>Microsoft Edge, Windows Store Client, Cortana (limited search available)</td>
</tr>
<tr>
<td><b>Notable Windows
universal apps removed
</b></td>
<td>None</td>
<td>None</td>
<td>Outlook Mail/Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, Clock</td>
</tr>
</table>
 
## Related topics
[Plan for Windows 10 deployment](../plan/index.md)
[Deploy Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=624776)
[Manage and update Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=624796)
 
 

131
windows/manage/lock-down-windows-10-to-specific-apps.md
View File

@ -1,131 +0,0 @@
---
title: Lock down Windows 10 to specific apps (Windows 10)
description: Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps.
ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
keywords: ["lockdown", "app restrictions", "applocker"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: edu, security
author: jdeckerMS
localizationpriority: high
---
# Lock down Windows 10 to specific apps
**Applies to**
- Windows 10
>For more info about the features and functionality that are supported in each edition of Windows, see [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.
You can restrict users to a specific set of apps on a device running Windows 10 Enterprise or Windows 10 Education by using [AppLocker](../keep-secure/applocker-overview.md). AppLocker rules specify which apps are allowed to run on the device.
AppLocker rules are organized into collections based on file format. If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For more information, see [How AppLocker works](../keep-secure/how-applocker-works-techref.md).
This topic describes how to lock down apps on a local device. You can also use AppLocker to set rules for applications in a domain by using Group Policy.
![install create lockdown customize](images/lockdownapps.png)
## Install apps
First, install the desired apps on the device for the target user account(s). This works for both Store and Win32. For Store apps, you must log on as that user for the app to install. For Win32 you can install an app for all users without logging on to the particular account.
## Use AppLocker to set rules for apps
After you install the desired apps, set up AppLocker rules to only allow specific apps, and block everything else.
1. Run Local Security Policy (secpol.msc) as an administrator.
2. Go to **Security Settings** &gt; **Application Control Policies** &gt; **AppLocker**, and select **Configure rule enforcement**.
![configure rule enforcement](images/apprule.png)
3. Check **Configured** under **Executable rules**, and then click **OK**.
4. Right-click **Executable Rules** and then click **Automatically generate rules**.
![automatically generate rules](images/genrule.png)
5. Select the folder that contains the apps that you want to permit, or select C:\\ to analyze all apps.
6. Type a name to identify this set of rules, and then click **Next**.
7. On the **Rule Preferences** page, click **Next**. Be patient, it might take awhile to generate the rules.
8. On the **Review Rules** page, click **Create**. The wizard will now create a set of rules allowing the installed set of apps.
9. Read the message and click **Yes**.
![default rules warning](images/appwarning.png)
10. (optional) If you want a rule to apply to a specific set of users, right-click on the rule and select **Properties**. Then use the dialog to choose a different user or group of users.
11. (optional) If rules were generated for apps that should not be run, you can delete them by right-clicking on the rule and selecting **Delete**.
12. Before AppLocker will enforce rules, the **Application Identity** service must be turned on. To force the Application Identity service to automatically start on reset, open a command prompt and run:
``` syntax
sc config appidsvc start=auto
```
13. Restart the device.
## Other settings to lock down
In addition to specifying the apps that users can run, you should also restrict some settings and functions on the device. For a more secure experience, we recommend that you make the following configuration changes to the device:
- Remove **All apps**.
Go to **Group Policy Editor** &gt; **User Configuration** &gt; **Administrative Templates\\Start Menu and Taskbar\\Remove All Programs list from the Start menu**.
- Hide **Ease of access** feature on the logon screen.
Go to **Control Panel** &gt; **Ease of Access** &gt; **Ease of Access Center**, and turn off all accessibility tools.
- Disable the hardware power button.
Go to **Power Options** &gt; **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
- Disable the camera.
Go to **Settings** &gt; **Privacy** &gt; **Camera**, and turn off **Let apps use my camera**.
- Turn off app notifications on the lock screen.
Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
- Disable removable media.
Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.
**Note**  
To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
 
To learn more about locking down features, see [Customizations for Windows 10 Enterprise](https://go.microsoft.com/fwlink/p/?LinkId=691442).
## Customize Start screen layout for the device
Configure the Start menu on the device to only show tiles for the permitted apps. You will make the changes manually, export the layout to an .xml file, and then apply that file to devices to prevent users from making changes. For instructions, see [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md).
## Related topics
- [Provisioning packages for Windows 10](../deploy/provisioning-packages.md)
 
 

77
windows/manage/lock-down-windows-10.md
View File

@ -1,77 +0,0 @@
---
title: Lock down Windows 10 (Windows 10)
description: Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device.
ms.assetid: 955BCD92-0A1A-4C48-98A8-30D7FAF2067D
keywords: lockdown
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security, mobile
author: jdeckerMS
localizationpriority: high
---
# Lock down Windows 10
Enterprises often need to manage how people use corporate devices. Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device.
## In this section
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody><tr><td><p>[Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md)</p></td><td><p>Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10.</p></td></tr>
<tr><td align="left"><p>[Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)</p></td><td align="left"><p>Windows 10, Version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail.</p></td></tr>
<tr class="odd">
<td align="left"><p>[Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md)</p></td>
<td align="left"><p>You can configure a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise as a kiosk device, so that users can only interact with a single application that you select.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md)</p></td>
<td align="left"><p>Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)</p></td>
<td align="left"><p>Use this article to make informed decisions about how you can configure Windows telemetry in your organization.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)</p></td>
<td align="left"><p>Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Configure access to Windows Store](stop-employees-from-using-the-windows-store.md)</p></td>
<td align="left"><p>IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)</p></td>
<td align="left"><p>Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense.</p>
<p>The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)</p></td>
<td align="left"><p>Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)</p></td>
<td align="left"><p>There are two methods for resetting a Windows 10 Mobile device: factory reset and &quot;wipe and persist&quot; reset.</p></td>
</tr>
</tbody>
</table>
## Learn more
[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)
## Related topics
[Lockdown features from Windows Embedded Industry 8.1](../whats-new/lockdown-features-windows-10.md)

116
windows/manage/lockdown-features-windows-10.md
View File

@ -1,116 +0,0 @@
---
title: Lockdown features from Windows Embedded 8.1 Industry (Windows 10)
description: Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10.
ms.assetid: 3C006B00-535C-4BA4-9421-B8F952D47A14
keywords: lockdown, embedded
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: jdeckerMS
localizationpriority: high
---
# Lockdown features from Windows Embedded 8.1 Industry
**Applies to**
- Windows 10
Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Windows Embedded 8.1 Industry lockdown feature</th>
<th align="left">Windows 10 feature</th>
<th align="left">Changes</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Hibernate Once/Resume Many (HORM)](https://go.microsoft.com/fwlink/p/?LinkId=626758): Quick boot to device</p></td>
<td align="left">N/A</td>
<td align="left"><p>HORM is supported in Windows 10, version 1607. </p></td>
</tr>
<tr class="even">
<td align="left"><p>[Unified Write Filter](https://go.microsoft.com/fwlink/p/?LinkId=626757): protect a device's physical storage media</p></td>
<td align="left">[Unified Write Filter](https://msdn.microsoft.com/en-us/library/windows/hardware/mt572001.aspx)</td>
<td align="left"><p>The Unified Write Filter is continued in Windows 10, with the exception of HORM which has been deprecated.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Keyboard Filter]( https://go.microsoft.com/fwlink/p/?LinkId=626761): block hotkeys and other key combinations</p></td>
<td align="left">[Keyboard Filter](https://go.microsoft.com/fwlink/p/?LinkId=708391)</td>
<td align="left"><p>Keyboard filter is added in Windows 10, version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via <strong>Turn Windows Features On/Off</strong>. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Shell Launcher](https://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Classic Windows application on sign-on</p></td>
<td align="left">[Shell Launcher](https://go.microsoft.com/fwlink/p/?LinkId=618603)</td>
<td align="left"><p>Shell Launcher continues in Windows 10. It is now configurable in Windows ICD under the <strong>SMISettings</strong> category.</p>
<p>Learn [how to use Shell Launcher to create a kiosk device](https://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Classic Windows application.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Application Launcher]( https://go.microsoft.com/fwlink/p/?LinkId=626675): launch a Universal Windows Platform (UWP) app on sign-on</p></td>
<td align="left">[Assigned Access](https://go.microsoft.com/fwlink/p/?LinkId=626608)</td>
<td align="left"><p>The Windows 8 Application Launcher has been consolidated into Assigned Access. Application Launcher enabled launching a Windows 8 app and holding focus on that app. Assigned Access offers a more robust solution for ensuring that apps retain focus.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Dialog Filter](https://go.microsoft.com/fwlink/p/?LinkId=626762): suppress system dialogs and control which processes can run</p></td>
<td align="left">[AppLocker](../keep-secure/applocker-overview.md)</td>
<td align="left"><p>Dialog Filter has been deprecated for Windows 10. Dialog Filter provided two capabilities; the ability to control which processes were able to run, and the ability to prevent dialogs (in practice, system dialogs) from appearing.</p>
<ul>
<li><p>Control over which processes are able to run will now be provided by AppLocker.</p></li>
<li><p>System dialogs in Windows 10 have been replaced with system toasts. To see more on blocking system toasts, see Toast Notification Filter below.</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><p>[Toast Notification Filter]( https://go.microsoft.com/fwlink/p/?LinkId=626673): suppress toast notifications</p></td>
<td align="left">Mobile device management (MDM) and Group Policy</td>
<td align="left"><p>Toast Notification Filter has been replaced by MDM and Group Policy settings for blocking the individual components of non-critical system toasts that may appear. For example, to prevent a toast from appearing when a USB drive is connected, ensure that USB connections have been blocked using the USB-related policies, and turn off notifications from apps.</p>
<p>Group Policy: <strong>User Configuration</strong> &gt; <strong>Administrative Templates</strong> &gt; <strong>Start Menu and Taskbar</strong> &gt; <strong>Notifications</strong></p>
<p>MDM policy name may vary depending on your MDM service. In Microsoft Intune, use <strong>Allow action center notifications</strong> and a [custom OMA-URI setting](https://go.microsoft.com/fwlink/p/?LinkID=616317) for <strong>AboveLock/AllowActionCenterNotifications</strong>.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Embedded Lockdown Manager](https://go.microsoft.com/fwlink/p/?LinkId=626763): configure lockdown features</p></td>
<td align="left">[Windows Imaging and Configuration Designer (ICD)](https://go.microsoft.com/fwlink/p/?LinkID=525483)</td>
<td align="left"><p>The Embedded Lockdown Manager has been deprecated for Windows 10 and replaced by the Windows ICD. Windows ICD is the consolidated tool for Windows imaging and provisioning scenarios and enables configuration of all Windows settings, including the lockdown features previously configurable through Embedded Lockdown Manager.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[USB Filter](https://go.microsoft.com/fwlink/p/?LinkId=626674): restrict USB devices and peripherals on system</p></td>
<td align="left">MDM and Group Policy</td>
<td align="left"><p>The USB Filter driver has been replaced by MDM and Group Policy settings for blocking the connection of USB devices.</p>
<p>Group Policy: <strong>Computer Configuration</strong> &gt; <strong>Administrative Templates</strong> &gt; <strong>System</strong> &gt; <strong>Device Installation</strong> &gt; <strong>Device Installation Restrictions</strong></p>
<p>MDM policy name may vary depending on your MDM service. In Microsoft Intune, use <strong>Allow removable storage</strong> or <strong>Allow USB connection (Windows 10 Mobile only)</strong>.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Assigned Access](https://go.microsoft.com/fwlink/p/?LinkID=613653): launch a UWP app on sign-in and lock access to system</p></td>
<td align="left">[Assigned Access](https://go.microsoft.com/fwlink/p/?LinkId=626608)</td>
<td align="left"><p>Assigned Access has undergone significant improvement for Windows 10. In Windows 8.1, Assigned Access blocked system hotkeys and edge gestures, and non-critical system notifications, but it also applied some of these limitations to other accounts on the device.</p>
<p>In Windows 10, Assigned Access no longer affects accounts other than the one being locked down. Assigned Access now restricts access to other apps or system components by locking the device when the selected user account logs in and launching the designated app above the lock screen, ensuring that no unintended functionality can be accessed.</p>
<p>Learn [how to use Assigned Access to create a kiosk device](https://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Universal Windows app.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Gesture Filter](https://go.microsoft.com/fwlink/p/?LinkId=626672): block swipes from top, left, and right edges of screen</p></td>
<td align="left">MDM and Group Policy</td>
<td align="left"><p>In Windows 8.1, gestures provided the ability to close an app, to switch apps, and to reach the Charms. In Windows 10, Charms have been removed. In Windows 10, version 1607, you can block swipes using the [Allow edge swipe](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#LockDown_AllowEdgeSwipe) policy. </p></td>
</tr>
<tr class="even">
<td align="left"><p>[Custom Logon]( https://go.microsoft.com/fwlink/p/?LinkId=626759): suppress Windows UI elements during Windows sign-on, sign-off, and shutdown</p></td>
<td align="left">[Embedded Logon](https://go.microsoft.com/fwlink/p/?LinkId=626760)</td>
<td align="left"><p>No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Unbranded Boot](https://go.microsoft.com/fwlink/p/?LinkId=626872): custom brand a device by removing or replacing Windows boot UI elements</p></td>
<td align="left">[Unbranded Boot](https://go.microsoft.com/fwlink/p/?LinkId=626873)</td>
<td align="left"><p>No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.</p></td>
</tr>
</tbody>
</table>
 
 
 

870
windows/manage/lockdown-xml.md
View File

@ -1,870 +0,0 @@
---
title: Configure Windows 10 Mobile using Lockdown XML (Windows 10)
description: Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device.
ms.assetid: 22C8F654-2EC3-4E6D-8666-1EA9FCF90F5F
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security, mobile
author: jdeckerMS
localizationpriority: high
---
# Configure Windows 10 Mobile using Lockdown XML
**Applies to**
- Windows 10 Mobile
Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available.
This topic provides example XML that you can use in your own lockdown XML file that can be included in a provisioning package or when using a mobile device management (MDM) solution to push lockdown settings to enrolled devices.
Lockdown XML is an XML file that contains settings for Windows 10 Mobile. When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. In this topic, you'll learn how to create an XML file that contains all lockdown entries available in the AssignedAccessXml area of the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601).
> [!NOTE]
> On Windows 10 desktop editions, *assigned access* is a feature that lets you configure the device to run a single app above the lockscreen ([kiosk mode](set-up-a-device-for-anyone-to-use.md)). On a Windows 10 Mobile device, assigned access refers to the lockdown settings in AssignedAccessXml in the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601).
If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](how-it-pros-can-use-configuration-service-providers.md) first.
## Overview of the lockdown XML file
Let's start by looking at the basic structure of the lockdown XML file. You can start your file by pasting the following XML (or any other examples in this topic) into a text or XML editor, and saving the file as *filename*.xml.
```xml
<?xml version "1.0" encoding "utf-8"?>
<HandheldLockdown version "1.0" >
<Default>
<ActionCenter>
<Apps>
<Buttons>
<CSPRunner>
<MenuItems>
<Settings>
<Tiles>
<StartScreenSize>
</Default>
</HandheldLockdown>
```
**Default** and the entries beneath it establish the default device settings that are applied for every user. The device will always boot to this Default role. You can create additional roles on the device, each with its own settings, in the same XML file. [Learn how to add roles.](#configure-additional-roles)
The settings for the Default role and other roles must be listed in your XML file in the order presented in this topic. All of the entries are optional. If you don't include a setting, that aspect of the device will operate as it would for an nonconfigured device.
> **Tip**&nbsp;&nbsp;Keep your XML file easy to work with and to understand by using proper indentation and adding comments for each setting you configure.
## Action Center
![XML for Action Center](images/ActionCenterXML.jpg)
The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both.
In the following example, the Action Center is enabled and both policies are disabled.
```xml
<ActionCenter enabled="true" aboveLockToastEnabled="0" actionCenterNotificationEnabled="0"/>
```
In the following example, Action Center and the toast policy are enabled, and the notifications policy is disabled.
```xml
<ActionCenter enabled="true" aboveLockToastEnabled="1" actionCenterNotificationEnabled="0"/>
```
The following example is a complete lockdown XML file that disables Action Center, notifications, and toasts.
```xml
<?xml version="1.0" encoding="utf-8"?>
<HandheldLockdown version="1.0" >
<Default>
<!-- disable Action Center -->
<ActionCenter enabled="false" />
</Default>
</HandheldLockdown>
```
## Apps
![XML for Apps](images/AppsXML.png)
The Apps setting serves as an allow list and specifies the applications that will be available in the All apps list. Apps that are not included in this setting are hidden from the user and blocked from running.
You provide the product ID for each app in your file. The product ID identifies an app package, and an app package can contain multiple apps, so you should also provide the App User Model ID (AUMID) to differentiate the app. Optionally, you can set an app to run automatically. [Get product ID and AUMID for apps in Windows 10 Mobile.](product-ids-in-windows-10-mobile.md)
The following example makes Outlook Calendar available on the device.
```xml
<Apps>
<!-- Outlook Calendar -->
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar">
</Application>
</Apps>
```
When you list an app, you can also set the app to be pinned to the Start screen by specifying the tile size and location. Tip: draw a grid and mark your app tiles on it to make sure you get the result you want. The width (X axis) in the following example is the limit for Windows 10 Mobile, but the length (Y axis) is unlimited. The number of columns available to you depends on the value for [StartScreenSize](#start-screen-size).
![Grid to lay out tiles for Start](images/StartGrid.jpg)
Tile sizes are:
* Small: 1x1
* Medium: 2x2
* Large: 2x4
Based on 6 columns, you can pin six small tiles or three medium tiles on a single row. A large tile can be combined with two small tiles or one medium tile on the same row. Obviously, you cannot set a medium tile for LocationX=5, or a large tile for LocationX=3, 4, or 5.
If the tile configuration in your file exceeds the available width, such as setting a large tile to start at position 3 on the X axis, that tile is appended to the bottom of the Start screen. Also, if the tile configuration in your file would result in tiles overlapping each other, the overlapping tiles are instead appended to the bottom of the Start screen.
In the following example, Outlook Calendar and Outlook Mail are pinned to the Start screen, and the Store app is allowed but is not pinned to Start.
```xml
<Apps>
<!-- Outlook Calendar -->
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar">
<PinToStart>
<Size>Large</Size>
<Location>
<LocationX>0</LocationX>
<LocationY>0</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Outlook Mail-->
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail">
<PinToStart>
<Size>Medium</Size>
<Location>
<LocationX>4</LocationX>
<LocationY>0</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Store -->
<Application productId="7D47D89A-7900-47C5-93F2-46EB6D94C159" aumid="Microsoft.WindowsStore_8wekyb3d8bbwe!App" />
</Apps>
```
That layout would appear on a device like this:
![Example of the layout on a Start screen](images/StartGridPinnedApps.jpg)
You can create and pin folders to Start by using the Apps setting. Each folder requires a **folderId**, which must be a consecutive positive integer starting with `1`. You can also specify a **folderName** (optional) which will be displayed on Start.
```xml
<Apps>
<!-- Management folder -->
<Application folderId="1" folderName="Management">
<PinToStart>
<Size>Medium</Size>
<Location>
<LocationX>4</LocationX>
<LocationY>0</LocationY>
</Location>
</PinToStart>
</Application>
</Apps>
```
To add apps to the folder, include **ParentFolderId** in the application XML, as shown in the following example:
```xml
<Apps>
<!-- Outlook Calendar -->
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar">
<PinToStart>
<Size>Large</Size>
<Location>
<LocationX>0</LocationX>
<LocationY>0</LocationY>
</Location>
<ParentFolderId>1</ParentFolderId>
</PinToStart>
</Application>
<!-- Outlook Mail-->
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail">
<PinToStart>
<Size>Medium</Size>
<Location>
<LocationX>4</LocationX>
<LocationY>0</LocationY>
</Location>
<ParentFolderId>1</ParentFolderId>
</PinToStart>
</Application>
</Apps>
```
When an app is contained in a folder, its **PinToStart** configuration (tile size and location) applies to its appearance when the folder is opened.
## Buttons
![XML for buttons](images/ButtonsXML.jpg)
In the Buttons setting, you use ButtonLockdownList to disable hardware buttons and ButtonRemapList to change button events to open an app that you specify.
### ButtonLockdownList
When a user taps a button that is in the lockdown list, nothing will happen. The following table lists which events can be disabled for each button.
Button | Press | PressAndHold | All
---|:---:|:---:|:--:|-
Start | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png)
Back | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png)
Search | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png)
Camera | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png)
Custom 1, 2, and 3 | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png)
> [!NOTE]
> Custom buttons are hardware buttons that can be added to devices by OEMs.
In the following example, press-and-hold is disabled for the Back button.
```xml
<Buttons>
<ButtonLockdownList>
<Button name="Back">
<ButtonEvent name="PressAndHold" />
</Button>
</ButtonLockdownList>
</Buttons>
```
If you don't specify a button event, all actions for the button are disabled. In the next example, all actions are disabled for the camera button.
```xml
<Buttons>
<ButtonLockdownList>
<Button name="Camera">
</Button>
</ButtonLockdownList>
</Buttons>
```
### ButtonRemapList
ButtonRemapList lets you change the app that a button will run. You can remap the Search button and any custom buttons included by the OEM. You can't remap the Back, Start, or Camera buttons.
> [!WARNING]
> Button remapping can enable a user to open an application that is not in the allow list for that user role. Use button lock down to prevent application access for a user role.
To remap a button, you specify the button, the event, and the product ID for the app that you want the event to open.
In the following example, when a user presses the Search button, the phone dialer will open instead of the Search app.
```xml
<Buttons>
<ButtonRemapList>
<Button name="Search">
<ButtonEvent name="Press">
<!-- Phone dialer -->
<Application productID="{F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7 }" parameters="" />
</ButtonEvent>
</Button>
</ButtonRemapList>
</Buttons>
```
## CSPRunner
![XML for CSP Runner](images/CSPRunnerXML.jpg)
You can use CSPRunner to include settings that are not defined in AssignedAccessXML. For example, you can include settings from other sections of EnterpriseAssignedAccess CSP, such as lockscreen, theme, and time zone. You can also include settings from other CSPs, such as [Wi-Fi CSP](https://go.microsoft.com/fwlink/p/?LinkID=717460) or [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962%28v=vs.85%29.aspx).
CSPRunner is helpful when you are configuring a device to support multiple roles. It lets you apply different policies according to the role that is signed on. For example, Wi-Fi could be enabled for a supervisor role and disabled for a stocking clerk role.
In CSPRunner, you specify the CSP and settings using SyncML, a standardized markup language for device management. A SyncML section can include multiple settings, or you can use multiple SyncML sections -- it's up to you how you want to organize settings in this section.
> [!NOTE]
> This description of SyncML is just the information that you need to use SyncML in a lockdown XML file. To learn more about SyncML, see [Structure of OMA DM provisioning files](https://msdn.microsoft.com/windows/hardware/dn914774.aspx).
Let's start with the structure of SyncML in the following example:
```xml
SyncML>
<SyncBody>
<Add>|<Replace>
<CmdID>#</CmdID>
<Item>
<Target>
<LocURI>CSP Path</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">Data Type</Format>
</Meta>
<Data>Value</Data>
</Item>
</Add>|</Replace>
<Final/>
</SyncBody>
</SyncML>
```
This table explains the parts of the SyncML structure.
SyncML entry | Description
---|---
**Add** or **Replace** | Use **Add** to apply a setting or policy that is not already configured. Use **Replace** to change an existing setting or policy.
**CmdID** | SyncBody can contain multiple commands. Each command in a lockdown XML file must have a different **CmdID** value.
**Item** | **Item** is a wrapper for a single setting. You can include multiple items for the command if they all use the same **Add** or **Replace** operation.
**Target > LocURI** | **LocURI** is the path to the CSP.
**Meta > Format** | The data format required by the CSP.
**Data** | The value for the setting.
## Menu items
![XML for menu items](images/MenuItemsXML.png)
Use DisableMenuItems to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Apps list. You can include this entry in the default profile and in any additional user role profiles that you create.
```xml
<MenuItems>
<DisableMenuItems/>
</MenuItems>
```
## Settings
![XML for settings](images/SettingsXML.png)
The **Settings** section contains an `allow` list of pages in the Settings app. The following example allows all settings.
```xml
<Settings>
<!-- Allow all settings -->
</Settings>
```
In the following example, all system setting pages are enabled.
```xml
<Settings>
<System name="SettingsPageGroupPCSystem" />
<System name="SettingsPageDisplay" />
<System name="SettingsPageAppsNotifications" />
<System name="SettingsPageCalls" />
<System name="SettingsPageMessaging" />
<System name="SettingsPageBatterySaver" />
<System name="SettingsPageStorageSenseStorageOverview" />
<System name="SettingsPageGroupPCSystemDeviceEncryption" />
<System name="SettingsPageDrivingMode" />
<System name="SettingsPagePCSystemInfo" />
</Settings>
```
If you list a setting or quick action in **Settings**, all settings and quick actions that are not listed are blocked. To remove access to all of the settings in the system, do not include the settings application in [Apps](#apps).
For a list of the settings and quick actions that you can allow or block, see [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md).
## Tiles
![XML for tiles](images/TilesXML.png)
By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the users profile. If tile manipulation is enabled in the users profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile.
> [!IMPORTANT]
> If a device is turned off then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in users profile.
```xml
<Tiles>
<EnableTileManipulation/>
</Tiles>
```
## Start screen size
Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions. Valid values:
* Small sets the width to 4 columns on devices with short axis (less than 400epx) or 6 columns on devices with short axis (greater than or equal to 400epx).
* Large sets the width to 6 columns on devices with short axis (less than 400epx) or 8 columns on devices with short axis (greater than or equal to 400epx).
If you have existing lockdown xml, you must update start screen size if your device has >=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4.
[Learn about effective pixel width (epx) for different device size classes.](https://go.microsoft.com/fwlink/p/?LinkId=733340)
## Configure additional roles
You can add custom configurations by role. In addition to the role configuration, you must also install a login application on the device. The app displays a list of available roles on the device; the user taps a role, such as "Manager"; the configuration defined for the "Manager" role is applied.
[Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin) For reference, see the [Windows.Embedded.DeviceLockdown API](https://msdn.microsoft.com/library/windows/apps/windows.embedded.devicelockdown).
In the XML file, you define each role with a GUID and name, as shown in the following example:
```xml
<Role guid="{7bb62e8c-81ba-463c-b691-74af68230b42}" name="Manager">
```
You can create a GUID using a GUID generator -- free tools are available online. The GUID needs to be unique within this XML file.
You can configure the same settings for each role as you did for the default role, except Start screen size which can only be configured for the default role. If you use CSPRunner with roles, be aware that the last CSP setting applied will be retained across roles unless explicitly changed in each role configuration. CSP settings applied by CSPRunner may conflict with settings applied by MDM.
```xml
<?xml version "1.0" encoding "utf-8"?>
<HandheldLockdown version "1.0" >
<Default>
<ActionCenter>
<Apps>
<Buttons>
<CSPRunner>
<MenuItems>
<Settings>
<Tiles>
<StartScreenSize>
</Default>
<RoleList>
<Role>
<ActionCenter>
<Apps>
<Buttons>
<CSPRunner>
<MenuItems>
<Settings>
<Tiles>
</Role>
</RoleList>
</Default>
</HandheldLockdown>
```
## Add lockdown XML to a provisioning package
Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](https://go.microsoft.com/fwlink/p/?LinkId=526740)
1. Follow the instructions at [Build and apply a provisioning package](https://go.microsoft.com/fwlink/p/?LinkID=629651) to create a project, selecting **Common to all Windows mobile editions** for your project.
2. In **Available customizations**, go to **Runtime settings** &gt; **EmbeddedLockdownProfiles** &gt; **AssignedAccessXml**.
3. In the center pane, click **Browse** to locate and select the lockdown XML file that you created.
![browse button](images/icdbrowse.png)
4. On the **File** menu, select **Save.**
5. On the **Export** menu, select **Provisioning package**.
6. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
7. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package.
8. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location.
Optionally, you can click **Browse** to change the default output location.
9. Click **Next**.
10. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
11. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
After you build the provisioning package, follow the instructions for [applying a provisioning package at runtime to Windows 10 Mobile](https://go.microsoft.com/fwlink/p/?LinkID=619164).
## Push lockdown XML using MDM
After you deploy your devices, you can still configure lockdown settings through your MDM solution if it supports the [EnterpriseAssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=618601).
To push lockdown settings to enrolled devices, use the AssignedAccessXML setting and use the lockdown XML as the value. The lockdown XML will be in a HandheldLockdown section that becomes XML embedded in XML, so the XML that you enter must use escaped characters (such as &lt; in place of &lt;). After the MDM provider pushes your lockdown settings to the device, the CSP processes the file and updates the device.
## Full Lockdown.xml example
```xml
<?xml version="1.0" encoding="utf-8"?>
<HandheldLockdown version="1.0" >
<Default>
<ActionCenter enabled="true" />
<Apps>
<!-- Settings -->
<Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
<PinToStart>
<Size>Large</Size>
<Location>
<LocationX>0</LocationX>
<LocationY>0</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Outlook Calendar -->
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar">
<PinToStart>
<Size>Small</Size>
<Location>
<LocationX>0</LocationX>
<LocationY>2</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Photos -->
<Application productId="{FCA55E1B-B9A4-4289-882F-084EF4145005}">
<PinToStart>
<Size>Medium</Size>
<Location>
<LocationX>2</LocationX>
<LocationY>2</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Edge -->
<Application productId="{395589FB-5884-4709-B9DF-F7D558663FFD}" />
<!-- Login App -->
<Application productId="{C85DC60D-30D4-4C67-A4B4-58282F1D152C}" />
</Apps>
<Buttons>
<ButtonLockdownList>
<!-- Lockdown all buttons -->
<Button name="Search">
</Button>
<Button name="Camera">
</Button>
<Button name="Custom1">
</Button>
<Button name="Custom2">
</Button>
<Button name="Custom3">
</Button>
</ButtonLockdownList>
<ButtonRemapList>
<Button name="Search">
<ButtonEvent name="Press">
<!-- Edge-->
<Application productId="{395589FB-5884-4709-B9DF-F7D558663FFD}" parameters="" />
</ButtonEvent>
</Button>
</ButtonRemapList>
</Buttons>
<CSPRunner>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<!-- zero based index of available theme colors -->
<Data>7</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeBackground</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<!-- 0 for "light", 1 for "dark" -->
<Data>1</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>c:\windows\system32\lockscreen\480x800\Wallpaper_05.jpg</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
</CSPRunner>
<MenuItems>
<DisableMenuItems/>
</MenuItems>
<Settings>
<!-- Quick actions: Brightness, Rotation -->
<System name="SystemSettings_System_Display_QuickAction_Brightness"/>
<System name="SystemSettings_System_Display_Internal_Rotation"/>
<!-- Brightness+Rotation, About -->
<System name="SettingsPageGroupPCSystem"/>
<System name="SettingsPageDisplay"/>
<System name="SettingsPagePCSystemInfo"/>
<!-- Ringtones, sounds -->
<System name="SettingsPageGroupPersonalization"/>
<System name="SettingsPageSounds"/>
</Settings>
<Tiles>
<EnableTileManipulation/>
</Tiles>
<StartScreenSize>Small</StartScreenSize>
</Default>
<RoleList>
<Role guid="{88501844-3b51-4c9f-9da7-7ca745e7da6b}" name="Associate">
<ActionCenter enabled="0"/>
<Apps>
<!-- Settings -->
<Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
<PinToStart>
<Size>Small</Size>
<Location>
<LocationX>0</LocationX>
<LocationY>0</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Outlook Calendar -->
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar">
<PinToStart>
<Size>Large</Size>
<Location>
<LocationX>0</LocationX>
<LocationY>2</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Login App -->
<Application productId="{C85DC60D-30D4-4C67-A4B4-58282F1D152C}" />
</Apps>
<Buttons />
<CSPRunner>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<!-- zero based index of available theme colors -->
<Data>10</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeBackground</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<!-- 0 for "light", 1 for "dark" -->
<Data>0</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>c:\windows\system32\lockscreen\480x800\Wallpaper_08.jpg</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
</CSPRunner>
<MenuItems>
<DisableMenuItems/>
</MenuItems>
<Settings>
<!-- Brightness+Rotation, Notifications, About -->
<System name="SettingsPageGroupPCSystem"/>
<System name="SettingsPageAppsNotifications"/>
<System name="SettingsPageDisplay"/>
<System name="SettingsPagePCSystemInfo"/>
<!-- Ringtones, sounds -->
<System name="SettingsPageGroupPersonalization"/>
<System name="SettingsPageSounds"/>
<!-- Workplace -->
<System name="SettingsPageGroupAccounts"/>
<System name="SettingsPageAccountsWorkplace"/>
</Settings>
</Role>
<Role guid="{7bb62e8c-81ba-463c-b691-74af68230b42}" name="Manager">
<ActionCenter enabled="true" />
<Apps>
<!-- Alarms and Clock -->
<Application productId="{44F7D2B4-553D-4BEC-A8B7-634CE897ED5F}">
<PinToStart>
<Size>Small</Size>
<Location>
<LocationX>0</LocationX>
<LocationY>0</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Settings -->
<Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
<PinToStart>
<Size>Small</Size>
<Location>
<LocationX>1</LocationX>
<LocationY>0</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Outlook Calendar -->
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar">
<PinToStart>
<Size>Medium</Size>
<Location>
<LocationX>2</LocationX>
<LocationY>0</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Calculator -->
<Application productId="{B58171C6-C70C-4266-A2E8-8F9C994F4456}" />
<!-- Photos -->
<Application productId="{FCA55E1B-B9A4-4289-882F-084EF4145005}">
<PinToStart>
<Size>Small</Size>
<Location>
<LocationX>0</LocationX>
<LocationY>2</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Store -->
<Application productId="{7D47D89A-7900-47C5-93F2-46EB6D94C159}">
<PinToStart>
<Size>Medium</Size>
<Location>
<LocationX>2</LocationX>
<LocationY>2</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Login App -->
<Application productId="{C85DC60D-30D4-4C67-A4B4-58282F1D152C}" />
</Apps>
<Buttons />
<CSPRunner>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<!-- zero based index of available theme colors -->
<Data>2</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeBackground</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<!-- 0 for "light", 1 for "dark" -->
<Data>1</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>c:\windows\system32\lockscreen\480x800\Wallpaper_015.jpg</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
</CSPRunner>
<MenuItems>
<DisableMenuItems/>
</MenuItems>
<Settings>
<!-- Allow all settings -->
</Settings>
<Tiles>
<EnableTileManipulation/>
</Tiles>
</Role>
</RoleList>
</HandheldLockdown>
```
## Learn more
[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)
## Related topics
[Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md)
[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md)
 
 

1362
windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
View File

File diff suppressed because it is too large Load Diff

5
windows/manage/manage-cortana-in-enterprise.md
View File

@ -1,5 +0,0 @@
---
title: Cortana integration in your business or enterprise (Windows 10)
description: The worlds first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments.
redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/cortana-at-work-overview
---

10
windows/manage/manage-inventory-windows-store-for-business.md
View File

@ -1,10 +0,0 @@
---
title: Manage inventory in Windows Store for Business (Windows 10)
description: When you acquire apps from the Windows Store for Business, we add them to the Inventory for your organization. Once an app is part of your inventory, you can distribute the app, and manage licenses.
redirect_url: https://technet.microsoft.com/itpro/windows/manage/app-inventory-managemement-windows-store-for-business
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
---

64
windows/manage/manage-tips-and-suggestions.md
View File

@ -1,64 +0,0 @@
---
title: Manage Windows 10 and Windows Store tips, tricks, and suggestions (Windows 10)
description: Windows 10 provides organizations with various options to manage user experiences to provide a consistent and predictable experience for employees.
keywords: ["device management"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: devices
author: jdeckerMS
localizationpriority: high
---
# Manage Windows 10 and Windows Store tips, tricks, and suggestions
**Applies to**
- Windows 10
Since its inception, Windows 10 has included a number of user experience features that provide useful tips, tricks, and suggestions as you use Windows, as well as app suggestions from the Windows Store. These features are designed to help people get the most out of their Windows 10 experience by, for example, sharing new features, providing more details on the features they use, or sharing content available in the Windows Store. Examples of such user experiences include:
* **Windows Spotlight on the lock screen**. Daily updated images on the lock screen that can include additional facts and tips in “hotspots” that are revealed on hover.
* **Start menu app suggestions**. App suggestions in Start that recommend productivity tool or utilities from the Windows Store.
* **Additional apps on Start**. Additional apps pre-installed on the Start screen which can enhance the users experience.
* **Windows tips**. Contextual tips that appear based on specific user actions to reveal related Windows features or help users complete a scenario.
* **Microsoft account notifications**. For users who have a connected Microsoft account, toast notifications about their account like parental control notifications or subscription expiration.
>[!TIP]
> On all Windows desktop editions, users can directly enable and disable Windows 10 tips, tricks, and suggestions and Windows Store suggestions. For example, users are able to select personal photos for the lock screen as opposed to the images provided by Microsoft, or turn off tips, tricks, or suggestions as they use Windows.
Windows 10, version 1607 (also known as the Anniversary Update), provides organizations the ability to centrally manage the type of content provided by these features through Group Policy or mobile device management (MDM). The following table describes how administrators can manage suggestions and tips in Windows 10 commercial and education editions.
## Options available to manage Windows 10 tips and tricks and Windows Store suggestions
| Windows 10 edition | Disable |Show Microsoft apps only | Show Microsoft and popular third-party apps |
| --- | --- | --- | --- |
| Windows 10 Pro | No | Yes | Yes (default) |
| Windows 10 Enterprise | Yes | Yes | Yes (default) |
| Windows 10 Pro Education | Yes (default) | Yes | No (setting cannot be changed) |
| Windows 10 Education | Yes (default) | Yes | No (setting cannot be changed) |
## Related topics
- [Manage Windows 10 Start layout](windows-10-start-layout-options-and-policies.md)
- [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md)
- [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md)
- [Windows 10 editions for education customers](https://technet.microsoft.com/en-us/edu/windows/windows-editions-for-education-customers)
 
 

99
windows/manage/manage-wifi-sense-in-enterprise.md
View File

@ -1,99 +0,0 @@
---
title: Manage Wi-Fi Sense in your company (Windows 10)
description: Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places.
ms.assetid: 1845e00d-c4ee-4a8f-a5e5-d00f2735a271
keywords: ["WiFi Sense", "automatically connect to wi-fi", "wi-fi hotspot connection"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: eross-msft
localizationpriority: medium
---
# Manage Wi-Fi Sense in your company
**Applies to:**
- Windows 10
- Windows 10 Mobile
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
Wi-Fi Sense learns about open Wi-Fi hotspots your Windows PC or Windows phone connects to by collecting information about the network, like whether the open Wi-Fi network has a high-quality connection to the Internet. By using that information from your device and from other Wi-Fi Sense customers' devices too, Wi-Fi Sense builds a database of these high-quality networks. When youre in range of one of these Wi-Fi hotspots, you automatically get connected to it.
The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10.
**Note**<br>Wi-Fi Sense isnt available in all countries or regions.
## How does Wi-Fi Sense work?
Wi-Fi Sense connects your employees to open Wi-Fi networks. Typically, these are the open (no password required) Wi-Fi hotspots you see when youre out and about.
## How to manage Wi-Fi Sense in your company
In a company environment, you will most likely deploy Windows 10 to your employees' PCs using your preferred deployment method and then manage their settings globally. With that in mind, you have a few options for managing how your employees will use Wi-Fi Sense.
**Important**<br>Turning off Wi-Fi Sense stops employees from connecting automatically to open hotspots.
### Using Group Policy (available starting with Windows 10, version 1511)
You can manage your Wi-Fi Sense settings by using Group Policy and your Group Policy editor.
**To set up Wi-Fi Sense using Group Policy**
1. Open your Group Policy editor and go to the `Computer Configuration\Administrative Templates\Network\WLAN Service\WLAN Settings\Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services` setting.
![Group Policy Editor, showing the Wi-Fi Sense setting](images/wifisense-grouppolicy.png)
2. Turn Wi-Fi Sense on (enabled) or off (disabled), based on your company's environment.
### Using the Registry Editor
You can manage your Wi-Fi Sense settings by using registry keys and the Registry Editor.
**To set up Wi-Fi Sense using the Registry Editor**
1. Open your Registry Editor and go to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config\`
2. Create and set a new **DWORD (32-bit) Value** named, **AutoConnectAllowedOEM**, with a **Value data** of **0 (zero)**.
<p>Setting this value to **0** turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings** screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see [How to configure Wi-Fi Sense on Windows 10 in an enterprise](https://go.microsoft.com/fwlink/p/?LinkId=620959).
![Registry Editor, showing the creation of a new DWORD value](images/wifisense-registry.png)
### Using the Windows Provisioning settings
You can manage your Wi-Fi Sense settings by changing the Windows provisioning setting, **WiFISenseAllowed**.
**To set up Wi-Fi Sense using WiFISenseAllowed**
- Change the Windows Provisioning setting, **WiFISenseAllowed**, to **0**.
<p>Setting this value to **0** turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings** screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Windows Provisioning settings reference topic, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620909).
### Using Unattended Windows Setup settings
If your company still uses Unattend, you can manage your Wi-Fi Sense settings by changing the Unattended Windows Setup setting, **WiFiSenseAllowed**.
**To set up Wi-Fi Sense using WiFISenseAllowed**
- Change the Unattended Windows Setup setting, **WiFISenseAllowed**, to **0**.
<p>Setting this value to **0** turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings** screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Unattended Windows Setup Reference topic, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620910).
### How employees can change their own Wi-Fi Sense settings
If you dont turn off the ability for your employees to use Wi-Fi Sense, they can turn it on locally by selecting **Settings &gt; Network & Internet &gt; Wi-Fi &gt; Manage Wi-Fi settings**, and then turning on **Connect to suggested open hotspots**.
![Wi-Fi Sense options shown to employees if it's not turned off](images/wifisense-settingscreens.png)
**Important**<br>The service that was used to share networks with Facebook friends, Outlook.com contacts, or Skype contacts is no longer available. This means:
The **Connect to networks shared by my contacts** setting will still appear in **Settings &gt; Network & Internet &gt; Wi-Fi &gt; Manage Wi-Fi settings** on your PC and in **Settings &gt; Network & wireless &gt; WiFi &gt; WiFi Sense** on your phone. However, this setting will have no effect now. Regardless of what its set to, networks wont be shared with your contacts. Your contacts wont be connected to networks youve shared with them, and you wont be connected to networks theyve shared with you.
Even if you selected **Automatically connect to networks shared by your contacts** when you first set up your Windows 10 device, you still wont be connected to networks your contacts have shared with you.
If you select the **Share network with my contacts** check box the first time you connect to a new network, the network wont be shared.
## Related topics
- [Wi-Fi Sense and Privacy](https://go.microsoft.com/fwlink/p/?LinkId=620911)
- [How to configure Wi-Fi Sense on Windows 10 in an enterprise](https://go.microsoft.com/fwlink/p/?LinkId=620959)
 
 

2
windows/manage/mandatory-user-profile.md
View File

@ -164,7 +164,7 @@ When a user is configured with a mandatory profile, Windows 10 starts as though
- [Manage Windows 10 Start layout and taskbar options](windows-10-start-layout-options-and-policies.md)
- [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md)
- [Windows Spotlight on the lock screen](windows-spotlight.md)
- [Windows Spotlight on the lock screen](../configure/windows-spotlight.md)
- [Configure devices without MDM](configure-devices-without-mdm.md)

262
windows/manage/product-ids-in-windows-10-mobile.md
View File

@ -1,262 +0,0 @@
---
title: Product IDs in Windows 10 Mobile (Windows 10)
description: You can use the product ID and Application User Model (AUMID) in Lockdown.xml to specify apps that will be available to the user.
ms.assetid: 31116BED-C16A-495A-BD44-93218A087A1C
keywords: ["lockdown"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: jdeckerMS
localizationpriority: high
---
# Product IDs in Windows 10 Mobile
**Applies to**
- Windows 10 Mobile
You can use the product ID and Application User Model (AUMID) in Lockdown.xml to specify apps that will be available to the user.
## Apps included in Windows 10 Mobile
The following table lists the product ID and AUMID for each app that is included in Windows 10 Mobile.
<table>
<thead>
<tr class="header">
<th align="left">App</th>
<th align="left">Product ID</th>
<th align="left">AUMID</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">Alarms and clock</td>
<td align="left">44F7D2B4-553D-4BEC-A8B7-634CE897ED5F</td>
<td align="left">Microsoft.WindowsAlarms_8wekyb3d8bbwe!App</td>
</tr>
<tr class="even">
<td align="left">Calculator</td>
<td align="left">B58171C6-C70C-4266-A2E8-8F9C994F4456</td>
<td align="left">Microsoft.WindowsCalculator_8wekyb3d8bbwe!App</td>
</tr>
<tr class="odd">
<td align="left">Camera</td>
<td align="left">F0D8FEFD-31CD-43A1-A45A-D0276DB069F1</td>
<td align="left">Microsoft.WindowsCamera_8wekyb3d8bbwe!App</td>
</tr>
<tr class="even">
<td align="left">Contact Support</td>
<td align="left">0DB5FCFF-4544-458A-B320-E352DFD9CA2B</td>
<td align="left">Windows.ContactSupport_cw5n1h2txyewy!App</td>
</tr>
<tr class="odd">
<td align="left">Cortana</td>
<td align="left">FD68DCF4-166F-4C55-A4CA-348020F71B94</td>
<td align="left">Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI</td>
</tr>
<tr class="even">
<td align="left">Excel</td>
<td align="left">EAD3E7C0-FAE6-4603-8699-6A448138F4DC</td>
<td align="left">Microsoft.Office.Excel_8wekyb3d8bbwe!microsoft.excel</td>
</tr>
<tr class="odd">
<td align="left">Facebook</td>
<td align="left">82A23635-5BD9-DF11-A844-00237DE2DB9E</td>
<td align="left">Microsoft.MSFacebook_8wekyb3d8bbwe!x82a236355bd9df11a84400237de2db9e</td>
</tr>
<tr class="even">
<td align="left">File Explorer</td>
<td align="left">C5E2524A-EA46-4F67-841F-6A9465D9D515</td>
<td align="left">c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy!App</td>
</tr>
<tr class="odd">
<td align="left">FM Radio</td>
<td align="left">F725010E-455D-4C09-AC48-BCDEF0D4B626</td>
<td align="left">N/A</td>
</tr>
<tr class="even">
<td align="left">Get Started</td>
<td align="left">B3726308-3D74-4A14-A84C-867C8C735C3C</td>
<td align="left">Microsoft.Getstarted_8wekyb3d8bbwe!App</td>
</tr>
<tr class="odd">
<td align="left">Groove Music</td>
<td align="left">D2B6A184-DA39-4C9A-9E0A-8B589B03DEC0</td>
<td align="left">Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic</td>
</tr>
<tr class="even">
<td align="left">Maps</td>
<td align="left">ED27A07E-AF57-416B-BC0C-2596B622EF7D</td>
<td align="left">Microsoft.WindowsMaps_8wekyb3d8bbwe!App</td>
</tr>
<tr class="odd">
<td align="left">Messaging</td>
<td align="left">27E26F40-E031-48A6-B130-D1F20388991A</td>
<td align="left">Microsoft.Messaging_8wekyb3d8bbwe!x27e26f40ye031y48a6yb130yd1f20388991ax</td>
</tr>
<tr class="even">
<td align="left">Microsoft Edge</td>
<td align="left">395589FB-5884-4709-B9DF-F7D558663FFD</td>
<td align="left">Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge</td>
</tr>
<tr class="odd">
<td align="left">Money</td>
<td align="left">1E0440F1-7ABF-4B9A-863D-177970EEFB5E</td>
<td align="left">Microsoft.BingFinance_8wekyb3d8bbwe!AppexFinance</td>
</tr>
<tr class="even">
<td align="left">Movies and TV</td>
<td align="left">6AFFE59E-0467-4701-851F-7AC026E21665</td>
<td align="left">Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo</td>
</tr>
<tr class="odd">
<td align="left">News</td>
<td align="left">9C3E8CAD-6702-4842-8F61-B8B33CC9CAF1</td>
<td align="left">Microsoft.BingNews_8wekyb3d8bbwe!AppexNews</td>
</tr>
<tr class="even">
<td align="left">OneDrive</td>
<td align="left">AD543082-80EC-45BB-AA02-FFE7F4182BA8</td>
<td align="left">Microsoft.MicrosoftSkydrive_8wekyb3d8bbwe!App</td>
</tr>
<tr class="odd">
<td align="left">OneNote</td>
<td align="left">CA05B3AB-F157-450C-8C49-A1F127F5E71D</td>
<td align="left">Microsoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim</td>
</tr>
<tr class="even">
<td align="left">Outlook Calendar</td>
<td align="left"><p>A558FEBA-85D7-4665-B5D8-A2FF9C19799B</p></td>
<td align="left"><p>Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Calendar</p></td>
</tr>
<tr class="odd">
<td align="left">Outlook Mail</td>
<td align="left"><p>A558FEBA-85D7-4665-B5D8-A2FF9C19799B</p></td>
<td align="left"><p>Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Mail</p></td>
</tr>
<tr class="even">
<td align="left">People</td>
<td align="left">60BE1FB8-3291-4B21-BD39-2221AB166481</td>
<td align="left">Microsoft.People_8wekyb3d8bbwe!xb94d6231y84ddy49a8yace3ybc955e769e85x</td>
</tr>
<tr class="odd">
<td align="left">Phone (dialer)</td>
<td align="left">F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7</td>
<td align="left">Microsoft.CommsPhone_8wekyb3d8bbwe!App</td>
</tr>
<tr class="even">
<td align="left">Photos</td>
<td align="left">FCA55E1B-B9A4-4289-882F-084EF4145005</td>
<td align="left">Microsoft.Windows.Photos_8wekyb3d8bbwe!App</td>
</tr>
<tr class="odd">
<td align="left">Podcasts</td>
<td align="left">C3215724-B279-4206-8C3E-61D1A9D63ED3</td>
<td align="left">Microsoft.MSPodcast_8wekyb3d8bbwe!xc3215724yb279y4206y8c3ey61d1a9d63ed3x</td>
</tr>
<tr class="even">
<td align="left">Powerpoint</td>
<td align="left">B50483C4-8046-4E1B-81BA-590B24935798</td>
<td align="left">Microsoft.Office.PowerPoint_8wekyb3d8bbwe!microsoft.pptim</td>
</tr>
<tr class="odd">
<td align="left">Settings</td>
<td align="left">2A4E62D8-8809-4787-89F8-69D0F01654FB</td>
<td align="left">2a4e62d8-8809-4787-89f8-69d0f01654fb_8wekyb3d8bbwe!App</td>
</tr>
<tr class="even">
<td align="left">Skype</td>
<td align="left">C3F8E570-68B3-4D6A-BDBB-C0A3F4360A51</td>
<td align="left">Microsoft.SkypeApp_kzf8qxf38zg5c!Skype.AppId</td>
</tr>
<tr class="odd">
<td align="left">Skype Video</td>
<td align="left">27E26F40-E031-48A6-B130-D1F20388991A</td>
<td align="left">Microsoft.Messaging_8wekyb3d8bbwe!App</td>
</tr>
<tr class="even">
<td align="left">Sports</td>
<td align="left">0F4C8C7E-7114-4E1E-A84C-50664DB13B17</td>
<td align="left">Microsoft.BingSports_8wekyb3d8bbwe!AppexSports</td>
</tr>
<tr class="odd">
<td align="left">Storage</td>
<td align="left">5B04B775-356B-4AA0-AAF8-6491FFEA564D</td>
<td align="left">N/A</td>
</tr>
<tr class="even">
<td align="left">Store</td>
<td align="left">7D47D89A-7900-47C5-93F2-46EB6D94C159</td>
<td align="left">Microsoft.WindowsStore_8wekyb3d8bbwe!App</td>
</tr>
<tr class="odd">
<td align="left">Voice recorder</td>
<td align="left">7311B9C5-A4E9-4C74-BC3C-55B06BA95AD0</td>
<td align="left">Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe!App</td>
</tr>
<tr class="even">
<td align="left">Wallet</td>
<td align="left">587A4577-7868-4745-A29E-F996203F1462</td>
<td align="left">Microsoft.MicrosoftWallet_8wekyb3d8bbwe!App</td>
</tr>
<tr class="odd">
<td align="left">Weather</td>
<td align="left">63C2A117-8604-44E7-8CEF-DF10BE3A57C8</td>
<td align="left">Microsoft.BingWeather_8wekyb3d8bbwe!App</td>
</tr>
<tr class="even">
<td align="left">Windows Feedback</td>
<td align="left">7604089D-D13F-4A2D-9998-33FC02B63CE3</td>
<td align="left">Microsoft.WindowsFeedback_8wekyb3d8bbwe!App</td>
</tr>
<tr class="odd">
<td align="left">Word</td>
<td align="left">258F115C-48F4-4ADB-9A68-1387E634459B</td>
<td align="left">Microsoft.Office.Word_8wekyb3d8bbwe!microsoft.word</td>
</tr>
<tr class="even">
<td align="left">Xbox</td>
<td align="left">B806836F-EEBE-41C9-8669-19E243B81B83</td>
<td align="left">Microsoft.XboxApp_8wekyb3d8bbwe!Microsoft.XboxApp</td>
</tr>
</tbody>
</table>
 
## Get product ID and AUMID for other apps
To get the product ID and AUMID for apps that are installed from Windows Store or installed locally ([side-loaded](https://go.microsoft.com/fwlink/p/?LinkID=623433)), use the following steps.
**Prerequisites**: a device with an SD card inserted and all apps installed that you want to get IDs for
1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) &gt; **Accounts** &gt; **Apps Corner**.
2. Tap **Apps**, tap to select the app that you want to get IDs for, and then tap done ![done button](images/doneicon.png)
3. Tap **advanced**, and then **tap export to SD card**.
4. Connect the device to a PC using USB, and then open the WEHLockdown.xml file on the SD card of the device to view the product ID and AUMID for each app.
## Related topics
[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)
[Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md)
 
 

89
windows/manage/set-up-a-device-for-anyone-to-use.md
View File

@ -1,89 +0,0 @@
---
title: Set up a device for anyone to use (kiosk mode) (Windows 10)
description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app.
ms.assetid: F1F4FF19-188C-4CDC-AABA-977639C53CA8
keywords: ["kiosk", "lockdown", "assigned access"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# Set up a device for anyone to use (kiosk mode)
**Applies to**
- Windows 10
- Windows 10 Mobile
**Looking for Windows Embedded 8.1 Industry information?**
- [Assigned Access]( https://go.microsoft.com/fwlink/p/?LinkId=613653)
You can configure a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise as a kiosk device, so that users can only interact with a single application that you select.
Do you need a computer that can only do one thing? For example:
- A device in the lobby that customers can use to view your product catalog.
- A portable device that drivers can use to check a route on a map.
- A device that a temporary worker uses to enter data.
The following table identifies the type of application that can be used on each Windows 10 edition to create a kiosk device.
> [!NOTE]  
> A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file.
 
| Windows 10 edition | Universal Windows app | Classic Windows application |
|--------------------|------------------------------------|--------------------------------------|
| Mobile | ![supported](images/checkmark.png) | ![unsupported](images/crossmark.png) |
| Mobile Enterprise | ![supported](images/checkmark.png) | ![unsupported](images/crossmark.png) |
| Pro | ![supported](images/checkmark.png) | ![unsupported](images/crossmark.png) |
| Enterprise | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) |
| Education | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) |
 
## In this section
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)</p></td>
<td align="left"><p>A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the <strong>assigned access</strong> feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use <strong>Shell Launcher</strong> to set a custom user interface as the shell.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)</p></td>
<td align="left"><p>A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise for kiosk mode by using the Apps Corner feature. You can also use the Enterprise Assigned Access configuration service provider (CSP) to configure a kiosk experience.</p></td>
</tr>
</tbody>
</table>
 ## Learn more
[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)
 
 

444
windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
View File

@ -1,444 +0,0 @@
---
title: Set up a kiosk on Windows 10 Pro, Enterprise, or Education (Windows 10)
description: A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education).
ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
keywords: ["assigned access", "kiosk", "lockdown"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# Set up a kiosk on Windows 10 Pro, Enterprise, or Education
**Applies to**
- Windows 10
> **Looking for Windows Embedded 8.1 Industry information?** See [Assigned Access]( https://go.microsoft.com/fwlink/p/?LinkId=613653)
A single-use or *kiosk* device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the **assigned access** feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use **Shell Launcher** to set a custom user interface as the shell. To return the device to the regular shell, see [Sign out of assigned access](#sign-out-of-assigned-access).
**Note**  
A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file.
 
## Other settings to lock down
For a more secure kiosk experience, we recommend that you make the following configuration changes to the device:
- Put device in **Tablet mode**.
If you want users to be able to use the touch (on screen) keyboard, go to **Settings** &gt; **System** &gt; **Tablet mode** and choose **On.**
- Hide **Ease of access** feature on the logon screen.
Go to **Control Panel** &gt; **Ease of Access** &gt; **Ease of Access Center**, and turn off all accessibility tools.
- Disable the hardware power button.
Go to **Power Options** &gt; **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
- Remove the power button from the sign-in screen.
Go to **Computer Configuration** &gt; **Windows Settings** &gt; **Security Settings** &gt; **Local Policies** &gt;**Security Options** &gt; **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.**
- Disable the camera.
Go to **Settings** &gt; **Privacy** &gt; **Camera**, and turn off **Let apps use my camera**.
- Turn off app notifications on the lock screen.
Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
- Disable removable media.
Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.
**Note**  
To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
 
## <a href="" id="assigned-access-method"></a>Assigned access method for Universal Windows apps
Using assigned access, Windows 10 runs the designated Universal Windows app above the lockscreen, so that the assigned access account has no access to any other functionality on the device. You have these choices for setting up assigned access:
| Method | Account type | Windows 10 edition |
| --- | --- | --- |
| [Use Settings on the PC](#set-up-assigned-access-in-pc-settings) | Local standard | Pro, Enterprise, Education |
| [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) | All (domain, local standard, local administrator, etc) | Enterprise, Education |
| [Create a provisioning package using Windows Imaging and Configuration Designer (ICD)](#icd) | All (domain, local standard, local administrator, etc) | Enterprise, Education |
| [Run a PowerShell script](#set-up-assigned-access-using-windows-powershell) | Local standard | Pro, Enterprise, Education |
### Requirements
- A domain or local user account.
- A Universal Windows app that is installed or provisioned for that account and is an above lock screen app. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). For details on building an above lock screen app, see [Kiosk apps for assigned access: Best practices](https://go.microsoft.com/fwlink/p/?LinkId=708386).
The app can be your own company app that you have made available in your own app Store. To set up assigned access using MDM or PowerShell, you also need the Application User Model ID (AUMID) for the app. [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867).
The Universal Windows app must be able to handle multiple views and cannot launch other apps or dialogs.
**Note**  
Assigned access does not work on a device that is connected to more than one monitor.
 
### Set up assigned access in PC settings
1. Go to **Start** &gt; **Settings** &gt; **Accounts** &gt; **Other users**.
2. Choose **Set up assigned access**.
3. Choose an account.
4. Choose an app. Only apps that can run above the lock screen will be displayed. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md).
5. Close **Settings** your choices are saved automatically, and will be applied the next time that user account logs on.
To remove assigned access, in step 3, choose **Don't use assigned access**.
### Set up assigned access in MDM
Assigned Access has one setting, KioskModeApp. In the KioskModeApp setting, you enter the user account name and AUMID for the app to run in kiosk mode.
[Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867).
[See the technical reference for the Assigned Access configuration service provider.](https://go.microsoft.com/fwlink/p/?LinkId=626608)
### <a href="" id="icd"></a>Set up assigned access using Windows Imaging and Configuration Designer (ICD)
Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device as a kiosk. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
> **Important**
When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
**Create a provisioning package for a kiosk device**
1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
2. Choose **Advanced provisioning**.
3. Name your project, and click **Next**.
4. Choose **All Windows desktop editions** and click **Next**.
5. On **New project**, click **Finish**. The workspace for your package opens.
6. Expand **Runtime settings** &gt; **AssignedAccess**, and click **AssignedAccessSettings**.
7. Enter a string to specify the user account and app (by AUMID). For example:
"Account":"contoso\\\\kiosk","AUMID":"8f82d991-f842-44c3-9a95-521b58fc2084"
8. On the **File** menu, select **Save.**
9. On the **Export** menu, select **Provisioning package**.
10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package.
12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location.
Optionally, you can click **Browse** to change the default output location.
13. Click **Next**.
14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
**Apply the provisioning package**
1. Select the provisioning package that you want to apply, double-click the file, and then allow admin privileges.
2. Consent to allow the package to be installed.
After you allow the package to be installed, the settings will be applied to the device
[Learn how to apply a provisioning package in audit mode or OOBE.](https://go.microsoft.com/fwlink/p/?LinkID=692012)
### Set up assigned access using Windows PowerShell
You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices.
To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator.
```
Set-AssignedAccess -AppUserModelId <AUMID> -UserName <username>
```
```
Set-AssignedAccess -AppUserModelId <AUMID> -UserSID <usersid>
```
```
Set-AssignedAccess -AppName <CustomApp> -UserName <username>
```
```
Set-AssignedAccess -AppName <CustomApp> -UserSID <usersid>
```
> **Note:** To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once.
[Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867).
[Learn how to get the AppName](https://msdn.microsoft.com/library/windows/hardware/mt620046%28v=vs.85%29.aspx) (see **Parameters**).
[Learn how to get the SID](https://go.microsoft.com/fwlink/p/?LinkId=615517).
To remove assigned access, using PowerShell, run the following cmdlet.
```
Clear-AssignedAccess
```
### Set up automatic logon
When your kiosk device restarts, whether from an update or power outage, you can log on the assigned access account manually or you can configure the device to log on to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic logon.
Edit the registry to have an account automatically logged on.
1. Open Registry Editor (regedit.exe).
**Note**  
If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002).
 
2. Go to
**HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon**
3. Set the values for the following keys.
- *AutoAdminLogon*: set value as **1**.
- *DefaultUserName*: set value as the account that you want logged in.
- *DefaultPassword*: set value as the password for the account.
> **Note**  If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** &gt; **String Value**.
- *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key.
4. Close Registry Editor. The next time the computer restarts, the account will be logged on automatically.
### Sign out of assigned access
To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account.
If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key:
**HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI**
To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
## <a href="" id="local-user-policy"></a>Shell Launcher for Classic Windows applications
Using Shell Launcher, you can configure a kiosk device that runs a Classic Windows application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on.
### Requirements
- A domain or local user account.
- A Classic Windows application that is installed for that account. The app can be your own company application or a common app like Internet Explorer.
[See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603)
### Configure Shell Launcher
To set a Classic Windows application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell.
**To turn on Shell Launcher in Windows features**
1. Go to Control Panel &gt; **Programs and Features** &gt; **Turn Windows features on or off**.
2. Select **Embedded Shell Launcher** and **OK**.
Alternatively, you can turn on Shell Launcher using the Deployment Image Servicing and Management (DISM.exe) tool.
**To turn on Shell Launcher using DISM**
1. Open a command prompt as an administrator.
2. Enter the following command.
```
Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher
```
**To set your custom shell**
Modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device.
```
# Check if shell launcher license is enabled
function Check-ShellLauncherLicenseEnabled
{
[string]$source = @"
using System;
using System.Runtime.InteropServices;
static class CheckShellLauncherLicense
{
const int S_OK = 0;
public static bool IsShellLauncherLicenseEnabled()
{
int enabled = 0;
if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) {
enabled = 0;
}
return (enabled != 0);
}
static class NativeMethods
{
[DllImport("Slc.dll")]
internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value);
}
}
"@
$type = Add-Type -TypeDefinition $source -PassThru
return $type[0]::IsShellLauncherLicenseEnabled()
}
[bool]$result = $false
$result = Check-ShellLauncherLicenseEnabled
"`nShell Launcher license enabled is set to " + $result
if (-not($result))
{
"`nThis device doesn't have required license to use Shell Launcher"
exit
}
$COMPUTER = "localhost"
$NAMESPACE = "root\standardcimv2\embedded"
# Create a handle to the class instance so we can call the static methods.
try {
$ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting"
} catch [Exception] {
write-host $_.Exception.Message;
write-host "Make sure Shell Launcher feature is enabled"
exit
}
# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
$Admins_SID = "S-1-5-32-544"
# Create a function to retrieve the SID for a user account on a machine.
function Get-UsernameSID($AccountName) {
$NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
$NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
return $NTUserSID.Value
}
# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script.
$Cashier_SID = Get-UsernameSID("Cashier")
# Define actions to take when the shell program exits.
$restart_shell = 0
$restart_device = 1
$shutdown_device = 2
# Examples. You can change these examples to use the program that you want to use as the shell.
# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed.
$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device)
# Display the default shell to verify that it was added correctly.
$DefaultShellObject = $ShellLauncherClass.GetDefaultShell()
"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction
# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed.
$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell)
# Set Explorer as the shell for administrators.
$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe")
# View all the custom shells defined.
"`nCurrent settings for custom shells:"
Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction
# Enable Shell Launcher
$ShellLauncherClass.SetEnabled($TRUE)
$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
# Remove the new custom shells.
$ShellLauncherClass.RemoveCustomShell($Admins_SID)
$ShellLauncherClass.RemoveCustomShell($Cashier_SID)
# Disable Shell Launcher
$ShellLauncherClass.SetEnabled($FALSE)
$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
```
## Related topics
[Set up a device for anyone to use](set-up-a-device-for-anyone-to-use.md)
[Set up a kiosk for Windows 10 for mobile edition](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
[Manage and update Windows 10](index.md)
 
 

199
windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
View File

@ -1,199 +0,0 @@
---
title: Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise (Windows 10)
description: A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings.
ms.assetid: 35EC82D8-D9E8-45C3-84E9-B0C8C167BFF7
keywords: kiosk, lockdown, assigned access
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: jdeckerMS
localizationpriority: high
---
# Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise
**Applies to**
- Windows 10 Mobile
A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise for kiosk mode by using the Apps Corner feature. You can also use the Enterprise Assigned Access configuration service provider (CSP) to configure a kiosk experience.
**Note**  
The specified app must be an above lock screen app. For details on building an above lock screen app, see [Kiosk apps for assigned access: Best practices](https://go.microsoft.com/fwlink/p/?LinkId=708386).
 
## Apps Corner
Apps Corner lets you set up a custom Start screen on your Windows 10 Mobile or Windows 10 Mobile Enterprise device, where you can share only the apps you choose with the people you let use your device. You configure a device for kiosk mode by selecting a single app to use in Apps Corner.
**To set up Apps Corner**
1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) &gt; **Accounts** &gt; **Apps Corner**.
2. Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done ![](images/doneicon.png)
3. If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. Press **Back** ![back](images/backicon.png) to the Apps Corner settings.
4. Turn **Action center** on or off, depending on whether you want people to be able to use these features when using the device in kiosk mode.
5. Tap **advanced**, and then turn features on or off, depending on whether you want people to be able to use them.
6. Press **Back** ![back](images/backicon.png) when you're done.
**To use Apps Corner**
1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) &gt; **Accounts** &gt; **Apps Corner** &gt; launch ![launch](images/launchicon.png).
**Tip**  
Want to get to Apps Corner with one tap? In **Settings**, tap **Apps Corner** &gt; **pin** to pin the Apps Corner tile to your Start screen.
 
2. Give the device to someone else, so they can use the device and only the one app you chose.
3. When they're done and you get the device back, press and hold Power ![power](images/powericon.png), and then swipe right to exit Apps Corner.
## Enterprise Assigned Access
Enterprise Assigned Access allows you to lock down your Windows 10 Mobile or Windows 10 Mobile Enterprise device in kiosk mode by creating a user role that has only a single app, set to run automatically, in the Allow list.
**Note**  The app can be a Universal Windows app, Universal Windows Phone 8 app, or a legacy Silverlight app.
 
### Set up Enterprise Assigned Access in MDM
In AssignedAccessXml, for Application, you enter the product ID for the app to run in kiosk mode. Find product IDs at [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md).
[See the technical reference for the Enterprise Assigned Access configuration service provider (CSP).](https://go.microsoft.com/fwlink/p/?LinkID=618601)
### Set up assigned access using Windows Imaging and Configuration Designer (ICD)
> **Important**
When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
**To create and apply a provisioning package for a kiosk device**
1. Create an *AssignedAccess*.xml file that specifies the app the device will run. (You can name use any file name.) For instructions on AssignedAccessXml, see [EnterpriseAssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=618601).
**Note**  
Do not escape the xml in *AssignedAccess*.xml file as Windows Imaging and Configuration Designer (ICD) will do that when building the package. Providing escaped xml in Windows ICD will cause building the package fail.
 
2. Open Windows ICD (by default, `%windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe`).
3. Choose **Advanced provisioning**.
4. Name your project, and click **Next**.
5. Choose **All Windows mobile editions** and click **Next**.
6. On **New project**, click **Finish**. The workspace for your package opens.
7. Expand **Runtime settings** &gt; **EmbeddedLockdownProfiles**, and click **AssignedAccessXml**.
8. Click **Browse** to select the *AssignedAccess*.xml file.
9. On the **File** menu, select **Save.**
10. On the **Export** menu, select **Provisioning package**.
11. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
12. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package.
13. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location.
Optionally, you can click **Browse** to change the default output location.
14. Click **Next**.
15. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
16. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
17. Select the **output location** link to go to the location of the package. You can distribute that .ppkg to mobile devices using any of the following methods:
- Removable media (USB/SD)
**To apply a provisioning package from removable media**
1. Copy the provisioning package file to the root directory on a micro SD card.
2. On the device, insert the micro SD card containing the provisioning package.
3. Go to **Settings** &gt; **Accounts** &gt; **Provisioning.**
4. Tap **Add a package**.
5. On the **Choose a method** screen, in the **Add from** dropdown menu, select **Removable Media**.
6. Select a package will list all available provisioning packages on the micro SD card. Tap the desired package, and then tap **Add**.
7. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**.
8. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device.
- Email
**To apply a provisioning package sent in email**
1. Send the provisioning package in email to an account on the device.
2. Open the email on the device, and then double-tap the attached file.
3. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**.
4. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device.
- USB tether (mobile only)
**To apply a provisioning package using USB tether**
1. Connect the device to your PC by USB.
2. Select the provisioning package that you want to use to provision the device, and then drag and drop the file to your device.
3. The provisioning package installation dialog will appear on the phone.
4. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**.
5. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device.
[Learn how to apply a provisioning package in audit mode or OOBE.](https://go.microsoft.com/fwlink/p/?LinkID=692012)
## Related topics
[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)
[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md)
 
 

517
windows/manage/settings-that-can-be-locked-down.md
View File

@ -1,517 +0,0 @@
---
title: Settings and quick actions that can be locked down in Windows 10 Mobile (Windows 10)
description: This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile.
ms.assetid: 69E2F202-D32B-4FAC-A83D-C3051DF02185
keywords: ["lockdown"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: jdeckerMS
localizationpriority: high
---
# Settings and quick actions that can be locked down in Windows 10 Mobile
**Applies to**
- Windows 10 Mobile
This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile.
## Settings lockdown
You can use Lockdown.xml to configure lockdown settings.
The following table lists the settings pages and page groups. Use the page name in the Settings section of Lockdown.xml. The Settings section contains an allow list of pages in the Settings app.
<table>
<thead>
<tr class="header">
<th align="left">Main menu</th>
<th align="left">Sub-menu</th>
<th align="left">Page name</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">System</td>
<td align="left"></td>
<td align="left">SettingsPageGroupPCSystem</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Display</td>
<td align="left">SettingsPageDisplay</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Notifications & actions</td>
<td align="left">SettingsPageAppsNotifications</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Phone</td>
<td align="left">SettingsPageCalls</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Messaging</td>
<td align="left">SettingsPageMessaging</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Battery</td>
<td align="left">SettingsPageBatterySaver</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Apps for websites</td>
<td align="left">SettingsPageAppsForWebsites</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Storage</td>
<td align="left">SettingsPageStorageSenseStorageOverview</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Driving mode</td>
<td align="left">SettingsPageDrivingMode</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Offline maps</td>
<td align="left">SettingsPageMaps</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">About</td>
<td align="left">SettingsPagePCSystemInfo</td>
</tr>
<tr class="even">
<td align="left">Devices</td>
<td align="left"></td>
<td align="left">SettingsPageGroupDevices</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Default camera</td>
<td align="left">SettingsPagePhotos</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Bluetooth</td>
<td align="left">SettingsPagePCSystemBluetooth</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">NFC</td>
<td align="left">SettingsPagePhoneNFC</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Mouse</td>
<td align="left">SettingsPageMouseTouchpad</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">USB</td>
<td align="left">SettingsPageUsb</td>
</tr>
<tr class="even">
<td align="left">Network and wireless</td>
<td align="left"></td>
<td align="left">SettingsPageGroupNetwork</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Cellular & SIM</td>
<td align="left">SettingsPageNetworkCellular</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Wi-Fi</td>
<td align="left">SettingsPageNetworkWiFi</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Airplane mode</td>
<td align="left">SettingsPageNetworkAirplaneMode</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Data usage</td>
<td align="left">SettingsPageDataSenseOverview</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Mobile hotspot</td>
<td align="left">SettingsPageNetworkMobileHotspot</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">VPN</td>
<td align="left">SettingsPageNetworkVPN</td>
</tr>
<tr class="odd">
<td align="left">Personalization</td>
<td align="left"></td>
<td align="left">SettingsPageGroupPersonalization</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Start</td>
<td align="left">SettingsPageBackGround</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Colors</td>
<td align="left">SettingsPageColors</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Sounds</td>
<td align="left">SettingsPageSounds</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Lock screen</td>
<td align="left">SettingsPageLockscreen</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Glance screen</td>
<td align="left">SettingsPageGlance</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Navigation bar</td>
<td align="left">SettingsNagivationBar</td>
</tr>
<tr class="odd">
<td align="left">Accounts</td>
<td align="left"></td>
<td align="left">SettingsPageGroupAccounts</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Your info</td>
<td align="left">SettingsPageAccountsPicture</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Sign-in options</td>
<td align="left">SettingsPageAccountsSignInOptions</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Email & app accounts</td>
<td align="left">SettingsPageAccountsEmailApp</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Access work or school</td>
<td align="left">SettingsPageWorkAccess</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Sync your settings</td>
<td align="left">SettingsPageAccountsSync</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left"><p>Apps corner</p>
<p>(disabled in Assigned Access)</p></td>
<td align="left">SettingsPageAppsCorner</td>
</tr>
<tr class="odd">
<td align="left">Time & language</td>
<td align="left"></td>
<td align="left">SettingsPageGroupTimeRegion</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Date & time</td>
<td align="left">SettingsPageTimeRegionDateTime</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Language</td>
<td align="left">SettingsPageTimeLanguage</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Region</td>
<td align="left">SettingsPageTimeRegion</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Keyboard</td>
<td align="left">SettingsPageKeyboard</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Speech</td>
<td align="left">SettingsPageSpeech</td>
</tr>
<tr class="odd">
<td align="left">Ease of access</td>
<td align="left"></td>
<td align="left">SettingsPageGroupEaseOfAccess</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Narrator</td>
<td align="left">SettingsPageEaseOfAccessNarrator</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Magnifier</td>
<td align="left">SettingsPageEaseOfAccessMagnifier</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">High contrast</td>
<td align="left">SettingsPageEaseOfAccessHighContrast</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Closed captions</td>
<td align="left">SettingsPageEaseOfAccessClosedCaptioning</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">More options</td>
<td align="left">SettingsPageEaseOfAccessMoreOptions</td>
</tr>
<tr class="odd">
<td align="left">Privacy</td>
<td align="left"></td>
<td align="left">SettingsPageGroupPrivacy</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Location</td>
<td align="left">SettingsPagePrivacyLocation</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Camera</td>
<td align="left">SettingsPagePrivacyWebcam</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Microphone</td>
<td align="left">SettingsPagePrivacyMicrophone</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Motion</td>
<td align="left">SettingsPagePrivacyMotionData</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Notifications</td>
<td align="left">SettingsPagePrivacyNotifications</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Speech. inking, & typing</td>
<td align="left">SettingsPagePrivacyPersonalization</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Account info</td>
<td align="left">SettingsPagePrivacyAccountInfo</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Contacts</td>
<td align="left">SettingsPagePrivacyContacts</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Calendar</td>
<td align="left">SettingsPagePrivacyCalendar</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Phone calls</td>
<td align="left">SettingsPagePrivacyPhoneCall</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Call history</td>
<td align="left">SettingsPagePrivacyCallHistory</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Email</td>
<td align="left">SettingsPagePrivacyEmail</td>
</tr><tr class="even">
<td align="left"></td>
<td align="left">Messaging</td>
<td align="left">SettingsPagePrivacyMessaging</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Radios</td>
<td align="left">SettingsPagePrivacyRadios</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Continue App Experiences</td>
<td align="left">SettingsPagePrivacyCDP</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Background apps</td>
<td align="left">SettingsPagePrivacyBackgroundApps</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Accessory apps</td>
<td align="left">SettingsPageAccessories</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Advertising ID</td>
<td align="left">SettingsPagePrivacyAdvertisingId</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Other devices</td>
<td align="left">SettingsPagePrivacyCustomPeripherals</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Feedback and diagnostics</td>
<td align="left">SettingsPagePrivacySIUFSettings</td>
</tr>
<tr class="odd">
<td align="left">Update and security</td>
<td align="left"></td>
<td align="left">SettingsPageGroupRestore</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Phone update</td>
<td align="left">SettingsPageRestoreMusUpdate</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Windows Insider Program</td>
<td align="left">SettingsPageFlights</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Device encryption</td>
<td align="left">SettingsPageGroupPCSystemDeviceEncryption</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Backup</td>
<td align="left">SettingsPageRestoreOneBackup</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Find my phone</td>
<td align="left">SettingsPageFindMyDevice</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">For developers</td>
<td align="left">SettingsPageSystemDeveloperOptions</td>
</tr>
<tr class="even">
<td align="left">OEM</td>
<td align="left"></td>
<td align="left">SettingsPageGroupExtensibility</td>
</tr>
<tr class="odd">
<td align="left"></td>
<td align="left">Extensibility</td>
<td align="left">SettingsPageExtensibility</td>
</tr>
</tbody>
</table>
 
## Quick actions lockdown
Quick action buttons are locked down in exactly the same way as Settings pages/groups. By default they are always conditional.
You can specify the quick actions as follows:
``` syntax
<Settings>
<System name="SystemSettings_System_Display_QuickAction_Brightness"/>
<System name="SystemSettings_System_Display_Internal_Rotation"/>
<System name="SystemSettings_QuickAction_WiFi"/>
<System name="SystemSettings_QuickAction_InternetSharing"/>
<System name="SystemSettings_QuickAction_CellularData"/>
<System name="SystemSettings_QuickAction_AirplaneMode"/>
<System name="SystemSettings_Privacy_LocationEnabledUserPhone"/>
<System name="SystemSettings_Network_VPN_QuickAction"/>
<System name="SystemSettings_Flashlight_Toggle"/>
<System name="SystemSettings_Device_BluetoothQuickAction"/>
<System name="SystemSettings_BatterySaver_LandingPage_OverrideControl" />
<System name="SystemSettings_QuickAction_QuietHours" />
<System name="SystemSettings_QuickAction_Camera" />
<System name="SystemSettings_Launcher_QuickNote" />
<System name="QuickActions_Launcher_AllSettings" />
<System name="QuickActions_Launcher_DeviceDiscovery" />
</Settings>
```
Some quick actions are dependent on related settings pages/page groups. When a dependent page/group is not available, then the corresponding quick action will also be hidden.
**Note**  
Dependent settings group/pages will be automatically enabled when a quick action is specified in the lockdown xml file. For example, if the Rotation quick setting is specified, the following group and page will automatically be added to the allow list: “SettingsPageSystemDisplay” and “SettingsPageDisplay”.
 
The following table lists the dependencies between quick actions and Settings groups/pages.
| Quick action | Settings group | Settings page |
|-----|-------|-------|
| SystemSettings\_System\_Display\_QuickAction\_Brightness | SettingsPageSystemDisplay| SettingsPageDisplay |
| SystemSettings\_System\_Display\_Internal\_Rotation | SettingsPageSystemDisplay | SettingsPageDisplay |
| SystemSettings\_QuickAction\_WiFi | SettingsPageNetworkWiFi | SettingsPageNetworkWiFi |
| SystemSettings\_QuickAction\_InternetSharing | SettingsPageNetworkInternetSharing | SettingsPageNetworkInternetSharing |
| SystemSettings\_QuickAction\_CellularData | SettingsGroupCellular | SettingsPageNetworkCellular |
| SystemSettings\_QuickAction\_AirplaneMode | SettingsPageNetworkAirplaneMode | SettingsPageNetworkAirplaneMode |
| SystemSettings\_Privacy\_LocationEnabledUserPhone | SettingsGroupPrivacyLocationGlobals | SettingsPagePrivacyLocation |
| SystemSettings\_Network\_VPN\_QuickAction | SettingsPageNetworkVPN | SettingsPageNetworkVPN |
| SystemSettings\_Launcher\_QuickNote | N/A | N/A |
| SystemSettings\_Flashlight\_Toggle | N/A | N/A |
| SystemSettings\_Device\_BluetoothQuickAction | SettingsPagePCSystemBluetooth | SettingsPagePCSystemBluetooth |
| SystemSettings\_BatterySaver\_LandingPage\_OverrideControl | BatterySaver\_LandingPage\_SettingsConfiguration | SettingsPageBatterySaver |
| QuickActions\_Launcher\_DeviceDiscovery | N/A | N/A |
| QuickActions\_Launcher\_AllSettings | N/A | N/A |
| SystemSettings\_QuickAction\_QuietHours | N/A | N/A |
| SystemSettings\_QuickAction\_Camera | N/A | N/A |
 
## Related topics
[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)
[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md)
 
 

495
windows/manage/start-layout-xml-desktop.md
View File

@ -1,495 +0,0 @@
---
title: Start layout XML for desktop editions of Windows 10 (Windows 10)
description: This topic describes the options for customizing Start layout in LayoutModification.xml for Windows 10 desktop editions.
keywords: ["start screen"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# Start layout XML for desktop editions of Windows 10 (reference)
**Applies to**
- Windows 10
>**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
On Windows 10 for desktop editions, the customized Start works by:
- Windows 10 checks the chosen base default layout, such as the desktop edition and whether Cortana is supported for the country/region.
- Windows 10 reads the LayoutModification.xml file and allows groups to be appended to Start. The groups have the following constraints:
- 2 groups that are 6 columns wide, or equivalent to the width of 3 medium tiles.
- 2 medium-sized tile rows in height. Windows 10 ignores any tiles that are pinned beyond the second row.
- No limit to the number of apps that can be pinned. There is a theoretical limit of 24 tiles per group (4 small tiles per medium square x 3 columns x 2 rows).
>[!NOTE]
>Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/en-US/library/jj649079.aspx).
## LayoutModification XML
IT admins can provision the Start layout using a LayoutModification.xml file. This file supports several mechanisms to modify or replace the default Start layout and its tiles. The easiest method for creating a LayoutModification.xml file is by using the Export-StartLayout cmdlet; see [Customize and export Start layout](customize-and-export-start-layout.md) for instructions.
>[!NOTE]
>To make sure the Start layout XML parser processes your file correctly, follow these guidelines when working with your LayoutModification.xml file:
>- Do not leave spaces or white lines in between each element.
>- Do not add comments inside the StartLayout node or any of its children elements.
>- Do not add multiple rows of comments.
The following table lists the supported elements and attributes for the LayoutModification.xml file.
| Element | Attributes | Description |
| --- | --- | --- |
| LayoutModificationTemplate | xmlns</br>xmlns:defaultlayout</br>xmlns:start</br>Version | Use to describe the changes to the default Start layout |
| [LayoutOptions](#layoutoptions)</br></br>Parent:</br>LayoutModificationTemplate | StartTileGroupsColumnCount</br>FullScreenStart | Use to specify:</br>- Whether to use full screen Start on the desktop</br>- The number of tile columns in the Start menu |
| RequiredStartGroupsCollection</br></br>Parent:</br>LayoutModificationTemplate | n/a | Use to contain collection of RequiredStartGroups |
| [RequiredStartGroups](#requiredstartgroups)</br></br>Parent:</br>RequiredStartGroupsCollection | Region | Use to contain the AppendGroup tags, which represent groups that can be appended to the default Start layout |
| [AppendGroup](#appendgroup)</br></br>Parent:</br>RequiredStartGroups | Name | Use to specify the tiles that need to be appended to the default Start layout |
| [start:Tile](#specify-start-tiles)</br></br>Parent:</br>AppendGroup | AppUserModelID</br>Size</br>Row</br>Column | Use to specify any of the following:</br>- A Universal Windows app</br>- A Windows 8 or Windows 8.1 app |
| start:DesktopApplicationTile</br></br>Parent:</br>AppendGroup | DesktopApplicationID</br>DesktopApplicationLinkPath</br>Size</br>Row</br>Column | Use to specify any of the following:</br>- A Windows desktop application with a known AppUserModelID</br>- An application in a known folder with a link in a legacy Start Menu folder</br>- A Windows desktop application link in a legacy Start Menu folder</br>- A Web link tile with an associated .url file that is in a legacy Start Menu folder |
| start:SecondaryTile</br></br>Parent:</br>AppendGroup | AppUserModelID</br>TileID</br>Arguments</br>DisplayName</br>Square150x150LogoUri</br>ShowNameOnSquare150x150Logo</br>ShowNameOnWide310x150Logo</br>Wide310x150LogoUri</br>BackgroundColor</br>ForegroundText</br>IsSuggestedApp</br>Size</br>Row</br>Column | Use to pin a Web link through a Microsoft Edge secondary tile |
| TopMFUApps</br></br>Parent:</br>LayoutModificationTemplate | n/a | Use to add up to 3 default apps to the frequently used apps section in the system area |
| Tile</br></br>Parent:</br>TopMFUApps | AppUserModelID | Use with the TopMFUApps tags to specify an app with a known AppUserModelID |
| DesktopApplicationTile</br></br>Parent:</br>TopMFUApps | LinkFilePath | Use with the TopMFUApps tags to specify an app without a known AppUserModelID |
| AppendOfficeSuite</br></br>Parent:</br>LayoutModificationTemplate | n/a | Use to add the in-box installed Office suite to Start</br></br>Do not use this tag with AppendDownloadOfficeTile |
| AppendDownloadOfficeTile</br></br>Parent:</br>LayoutModificationTemplate | n/a | Use to add a specific **Download Office** tile to a specific location in Start</br></br>Do not use this tag with AppendOfficeSuite |
### LayoutOptions
New devices running Windows 10 for desktop editions will default to a Start menu with 2 columns of tiles unless boot to tablet mode is enabled. Devices with screens that are under 10" have boot to tablet mode enabled by default. For these devices, users see the full screen Start on the desktop. You can adjust the following features:
- Boot to tablet mode can be set on or off.
- Set full screen Start on desktop to on or off.
To do this, add the LayoutOptions element in your LayoutModification.xml file and set the FullScreenStart attribute to true or false.
- Specify the number of columns in the Start menu to 1 or 2.
To do this, add the LayoutOptions element in your LayoutModification.xml file and set the StartTileGroupsColumnCount attribute to 1 or 2.
The following example shows how to use the LayoutOptions element to specify full screen Start on the desktop and to use 1 column in the Start menu:
```XML
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
Version="1">
<LayoutOptions
StartTileGroupsColumnCount="1"
FullScreenStart="true"
/>
</LayoutModificationTemplate>
```
For devices being upgraded to Windows 10 for desktop editions:
- Devices being upgraded from Windows 7 will default to a Start menu with 1 column.
- Devices being upgraded from Windows 8.1 or Windows 8.1 Upgrade will default to a Start menu with 2 columns.
### RequiredStartGroups
The **RequiredStartGroups** tag contains **AppendGroup** tags that represent groups that you can append to the default Start layout.
>[!IMPORTANT]
>For Windows 10 for desktop editions, you can add a maximum of two (2) **AppendGroup** tags per **RequiredStartGroups** tag.
You can also assign regions to the append groups in the **RequiredStartGroups** tag's using the optional **Region** attribute or you can use the multivariant capabilities in Windows provisioning. If you are using the **Region** attribute, you must use a two-letter country code to specify the country/region that the append group(s) apply to. To specify more than one country/region, use a pipe ("|") delimiter as shown in the following example:
```XML
<RequiredStartGroups
Region="DE|ES|FR|GB|IT|US">
```
If the country/region setting for the Windows device matches a **RequiredStartGroups**, then the tiles laid out within the **RequiredStartGroups** is applied to Start.
If you specify a region-agnostic **RequiredStartGroups** (or one without the optional Region attribute) then the region-agnostic **RequiredStartGroups** is applied to Start.
### AppendGroup
**AppendGroup** tags specify a group of tiles that will be appended to Start. There is a maximum of two **AppendGroup** tags allowed per **RequiredStartGroups** tag.
For Windows 10 for desktop editions, AppendGroup tags contain start:Tile, start:DesktopApplicationTile, or start:SecondaryTile tags.
You can specify any number of tiles in an **AppendGroup**, but you cannot specify a tile with a **Row** attribute greater than 4. The Start layout does not support overlapping tiles.
### Specify Start tiles
To pin tiles to Start, partners must use the right kind of tile depending on what you want to pin.
#### Tile size and coordinates
All tile types require a size (**Size**) and coordinates (**Row** and **Column**) attributes regardless of the tile type that you use when prepinning items to Start.
The following table describes the attributes that you must use to specify the size and location for the tile.
| Attribute | Description |
| --- | --- |
| Size | Determines how large the tile will be.</br></br>- 1x1 - small tile</br>- 2x2 - medium tile</br>- 4x2 - wide tile</br>- 4x4 - large tile |
| Row | Specifies the row where the tile will appear. |
| Column | Specifies the column where the tile will appear. |
For example, a tile with Size="2x2", Row="2", and Column="2" results in a tile located at (2,2) where (0,0) is the top-left corner of a group.
#### start:Tile
You can use the **start:Tile** tag to pin any of the following apps to Start:
- A Universal Windows app
- A Windows 8 app or Windows 8.1 app
To specify any one of these apps, you must set the **AppUserModelID** attribute to the application user model ID that's associated with the corresponding app.
The following example shows how to pin the Microsoft Edge Universal Windows app:
```XML
<start:Tile
AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge"
Size="2x2"
Row="0"
Column="0"/>
```
#### start:DesktopApplicationTile
You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop application to Start. There are two ways you can specify a Windows desktop application:
- By using a path to a shortcut link (.lnk file) to a Windows desktop application.
To pin a Windows desktop application through this method, you must first add the .lnk file in the specified location when the device first boots.
The following example shows how to pin the Command Prompt:
```XML
<start:DesktopApplicationTile
DesktopApplicationLinkPath="%appdata%\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk"
Size="2x2"
Row="0"
Column="4"/>
```
You must set the **DesktopApplicationLinkPath** attribute to the .lnk file that points to the Windows desktop application. The path also supports environment variables.
If you are pointing to a third-party Windows desktop application, you must put the .lnk file in a legacy Start Menu directory before first boot; for example, "%APPDATA%\Microsoft\Windows\Start Menu\Programs\" or the all users profile "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\".
- By using the application's application user model ID, if this is known. If the Windows desktop application doesn't have one, use the shortcut link option.
To pin a Windows desktop application through this method, you must set the **DesktopApplicationID** attribute to the application user model ID that's associated with the corresponding app.
The following example shows how to pin the Internet Explorer Windows desktop application:
```XML
<start:DesktopApplicationTile
DesktopApplicationID="Microsoft.Windows.Explorer"
Size="2x2"
Row="0"
Column="2"/>
```
You can also use the **start:DesktopApplicationTile** tag as one of the methods for pinning a Web link to Start. The other method is to use a Microsoft Edge secondary tile.
To pin a legacy .url shortcut to Start, you must create .url file (right-click on the desktop, select **New** > **Shortcut**, and then type a Web URL). You must add this .url file in a legacy Start Menu directory before first boot; for example, `%APPDATA%\Microsoft\Windows\Start Menu\Programs\` or the all users profile `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\`.
The following example shows how to create a tile of the Web site's URL, which you can treat similarly to a Windows desktop application tile:
```XML
<start:DesktopApplicationTile
DesktopApplicationID="http://www.contoso.com/"
Size="2x2"
Row="0"
Column="2"/>
```
#### start:SecondaryTile
You can use the **start:SecondaryTile** tag to pin a Web link through a Microsoft Edge secondary tile. This method doesn't require any additional action compared to the method of using legacy .url shortcuts (through the start:DesktopApplicationTile tag).
The following example shows how to create a tile of the Web site's URL using the Microsoft Edge secondary tile:
```XML
<start:SecondaryTile
AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge"
TileID="MyWeblinkTile"
Arguments="http://msn.com"
DisplayName="MySite"
Square150x150LogoUri="ms-appx:///Assets/MicrosoftEdgeSquare150x150.png"
Wide310x150LogoUri="ms-appx:///Assets/MicrosoftEdgeWide310x150.png"
ShowNameOnSquare150x150Logo="true"
ShowNameOnWide310x150Logo="false"
BackgroundColor="#FF112233"
Size="2x2"
Row="0"
Column="4"/>
```
The following table describes the other attributes that you can use with the **start:SecondaryTile** tag in addition to **Size**, **Row**, and **Column**.
| Attribute | Required/optional | Description |
| --- | --- | --- |
| AppUserModelID | Required | Must point to Microsoft Edge. |
| TileID | Required | Must uniquely identify your Web site tile. |
| Arguments | Required | Must contain the URL of your Web site. |
| DisplayName | Required | Must specify the text that you want users to see. |
| Square150x150LogoUri | Required | Specifies the logo to use on the 2x2 tile. |
| Wide310x150LogoUri | Optional | Specifies the logo to use on the 4x2 tile. |
| ShowNameOnSquare150x150Logo | Optional | Specifies whether the display name is shown on the 2x2 tile. The values you can use for this attribute are true or false. |
| ShowNameOnWide310x150Logo | Optional | Specifies whether the display name is shown on the 4x2 tile. The values you can use for this attribute are true or false. |
| BackgroundColor | Optional | Specifies the color of the tile. You can specify the value in ARGB hexadecimal (for example, #FF112233) or specify "transparent". |
| ForegroundText | Optional | Specifies the color of the foreground text. Set the value to either "light" or "dark". |
Secondary Microsoft Edge tiles have the same size and location behavior as a Universal Windows app, Windows 8 app, or Windows 8.1 app.
#### TopMFUApps
You can use the **TopMFUApps** tag to add up to 3 default apps to the frequently used apps section in the system area, which delivers system-driven lists to the user including important or frequently accessed system locations and recently installed apps.
You can use this tag to add:
- Apps with an **AppUserModelID** attribute - This includes Windows desktop applications that have a known application user model ID. Use a **Tile** tag with the **AppUserModelID** attribute set to the app's application user model ID.
- Apps without a **AppUserModelID** attribute - For these apps, you must create a .lnk file that points to the installed app and place the .lnk file in the `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs` directory. Use a **DesktopApplicationTile** tag with the **LinkFilePath** attribute set to the .lnk file name and path.
The following example shows how to modify your LayoutModification.xml file to add both kinds of apps to the system area in Start:
```XML
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
Version="1">
<TopMFUApps>
<Tile AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<Tile AppUserModelID="Microsoft.Getstarted_8wekyb3d8bbwe!App" />
<DesktopApplicationTile LinkFilePath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Win32App.lnk" />
</TopMFUApps>
</LayoutModificationTemplate>
```
#### AppendOfficeSuite
You can use the **AppendOfficeSuite** tag to add the in-box installed Office suite of apps to Start.
The following example shows how to add the **AppendOfficeSuite** tag to your LayoutModification.xml file to append the full Universal Office suite to Start:
```XML
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
Version="1">
<AppendOfficeSuite/>
</LayoutModificationTemplate>
```
#### AppendDownloadOfficeTile
You can use the **AppendDownloadOfficeTile** tag to append the Office trial installer to Start. This tag adds the Download Office tile to Start and the download tile will appear at the bottom right-hand side of the second group.
The following example shows how to add the **AppendDownloadOfficeTile** tag to your LayoutModification.xml file:
```XML
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
Version="1">
<AppendDownloadOfficeTile/>
</LayoutModificationTemplate>
```
## Sample LayoutModification.xml
The following sample LayoutModification.xml shows how you can configure the Start layout for devices running Windows 10 for desktop editions:
```XML
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
Version="1">
<RequiredStartGroupsCollection>
<RequiredStartGroups
Region="DE|ES|FR|GB|IT|US">
<AppendGroup
Name="Fabrikam Group 1">
<start:Tile
AppUserModelID="Microsoft.Office.Word_8wekyb3d8bbwe!microsoft.word"
Size="2x2"
Row="0"
Column="0"/>
<start:DesktopApplicationTile
DesktopApplicationID="Microsoft.Windows.Explorer"
Size="2x2"
Row="0"
Column="2"/>
<start:Tile
AppUserModelID="Microsoft.Office.Excel_8wekyb3d8bbwe!microsoft.excel"
Size="2x2"
Row="0"
Column="4"/>
</AppendGroup>
<AppendGroup
Name="Fabrikam Group 2">
<start:Tile
AppUserModelID="Microsoft.Reader_8wekyb3d8bbwe!Microsoft.Reader"
Size="2x2"
Row="0"
Column="0"/>
<start:DesktopApplicationTile
DesktopApplicationID="http://www.bing.com/"
Size="2x2"
Row="0"
Column="2"/>
<start:DesktopApplicationTile
DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk"
Size="2x2"
Row="0"
Column="4"/>
</AppendGroup>
</RequiredStartGroups>
<RequiredStartGroups>
<AppendGroup
Name="Fabrikam Group 1">
<start:Tile
AppUserModelID="Microsoft.Office.Word_8wekyb3d8bbwe!microsoft.word"
Size="2x2"
Row="0"
Column="0"/>
<start:SecondaryTile
AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge"
TileID="FabrikamWeblinkTile"
Arguments="http://www.fabrikam.com"
DisplayName="Fabrikam"
Square150x150LogoUri="ms-appx:///Assets/MicrosoftEdgeSquare150x150.png"
ShowNameOnSquare150x150Logo="true"
BackgroundColor="#FF112233"
Size="2x2"
Row="0"
Column="2"/>
</AppendGroup>
</RequiredStartGroups>
</RequiredStartGroupsCollection>
<TopMFUApps>
<Tile AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
</TopMFUApps>
</LayoutModificationTemplate>
```
## Use Windows Provisioning multivariant support
The Windows Provisioning multivariant capability allows you to declare target conditions that, when met, supply specific customizations for each variant condition. For Start customization, you can create specific layouts for each variant that you have. To do this, you must create a separate LayoutModification.xml file for each variant that you want to support and then include these in your provisioning package. For more information on how to do this, see [Create a provisioning package with multivariant settings](https://msdn.microsoft.com/library/windows/hardware/dn916108.aspx).
The provisioning engine chooses the right customization file based on the target conditions that were met, adds the file in the location that's specified for the setting, and then uses the specific file to customize Start. To differentiate between layouts, you can add modifiers to the LayoutModification.xml filename such as "LayoutCustomization1". Regardless of the modifier that you use, the provsioning engine will always output "LayoutCustomization.xml" so that the operating system has a consistent file name to query against.
For example, if you want to ensure that there's a specific layout for a certain condition, you can:
1. Create a specific layout customization file and then name it LayoutCustomization1.xml.
2. Include the file as part of your provisioning package.
3. Create your multivariant target and reference the XML file within the target condition in the main customization XML file.
The following example shows what the overall customization file might look like with multivariant support for Start:
```XML
<?xml version="1.0" encoding="utf-8"?>
<WindowsCustomizatons>
<PackageConfig xmlns="urn:schemas-Microsoft-com:Windows-ICD-Package-Config.v1.0">
<ID>{6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e}</ID>
<Name>My Provisioning Package</Name>
<Version>1.0</Version>
<OwnerType>OEM</OwnerType>
<Rank>50</Rank>
</PackageConfig>
<Settings xmlns="urn:schemas-microsoft-com:windows-provisioning">
<Customizations>
<Targets>
<Target Id="Processor ABC">
<TargetState>
<TargetState>
<Condition Name="ProcessorName" Value="Pattern:.*Celeron.*" />
<Condition Name="ProcessorType" Value="Pattern:.*I|intel.*" />
</TargetState>
</TargetState>
</Target>
</Targets>
<Common>
<Settings>
<Policies>
<AllowBrowser>1</AllowBrowser>
<AllowCamera>1</AllowCamera>
<AllowBluetooth>1</AllowBluetooth>
</Policies>
<HotSpot>
<Enabled>1</Enabled>
</HotSpot>
</Settings>
</Common>
<Variant>
<TargetRefs>
<TargetRef Id="Processor ABC" />
</TargetRefs>
<Settings>
<StartLayout>c:\users\<userprofile>\appdata\local\Microsoft\Windows\Shell\LayoutCustomization1.XML</StartLayout>
<HotSpot>
<Enabled>1</Enabled>
</HotSpot>
</Settings>
</Variant>
</Customizations>
</Settings>
</WindowsCustomizatons>
```
When the condition is met, the provisioning engine takes the XML file and places it in the location that the operating system has set and then the Start subsystem reads the file and applies the specific customized layout.
You must repeat this process for all variants that you want to support so that each variant can have a distinct layout for each of the conditions and targets that need to be supported. For example, if you add a **Language** condition, you can create a Start layout that has its own localized group.
## Add the LayoutModification.xml file to the device
Once you have created your LayoutModification.xml file to customize devices that will run Windows 10 for desktop editions, you can use Windows ICD methods to add the XML file to the device.
1. In the **Available customizations** pane, expand **Runtime settings**, select **Start** and then click the **StartLayout** setting.
2. In the middle pane, click **Browse** to open File Explorer.
3. In the File Explorer window, navigate to the location where you saved your LayoutModification.xml file.
4. Select the file and then click **Open**.
This should set the value of **StartLayout**. The setting appears in the **Selected customizations** pane.
>[!NOTE]
>There is currently no way to add the .url and .lnk files through Windows ICD.
Once you have created the LayoutModification.xml file and it is present in the device, the system overrides the base default layout and any Unattend settings used to customize Start.
## Related topics
[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
[Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)
 
 

392
windows/manage/start-layout-xml-mobile.md
View File

@ -1,392 +0,0 @@
---
title: Start layout XML for mobile editions of Windows 10 (Windows 10)
description: This topic describes the options for customizing Start layout in LayoutModification.xml for Windows 10 mobile editions.
keywords: ["start screen"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# Start layout XML for mobile editions of Windows 10 (reference)
**Applies to**
- Windows 10
>**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
On Windows 10 Mobile, you can use the XML-based layout to modify the Start screen and provide the most robust and complete Start customization experience.
On Windows 10 Mobile, the customized Start works by:
- Windows 10 performs checks to determine the correct base default layout. The checks include the mobile edition, whether the device is dual SIM, the column width, and whether Cortana is supported for the country/region.
- Windows 10 ensures that it does not overwrite the layout that you have set and will sequence the level checks and read the file layout such that any multivariant settings that you have set is not overwritten.
- Windows 10 reads the LayoutModification.xml file and appends the group to the Start screen.
## Default Start layouts
The following diagrams show the default Windows 10, version 1607 Start layouts for single SIM and dual SIM devices with Cortana support, and single SIM and dual SIM devices with no Cortana support.
![Start layout for Windows 10 Mobile](images\mobile-start-layout.png)
The diagrams show:
- Tile coordinates - These are determined by the row number and the column number.
- Fold - Tiles "above the fold" are visible when users first navigate to the Start screen. Tiles "below the fold" are visible after users scroll up.
- Partner-customizable tiles - OEM and mobile operator partners can customize these areas of the Start screen by prepinning content. The partner configurable slots are:
- Rows 6-9
- Rows 16-19
## LayoutModification XML
IT admins can provision the Start layout by creating a LayoutModification.xml file. This file supports several mechanisms to modify or replace the default Start layout and its tiles.
>[!NOTE]
>To make sure the Start layout XML parser processes your file correctly, follow these guidelines when writing your LayoutModification.xml file:
>- Do not leave spaces or white lines in between each element.
>- Do not add comments inside the StartLayout node or any of its children elements.
>- Do not add multiple rows of comments.
The following table lists the supported elements and attributes for the LayoutModification.xml file.
| Element | Attributes | Description |
| --- | --- | --- |
| LayoutModificationTemplate | xmlns</br>xmlns:defaultlayout</br>xmlns:start</br>Version | Use to describe the changes to the default Start layout. |
| DefaultLayoutOverride</br></br>Parent:</br>LayoutModificationTemplate | n/a | Use to specify the customized Start layout for mobile devices. |
| StartLayoutCollection</br></br>Parent:</br>DefaultLayoutOverride | n/a | Use to contain a collection of Start layouts. |
| StartLayout</br></br>Parent:</br>StartLayoutCollection | n/a | Use to specify the tile groups that will be appended to the Start screen. |
| start:Group</br></br>Parent:</br>StartLayout | Name | Use to specify the tiles that need to be appended to the default Start layout. |
| start:Tile</br></br>Parent:</br>start:Group | AppUserModelID</br>Size</br>Row</br>Column | Use to specify any Universal Windows app that has a valid **AppUserModelID** attribute. |
| start:SecondaryTile</br></br>Parent:</br>start:Group | AppUserModelID</br>TileID</br>Arguments</br>DisplayName</br>Square150x150LogoUri</br>ShowNameOnSquare150x150Logo</br>ShowNameOnWide310x150Logo</br>Wide310x150LogoUri</br>BackgroundColor</br>ForegroundText</br>IsSuggestedApp</br>Size</br>Row</br>Column | Use to pin a Web link through a Microsoft Edge secondary tile. |
| start:PhoneLegacyTile</br></br>Parent:</br>start:Group | ProductID</br>Size</br>Row</br>Column | Use to add a mobile app that has a valid **ProductID** attribute. |
| start:Folder</br></br>Parent:</br>start:Group | Name</br>Size</br>Row</br>Column | Use to add a folder to the mobile device's Start screen. |
| RequiredStartTiles</br></br>Parent:</br>LayoutModificationTemplate | n/a | Use to specify the tiles that will be pinned to the bottom of the Start screen even if a restored Start screen does not have the tiles during backup or restore. |
### start:Group
**start:Group** tags specify a group of tiles that will be appended to Start. You can set the **Name** attribute to specify a name for the Start group.
>[!NOTE]
>Windows 10 Mobile only supports one Start group.
For Windows 10 Mobile, **start:Group** tags can contain the following tags or elements:
- **start:Tile**
- **start:SecondaryTile**
- **start:PhoneLegacyTile**
- **start:Folder**
### Specify Start tiles
To pin tiles to Start, you must use the right kind of tile depending on what you want to pin.
#### Tile size and coordinates
All tile types require a size (**Size**) and coordinates (**Row** and **Column**) attributes regardless of the tile type that you use when prepinning items to Start.
The following table describes the attributes that you must use to specify the size and location for the tile.
| Attribute | Description |
| --- | --- |
| Size | Determines how large the tile will be. </br>- 1x1 - small tile</br>- 2x2 - medium tile</br>- 4x2 - wide tile</br>- 4x4 - large tile |
| Row | Specifies the row where the tile will appear. |
| Column | Specifies the column where the tile will appear. |
For example, a tile with Size="2x2", Row="2", and Column="2" results in a tile located at (2,2) where (0,0) is the top-left corner of a group.
#### start:Tile
You can use the **start:Tile** tag to pin a Universal Windows app to Start.
To specify an app, you must set the **AppUserModelID** attribute to the application user model ID that's associated with the corresponding app.
The following example shows how to pin the Microsoft Edge Universal Windows app:
```XML
<start:Tile
AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge"
Size="2x2"
Row="0"
Column="0"/>
```
#### start:SecondaryTile
You can use the **start:SecondaryTile** tag to pin a Web link through a Microsoft Edge secondary tile.
The following example shows how to create a tile of the Web site's URL using the Microsoft Edge secondary tile:
```XML
<start:SecondaryTile
AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge"
TileID="MyWeblinkTile"
Arguments="http://msn.com"
DisplayName="MySite"
Square150x150LogoUri="ms-appx:///Assets/MicrosoftEdgeSquare150x150.png"
Wide310x150LogoUri="ms-appx:///Assets/MicrosoftEdgeWide310x150.png"
ShowNameOnSquare150x150Logo="true"
ShowNameOnWide310x150Logo="false"
BackgroundColor="#FF112233"
Size="2x2"
Row="0"
Column="4"/>
```
The following table describes the other attributes that you can use with the **start:SecondaryTile** tag in addition to **Size**, **Row**, and **Column**.
| Attribute | Required/optional | Description |
| --- | --- | --- |
| AppUserModelID | Required | Must point to Microsoft Edge. |
| TileID | Required | Must uniquely identify your Web site tile. |
| Arguments | Required | Must contain the URL of your Web site. |
| DisplayName | Required | Must specify the text that you want users to see. |
| Square150x150LogoUri | Required | Specifies the logo to use on the 2x2 tile. |
| Wide310x150LogoUri | Optional | Specifies the logo to use on the 4x2 tile. |
| ShowNameOnSquare150x150Logo | Optional | Specifies whether the display name is shown on the 2x2 tile. You can set the value for this attribute to true or false. By default, this is set to false. |
| ShowNameOnWide310x150Logo | Optional | Specifies whether the display name is shown on the 4x2 tile. You can set the value for this attribute to true or false. By default, this is set to false. |
| BackgroundColor | Optional | Specifies the color of the tile. You can specify the value in ARGB hexadecimal (for example, #FF112233) or specify "transparent". |
| ForegroundText | Optional | Specifies the color of the foreground text. Set the value to either "light" or "dark". |
Secondary Microsoft Edge tiles have the same size and location behavior as a Universal Windows app.
#### start:PhoneLegacyTile
You can use the **start:PhoneLegacyTile** tag to add a mobile app that has a valid ProductID, which you can find in the app's manifest file. The **ProductID** attribute must be set to the GUID of the app.
The following example shows how to add a mobile app with a valid ProductID using the start:PhoneLegacyTile tag:
```XML
<start:PhoneLegacyTile
ProductID="{00000000-0000-0000-0000-000000000000}"
Size="2x2"
Row="0"
Column="2"/>
```
#### start:Folder
You can use the **start:Folder** tag to add a folder to the mobile device's Start screen.
You must set these attributes to specify the size and location of the folder: **Size**, **Row**, and **Column**.
Optionally, you can also specify a folder name by using the **Name** attribute. If you specify a name, set the value to a string.
The position of the tiles inside a folder is relative to the folder. You can add any of the following tile types to the folder:
- Tile - Use to pin a Universal Windows app to Start.
- SecondaryTile - Use to pin a Web link through a Microsoft Edge secondary tile.
- PhoneLegacyTile - Use to pin a mobile app that has a valid ProductID.
The following example shows how to add a medium folder that contains two apps inside it:
```XML
<start:Folder
Name="Contoso apps"
Size="2x2"
Row="0"
Column="2">
<start:Tile
AppUserModelID="Microsoft.BingMaps_8wekyb3d8bbwe!ApplicationID"
Size="2x2"
Row="0"
Column="0"/>
<start:PhoneLegacyTile
ProductID="{00000000-0000-0000-0000-000000000000}"
Size="1x1"
Row="0"
Column="2"/>
</start:Folder>
```
#### RequiredStartTiles
You can use the **RequiredStartTiles** tag to specify the tiles that will be pinned to the bottom of the Start screen even if a restored Start screen does not have the tiles during backup or restore.
>[!NOTE]
>Enabling this Start customization may be disruptive to the user experience.
For Windows 10 Mobile, **RequiredStartTiles** tags can contain the following tags or elements. These are similar to the tiles supported in **start:Group**.
- Tile - Use to pin a Universal Windows app to Start.
- SecondaryTile - Use to pin a Web link through a Microsoft Edge secondary tile.
- PhoneLegacyTile - Use to pin a mobile app that has a valid ProductID.
- Folder - Use to pin a folder to the mobile device's Start screen.
Tiles specified within the **RequiredStartTiles** tag have the following behavior:
- The partner-pinned tiles will begin in a new row at the end of the user-restored Start screen.
- If theres a duplicate tile between what the user has in their Start screen layout and what the OEM has pinned to the Start screen, only the app or tile shown in the user-restored Start screen layout will be shown and the duplicate tile will be omitted from the pinned partner tiles at the bottom of the Start screen.
The lack of duplication only applies to pinned apps. Pinned Web links may be duplicated.
- If partners have prepinned folders to the Start screen, Windows 10 treats these folders in the same way as appended apps on the Start screen. Duplicate folders will be removed.
- All partner tiles that are appended to the bottom of the user-restored Start screen will be medium-sized. There will be no gaps in the appended partner Start screen layout. Windows 10 will shift tiles accordingly to prevent gaps.
## Sample LayoutModification.xml
The following sample LayoutModification.xml shows how you can configure the Start layout for devices running Windows 10 Mobile:
```XML
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
Version="1">
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout>
<start:Group
Name="First Group">
<start:Tile
AppUserModelID="Microsoft.BingFinance_8wekyb3d8bbwe!ApplicationID"
Size="2x2"
Row="0"
Column="0"/>
<start:Tile
AppUserModelID="Microsoft.BingMaps_8wekyb3d8bbwe!ApplicationID"
Size="1x1"
Row="0"
Column="2"/>
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
<RequiredStartTiles>
<PhoneLegacyTile ProductID="{b00d3141-1caa-43aa-b0b5-78c1acf778fd}"/>
<PhoneLegacyTile ProductID="{C3F8E570-68B3-4D6A-BDBB-C0A3F4360A51}"/>
<PhoneLegacyTile ProductID="{C60904B7-8DF4-4C2E-A417-C8E1AB2E51C7}"/>
<Tile AppUserModelID="Microsoft.MicrosoftFeedback_8wekyb3d8bbwe!ApplicationID"/>
</RequiredStartTiles>
</LayoutModificationTemplate>
```
## Use Windows Provisioning multivariant support
The Windows Provisioning multivariant capability allows you to declare target conditions that, when met, supply specific customizations for each variant condition. For Start customization, you can create specific layouts for each variant that you have. To do this, you must create a separate LayoutModification.xml file for each variant that you want to support and then include these in your provisioning package. For more information on how to do this, see Create a provisioning package with multivariant settings.
The provisioning engine chooses the right customization file based on the target conditions that were met, adds the file in the location that's specified for the setting, and then uses the specific file to customize Start. To differentiate between layouts, you can add modifiers to the LayoutModification.xml filename such as "LayoutCustomization1". Regardless of the modifier that you use, the provsioning engine will always output "LayoutCustomization.xml" so that the OS has a consistent file name to query against.
For example, if you want to ensure that there's a specific layout for a certain mobile operator in a certain country/region, you can:
1. Create a specific layout customization file and then name it LayoutCustomization1.xml.
2. Include the file as part of your provisioning package.
3. Create your multivariant target and reference the XML file within the target condition in the main customization XML file.
The following example shows what the overall customization file might look like with multivariant support for Start:
```XML
<?xml version="1.0" encoding="utf-8"?>
<WindowsCustomizatons>
<PackageConfig xmlns="urn:schemas-Microsoft-com:Windows-ICD-Package-Config.v1.0">
<ID>{6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e}</ID>
<Name>My Provisioning Package</Name>
<Version>1.0</Version>
<OwnerType>OEM</OwnerType>
<Rank>50</Rank>
</PackageConfig>
<Settings xmlns="urn:schemas-microsoft-com:windows-provisioning">
<Customizations>
<Targets>
<Target Id="Operator XYZ">
<TargetState>
<Condition Name="MCC" Value="Range:310, 320" />
<Condition Name="MNC" Value="!Range:400, 550" />
</TargetState>
</Target>
<Target Id="Processor ABC">
<TargetState>
<TargetState>
<Condition Name="ProcessorName" Value="Pattern:.*Celeron.*" />
<Condition Name="ProcessorType" Value="Pattern:.*I|intel.*" />
</TargetState>
</TargetState>
</Target>
</Targets>
<Common>
<Settings>
<Policies>
<AllowBrowser>1</AllowBrowser>
<AllowCamera>1</AllowCamera>
<AllowBluetooth>1</AllowBluetooth>
</Policies>
<HotSpot>
<Enabled>1</Enabled>
</HotSpot>
</Settings>
</Common>
<Variant>
<TargetRefs>
<TargetRef Id="Operator XYZ" />
</TargetRefs>
<Settings>
<StartLayout>c:\users\<userprofile>\appdata\local\Microsoft\Windows\Shell\LayoutCustomization1.XML</StartLayout>
<HotSpot>
<Enabled>1</Enabled>
</HotSpot>
</Settings>
</Variant>
</Customizations>
</Settings>
</WindowsCustomizatons>
```
When the condition is met, the provisioning engine takes the XML file and places it in the location that Windows 10 has set and then the Start subsystem reads the file and applies the specific customized layout.
You must repeat this process for all variants that you want to support so that each variant can have a distinct layout for each of the conditions and targets that need to be supported. For example, if you add a **Language** condition, you can create a Start layout that has it's own localized group or folder titles.
## Add the LayoutModification.xml file to the image
Once you have created your LayoutModification.xml file to customize devices that will run Windows 10 Mobile, you can use Windows ICD to add the XML file to the device:
1. In the **Available customizations** pane, expand **Runtime settings**, select **Start** and then click the **StartLayout** setting.
2. In the middle pane, click **Browse** to open File Explorer.
3. In the File Explorer window, navigate to the location where you saved your LayoutModification.xml file.
4. Select the file and then click **Open**.
This should set the value of **StartLayout**. The setting appears in the **Selected customizations** pane.
## Related topics
[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
[Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)
 
 

124
windows/manage/stop-employees-from-using-the-windows-store.md
View File

@ -1,124 +0,0 @@
---
title: Configure access to Windows Store (Windows 10)
description: IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store.
ms.assetid: 7AA60D3D-2A69-45E7-AAB0-B8AFC29C2E97
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store, mobile
author: TrudyHa
localizationpriority: high
---
# Configure access to Windows Store
**Applies to**
- Windows 10
- Windows 10 Mobile
>For more info about the features and functionality that are supported in each edition of Windows, see [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
IT pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store.
## Options to configure access to Windows Store
You can use these tools to configure access to Windows Store: AppLocker or Group Policy. For Windows 10, this is only supported on Windows 10 Enterprise edition.
## <a href="" id="block-store-applocker"></a>Block Windows Store using AppLocker
Applies to: Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile
AppLocker provides policy-based access control management for applications. You can block access to Windows Store app with AppLocker by creating a rule for packaged apps. You'll give the name of the Windows Store app as the packaged app that you want to block from client computers.
For more information on AppLocker, see [What is AppLocker?](../keep-secure/what-is-applocker.md) For more information on creating an AppLocker rule for app packages, see [Create a rule for packaged apps](../keep-secure/create-a-rule-for-packaged-apps.md).
**To block Windows Store using AppLocker**
1. Type secpol in the search bar to find and start AppLocker.
2. In the console tree of the snap-in, click **Application Control Policies**, click **AppLocker**, and then click **Packaged app Rules**.
3. On the **Action** menu, or by right-clicking on **Packaged app Rules**, click **Create New Rule**.
4. On **Before You Begin**, click **Next**.
5. On **Permissions**, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**.
6. On **Publisher**, you can select **Use an installed app package as a reference**, and then click **Select**.
7. On **Select applications**, find and click **Store** under **Applications** column, and then click **OK**. Click **Next**.
[Create a rule for packaged apps](../keep-secure/create-a-rule-for-packaged-apps.md) has more information on reference options and setting the scope on packaged app rules.
8. Optional: On **Exceptions**, specify conditions by which to exclude files from being affected by the rule. This allows you to add exceptions based on the same rule reference and rule scope as you set before. Click **Next**.
## <a href="" id="block-store-group-policy"></a>Block Windows Store using Group Policy
Applies to: Windows 10 Enterprise, version 1511, Windows 10 Education
> [!Note]
> Not supported on Windows 10 Pro.
You can also use Group Policy to manage access to Windows Store.
**To block Windows Store using Group Policy**
1. Type gpedit in the search bar to find and start Group Policy Editor.
2. In the console tree of the snap-in, click **Computer Configuration**, click **Administrative Templates** , click **Windows Components**, and then click **Store**.
3. In the Setting pane, click **Turn off Store application**, and then click **Edit policy setting**.
4. On the **Turn off Store application** setting page, click **Enabled**, and then click **OK**.
## <a href="" id="block-store-mdm"></a>Block Windows Store using management tool
Applies to: Windows 10 Mobile
If you have mobile devices in your organization that you upgraded from earlier versions of Windows Phone 8 to Windows 10 Mobile, existing policies created using the Windows Phone 8.1 configuration service providers (CSP) with your MDM tool will continue to work on Windows 10 Mobile. If you are starting with Windows 10 Mobile, we recommend using [AppLocker](#block-store-applocker) to manage access to Windows Store app.
When your MDM tool supports Windows Store for Business, the MDM can use these CSPs to block Windows Store app:
- [Policy](https://go.microsoft.com/fwlink/p/?LinkId=717030)
- [EnterpriseAssignedAccess](https://msdn.microsoft.com/library/windows/hardware/mt157024.aspx) (Windows 10 Mobile, only)
For more information, see [Configure an MDM provider](configure-mdm-provider-windows-store-for-business.md).
## Show private store only using Group Policy
Applies to Windows 10 Enterprise, version 1607, Windows 10 Education
If you're using Windows Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Windows Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store.
**To show private store only in Windows Store app**
1. Type **gpedit** in the search bar, and then select **Edit group policy (Control panel)** to find and start Group Policy Editor.
2. In the console tree of the snap-in, go to **User Configuration** or **Computer Configuration** > **Administrative Templates** > **Windows Components**, and then click **Store**.
3. Right-click **Only display the private store within the Windows Store app** in the right pane, and click **Edit**.
This opens the **Only display the private store within the Windows Store app** policy settings.
4. On the **Only display the private store within the Windows Store app** setting page, click **Enabled**, and then click **OK**.
## Related topics
[Distribute apps using your private store](distribute-apps-from-your-private-store.md)
[Manage access to private store](manage-access-to-private-store.md)
 
 

4
windows/manage/uev-accessibility.md
View File

@ -1,4 +0,0 @@
---
title: Accessibility for UE-V
redirect_url: https://technet.microsoft.com/itpro/windows/manage/uev-for-windows
---

4
windows/manage/uev-privacy-statement.md
View File

@ -1,4 +0,0 @@
---
title: User Experience Virtualization Privacy Statement
redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/uev-security-considerations
---

130
windows/manage/update-compliance-get-started.md
View File

@ -1,130 +0,0 @@
---
title: Get started with Update Compliance (Windows 10)
description: Explains how to configure Update Compliance.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
---
# Get started with Update Compliance
This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance.
Steps are provided in sections that follow the recommended setup process:
1. Ensure that [prerequisites](#update-compliance-prerequisites) are met.
2. [Add Update Compliance](#add-update-compliance-to-microsoft-operatiions-management-suite) to Microsoft Operations Management Suite
3. [Deploy your Commercial ID](#deploy-your-commercial-id-to-your-windows-10-devices) to your organizations devices
## Update Compliance Prerequisites
Update Compliance has the following requirements:
1. Update Compliance is currently only compatible with Windows 10 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops).
2. The solution requires that Windows 10 telemetry is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) enabled. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md).
3. The telemetry of your organizations Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for different aspects of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on telemetry endpoints and summarizes the use of each endpoint:
<TABLE BORDER=1>
<TR><TD BGCOLOR="#cceeff">Service<TD BGCOLOR="#cceeff">Endpoint
<TR><TD>Connected User Experience and Telemetry component<TD>v10.vortex-win.data.microsoft.com
<BR>settings-win.data.microsoft.com
<TR><TD>Windows Error Reporting <TD>watson.telemetry.microsoft.com
<TR><TD>Online Crash Analysis <TD>oca.telemetry.microsoft.com
</TABLE>
## Add Update Compliance to Microsoft Operations Management Suite
Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
If you are already using OMS, youll find Update Compliance in the Solutions Gallery. Select the **Update Compliance** tile in the gallery and then click **Add** on the solution's details page. Update Compliance is now visible in your workspace.
If you are not yet using OMS, use the following steps to subscribe to OMS Update Compliance:
1. Go to [Operations Management Suites page](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**.
<P><TABLE BORDER=1><TR><TD>
<A HREF="images/uc-02.png"><img src="images/uc-02a.png"></A>
<TABLE>
2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
<P><TABLE BORDER=1><TR><TD>
<A HREF="images/uc-03.png"><img src="images/uc-03a.png"></A>
<TABLE>
3. Create a new OMS workspace.
<P><TABLE BORDER=1><TR><TD>
<A HREF="images/uc-04.png"><img src="images/uc-04a.png"></A>
<TABLE>
4. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Click **Create**.
<P><TABLE BORDER=1><TR><TD>
<A HREF="images/uc-05.png"><img src="images/uc-05a.png"></A>
<TABLE>
5. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organizations Azure administrator. If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. If you do not yet have an Azure subscription, follow [this guide](https://blogs.technet.microsoft.com/upgradeanalytics/2016/11/08/linking-operations-management-suite-workspaces-to-microsoft-azure/) to create and link an Azure subscription to an OMS workspace.
<P><TABLE BORDER=1><TR><TD>
<A HREF="images/uc-06.png"><img src="images/uc-06a.png"></A>
<TABLE>
6. To add the Update Compliance solution to your workspace, go to the Solutions Gallery.
<P><TABLE BORDER=1><TR><TD>
<A HREF="images/uc-07.png"><img src="images/uc-07a.png"></A>
<TABLE>
7. Select the **Update Compliance** tile in the gallery and then select **Add** on the solutions details page. You might need to scroll to find **Update Compliance**. The solution is now visible on your workspace.
<P><TABLE BORDER=1><TR><TD>
<A HREF="images/uc-08.png"><img src="images/uc-08a.png"></A>
<TABLE>
8. Click the **Update Compliance** tile to configure the solution. The **Settings Dashboard** opens.
<P><TABLE BORDER=1><TR><TD>
<A HREF="images/uc-09.png"><img src="images/uc-09a.png"></A>
<TABLE>
9. Click **Subscribe** to subscribe to OMS Update Compliance. You will then need to distribute your Commercial ID across all your organizations devices. More information on the Commercial ID is provided below.
<P><TABLE BORDER=1><TR><TD>
<A HREF="images/uc-10.png"><img src="images/uc-10a.png"></A>
<TABLE>
After you are subscribed to OMS Update Compliance and your devices have a Commercial ID, you will begin receiving data. It will typically take 24 hours for the first data to begin appearing. The following section explains how to deploy your Commercial ID to your Windows 10 devices.
>You can unsubscribe from the Update Compliance solution if you no longer want to monitor your organizations devices. User device data will continue to be shared with Microsoft while the opt-in keys are set on user devices and the proxy allows traffic.
## Deploy your Commercial ID to your Windows 10 devices
In order for your devices to show up in Windows Analytics: Update Compliance, they must be configured with your organizations Commercial ID. This is so that Microsoft knows that a given device is a member of your organization and to feed that devices data back to you. There are two primary methods for widespread deployment of your Commercial ID: Group Policy and Mobile Device Management (MDM).
- Using Group Policy<BR><BR>
Deploying your Commercial ID using Group Policy can be accomplished by configuring domain Group Policy Objects with the Group Policy Management Editor, or by configuring local Group Policy using the Local Group Policy Editor.
1. In the console tree, navigate to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**
2. Double-click **Configure the Commercial ID**
3. In the **Options** box, under **Commercial Id**, type the Commercial ID GUID, and then click **OK**.<P>
- Using Microsoft Mobile Device Management (MDM)<BR><BR>
Microsofts Mobile Device Management can be used to deploy your Commercial ID to your organizations devices. The Commercial ID is listed under **Provider/ProviderID/CommercialID**. More information on deployment using MDM can be found [here](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmclient-csp).
For information on how to use MDM configuration CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/en-us/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers).
When using the Intune console, you can use the OMA-URI settings of a [custom policy](https://go.microsoft.com/fwlink/p/?LinkID=616316) to configure the commercial ID. The OMA-URI (case sensitive) path for configuring the commerical ID is: <PRE>./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID</PRE>
For example, you can use the following values in **Add or edit OMA-URI Setting**:
**Setting Name**: Windows Analytics Commercial ID<BR>
**Setting Description**: Configuring commercial id for Windows Analytics solutions<BR>
**Data Type**: String<BR>
**OMA-URI (case sensitive)**: ./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID<BR>
**Value**: \<Use the GUID shown on the Windows Telemetry tab in your OMS workspace\><BR>
## Related topics
[Use Update Compliance to monitor Windows Updates](update-compliance-using.md)

59
windows/manage/update-compliance-monitor.md
View File

@ -1,59 +0,0 @@
---
title: Monitor Windows Updates with Update Compliance (Windows 10)
description: Introduction to Update Compliance.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
---
# Monitor Windows Updates with Update Compliance
## Introduction
With Windows 10, organizations need to change the way they approach monitoring and deploying updates. Update Compliance is a powerful set of tools that enable organizations to monitor and track all important aspects of Microsofts new servicing strategy: [Windows as a Service](waas-overview.md).
Update Compliance is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service which has a flexible servicing subscription based off data usage/retention. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
Update Compliance uses the Windows telemetry that is part of all Windows 10 devices. It collects system data including update installation progress, Windows Update for Business (WUfB) configuration data, and other update-specific information, and then sends this data privately to a secure cloud to be stored for analysis and usage within the solution.
Update Compliance provides the following:
- An overview of your organizations devices that just works.
- Dedicated drill-downs for devices that might need attention.
- An inventory of devices, including the version of Windows they are running and their update status.
- An overview of WUfB deferral configurations (Windows 10 Anniversary Update [1607] and later).
- Powerful built-in [log analytics](https://www.microsoft.com/en-us/cloud-platform/insight-and-analytics?WT.srch=1&WT.mc_id=AID529558_SEM_%5B_uniqid%5D&utm_source=Bing&utm_medium=CPC&utm_term=log%20analytics&utm_campaign=Hybrid_Cloud_Management) to create useful custom queries.
- Cloud-connected access utilizing Windows 10 telemetry means no need for new complex, customized infrastructure.
See the following topics in this guide for detailed information about configuring and use the Update Compliance solution:
- [Get started with Update Compliance](update-compliance-get-started.md): How to add Update Compliance to your environment.
- [Using Update Compliance](update-compliance-using.md): How to begin using Update Compliance.
An overview of the processes used by the Update Compliance solution is provided below.
## Update Compliance architecture
The Update Compliance architecture and data flow is summarized by the following five step process:
**(1)** User computers send telemetry data to a secure Microsoft data center using the Microsoft Data Management Service.<BR>
**(2)** Telemetry data is analyzed by the Update Compliance Data Service.<BR>
**(3)** Telemetry data is pushed from the Update Compliance Data Service to your OMS workspace.<BR>
**(4)** Telemetry data is available in the Update Compliance solution.<BR>
**(5)** You are able to monitor and troubleshoot Windows updates on your network.<BR>
These steps are illustrated in following diagram:
![Update Compliance architecture](images/uc-01.png)
>This process assumes that Windows telemetry is enabled and devices are assigned your Commercial ID.
## Related topics
[Get started with Update Compliance](update-compliance-get-started.md)<BR>
[Use Update Compliance to monitor Windows Updates](update-compliance-using.md)

354
windows/manage/update-compliance-using.md
View File

@ -1,354 +0,0 @@
---
title: Using Update Compliance (Windows 10)
description: Explains how to begin usihg Update Compliance.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
---
# Use Update Compliance to monitor Windows Updates
This section describes how to use Update Compliance to monitor Windows Updates and troubleshoot update failures on your network.
Update Compliance:
- Uses telemetry gathered from user devices to form an all-up view of Windows 10 devices in your organization.
- Enables you to maintain a high-level perspective on the progress and status of updates across all devices.
- Provides a workflow that can be used to quickly identify which devices require attention.
- Enables you to track deployment compliance targets for updates.
>Information is refreshed daily so that update progress can be monitored. Changes will be displayed about 24 hours after their occurrence, so you always have a recent snapshot of your devices.
In OMS, the aspects of a solution's dashboard are usually divided into <I>blades</I>. Blades are a slice of information, typically with a summarization tile and an enumeration of the items that makes up that data. All data is presented through <I>queries</I>. <I>Perspectives</I> are also possible, wherein a given query has a unique view designed to display custom data. The terminology of blades, tiles, and perspectives will be used in the sections that follow.
Update Compliance has the following primary blades:
1. [OS Update Overview](#os-update-overview)
2. [Overall Quality Update Status](#overall-quality-update-status)
3. [Latest and Previous Security Update Status](#latest-and-previous-security-update-status)
4. [Overall Feature Update Status](#overall-feature-update-status)
5. [CB, CBB, LTSB Deployment Status](#cb-cbb-ltsb-deployment-status)
6. [List of Queries](#list-of-queries)
## OS Update Overview
The first blade of OMS Update Compliance is the General **OS Update Overview** blade:
![OS Update Overview](images/uc-11.png)
This blade is divided into three sections:
- Device Summary:
- Needs Attention Summary
- Update Status Summary
The **Device Summary** displays the total number of devices in your organization. These devices have the commercial ID configured, telemetry enabled, and have sent telemetry to Microsoft within the last 28 days. The tile also shows the devices that Need Attention.
The **Needs Attention Summary** summarizes devices that require action on your part. There are multiple reasons why a device might need attention, and these reasons are categorized and summarized in the tile. You can view details about devices that are categorized as Needs Attention using a table view. The following **Needs Attention** states are defined:
<TABLE>
<TR><TD BGCOLOR="#cceeff">Needs Attention<TD BGCOLOR="#cceeff" ALIGN=left>Definition
<TR><TD>Out of Support<TD>Total number of devices that are no longer receiving servicing updates
<TR><TD>Update failed<TD>When a device has reported a failure at some stage in its update deployment process, it will report that the Update Failed. You can click on this to see the full set of devices with more details about the stage at which a failure was reported, when the device reported a failure, and other data.
<TR><TD>Missing 2+ Security Updates<TD>Total number of devices that are missing two or more security updates
<TR><TD>Update Progress Stalled<TD>Total number of devices where an update installation has been “in progress” for more than 7 days
</TABLE>
The **Update Status Summary** summarizes your organization's devices per the Windows 10 "Windows as a Service" (WaaS) model. For more information about WaaS, see [Overview of Windows as a service](waas-overview.md). Devices are categorized as: **Current**, **Up-to-date**, and **Not up-to-date**. See the following graphical representation of this model:<BR>
![Device states](images/uc-12.png)
Update Status Summary definitions:
<TABLE>
<TR><TD BGCOLOR="#cceeff">Update Status<TD BGCOLOR="#cceeff" ALIGN=left>Definition
<TR><TD>Current and Up-to-date<TD>A device that is current is on the latest and greatest Microsoft offers. It is on the very newest feature update (ex. The Windows Anniversary Update, RS1), on the very latest quality update for its servicing branch.
<TR><TD>Up-to-date<TD>A device that is up-to-date is on the latest quality update for its servicing option (CB, CBB, LTSB), and the device is running an OS that is supported by Microsoft.
<TR><TD>Not up-to-date<TD>A device does not have the latest quality update for its servicing option.
</TABLE>
## Overall Quality Update Status
**Overall Quality Update Status** is the second blade in Update Compliance. It has a donut data tile and lists the breakdown of the Up-to-date status of devices pivoted on OS version. See the following example:
![OS Quality Update Status](images/uc-13.png)
The donut tile offers a summary of all devices in your organization, divided into **Up-to-date** and **Not up-to-date**. Recall that devices that are current are also up-to-date.
The list view contains the breakdown of Up-to-date, Not up-to-date, and Update failed, all pivoted on OS version (e.g., 1507, 1511, 1607). Clicking on any of the rows of this list view will display the **OS Quality Update Summary Perspective** for that OS version.
## Latest and Previous Security Update Status
Security updates are extremely important to your organization, so in addition to an overall view of Quality Updates, the deployment status for the latest two security updates are displayed for each supported OS build offered by Microsoft.
![Latest security update status](images/uc-14.png)
For the latest security update, a doughnut chart is displayed across all OS builds with a count of installed, in progress/deferred, update failed, and unknown status relative to that update. Two table views are provided below the doughnut displaying the same breakdown for each OS build supported by Microsoft.
See the following definitions:
<TABLE>
<TR><TD BGCOLOR="#cceeff">Term<TD BGCOLOR="#cceeff" ALIGN=left>Definition
<TR><TD>OS Build<TD>The OS build + Revision for the OS Version. The build + revision is a one-to-one mapping of the given security update in this context.
<TR><TD>Version<TD>The OS Version corresponding to the OS build.
<TR><TD>Installed<TD>The count of devices that have the given security update installed. In the case that the latest security update is not latest quality update (that is, an update has since been released but it did not contain any security fixes), then devices that are on a newer update will also be counted.
<BR><BR>For the previous security update, a device will display as **Installed** until it has at least installed the latest security update.
<TR><TD>In Progress or Deferred<TD>The count of devices that are either currently in the process of installing the given security update, or are deferring the install as per their WUFB policy.
<BR><BR> All devices in this category for Previous Security Update Status are missing 2 or more security updates, and therefore qualify as needing attention.
<TR><TD>Update Failed<TD>The count of devices that were **In Progress** for the given security update, but failed at some point in the process. They will no longer be shown as **In Progress or deferred** in this case, and only be counted as **Update failed**.
<TR><TD>Status Unknown<TD>If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. Devices that are not using Windows Update are the most likely devices to fall into this category.
</TABLE>
## Overall Feature Update Status
Windows 10 has two main update types: Quality and Feature updates. The third blade in Update Compliance provides the most essential data about your organizations devices for feature updates.
Microsoft has developed terms to help specify the state of a given device for how it fits into the Windows as a Service (WaaS) model. There are three update states for a device:
- Current
- Up-to-date
- Not up-to-date
See the **Update Status Summary** description under [OS Update Overview](#os-update-overview) in this guide for definitions of these terms.
The Overall Feature Update Status blade focuses around whether or not your devices are considered Current. See the following example:
![Overall feature update status](images/uc-15.png)
Devices are evaluated by OS Version (e.g., 1607) and the count of how many are Current, Not Current, and have Update Failures is displayed. Clicking on any of these counts will allow you to view all those devices, as well as select the **Update Deployment Status** perspective, described below.
## CB, CBB, LTSB Deployment Status
Following the overview with respect to how current your organizations devices are, there are three tables that show feature update deployment for all devices. The devices are split up by which branch they are on, as this directly impacts whether they are supported (for example, 1607 may be supported under CBB, but not under CB). This allows you a quick glance at how deployment is progressing across your organization with respect to feature updates.
See the following example:
![CB deployment status](images/uc-16.png)
The three tables break down devices by feature update. For each OS version, the following columns provide counts of the possible device states:
<TABLE>
<TR><TD BGCOLOR="#cceeff">Deployment Status<TD BGCOLOR="#cceeff" ALIGN=left>Description
<TR><TD>Feature Update<TD>A concatenation of servicing branch (CB, CBB, LTSB) and OS Version (e.g., 1607)
<TR><TD>Installed<TD>The number of devices that have reported to be on the given servicing train and feature update.
<TR><TD>In progress<TD>The number of devices that have reported to be at some stage in the installation process for the given feature update.
<BR><BR>Example: Device X running CB 1507 could be installing CB 1607. In this example, X would count as both **Installed** for **CB 1507** and **In Progress** for **CB 1607**.
<TR><TD>Scheduled next 7 days<TD>The total number of devices that are set to have a deferral period expire within 7 days, and after that deferral period expires are targeted to install the given update.
<BR><BR>Example: Device Y running CB 1507 could be scheduled to install CB 1607 in 5 days. In this example, X would count as both **Installed** for **CB 1507** and **Scheduled next 7 days** for **CB 1607**
<TR><TD>Update Failed<TD>The total number of devices that were **In progress** with the installation for the given feature update, but encountered a failure.
<BR><BR>Example: Device X running CB 1507 could be installing CB 1607. X then encounters an error during installation. In this example, X would count as both **Installed** for **CB 1507** and **Update failed** for **CB 1607**, but not as **In progress** for **CB 1607**.
<TR><TD>Status Unknown<TD>For devices not using Windows Update to get updates, some information on deployment progress cannot be known. It is possible to know the current installed Feature Update for a device, but not which devices are **In Progress**, **Scheduled next 7 days**, or devices with **Update Failed**.
<BR><BR>Devices that Update Compliance knows belongs to your organization, but it does not know update failures or installation progress, will be counted here.
</TABLE>
## Quality Update Perspective
The Quality Update Deployment Status perspective is a breakdown of the most essential data the user should know about the status of their devices with respect to being Up-to-date. The perspective shows a summary of the organizations devices for one specific OS version, or build.
### Quality Update Build Summary
The build summary blade attempts to summarize the most important data points to the user for the given build. It is divided into two sections. The first section is a summary of devices for that build the total number of devices, and the amount that need attention. Each row within the table below is a breakdown of why each device requires attention. The rows can be interacted with to be taken to a larger table view that shows detailed information about all the devices that meet the given criteria. See the following example:
![Quality update build summary](images/uc-17.png)
### Quality Update Deferral Configurations
The next blade is the Deferral configuration blade, which shows the WUFB Deferral configurations for all devices that are using WUFB and are reporting to Update Compliance. If no information can be gathered from a device or it is not configured to use WUFB, it will show up as **Not configured (-1)**. See the following example:
![Quality Update Deferral Configurations](images/uc-18.png)
### Quality Update Deployment Status
Under the three top-level blades is the deployment status for the newest quality update for the given build. It provides information on the revision number as well as how many days it has been since that revision has been released. See the following example:
![Quality Update Deployment Status](images/uc-19.png)
See the following table for a description of last reported states for devices deploying that quality update.
<TABLE>
<TR><TD BGCOLOR="#cceeff">Deployment State<TD BGCOLOR="#cceeff" ALIGN=left>Description
<TR><TD>Update Completed<TD>When a device has finished the update process and is on the given update, it will display here as **Update completed**.
<TR><TD>In Progress<TD>Devices that are “in progress” installing an update will fall within this category. This category is detailed in the following blade: **Detailed Deployment Status**.
<TR><TD>Deferred<TD>If a devices WUfB deferral policy dictates that it is not set to receive this update, the device will show as Update deferred.
<TR><TD>Cancelled<TD>A device will report that the update has been cancelled if the user, at some point, cancelled the update on the device.
<TR><TD>Blocked<TD>Devices that are blocked are prevented from proceeding further with the given update. This could be because another update is paused, or some other task on the device must be performed before the update process can proceed.
</TABLE>
<P>
### Quality Update Detailed Deployment Status
This blade provides more detail on the deployment process for the update in the Deployment Status blade. This blade is more of a deployment funnel for devices, enabling you to see at a more granular level how devices are progressing along in their deployment. See the following example:
![Quality Update Detailed Deployment Status](images/uc-20.png)
>Devices that are not managed using Windows Update (Windows Update for Business or otherwise) will not have detailed deployment information.
The following table provides a list of the detailed deployment states a device can report:
<TABLE>
<TR><TD BGCOLOR="#cceeff">Detailed Deployment State<TD BGCOLOR="#cceeff" ALIGN=left>Description
<TR><TD>Update deferred<TD>The WUfB policy of the device dictates the update is deferred.
<TR><TD>Pre-Download Tasks Passed<TD>The device has finished all tasks necessary prior to downloading the update.
<TR><TD>Download Started<TD>The update has begun downloading on the device.
<TR><TD>Download Succeeded<TD>The device has successfully downloaded the update.
<TR><TD>Pre-Install Tasks Passed<TD>The device has downloaded the update successfully, and successfully passed all checks prior to beginning installation of the update.
<TR><TD>Install Started<TD>The device has begun installing the update.
<TR><TD>Reboot Required<TD>The device has finished installing the update, and a reboot is required before the update can be completed.
<TR><TD>Reboot Pending<TD>The device is pending a scheduled reboot before the update can be completed.
<TR><TD>Reboot Initiated<TD>The device has reported to have initiated the reboot process for completing the update.
<TR><TD>Update completed<TD>The device has completed installing, rebooting, and applying the update.
</TABLE>
## Feature Update Perspective
Like Quality Updates, the Feature Update Deployment Status perspective is a breakdown of information most essential to an administrator. This information is viewed by clicking on a given build on the Feature Update Status blade and then navigating to the **Update Deployment Status** pane as displayed previously. In Update Compliance, a perspective is assigned to a query; the query used to generate the perspective can be altered to show other information, if desired.
Every piece of data shown in this view can be clicked; when clicked, it will alter the query to focus only on the data you need. If the perspective is not meaningful after the query is altered, you can use the other data views like the List and Table.
>After clicking on an OS version from the Feature Update Status blade, the query must fully load the results before you can select the Update Deployment Status perspective.
### Feature Update Build Summary
The Build Summary blade provides a summary for all devices on the given build. It gives a count of all devices, as well as a count of all devices that need attention. Below the counts, you can see why the devices need attention, with a count of devices that fall into each category. See the following example:
![Feature Update Build Summary](images/uc-21.png)
### Feature Update Deferral Configuration
This blade shows all deferral configurations for the devices on the given build. See the following example:
![Feature Update Deferral Configuration](images/uc-22.png)
Deferral configurations are WUfB-specific, and are shown as days. Some useful information regarding how deferral configurations are shown:
- The devices are grouped based off what their deferral policy is set at. For feature updates, this can be up to 120 days.
- A deferral of zero days means the device has WUfB configured, but is set to not defer the update. These devices will be under “0” for the Update Deferred field.
- Devices that are not configured to use WUfB deferral policies have a “-1” for their deferral days. In this table, the devices will show up as “Not Configured (-1)”.
### Feature Update Deployment Status
As stated earlier in this section, the Feature Updates blade focuses on how Current your devices are. A device is only Current when it is on the latest feature update and quality update Microsoft offers. Thus, the Deployment Status blade displays the deployment status for devices regarding their deployment to the latest feature update. See the following example:
![Feature Update Deployment Status](images/uc-23.png)
This blade breaks down the main states a device can be in through the deployment of a feature update. The possible states are as follows:
<TABLE>
<TR><TD BGCOLOR="#cceeff">Deployment State<TD BGCOLOR="#cceeff" ALIGN=left>Description
<TR><TD>Update completed<TD>When a device has completely finished the update process and is on the given update, it will show up here as **Update completed**.
<TR><TD>Inprogress<TD>Devices “in progress” of installing the given update will fall within this category. This category is iterated on with further granularity in the proceeding blade, “Detailed Deployment Status”.
<TR><TD>Update deferred<TD>If a devices WUfB deferral policy dictates that it is not set to receive this update yet, the device will show as Update deferred.
<TR><TD>Cancelled<TD>A device will report that the update has been cancelled if the user, at some point, cancelled the update on the device.
<TR><TD>Blocked<TD>Devices that are blocked are prevented from proceeding further with the given update. This could be because another update is paused, or some other task on the device must be performed before the update process can proceed.
</TABLE>
<P>
### Feature Update Detailed Deployment Status
This blade provides more detail on the deployment process for the update in the Deployment Status blade. This blade is more of a deployment funnel for devices, enabling you to see at a more granular level how devices are progressing along in their deployment. See the following example:
![Feature Update Detailed Deployment Status](images/uc-24.png)
The following table displays all states a device can report:
<TABLE>
<TR><TD BGCOLOR="#cceeff">Detailed Deployment State<TD BGCOLOR="#cceeff" ALIGN=left>Description
<TR><TD>Update deferred<TD>The WUfB policy of the device dictates the update is deferred.
<TR><TD>Pre-Download Tasks Passed<TD>The device has finished all tasks necessary prior to downloading the update.
<TR><TD>Download Started<TD>The update has begun downloading on the device.
<TR><TD>Download Succeeded<TD>The device has successfully downloaded the update.
<TR><TD>Pre-Install Tasks Passed<TD>The device has downloaded the update successfully, and successfully passed all checks prior to beginning installation of the update.
<TR><TD>Install Started<TD>The device has begun installing the update.
<TR><TD>Reboot Required<TD>The device has finished installing the update, and a reboot is required before the update can be completed.
<TR><TD>Reboot Pending<TD>The device is pending a scheduled reboot before the update can be completed.
<TR><TD>Reboot Initiated<TD>The device has reported to have initiated the reboot process for completing the update.
<TR><TD>Update completed<TD>The device has completed installing, rebooting, and applying the update.
</TABLE>
## List of Queries
Operations Management Suite leverages its powerful Log Analytics querying to perform all data calculations. For this blade, we provide examples of queries that show useful data to the user about their organizations devices. See the following example:
![List of Queries](images/uc-25.png)
The following **Common queries** are available:
<TABLE>
<TR><TD BGCOLOR="#cceeff">Query Title<TD BGCOLOR="#cceeff" ALIGN=left>Description
<TR><TD>OS Security Update Status<TD>This query provides an all-up view with respect to how many devices are on the latest security update for their OS version. The table will detail an aggregated count of the number of devices, out of the total (so count, or percent) are on the latest security update for their OS build.
<TR><TD>Update Deployment Failures<TD>This query provides a chart view, displaying an aggregation of all devices that have reported a deployment failure for either feature or quality updates. The aggregation of the data is on the given update for which a given device has reported a deployment failure.
<TR><TD>Devices pending reboot to complete update<TD>This query will provide a table showing all devices that are at the stage of "Reboot Pending" In the update deployment process.<BR><BR>This query will show devices which are in this state for both feature and quality updates; the data will be organized on precisely which update the given device(s) are pending a reboot to install.
<TR><TD>Servicing Option Distribution for the devices<TD>This query provides a chart view that aggregates all devices seen by the solution on for each servicing option available for Windows 10 devices (CB, CBB, LTSB)
OS Distribution for the devices This query provides a chart view displaying the distribution of the different editions of Windows 10 that devices seen by the solution are running (e.g., Enterprise, Professional, Education, etc.)
<TR><TD>Deferral configurations for Feature Update<TD>This query provides a chart view which displays a breakdown of the different Feature Update deferral configurations through WUfB that the devices seen by the solution are using.<BR><BR>The configuration is in days. 0 days means the device has WUfB deferrals configured, but is not set to defer feature updates. -1 means the device has no feature update deferral policies configured.
<TR><TD>Pause configurations for Feature Update<TD>The WUfB policy
<TR><TD>Update deferred<TD>This query provides a chart view displaying the breakdown of devices that are either paused, or not paused for feature updates.<BR><BR>“Not configured” means the device is not paused. “Paused” means it is currently paused.
<TR><TD>Deferral configurations for Quality Update<TD>This query provides a chart view which displays a breakdown of the different Quality Update deferral configurations through WUfB that the devices seen by the solution are using.<BR><BR>The configuration is in days. 0 days means the device has WUfB deferrals configured, but is not set to defer quality updates. -1 means the device has no quality update deferral policies configured.
<TR><TD>Pause configurations for Quality Update<TD>This query provides to a chart view displaying the breakdown of devices that are either paused, or not paused for quality updates.<BR><BR>**Not configured** means the device is not paused. **Paused** means it is currently paused.
</TABLE>
## Related topics
[Get started with Update Compliance](update-compliance-get-started.md)

66
windows/manage/waas-branchcache.md
View File

@ -1,66 +0,0 @@
---
title: Configure BranchCache for Windows 10 updates (Windows 10)
description: Use BranchCache to optimize network bandwidth during update deployment.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
---
# Configure BranchCache for Windows 10 updates
**Applies to**
- Windows 10
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and its easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode.
- Distributed Cache mode operates like the [Delivery Optimization](waas-delivery-optimization.md) feature in Windows 10: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file.
>[!TIP]
>Distributed Cache mode is preferred to Hosted Cache mode for Windows 10 updates to get the most benefit from peer-to-peer distribution.
- In Hosted Cache mode, designated servers at specific locations act as a cache for files requested by clients in its area. Then, rather than clients retrieving files from a latent source, the hosted cache server provides the content on its behalf.
For detailed information about how Distributed Cache mode and Hosted Cache mode work, see [BranchCache Overview](https://technet.microsoft.com/library/dd637832(v=ws.10).aspx).
## Configure clients for BranchCache
Whether you use BranchCache with Configuration Manager or WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see [Client Configuration](https://technet.microsoft.com/library/dd637820%28v=ws.10%29.aspx) in the [BranchCache Early Adopters Guide](https://technet.microsoft.com/library/dd637762(v=ws.10).aspx).
In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows 10, simply set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode.
## Configure servers for BranchCache
You can use WSUS and Configuration Manager with BranchCache in Distributed Cache mode. BranchCache in Distributed Cache mode is easy to configure for both WSUS and System Center Configuration Manager.
For a step-by-step guide to configuring BranchCache on Windows Server devices, see the [BranchCache Deployment Guide (Windows Server 2012)](https://technet.microsoft.com/library/jj572990) or [BranchCache Deployment Guide (Windows Server 2016)](https://technet.microsoft.com/windows-server-docs/networking/branchcache/deploy/branchcache-deployment-guide).
In addition to these steps, there is one requirement for WSUS to be able to use BranchCache in either operating mode: the WSUS server must be configured to download updates locally on the server to a shared folder. This way, you can select BranchCache publication for the share. For Configuration Manager, you can enable BranchCache on distribution points; no other server-side configuration is necessary for Distributed Cache mode.
>[!NOTE]
>Configuration Manager only supports Distributed Cache mode.
## Related topics
- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
- [Overview of Windows as a service](waas-overview.md)
- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
- [Manage Windows 10 updates using Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)

233
windows/manage/waas-configure-wufb.md
View File

@ -1,233 +0,0 @@
---
title: Configure Windows Update for Business (Windows 10)
description: You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
---
# Configure Windows Update for Business
**Applies to**
- Windows 10
- Windows 10 Mobile
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for both Windows 10, version 1511, and Windows 10, version 1607. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx).
>[!IMPORTANT]
>For Windows Update for Business policies to be honored, the Telemetry level of the device must be set to **1 (Basic)** or higher. If it is set to **0 (Security)**, Windows Update for Business policies will have no effect. For instructions, see [Configure the operating system telemetry level](https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-telemetry-in-your-organization#configure-the-operating-system-telemetry-level).
Some Windows Update for Business policies are not applicable or behave differently for devices running Windows 10 Mobile Enterprise. Specifically, policies pertaining to Feature Updates will not be applied to Windows 10 Mobile Enterprise. All Windows 10 Mobile updates are recognized as Quality Updates, and can only be deferred or paused using the Quality Update policy settings. Additional information is provided in this topic and in [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md).
## Start by grouping devices
By grouping devices with similar deferral periods, administrators are able to cluster devices into deployment or validation groups which can be as a quality control measure as updates are deployed in Windows 10. With deferral windows and the ability to pause updates, administrators can effectively control and measure update deployments, updating a small pool of devices first to verify quality, prior to a broader roll-out to their organization. For more information, see [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md).
>[!TIP]
>In addition to setting up multiple rings for your update deployments, also incorporate devices enrolled in the Windows Insider Program as part of your deployment strategy. This will provide you the chance to not only evaluate new features before they are broadly available to the public, but it also increases the lead time to provide feedback and influence Microsofts design on functional aspects of the product. For more information on Windows Insider program, see [https://insider.windows.com/](https://insider.windows.com/).
## Configure devices for Current Branch (CB) or Current Branch for Business (CBB)
With Windows Update for Business, you can set a device to be on either the Current Branch (CB) or the Current Branch for Business (CBB) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](https://technet.microsoft.com/en-us/itpro/windows/manage/introduction-to-windows-10-servicing).
**Release branch policies**
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
| GPO for version 1607: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel |
| GPO for version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade |
| MDM for version 1607: </br>../Vendor/MSFT/Policy/Config/Update/</br>**BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel |
| MDM for version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**RequireDeferredUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
## Configure when devices receive Feature Updates
After you configure the servicing branch (CB or CBB), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of 180 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value.
>[!IMPORTANT]
>This policy does not apply to Windows 10 Mobile Enterprise.
**Examples**
| Settings | Scenario and behavior |
| --- | --- |
| Device is on CB</br>DeferFeatureUpdatesPeriodinDays=30 | Feature Update X is first publically available on Windows Update as a CB in January. Device will not receive update until February, 30 days later. |
| Device is on CBB</br>DeferFeatureUpdatesPeriodinDays=30 | Feature Update X is first publically available on Windows Update as a CB in January. Four months later, in April, Feature Update X is released to CBB. Device will receive the Feature Update 30 days following this CBB release and will update in May. |
</br></br>
**Defer Feature Updates policies**
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
| GPO for version 1607: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates</br>\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays |
| GPO for version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod |
| MDM for version 1607: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferFeatureUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays |
| MDM for version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
## Pause Feature Updates
You can also pause a device from receiving Feature Updates by a period of up to 60 days from when the value is set. After 60 days has passed, pause functionality will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, Feature Updates for the device can then be paused again.
>[!IMPORTANT]
>This policy does not apply to Windows 10 Mobile Enterprise.
**Pause Feature Updates policies**
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
| GPO for version 1607: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates |
| GPO for version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
| MDM for version 1607: </br>../Vendor/MSFT/Policy/Config/Update/</br>**PauseFeatureUpdates** | \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates |
| MDM for version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
You can check the date Feature Updates were paused at by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
The local group policy editor (GPEdit.msc) will not reflect if your Feature Update Pause period has expired. Although the device will resume Feature Updates after 60 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Feature Updates, you can check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
| Value | Status|
| --- | --- |
| 0 | Feature Updates not paused |
| 1 | Feature Updates paused |
| 2 | Feature Updates have auto-resumed after being paused |
## Configure when devices receive Quality Updates
Quality Updates are typically published the first Tuesday of every month, though can be released at any time by Microsoft. You can define if, and for how long, you would like to defer receiving Quality Updates following their availability. You can defer receiving these Quality Updates for a period of up to 35 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value.
You can set your system to receive updates for other Microsoft products—known as Microsoft Updates (such as Microsoft Office, Visual Studio)—along with Windows Updates by setting the **AllowMUUpdateService** policy. When this is done, these Microsoft Updates will follow the same deferral and pause rules as all other Quality Updates.
>[!IMPORTANT]
>This policy defers both Feature and Quality Updates on Windows 10 Mobile Enterprise.
**Defer Quality Updates policies**
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
| GPO for version 1607: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates</br>\Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays |
| GPO for version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpdatePeriod |
| MDM for version 1607: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferQualityUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays |
| MDM for version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpdate |
## Pause Quality Updates
You can also pause a system from receiving Quality Updates for a period of up to 35 days from when the value is set. After 35 days has passed, pause functionality will automatically expire and the system will scan Windows Updates for applicable Quality Updates. Following this scan, Quality Updates for the device can then be paused again.
>[!IMPORTANT]
>This policy pauses both Feature and Quality Updates on Windows 10 Mobile Enterprise.
**Pause Quality Updates policies**
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
| GPO for version 1607: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** |\Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdates |
| GPO for version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause |
| MDM for version 1607: </br>../Vendor/MSFT/Policy/Config/Update/</br>**PauseQualityUpdates** | \Microsoft\PolicyManager\default\Update\PauseQualityUpdates |
| MDM for version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
You can check the date that Quality Updates were paused at by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
The local group policy editor (GPEdit.msc) will not reflect if your Quality Update Pause period has expired. Although the device will resume Quality Updates after 35 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Quality Updates, you can check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
| Value | Status|
| --- | --- |
| 0 | Quality Updates not paused |
| 1 | Quality Updates paused |
| 2 | Quality Updates have auto-resumed after being paused |
## Exclude drivers from Quality Updates
In Windows 10, version 1607, you can selectively option out of receiving driver update packages as part of your normal quality update cycle. This policy will not pertain to updates to inbox drivers (which will be packaged within a security or critical update) or to Feature Updates, where drivers may be dynamically installed to ensure the Feature Update process can complete.
**Exclude driver policies**
| Policy | Sets registry key under **HKLM\Software** |
| --- | --- |
| GPO for version 1607: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate |
| MDM for version 1607: </br>../Vendor/MSFT/Policy/Config/Update/</br>**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate |
## Summary: MDM and Group Policy for version 1607
Below are quick-reference tables of the supported Windows Update for Business policy values for Windows 10, version 1607.
**GPO: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate**
| GPO Key | Key type | Value |
| --- | --- | --- |
| BranchReadinessLevel | REG_DWORD | 16: systems take Feature Updates for the Current Branch (CB)</br>32: systems take Feature Updates for the Current Branch for Business (CBB)</br>Note: Other value or absent: receive all applicable updates (CB) |
| DeferQualityUpdates | REG_DWORD | 1: defer quality updates</br>Other value or absent: dont defer quality updates |
| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-30: defer quality updates by given days |
| PauseQualityUpdates | REG_DWORD | 1: pause quality updates</br>Other value or absent: dont pause quality updates |
|DeferFeatureUpdates | REG_DWORD | 1: defer feature updates</br>Other value or absent: dont defer feature updates |
| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-180: defer feature updates by given days |
| PauseFeatureUpdates | REG_DWORD |1: pause feature updates</br>Other value or absent: dont pause feature updates |
| ExcludeWUDriversInQualityUpdate | REG_DWORD | 1: exclude Windows Update drivers</br>Other value or absent: offer Windows Update drivers |
**MDM: HKEY_LOCAL_MACHINE\Software\Microsoft\PolicyManager\default\Update**
| MDM Key | Key type | Value |
| --- | --- | --- |
| BranchReadinessLevel | REG_DWORD | 16: systems take Feature Updates for the Current Branch (CB)</br>32: systems take Feature Updates for the Current Branch for Business (CBB)</br>Note: Other value or absent: receive all applicable updates (CB) |
| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-30: defer quality updates by given days |
| PauseQualityUpdates | REG_DWORD | 1: pause quality updates</br>Other value or absent: dont pause quality updates |
| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-180: defer feature updates by given days |
| PauseFeatureUpdates | REG_DWORD | 1: pause feature updates</br>Other value or absent: dont pause feature updates |
| ExcludeWUDriversinQualityUpdate | REG_DWORD | 1: exclude Windows Update drivers</br>Other value or absent: offer Windows Update drivers |
## Update devices from Windows 10, version 1511 to version 1607
Due to the changes in the Windows Update for Business feature set, Windows 10, version 1607, uses different GPO and MDM keys than those available in version 1511. However,Windows Update for Business clients running version 1511 will still see their policies honored after they update to version 1607; the old policy keys will continue to exist with their values ported forward during the update. Following the update to version 1607, it should be noted that only the version 1511 keys will be populated and not the new version 1607 keys, until the newer keys are explicitly defined on the device by the administrator.
### How version 1511 policies are respected on version 1607
When a client running version 1607 sees an update available on Windows Update, the client will first evaluate and execute against the Windows Updates for Business policy keys for version 1607. If these are not present, it will then check to see if any of the version 1511 keys are set and defer accordingly. Update keys for version 1607 will always supersede the version 1511 equivalent.
### Comparing the version 1511 keys to the version 1607 keys
In the Windows Update for Business policies in version 1511, all the deferral rules were grouped under a single policy where pausing affected both upgrades and updates. In Windows 10, version 1607, this functionality has been broken out into separate polices: deferral of Feature and Quality Updates can be enabled and paused independently of one other.
<table><caption>Group Policy keys</caption><thead><th>Version 1511 GPO keys</th><th>Version 1607 GPO keys</th></thead>
<tbody><tr><td valign="top">**DeferUpgrade**: *enable/disable*</br>&nbsp;&nbsp;&nbsp;
Enabling allows user to set deferral periods for upgrades and updates. It also puts the device on CBB (no ability to defer updates while on the CB branch).</br></br>**DeferUpgradePeriod**: *0 - 8 months*</br></br>**DeferUpdatePeriod**: *1 4 weeks*</br></br>**Pause**: *enable/disable*</br>&nbsp;&nbsp;&nbsp;Enabling will pause both upgrades and updates for a max of 35 days</td><td>**DeferFeatureUpdates**: *enable/disable*</br></br>**BranchReadinessLevel**</br>&nbsp;&nbsp;&nbsp;Set device on CB or CBB</br></br>**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*</br></br>**PauseFeatureUpdates**: *enable/disable*</br>&nbsp;&nbsp;&nbsp;Enabling will pause Feature updates for a max of 60 days</br></br>**DeferQualityUpdates**: *Enable/disable*</br></br>**DeferQualityUpdatesPeriodinDays**: *0 - 30 days*</br></br>**PauseQualityUpdates**: *enable/disable*</br>&nbsp;&nbsp;&nbsp;Enabling will pause Quality updates for a max of 35 days</br></br>**ExcludeWUDrivers**: *enable/disable*</td></tr>
</table>
<table><caption>MDM keys</caption><thead><th>Version 1511 MDM keys</th><th>Version 1607 MDM keys</th></thead>
<tbody><tr><td valign="top">**RequireDeferUpgade**: *bool*</br>&nbsp;&nbsp;&nbsp;Puts the device on CBB (no ability to defer updates while on the CB branch).</br></br>**DeferUpgradePeriod**: *0 - 8 months*</br></br>**DeferUpdatePeriod**: *1 4 weeks*</br></br>**PauseDeferrals**: *bool*</br>&nbsp;&nbsp;&nbsp;Enabling will pause both upgrades and updates for a max of 35 days</td><td>**BranchReadinessLevel**</br>&nbsp;&nbsp;&nbsp;Set system on CB or CBB</br></br>**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*</br></br>**PauseFeatureUpdates**: *enable/disable*</br>&nbsp;&nbsp;&nbsp;Enabling will pause Feature updates for a max of 60 days</br></br>**DeferQualityUpdatesPeriodinDays**: *0 - 30 days*</br></br>**PauseQualityUpdates**: *enable/disable*</br>&nbsp;&nbsp;&nbsp; Enabling will pause Quality updates for a max of 35 days</br></br>**ExcludeWUDriversInQualityUpdate**: *enable/disable<*/td></tr>
</tbody></table>
## Related topics
- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
- [Overview of Windows as a service](waas-overview.md)
- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)

175
windows/manage/waas-delivery-optimization.md
View File

@ -1,175 +0,0 @@
---
title: Configure Delivery Optimization for Windows 10 updates (Windows 10)
description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
---
# Configure Delivery Optimization for Windows 10 updates
**Applies to**
- Windows 10
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
Delivery Optimization is a self-organizing distributed cache solution for businesses looking to reduce bandwidth consumption for operating system updates, operating system upgrades, and applications by allowing clients to download those elements from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers. You can use Delivery Optimization in conjunction with stand-alone Windows Update, Windows Server Update Services (WSUS), and Windows Update for Business. This functionality is similar to BranchCache in other systems, such as System Center Configuration Manager.
Delivery Optimization is a cloud managed solution. Having access to the Delivery Optimization cloud services, is a requirement for it to be enabled. This mean that in order to utilize the peer-to-peer functionality of Delivery Optimization, machines need to have access to the internet.
For more details, see [Download mode](#download-mode).
>[!NOTE]
>WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead.
By default in Windows 10 Enterprise and Education, Delivery Optimization allows peer-to-peer sharing on the organization's own network only, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune.
## Delivery Optimization options
You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization.
You will find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**.
In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**.
Several Delivery Optimization features are configurable:
| Group Policy setting | MDM setting |
| --- | --- |
| [Download mode](#download-mode) | DODownloadMode |
| [Group ID](#group-id) | DOGroupID |
| [Max Cache Age](#max-cache-age) | DOMaxCacheAge |
| [Max Cache Size](#max-cache-size) | DOMaxCacheSize |
| [Absolute Max Cache Size](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize |
| [Modify Cache Drive](#modify-cache-drive) | DOModifyCacheDrive |
| [Maximum Download Bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth |
| [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth |
| [Max Upload Bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth |
| [Monthly Upload Data Cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap |
| [Minimum Background QoS](#minimum-background-qos) | DOMinBackgroundQoS |
When configuring Delivery Optimization on Windows 10 devices, the first and most important thing to configure, would be [Download mode](#download-mode). Download mode dictates how Delivery Optimization downloads Windows updates.
While every other feature setting is optional, they offer enhanced control of the Delivery Optimization behavior.
[Group ID](#group-id), combined with Group [Download mode](#download-mode), enables administrators to create custom device groups that will share content between devices in the group.
Delivery Optimization uses locally cached updates. In cases where devices have ample local storage and you would like to cache more content, or if you have limited storage and would like to cache less, use the settings below to adjust the Delivery Optimization cache to suit your scenario:
- [Max Cache Size](#max-cache-size) and [Absolute Max Cache Size](#absolute-max-cache-size) control the amount of space the Delivery Optimization cache can use.
- [Max Cache Age](#max-cache-age) controls the retention period for each update in the cache.
- The system drive is the default location for the Delivery Optimization cache. [Modify Cache Drive](#modify-cache-drive) allows administrators to change that location.
>[!NOTE]
>It is possible to configure preferred cache devices. For more information, see [Set “preferred” cache devices for Delivery Optimization](#set-preferred-cache-devices).
There are additional options available to robustly control the impact Delivery Optimization has on your network:
- [Maximum Download Bandwidth](#maximum-download-bandwidth) and [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) controls the download bandwidth used by Delivery Optimization.
- [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage.
- [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers per month.
- [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This is achieved by adjusting the amount of data downloaded directly from Windows Update or WSUS servers, rather than other peers in the network.
### How Microsoft uses Delivery Optimization
In Microsoft, to help ensure that ongoing deployments werent affecting our network and taking away bandwidth for other services, Microsoft IT used a couple of different bandwidth management strategies. Delivery Optimization, peer-to-peer caching enabled through Group Policy, was piloted and then deployed to all managed devices using Group Policy. Based on recommendations from the Delivery Optimization team, we used the "group" configuration to limit sharing of content to only the devices that are members of the same Active Directory domain. The content is cached for 24 hours. More than 76 percent of content came from peer devices versus the Internet.
For more details, check out the [Adopting Windows as a Service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft) technical case study.
Provided below is a detailed description of every configurable feature setting. Use these details when configuring any of the above settings.
### Download mode
Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do.
| Download mode option | Functionality when set |
| --- | --- |
| HTTP Only (0) | This setting disables peer-to-peer caching but still allows Delivery Optimization to download content from Windows Update servers or WSUS servers. This mode uses additional metadata provided by the Delivery Optimization cloud services for a peerless reliable and efficient download experience. |
| LAN (1 Default) | This default operating mode for Delivery Optimization enables peer sharing on the same network. |
| Group (2) | When group mode is set, the group is automatically selected based on the devices Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use the GroupID option to create your own custom group independently of domains and AD DS sites. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. |
| Internet (3) | Enable Internet peer sources for Delivery Optimization. |
| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. |
|Bypass (100) | Bypass Delivery Optimization and use BITS, instead. For example, select this mode so that clients can use BranchCache. |
>[!NOTE]
>Group mode is a best effort optimization and should not be relied on for an authentication of identity of devices participating in the group.
### Group ID
By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and AD DS site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or AD DS site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to peer. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
>[!NOTE]
>To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/)
>
>This configuration is optional and not required for most implementations of Delivery Optimization.
### Max Cache Age
In environments configured for Delivery Optimization, you may want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client computer. The default Max Cache Age value is 259,200 seconds (3 days). Alternatively, organizations may choose to set this value to “0” which means “unlimited” to avoid peers re-downloading content. When “Unlimited” value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed).
### Max Cache Size
This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows 10 client computer that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. The default value for this setting is 20.
### Absolute Max Cache Size
This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the **DOMaxCacheSize** setting, which is a percentage of available disk space. Also, if you configure this policy, it will override the **DOMaxCacheSize** setting. The default value for this setting is 10 GB.
### Maximum Download Bandwidth
This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). A default value of 0 means that Delivery Optimization will dynamically adjust and optimize the maximum bandwidth used.
### Percentage of Maximum Download Bandwidth
This setting specifies the maximum download bandwidth that Delivery Optimization can use across all concurrent download activities as a percentage of available download bandwidth. The default value 0 means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
### Max Upload Bandwidth
This setting allows you to limit the amount of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). The default setting is 0, or “unlimited” which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate.
### Minimum Background QoS
This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more bytes from Windows Update servers or WSUS. Simply put, the lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network.
### Modify Cache Drive
This setting allows for an alternate Delivery Optimization cache location on the clients. By default, the cache is stored on the operating system drive through the %SYSTEMDRIVE% environment variable. You can set the value to an environment variable (e.g., %SYSTEMDRIVE%), a drive letter (e.g., D:), or a folder path (e.g., D:\DOCache).
### Monthly Upload Data Cap
This setting specifies the total amount of data in gigabytes that a Delivery Optimization client can upload to Internet peers per month. A value of 0 means that an unlimited amount of data can be uploaded. The default value for this setting is 20 GB.
<span id="set-preferred-cache-devices"/>
## Set “preferred” cache devices for Delivery Optimization
In some cases, IT pros may have an interest in identifying specific devices that will be “preferred” as sources to other devices—for example, devices that have hard-wired connections, large drives that you can use as caches, or a high-end hardware profile. These preferred devices will act as a “master” for the update content related to that devicess configuration (Delivery Optimization only caches content relative to the client downloading the content).
To specify which devices are preferred, you can set the **Max Cache Age** configuration with a value of **Unlimited** (0). As a result, these devices will be used more often as sources for other devices downloading the same files.
On devices that are not preferred, you can choose to set the following policy to prioritize data coming from local peers instead of the Internet:
- Set **DOMinBackgroundQoS** with a low value, for example `65536` which is the equivalent of 64 KB/s.
## Learn more
[Windows 10, Delivery Optimization, and WSUS](https://blogs.technet.microsoft.com/mniehaus/2016/08/16/windows-10-delivery-optimization-and-wsus-take-2/)
## Related topics
- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
- [Overview of Windows as a service](waas-overview.md)
- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)

79
windows/manage/waas-deployment-rings-windows-10-updates.md
View File

@ -1,79 +0,0 @@
---
title: Build deployment rings for Windows 10 updates (Windows 10)
description: Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
---
# Build deployment rings for Windows 10 updates
**Applies to**
- Windows 10
- Windows 10 Mobile
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
For Windows as a service, maintenance is ongoing and iterative. Deploying previous versions of Windows required organizations to build sets of users to roll out the changes in phases. Typically, these users ranged (in order) from the most adaptable and least risky to the least adaptable or riskiest. With Windows 10, a similar methodology exists, but construction of the groups is a little different.
Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades. They are simply a method by which to separate machines into a deployment timeline. With Windows 10, you construct deployment rings a bit differently in each servicing tool, but the concepts remain the same. Each deployment ring should reduce the risk of issues derived from the deployment of the feature updates by gradually deploying the update to entire departments. As previously mentioned, consider including a portion of each departments employees in several deployment rings.
Defining deployment rings is generally a one-time event (or at least infrequent), but IT should revisit these groups to ensure that the sequencing is still correct. Also, there are times in which client computers could move between different deployment rings when necessary.
Table 1 provides an example of the deployment rings you might use.
**Table 1**
| Deployment ring | Servicing branch | Total weeks after Current Branch (CB) or Current Branch for Business (CBB) release |
| --- | --- | --- |
| Preview | Windows Insider | Pre-CB |
| Ring 1 Pilot IT | CB | CB + 0 weeks |
| Ring 2 Pilot business users | CB | CB + 4 weeks |
| Ring 3 Broad IT | CB | CB + 6 weeks |
| Ring 4 Broad business users | CBB | CBB + 0 weeks |
| Ring 5 Broad business users #2 | CBB | CBB + 2 weeks as required by capacity or other constraints |
>[!NOTE]
>In this example, there are no rings made up of the long-term servicing branch (LTSB). The LTSB servicing branch does not receive feature updates.
>
>Windows Insider is in the deployment ring list for informational purposes only. Windows Insider PCs must be enrolled manually on each device and serviced based on the Windows Insider level chosen in the **Settings** app on that particular PC. Feature update servicing for Windows Insiderdevices is done completely through Windows Update; no servicing tools can manage Windows Insider feature updates.
As Table 1 shows, each combination of servicing branch and deployment group is tied to a specific deployment ring. As you can see, the associated groups of devices are combined with a servicing branch to specify which deployment ring those devices and their users fall into. The naming convention used to identify the rings is completely customizable as long as the name clearly identifies the sequence. Deployment rings represent a sequential deployment timeline, regardless of the servicing branch they contain. Deployment rings will likely rarely change for an organization, but they should be periodically assessed to ensure that the deployment cadence still makes sense.
![illustration of rings](images/waas-rings.png)
## Steps to manage updates for Windows 10
<table><tbody>
<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Learn about updates and servicing branches](waas-overview.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">Build deployment rings for Windows 10 updates
(this topic)</td></tr>
<tr><td style="border: 0px;width: 24px">![to do](images/checklistbox.gif)</td><td align="left" style="border: 0px">[Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![to do](images/checklistbox.gif)</td><td align="left" style="border: 0px">[Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![to do](images/checklistbox.gif)</td><td align="left" style="border: 0px">[Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>
or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>
or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)</td></tr>
</tbody></table>
</br>
## Related topics
- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage device restarts after updates](waas-restart.md)

111
windows/manage/waas-integrate-wufb.md
View File

@ -1,111 +0,0 @@
---
title: Integrate Windows Update for Business with management solutions (Windows 10)
description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
---
# Integrate Windows Update for Business with management solutions
**Applies to**
- Windows 10
- Windows 10 Mobile
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager.
## Integrate Windows Update for Business with Windows Server Update Services
For Windows 10, version 1607, devices can now be configured to receive updates from both Windows Update (or Microsoft Update) and Windows Server Update Services (WSUS). In a joint WSUS and Windows Update for Business setup:
- Devices will receive their Windows content from Microsoft and defer these updates according to Windows Update for Business policy
- All other content synced from WSUS will be directly applied to the device; that is, updates to products other than Windows will not follow your Windows Update for Business deferral policies
### Configuration example \#1: Deferring Windows Update updates with other update content hosted on WSUS
**Configuration:**
- Device is configured to defer Windows Quality Updates using Windows Update for Business
- Device is also configured to be managed by WSUS
- Device is not configured to enable Microsoft Update (**Update/AllowMUUpdateService** = not enabled)
- Admin has opted to put updates to Office and other products on WSUS
- Admin has also put 3rd party drivers on WSUS
<table><thead><th>Content</th><th>Metadata source</th><th>Payload source</th><th>Deferred?</th><th></th></thead>
<tbody><tr><td>Updates to Windows</td><td>Windows Update</td><td>Windows Update</td><td>Yes</td><td rowspan="3">![diagram of content flow](images/wufb-config1a.png)</td></tr>
<tr><td>Updates to Office and other products</td><td>WSUS</td><td>WSUS</td><td>No</td></tr>
<tr><td>Third-party drivers</td><td>WSUS</td><td>WSUS</td><td>No</td></tr>
</table>
### Configuration example \#2: Excluding drivers from Windows Quality Updates using Windows Update for Business
**Configuration:**
- Device is configured to defer Windows Quality Updates and to exclude drivers from Windows Update Quality Updates (**ExcludeWUDriversInQualityUpdate** = enabled)
- Device is also configured to be managed by WSUS
- Admin has opted to put Windows Update drivers on WSUS
<table><thead><th>Content</th><th>Metadata source</th><th>Payload source</th><th>Deferred?</th><th></th></thead>
<tbody><tr><td>Updates to Windows (excluding drivers)</td><td>Windows Update</td><td>Windows Update</td><td>Yes</td><td rowspan="4">![diagram of content flow](images/wufb-config2.png)</td></tr>
<tr><td>Updates to Office and other products</td><td>WSUS</td><td>WSUS</td><td>No</td></tr>
<tr><td>Drivers</td><td>WSUS</td><td>WSUS</td><td>No</td></tr>
</table>
### Configuration example \#3: Device configured to receive Microsoft updates
**Configuration:**
- Device is configured to defer Quality Updates using Windows Update for Business and to be managed by WSUS
- Device is configured to “receive updates for other Microsoft products” along with updates to Windows (**Update/AllowMUUpdateService** = enabled)
- Admin has also placed Microsoft Update, third-paprty, and locally-published update content on the WSUS server
In this example, the deferral behavior for updates to Office and other non-Windows products is slightly different than if WSUS were not enabled.
- In a non-WSUS case, these updates would be deferred just as any update to Windows would be.
- However, with WSUS also configured, these updates are sourced from Microsoft but deferral policies are not applied.
<table><thead><th>Content</th><th>Metadata source</th><th>Payload source</th><th>Deferred?</th><th></th></thead>
<tbody><tr><td>Updates to Windows (excluding drivers)</td><td>Microsoft Update</td><td>Microsoft Update</td><td>Yes</td><td rowspan="3">![diagram of content flow](images/wufb-config3a.png)</td></tr>
<tr><td>Updates to Office and other products</td><td>Microsoft Update</td><td>Microsoft Update</td><td>No</td></tr>
<tr><td>Drivers, third-party applications</td><td>WSUS</td><td>WSUS</td><td>No</td></tr>
</table>
>[!NOTE]
> Because the admin enabled **Update/AllowMUUpdateService**, placing the content on WSUS was not needed for the particular device, as the device will always receive Microsoft Update content from Microsoft when configured in this manner.
## Integrate Windows Update for Business with System Center Configuration Manager
For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (i.e. setting deferral policies on those devices). Such devices will be visible in the Configuration Manager console, however they will appear with a detection state of **Unknown**.
![Example of unknown devices](images/wufb-sccm.png)
## Related topics
- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
- [Overview of Windows as a service](waas-overview.md)
- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)

410
windows/manage/waas-manage-updates-configuration-manager.md
View File

@ -1,410 +0,0 @@
---
title: Manage Windows 10 updates using System Center Configuration Manager (Windows 10)
description: System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
---
# Manage Windows 10 updates using System Center Configuration Manager
**Applies to**
- Windows 10
- Windows 10 Mobile
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10. Unlike other servicing tools, Configuration Manager has capabilities that extend beyond servicing, such as application deployment, antivirus management, software metering, and reporting, and provides a secondary deployment method for LTSB clients. Configuration Manager can effectively control bandwidth usage and content distribution through a combination of BranchCache and distribution points. Microsoft encourages organizations currently using Configuration Manager for Windows update management to continue doing so for Windows 10 client computers.
You can use Configuration Manager to service Windows 10 devices in two ways. The first option is to use Windows 10 Servicing Plans to deploy Windows 10 feature updates automatically based on specific criteria, similar to an Automatic Deployment Rule for software updates. The second option is to use a task sequence to deploy feature updates, along with anything else in the installation.
>[!NOTE]
>This topic focuses on updating and upgrading Windows 10 after it has already been deployed. To use Configuration Manager to upgrade your systems from the Windows 8.1, Windows 8, or Windows 7 operating system, see [Upgrade to Windows 10 with System Center Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager).
## Windows 10 servicing dashboard
The Windows 10 servicing dashboard gives you a quick-reference view of your active servicing plans, compliance for servicing plan deployment, and other key information about Windows 10 servicing. For details about what each tile on the servicing dashboard represents, see [Manage Windows as a service using System Center Configuration Manager](https://technet.microsoft.com/library/mt627931.aspx).
For the Windows 10 servicing dashboard to display information, you must adhere to the following requirements:
- **Heartbeat discovery**. Enable heartbeat discovery for the site receiving Windows 10 servicing information. Configuration for heartbeat discovery can be found in Administration\Overview\Hierarchy Configuration\Discovery Methods.
- **Windows Server Update Service (WSUS)**. System Center Configuration Manager must have the Software update point site system role added and configured to receive updates from a WSUS 4.0 server with the hotfix KB3095113 installed.
- **Service connection point**. Add the Service connection point site system role in Online, persistent connection mode.
- **Upgrade classification**. Select **Upgrade** from the list of synchronized software update classifications.
**To configure Upgrade classification**
1. Go to Administration\Overview\Site Configuration\Sites, and then select your site from the list.
2. On the Ribbon, in the **Settings** section, click **Configure Site Components**, and then click **Software Update Point**.
![Example of UI](images/waas-sccm-fig1.png)
3. In the **Software Update Point Component Properties** dialog box, on the **Classifications** tab, click **Upgrades**.
When you have met all these requirements and deployed a servicing plan to a collection, youll receive information on the Windows 10 servicing dashboard.
## Enable CBB clients in Windows 10, version 1511
When you use System Center Configuration Manager to manage Windows 10 servicing, you must first set the **Defer Updates or Upgrades** policy on the clients that should be on the Current Branch for Business (CBB) servicing branch so that you can use CBB servicing plans from Configuration Manager. You can do this either manually or through Group Policy. If you dont set this policy, Configuration Manager discovers all clients, as it would in Current Branch (CB) mode.
**To use Group Policy to configure a client for the CBB servicing branch**
>[!NOTE]
>In this example, a specific organizational unit (OU) called **Windows 10 Current Branch for Business Machines** contains the Windows 10 devices that should be configured for CBB. You can also use a security group to filter the computers to which the policy should be applied.
1. On a PC running the Remote Server Administration Tools or on a domain controller, open Group Policy Management Console (GPMC).
2. Expand Forest\Domains\\*Your_Domain*.
4. Right-click the **Windows 10 Current Branch for Business Machines** OU, and then click **Create a GPO in this domain, and Link it here**.
![Example of UI](images/waas-sccm-fig2.png)
5. In the **New GPO** dialog box, type **Enable Current Branch for Business** for the name of the new GPO.
>[!NOTE]
>In this example, youre linking the GPO to a specific OU. This is not a requirement. You can link the Windows Update for Business GPOs to any OU or the top-level domain, whichever is appropriate for your Active Directory Domain Services (AD DS) structure.
6. Right-click the **Enable Current Branch for Business** GPO, and then click **Edit**.
7. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
8. Right-click the **Defer Upgrades and Updates** setting, and then click **Edit**.
![Example of UI](images/waas-sccm-fig3.png)
9. Enable the policy, and then click **OK**.
>[!NOTE]
>The additional options in this setting are only for Windows Update for Business, so be sure not to configure them when using System Center Configuration Manager for Windows 10 servicing.
10. Close the Group Policy Management Editor.
This policy will now be deployed to every device in the **Windows 10 Current Branch for Business Machines** OU.
## Enable CBB clients in Windows 10, version 1607
When you use Configuration Manager to manage Windows 10 servicing, you must first set the **Select when Feature Updates** are received policy on the clients that should be on the CBB servicing branch so that you can use CBB servicing plans from Configuration Manager. You can do this either manually or through Group Policy. If you dont set this policy, Configuration Manager discovers all clients, as it would in CB mode.
>[!NOTE]
>System Center Configuration Manager version 1606 is required to manage devices running Windows 10, version 1607.
**To use Group Policy to configure a client for the CBB servicing branch**
>[!NOTE]
>In this example, a specific organizational unit (OU) called **Windows 10 Current Branch for Business Machines** contains the Windows 10 devices that should be configured for CBB. You can also use a security group to filter the computers to which the policy should be applied.
1. On a PC running the Remote Server Administration Tools or on a domain controller, open GPMC.
2. Expand Forest\Domains\\*Your_Domain*.
3. Right-click the **Windows 10 Current Branch for Business Machines** OU, and then click **Create a GPO in this domain, and Link it here**.
![Example of UI](images/waas-sccm-fig2.png)
5. In the **New GPO** dialog box, type **Enable Current Branch for Business** for the name of the new GPO.
>[!NOTE]
>In this example, youre linking the GPO to a specific OU. This is not a requirement. You can link the Windows Update for Business GPOs to any OU or the top-level domain, whichever is appropriate for your Active Directory Domain Services (AD DS) structure.
6. Right-click the **Enable Current Branch for Business** GPO, and then click **Edit**.
7. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Defer Windows Updates.
8. Right-click the **Select when Feature Updates are received** setting, and then click **Edit**.
9. Enable the policy, select the **CBB** branch readiness level, and then click **OK**.
10. Close the Group Policy Management Editor.
This policy will now be deployed to every device in the **Windows 10 Current Branch for Business Machines** OU.
## Create collections for deployment rings
Regardless of the method by which you deploy Windows 10 feature updates to your environment, you must start the Windows 10 servicing process by creating collections of computers that represent your deployment rings. In this example, you create two collections: **Windows 10 All Current Branch for Business** and **Ring 4 Broad business users**. Youll use the **Windows 10 All Current Branch for Business** collection for reporting and deployments that should go to all CBB clients. Youll use the **Ring 4 Broad business users** collection as a deployment ring for the first CBB users.
>[!NOTE]
>The following procedures use the groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) as examples.
**To create collections for deployment rings**
1. In the Configuration Manager console, go to Assets and Compliance\Overview\Device Collections.
2. On the Ribbon, in the **Create** group, click **Create Device Collection**.
3. In the Create Device Collection Wizard, in the **name** box, type **Windows 10 All Current Branch for Business**.
4. Click **Browse** to select the limiting collection, and then click **All Systems**.
5. In **Membership rules**, click **Add Rule**, and then click **Query Rule**.
6. Name the rule **CBB Detection**, and then click **Edit Query Statement**.
7. On the **Criteria** tab, click the **New** icon.
![Example of UI](images/waas-sccm-fig4.png)
8. In the **Criterion Properties** dialog box, leave the type as **Simple Value**, and then click **Select**.
9. In the **Select Attribute** dialog box, from the **Attribute class** list, select **System Resource**. From the **Attribute** list, select **OSBranch**, and then click **OK**.
![Example of UI](images/waas-sccm-fig5.png)
>[!NOTE]
>Configuration Manager discovers clients servicing branch and stores that value in the **OSBranch** attribute, which you will use to create collections based on servicing branch. The values in this attribute can be **0 (Current Branch)**, **1 (Current Branch for Business)**, or **2 (Long-Term Servicing Branch)**.
10. Leave **Operator** set to **is equal to**; in the **Value** box, type **1**. Click **OK**.
![Example of UI](images/waas-sccm-fig6.png)
11. Now that the **OSBranch** attribute is correct, verify the operating system version.
12. On the **Criteria** tab, click the **New** icon again to add criteria.
13. In the **Criterion Properties** dialog box, click **Select**.
14. From the **Attribute class** list, select **System Resource**. From the **Attribute** list, select **Operating System Name and Version**, and then click **OK**.
![Example of UI](images/waas-sccm-fig7.png)
15. In the **Value** box, type **Microsoft Windows NT Workstation 10.0**, and then click **OK**.
![Example of UI](images/waas-sccm-fig8.png)
16. In the **Query Statement Properties** dialog box, you see two values. Click **OK**, and then click **OK** again to continue to the Create Device Collection Wizard.
17. Click **Summary**, and then click **Next**.
18. Close the wizard.
>[!IMPORTANT]
>Windows Insider PCs are discovered the same way as CB or CBB devices. If you have Windows Insider PCs that you use Configuration Manager to manage, then you should create a collection of those PCs and exclude them from this collection. You can create the membership for the Windows Insider collection either manually or by using a query where the operating system build doesnt equal any of the current CB or CBB build numbers. You would have to update each periodically to include new devices or new operating system builds.
After you have updated the membership, this new collection will contain all managed clients on the CBB servicing branch. You will use this collection as a limiting collection for future CBB-based collections and the **Ring 4 Broad broad business users** collection. Complete the following steps to create the **Ring 4 Broad business users** device collection, which youll use as a CBB deployment ring for servicing plans or task sequences.
1. In the Configuration Manager console, go to Assets and Compliance\Overview\Device Collections.
2. On the Ribbon, in the **Create** group, click **Create Device Collection**.
3. In the Create Device Collection Wizard, in the **name** box, type **Ring 4 Broad business users**.
4. Click **Browse** to select the limiting collection, and then click **Windows 10 All Current Branch for Business**.
5. In **Membership rules**, click **Add Rule**, and then click **Direct Rule**.
6. In the **Create Direct Membership Rule Wizard** dialog box, click **Next**.
7. In the **Value** field, type all or part of the name of a device to add, and then click **Next**.
8. Select the computer that will be part of the **Ring 4 Broad business users** deployment ring, and then click **Next**.
9. Click **Next**, and then click **Close**.
10. In the **Create Device Collection Wizard** dialog box, click **Summary**.
11. Click **Next**, and then click **Close**.
## Use Windows 10 servicing plans to deploy Windows 10 feature updates
There are two ways to deploy Windows 10 feature updates with System Center Configuration Manager. The first is to use servicing plans, which provide an automated method to update devices consistently in their respective deployment rings, similar to Automatic Deployment Rules for software updates.
**To configure Windows feature updates for CBB clients in the Ring 4 Broad business users deployment ring using a servicing plan**
1. In the Configuration Manager console, go to Software Library\Overview\Windows 10 Servicing, and then click **Servicing Plans**.
2. On the Ribbon, in the **Create** group, click **Create Servicing Plan**.
3. Name the plan **Ring 4 Broad business users Servicing Plan**, and then click **Next**.
4. On the **Servicing Plan page**, click **Browse**. Select the **Ring 4 Broad business users** collection, which you created in the [Create collections for deployment rings](#create-collections-for-deployment-rings) section, click **OK**, and then click **Next**.
>[!IMPORTANT]
>Microsoft added a new protection feature to Configuration Manager that prevents accidental installation of high-risk deployments such as operating system upgrades on site systems. If you select a collection (All Systems in this example) that has a site system in it, you may receive the following message.
>
>![This is a high-risk deployment](images/waas-sccm-fig9.png)
>
>For details about how to manage the settings for high-risk deployments in Configuration Manager, see [Settings to manage high-risk deployments for System Center Configuration Manager](https://technet.microsoft.com/library/mt621992.aspx).
5. On the **Deployment Ring** page, select the **Business Ready (Current Branch for Business)** readiness state, leave the delay at **0 days**, and then click **Next**.
Doing so deploys CBB feature updates to the broad business users deployment ring immediately after they are released to CBB.
On the Upgrades page, you specify filters for the feature updates to which this servicing plan is applicable. For example, if you wanted this plan to be only for Windows 10 Enterprise, you could select **Title**, and then type **Enterprise**.
6. For this example, on the **Upgrades** page, click **Next** to leave the criterion blank.
7. On the **Deployment Schedule** page, click **Next** to keep the default values of making the content available immediately and requiring installation by the 7-day deadline.
8. On the **User Experience** page, from the **Deadline behavior** list, select **Software Installation and System restart (if necessary)**. From the **Device restart behavior** list, select **Workstations**, and then click **Next**.
Doing so allows installation and restarts after the 7-day deadline on workstations only.
9. On the **Deployment Package** page, select **Create a new deployment package**. In **Name**, type **CBB Upgrades**, select a share for your package source location, and then click **Next**.
In this example, \\contoso-cm01\Sources\Windows 10 Feature Upgrades is a share on the Configuration Manager server that contains all the Windows 10 feature updates.
![Example of UI](images/waas-sccm-fig10.png)
10. On the **Distribution Points** page, from the **Add** list, select **Distribution Point**.
![Example of UI](images/waas-sccm-fig11.png)
Select the distribution points that serve the clients to which youre deploying this servicing plan, and then click **OK**.
11. Click **Summary**, click **Next** to complete the servicing plan, and then click **Close**.
You have now created a servicing plan for the **Ring 4 Broad business users** deployment ring. By default, this rule is evaluated each time the software update point is synchronized, but you can modify this schedule by viewing the service plans properties on the **Evaluation Schedule** tab.
![Example of UI](images/waas-sccm-fig12.png)
## Use a task sequence to deploy Windows 10 updates
There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example:
- **LTSB feature updates**. With the LTSB servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade.
- **Additional required tasks**. When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you must use task sequences to orchestrate the additional steps. Servicing plans do not have the ability to add steps to their deployments.
Each time Microsoft releases a new Windows 10 build, it releases a new .iso file containing the latest build, as well. Regardless of the scenario that requires a task sequence to deploy the Windows 10 upgrade, the base process is the same. Start by creating an Operating System Upgrade Package in the Configuration Manager console:
1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Operating System Upgrade Packages.
2. On the Ribbon, in the **Create** group, click **Add Operating System Upgrade Package**.
3. On the **Data Source** page, type the path of the extracted .iso file of the new version of Windows 10 youre deploying, and then click **Next**.
In this example, the Windows 10 Enterprise 1607 installation media is deployed to \\contoso-cm01\Sources\Operating Systems\Windows 10 Enterprise\Windows 10 Enterprise - Version 1607.
>[!NOTE]
>System Center Configuration Manager version 1606 is required to manage machines running Windows 10, version 1607.
4. On the **General** page, in the **Name** field, type the name of the folder (**Windows 10 Enterprise - Version 1607** in this example). Set the **Version** to **1607**, and then click **Next**.
5. On the **Summary** page, click **Next** to create the package.
6. On the **Completion** page, click **Close**.
Now that the operating system upgrade package has been created, the content in that package must be distributed to the correct distribution points so that the clients can access the content. Complete the following steps to distribute the package content to distribution points:
1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Operating System Upgrade Packages, and then select the **Windows 10 Enterprise Version 1607** software upgrade package.
2. On the Ribbon, in the **Deployment group**, click **Distribute Content**.
3. In the Distribute Content Wizard, on the **General** page, click **Next**.
4. On the **Content Destination** page, click **Add**, and then click **Distribution Point**.
5. In the **Add Distribution Points** dialog box, select the distribution point that will serve the clients receiving this package, and then click **OK**.
6. On the **Content Destination** page, click **Next**.
7. On the **Summary** page, click **Next** to distribute the content to the selected distribution point.
8. On the **Completion** page, click **Close**.
Now that the upgrade package has been created and its contents distributed, create the task sequence that will use it. Complete the following steps to create the task sequence, using the previously created deployment package:
1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences.
2. On the Ribbon, in the **Create** group, click **Create Task Sequence**.
3. In the Create Task Sequence Wizard, on the **Create a new task sequence** page, select **Upgrade an operating system from upgrade package**, and then click **Next**.
4. On the **Task Sequence Information** page, in **Task sequence name**, type **Upgrade Windows 10 Enterprise Version 1607**, and then click **Next**.
5. On the **Upgrade the Windows Operating system** page, click **Browse**, select the deployment package you created in the previous steps, and then click **OK**.
6. Click **Next**.
7. On the **Include Updates** page, select **Available for installation All software updates**, and then click **Next**.
8. On the **Install Applications** page, click **Next**.
9. On the **Summary** page, click **Next** to create the task sequence.
10. On the **Completion** page, click **Close**.
With the task sequence created, youre ready to deploy it. If youre using this method to deploy most of your Windows 10 feature updates, you may want to create deployment rings to stage the deployment of this task sequence, with delays appropriate for the respective deployment ring. In this example, you deploy the task sequence to the **Ring 4 Broad business users collection**.
>[!IMPORTANT]
>This process deploys a Windows 10 operating system feature update to the affected devices. If youre testing, be sure to select the collection to which you deploy this task sequence carefully.
**To deploy your task sequence**
1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences, and then select the **Upgrade Windows 10 Enterprise Version 1607** task sequence.
2. On the Ribbon, in the **Deployment** group, click **Deploy**.
3. In the Deploy Software Wizard, on the **General** page, click **Browse**. Select the target collection, click **OK**, and then click **Next**.
4. On the **Deployment Settings** page, for **purpose**, select **Required**, and then click **Next**.
5. On the **Scheduling** page, select the **Schedule when this deployment will become available** check box (it sets the current time by default). For **Assignment schedule**, click **New**.
6. In the **Assignment Schedule** dialog box, click **Schedule**.
7. In the **Custom Schedule** dialog box, select the desired deadline, and then click **OK**.
8. In the **Assignment Schedule** dialog box, click **OK**, and then click **Next**.
9. On the **User Experience** page, in the **When the scheduled assignment time is reached, allow the following activities to be performed outside of the maintenance window** section, select **Software Installation** and **System restart** (if required to complete the installation), and then click **Next**.
10. Use the defaults for the remaining settings.
11. Click **Summary**, and then click **Next** to deploy the task sequence.
12. Click **Close**.
</br>
## Steps to manage updates for Windows 10
<table><tbody>
<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Learn about updates and servicing branches](waas-overview.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>
or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>
or Manage Windows 10 updates using System Center Configuration Manager (this topic)</td></tr>
</tbody></table>
</br>
## See also
[Manage Windows as a service using System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/manage-windows-as-a-service)
## Related topics
- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
- [Overview of Windows as a service](waas-overview.md)
- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
- [Manage device restarts after updates](waas-restart.md)

353
windows/manage/waas-manage-updates-wsus.md
View File

@ -1,353 +0,0 @@
---
title: Manage Windows 10 updates using Windows Server Update Services (Windows 10)
description: WSUS allows companies to defer, selectively approve, choose when delivered, and determine which devices receive updates.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
---
# Manage Windows 10 updates using Windows Server Update Services (WSUS)
**Applies to**
- Windows 10
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when theyre delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that System Center Configuration Manager provides.
When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows 10 client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If youre currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 10.
## Requirements for Windows 10 servicing with WSUS
To be able to use WSUS to manage and deploy Windows 10 feature updates, you must have WSUS 4.0, which is available in the Windows Server 2012 R2 and Windows Server 2012 operating systems. In addition to WSUS 4.0, you must install the [KB3095113](https://support.microsoft.com/kb/3095113) and [KB3159706](https://support.microsoft.com/kb/3159706) patches on the WSUS server.
## WSUS scalability
To use WSUS to manage all Windows updates, some organizations may need access to WSUS from a perimeter network, or they might have some other complex scenario. WSUS is highly scalable and configurable for organizations of any size or site layout. For specific information about scaling WSUS, including upstream and downstream server configuration, branch offices, WSUS load balancing, and other complex scenarios, see [Choose a Type of WSUS Deployment](https://technet.microsoft.com/library/cc720448%28v=ws.10%29.aspx).
## Express Installation Files
With Windows 10, quality updates will be larger than traditional Windows Updates because theyre cumulative. To manage the bandwidth clients downloading large updates like these will need, WSUS has a feature called *Express Installation Files*.
At a binary level, files associated with updates may not change a lot. In fact, with cumulative quality updates, most of the content will be from previous updates. Rather than downloading the entire update when only a small percentage of the payload is actually different, Express Installation Files analyze the differences between the new files associated with an update and the existing files on the client. This approach significantly reduces the amount of bandwidth used because only a fraction of the update content is actually delivered.
**To configure WSUS to download Express Update Files**
1. Open the WSUS Administration Console.
2. In the navigation pane, go to *Your_Server*\\**Options**.
3. In the **Options** section, click **Update Files and Languages**.
![Example of UI](images/waas-wsus-fig1.png)
4. In the **Update Files and Languages** dialog box, select **Download express installation files**.
![Example of UI](images/waas-wsus-fig2.png)
>[!NOTE]
>Because Windows 10 updates are cumulative, enabling Express Installation Files when WSUS is configured to download Windows 10 updates will significantly increase the amount of disk space that WSUS requires. Alternatively, when using Express Installation Files for previous versions of Windows, the features positive effects arent noticeable because the updates arent cumulative.
## Configure automatic updates and update service location
When using WSUS to manage updates on Windows client devices, start by configuring the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings for your environment. Doing so forces the affected clients to contact the WSUS server so that it can manage them. The following process describes how to specify these settings and deploy them to all devices in the domain.
**To configure the Configure Automatic Updates and Intranet Microsoft Update Service Location Group Policy settings for your environment**
1. Open GPMC.
2. Expand Forest\Domains\\*Your_Domain*.
3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
![Example of UI](images/waas-wsus-fig3.png)
>[!NOTE]
>In this example, the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings are specified for the entire domain. This is not a requirement; you can target these settings to any security group by using Security Filtering or a specific OU.
4. In the **New GPO** dialog box, name the new GPO **WSUS Auto Updates and Intranet Update Service Location**.
5. Right-click the **WSUS Auto Updates and Intranet Update Service Location** GPO, and then click **Edit**.
6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
7. Right-click the **Configure Automatic Updates** setting, and then click **Edit**.
![Example of UI](images/waas-wsus-fig4.png)
8. In the **Configure Automatic Updates** dialog box, select **Enable**.
9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then click **OK**.
![Example of UI](images/waas-wsus-fig5.png)
>[!NOTE]
?There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](https://technet.microsoft.com/library/cc720539%28v=ws.10%29.aspx).
9. Right-click the **Specify intranet Microsoft update service location** setting, and then click **Edit**.
9. In the **Specify intranet Microsoft update service location** dialog box, select **Enable**.
12. Under **Options**, in the **Set the intranet update service for detecting updates** and **Set the intranet statistics server** options, type **http://Your_WSUS_Server_FQDN:PortNumber**, and then click **OK**.
>[!NOTE]
>The URL `http://CONTOSO-WSUS1.contoso.com:8530` in the following image is just an example. In your environment, be sure to use the server name and port number for your WSUS instance.
![Example of UI](images/waas-wsus-fig6.png)
>[!NOTE]
>The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531. If youre unsure which port WSUS is using for client communication, right-click the WSUS Administration site in IIS Manager, and then click **Edit Bindings**.
As Windows clients refresh their computer policies (the default Group Policy refresh setting is 90 minutes and when a computer restarts), computers start to appear in WSUS. Now that clients are communicating with the WSUS server, create the computer groups that align with your deployment rings.
## Create computer groups in the WSUS Administration Console
>[!NOTE]
>The following procedures use the groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) as examples.
You can use computer groups to target a subset of devices that have specific quality and feature updates. These groups represent your deployment rings, as controlled by WSUS. You can populate the groups either manually by using the WSUS Administration Console or automatically through Group Policy. Regardless of the method you choose, you must first create the groups in the WSUS Administration Console.
**To create computer groups in the WSUS Administration Console**
1. Open the WSUS Administration Console.
2. Go to *Server_Name*\Computers\All Computers, and then click **Add Computer Group**.
![Example of UI](images/waas-wsus-fig7.png)
3. Type **Ring 2 Pilot Business Users** for the name, and then click **Add**.
4. Repeat these steps for the **Ring 3 Broad IT** and **Ring 4 Broad Business Users** groups. When youre finished, there should be three deployment ring groups.
Now that the groups have been created, add the computers to the computer groups that align with the desired deployment rings. You can do this through [Group Policy](#wsus-gp) or manually by using the [WSUS Administration Console](#wsus-admin).
<span id="wsus-admin"/>
## Use the WSUS Administration Console to populate deployment rings
Adding computers to computer groups in the WSUS Administration Console is simple, but it could take much longer than managing membership through Group Policy, especially if you have many computers to add. Adding computers to computer groups in the WSUS Administration Console is called *server-side targeting*.
In this example, you add computers to computer groups in two different ways: by manually assigning unassigned computers and by searching for multiple computers.
### Manually assign unassigned computers to groups
When new computers communicate with WSUS, they appear in the **Unassigned Computers** group. From there, you can use the following procedure to add computers to their correct groups. For these examples, you use two Windows 10 PCs (WIN10-PC1 and WIN10-PC2) to add to the computer groups.
**To assign computers manually**
1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers\Unassigned Computers.
Here, you see the new computers that have received the GPO you created in the previous section and started communicating with WSUS. This example has only two computers; depending on how broadly you deployed your policy, you will likely have many computers here.
2. Select both computers, right-click the selection, and then click **Change Membership**.
![Example of UI](images/waas-wsus-fig8.png)
3. In the **Set Computer Group Membership** dialog box, select the **Ring 2 Pilot Business Users** deployment ring, and then click **OK**.
Because they were assigned to a group, the computers are no longer in the **Unassigned Computers** group. If you select the **Ring 2 Pilot Business Users** computer group, you will see both computers there.
### Search for multiple computers to add to groups
Another way to add multiple computers to a deployment ring in the WSUS Administration Console is to use the search feature.
**To search for multiple computers**
1. In the WSUS Administration Console, go to *Server_Name*\Computers\All Computers, right-click **All Computers**, and then click **Search**.
2. In the search box, type **WIN10**.
3. In the search results, select the computers, right-click the selection, and then click **Change Membership**.
![Example of UI](images/waas-wsus-fig9.png)
4. Select the **Ring 3 Broad IT** deployment ring, and then click **OK**.
You can now see these computers in the **Ring 3 Broad IT** computer group.
<span id="wsus-gp"/>
## Use Group Policy to populate deployment rings
The WSUS Administration Console provides a friendly interface from which you can manage Windows 10 quality and feature updates. When you need to add many computers to their correct WSUS deployment ring, however, it can be time-consuming to do so manually in the WSUS Administration Console. For these cases, consider using Group Policy to target the correct computers, automatically adding them to the correct WSUS deployment ring based on an Active Directory security group. This process is called *client-side targeting*. Before enabling client-side targeting in Group Policy, you must configure WSUS to accept Group Policy computer assignment.
**To configure WSUS to allow client-side targeting from Group Policy**
1. Open the WSUS Administration Console, and go to *Server_Name*\Options, and then click **Computers**.
![Example of UI](images/waas-wsus-fig10.png)
2. In the **Computers** dialog box, select **Use Group Policy or registry settings on computers**, and then click **OK**.
>[!NOTE]
>This option is exclusively either-or. When you enable WSUS to use Group Policy for group assignment, you can no longer manually add computers through the WSUS Administration Console until you change the option back.
Now that WSUS is ready for client-side targeting, complete the following steps to use Group Policy to configure client-side targeting:
**To configure client-side targeting**
>[!TIP]
>When using client-side targeting, consider giving security groups the same names as your deployment rings. Doing so simplifies the policy-creation process and helps ensure that you dont add computers to the incorrect rings.
1. Open GPMC.
2. Expand Forest\Domains\\*Your_Domain*.
3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**.
4. In the **New GPO** dialog box, type **WSUS Client Targeting Ring 4 Broad Business Users** for the name of the new GPO.
5. Right-click the **WSUS Client Targeting Ring 4 Broad Business Users** GPO, and then click **Edit**.
![Example of UI](images/waas-wsus-fig11.png)
6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
7. Right-click **Enable client-side targeting**, and then click **Edit**.
8. In the **Enable client-side targeting** dialog box, select **Enable**.
9. In the **Target group name for this computer** box, type **Ring 4 Broad Business Users**. This is the name of the deployment ring in WSUS to which these computers will be added.
![Example of UI](images/waas-wsus-fig12.png)
10. Close the Group Policy Management Editor.
Now youre ready to deploy this GPO to the correct computer security group for the **Ring 4 Broad Business Users** deployment ring.
**To scope the GPO to a group**
1. In GPMC, select the **WSUS Client Targeting Ring 4 Broad Business Users** policy.
2. Click the **Scope** tab.
3. Under **Security Filtering**, remove the default **AUTHENTICATED USERS** security group, and then add the **Ring 4 Broad Business Users** group.
![Example of UI](images/waas-wsus-fig13.png)
The next time the clients in the **Ring 4 Broad Business Users** security group receive their computer policy and contact WSUS, they will be added to the **Ring 4 Broad Business Users** deployment ring.
## Automatically approve and deploy feature updates
For clients that should have their feature updates approved as soon as theyre available, you can configure Automatic Approval rules in WSUS.
>[!NOTE]
>WSUS respects the clients servicing branch. If you approve a feature update while it is still Current Branch (CB), WSUS will install the update only on PCs that are in the CB servicing branch. When Microsoft releases the build for Current Branch for Business (CBB), the PCs in the CBB servicing branch will install it.
**To configure an Automatic Approval rule for Windows 10 feature updates and approve them for the Ring 3 Broad IT deployment ring**
1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Options, and then select **Automatic Approvals**.
2. On the **Update Rules** tab, click **New Rule**.
3. In the **Add Rule** dialog box, select the **When an update is in a specific classification**, **When an update is in a specific product**, and **Set a deadline for the approval** check boxes.
![Example of UI](images/waas-wsus-fig14.png)
4. In the **Edit the properties** area, select **any classification**. Clear everything except **Upgrades**, and then click **OK**.
5. In the **Edit the properties area**, click the **any product** link. Clear all check boxes except **Windows 10**, and then click **OK**.
Windows 10 is under All Products\Microsoft\Windows.
6. In the **Edit the properties** area, click the **all computers** link. Clear all the computer group check boxes except **Ring 3 Broad IT**, and then click **OK**.
7. Leave the deadline set for **7 days after the approval at 3:00 AM**.
8. In the **Step 3: Specify a name** box, type **Windows 10 Upgrade Auto-approval for Ring 3 Broad IT**, and then click **OK**.
![Example of UI](images/waas-wsus-fig15.png)
9. In the **Automatic Approvals** dialog box, click **OK**.
>[!NOTE]
>WSUS does not honor any existing month/week/day deferral settings for CB or CBB. That said, if youre using Windows Update for Business for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait.
Now, whenever Windows 10 feature updates are published to WSUS, they will automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week.
## Manually approve and deploy feature updates
You can manually approve updates and set deadlines for installation within the WSUS Administration Console, as well. To simplify the manual approval process, start by creating a software update view that contains only Windows 10 updates.
**To approve and deploy feature updates manually**
1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates. In the **Action** pane, click **New Update View**.
2. In the **Add Update View** dialog box, select **Updates are in a specific classification** and **Updates are for a specific product**.
3. Under **Step 2: Edit the properties**, click **any classification**. Clear all check boxes except **Upgrades**, and then click **OK**.
4. Under **Step 2: Edit the properties**, click **any product**. Clear all check boxes except **Windows 10**, and then click **OK**.
Windows 10 is under All Products\Microsoft\Windows.
5. In the **Step 3: Specify a name** box, type **All Windows 10 Upgrades**, and then click **OK**.
![Example of UI](images/waas-wsus-fig16.png)
Now that you have the All Windows 10 Upgrades view, complete the following steps to manually approve an update for the **Ring 4 Broad Business Users** deployment ring:
1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates\All Windows 10 Upgrades.
2. Right-click the feature update you want to deploy, and then click **Approve**.
![Example of UI](images/waas-wsus-fig17.png)
3. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, select **Approved for Install**.
![Example of UI](images/waas-wsus-fig18.png)
4. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, click **Deadline**, click **One Week**, and then click **OK**.
![Example of UI](images/waas-wsus-fig19.png)
5. If the **Microsoft Software License Terms** dialog box opens, click **Accept**.
If the deployment is successful, you should receive a successful progress report.
![Example of UI](images/waas-wsus-fig20.png)
6. In the **Approval Progress** dialog box, click **Close**.
</br>
## Steps to manage updates for Windows 10
<table><tbody>
<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Learn about updates and servicing branches](waas-overview.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>
or Manage Windows 10 updates using Windows Server Update Services (this topic)</br>
or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)</td></tr>
</tbody></table>
</br>
## Related topics
- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
- [Overview of Windows as a service](waas-overview.md)
- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)

142
windows/manage/waas-manage-updates-wufb.md
View File

@ -1,142 +0,0 @@
---
title: Manage updates using Windows Update for Business (Windows 10)
description: Windows Update for Business lets you manage when devices received updates from Windows Update.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
---
# Manage updates using Windows Update for Business
**Applies to**
- Windows 10
- Windows 10 Mobile
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined machines.
Specifically, Windows Update for Business allows for:
- The creation of deployment rings, where administrators can specify which devices go first in an update wave, and which ones will come later (to ensure any quality bars are met).
- Selectively including or excluding drivers as part of Microsoft-provided updates
- Integration with existing management tools such as Windows Server Update Services (WSUS), System Center Configuration Manager, and Microsoft Intune.
- Peer-to-peer delivery for Microsoft updates, which optimizes bandwidth efficiency and reduces the need for an on-site server caching solution.
Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro Education, and Education.
>[!NOTE]
>See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to learn more about deployment rings in Windows 10.
## Update types
Windows Update for Business provides three types of updates to Windows 10 devices:
- **Feature Updates**: previously referred to as *upgrades*, Feature Updates contain not only security and quality revisions, but also significant feature additions and changes; they are released at a slower cadence, every 4 to 8 months.
- **Quality Updates**: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as Quality Updates. These non-Windows Updates are known as *Microsoft Updates* and devices can be optionally configured to receive such updates along with their Windows Updates.
- **Non-deferrable updates**: Currently, antimalware and antispyware Definition Updates from Windows Update cannot be deferred.
Both Feature and Quality Updates can be deferred from deploying to client devices by a Windows Update for Business administrator within a bounded range of time from when those updates are first made available on the Windows Update Service. This deferral capability allows administrators to validate deployments as they are pushed to all client devices configured for Windows Update for Business.
<table>
<tr>
<th>Category</th>
<th>Maximum deferral</th>
<th>Deferral increments</th>
<th>Example</th>
<th>Classification GUID</th>
</tr>
<tr>
<td>Feature Updates</td>
<td>180 days</td>
<td>Days</td>
<td>From Windows 10, version 1511 to version 1607</td>
<td>3689BDC8-B205-4AF4-8D4A-A63924C5E9D5</td>
</tr>
<tr>
<td rowspan="4">Quality Updates</td>
<td rowspan="4">30 days</td>
<td rowspan="4">Days</td>
<td>Security updates</td>
<td>0FA1201D-4330-4FA8-8AE9-B877473B6441</td>
</tr>
<tr>
<td>Drivers (optional)</td>
<td>EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0</td>
</tr>
<tr>
<td>Non-security updates</td>
<td>CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83</td>
</tr><tr><td>Microsoft updates (Office, Visual Studio, etc.)</td><td>varies</td></tr>
<tr>
<td>Non-deferrable</td>
<td>No deferral</td>
<td>No deferral</td>
<td>Definition updates</td>
<td>E0789628-CE08-4437-BE74-2495B842F43B</td>
</tr>
</table>
>[!NOTE]
>For information about classification GUIDs, see [WSUS Classification GUIDs](https://msdn.microsoft.com/en-us/library/ff357803.aspx).
## Comparing Windows Update for Business in Windows 10, version 1511 and version 1607
Windows Update for Business was first made available in Windows 10, version 1511. In Windows 10, version 1607 (also known as the Anniversary Update), there are several new or changed capabilities provided as well as updated behavior.
>[!NOTE]
>For more information on Current Branch and Current Branch for Business, see [Windows 10 servicing options](introduction-to-windows-10-servicing.md).
<table>
<thead>
<tr><th>Capability</th><th>Windows 10, version 1511</th><th>Windows 10, version 1607</th>
</tr>
</thead>
<tbody>
<tr><td><p>Select Servicing Options: CB or CBB</p></td><td><p>Not available. To defer updates, all systems must be on the Current Branch for Business (CBB)</p></td><td><p>Ability to set systems on the Current Branch (CB) or Current Branch for Business (CBB).</p></td></tr>
<tr><td><p>Quality Updates</p></td><td><p>Able to defer receiving Quality Updates:</p><ul><li>Up to 4 weeks</li><li>In weekly increments</li></ul></td><td><p>Able to defer receiving Quality Updates:</p><ul><li>Up to 30 days</li><li>In daily increments</li></ul></td></tr>
<tr><td><p>Feature Updates</p></td><td><p>Able to defer receiving Feature Updates:</p><ul><li>Up to 8 months</li><li>In monthly increments</li></ul></td><td><p>Able to defer receiving Feature Updates:</p><ul><li>Up to 180 days</li><li>In daily increments</li></ul></td></tr>
<tr><td><p>Pause updates</p></td><td><ul><li>Feature Updates and Quality Updates paused together</li><li>Maximum of 35 days</li></ul></td><td><p>Features and Quality Updates can be paused separately.</p><ul><li>Feature Updates: maximum 60 days</li><li>Quality Updates: maximum 35 days</li></ul></td></tr>
<tr><td><p>Drivers</p></td><td><p>No driver-specific controls</p></td><td><p>Drivers can be selectively excluded from Windows Update for Business.</p></td></tr>
</tbody></table>
## Steps to manage updates for Windows 10
<table><tbody>
<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Learn about updates and servicing branches](waas-overview.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">Manage updates using Windows Update for Business (this topic)</br>
or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>
or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)</td></tr>
</tbody></table>
</br>
## Related topics
- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
- [Overview of Windows as a service](waas-overview.md)
- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)

84
windows/manage/waas-mobile-updates.md
View File

@ -1,84 +0,0 @@
---
title: Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile (Windows 10)
description: tbd
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
---
# Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile
**Applies to**
- Windows 10 Mobile
- [Windows 10 IoT Mobile](https://www.microsoft.com/en-us/WindowsForBusiness/windows-iot)
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
>[!TIP]
>If you're not familiar with the Windows 10 servicing or release branches, read [Servicing branches](waas-overview.md#servicing-branches) first.
Devices running Windows 10 Mobile and Windows 10 IoT Mobile receive updates from the Current Branch (CB) unless you [enroll the device in the Windows Insider Program](waas-servicing-branches-windows-10-updates.md#enroll-devices-in-the-windows-insider-program) or assign the device to Current Branch for Business (CBB). Only devices running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile can be assigned to CBB.
[Learn how to upgrade Windows 10 Mobile to Windows 10 Mobile Enterprise](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)
</br>
| Windows 10 edition | CB | CBB | Insider Program |
| --- | --- | --- | --- | --- |
| Mobile | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
| Mobile Enterprise | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) |
| IoT Mobile | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) |
</br>
Configuration of Windows 10 Mobile and Windows 10 IoT Mobile devices is limited to the feature set pertaining to Quality Updates only. That is, Windows Mobile Feature Updates are categorized the same as Quality Updates, and can only be deferred by setting the Quality Update deferral period, for a maximum period of 30 days. You can use mobile device management (MDM) to manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. Updates cannot be managed for Windows 10 Mobile.
## Windows 10, version 1511
Only the following Windows Update for Business policies are supported for Windows 10 Mobile and Windows 10 IoT Mobile:
- ../Vendor/MSFT/Policy/Config/Update/RequireDeferredUpgrade
- ../Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod
- ../Vendor/MSFT/Policy/Config/Update/PauseDeferrals
To defer the update period or pause deferrals, the device must be configured for CBB servicing branch by applying the **RequireDeferredUpgrade** policy.
## Windows 10, version 1607
Only the following Windows Update for Business policies are supported for Windows 10 Mobile and Windows 10 IoT Mobile:
- ../Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel
- ../Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesInDays
- ../Vendor/MSFT/Policy/Config/Update/PauseQualityUpdates
In version 1607, you can defer and pause updates for devices on both the CB and CBB servicing branches.
If a device running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile, version 1511, has Windows Update for Business policies applied and is then updated to version 1607, version 1511 policies continue to apply until version 1607 policies are applied.
## Related topics
- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
- [Overview of Windows as a service](waas-overview.md)
- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)

106
windows/manage/waas-optimize-windows-10-updates.md
View File

@ -1,106 +0,0 @@
---
title: Optimize update delivery for Windows 10 updates (Windows 10)
description: Two methods of peer-to-peer content distribution are available in Windows 10, Delivery Optimization and BranchCache.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
---
# Optimize update delivery for Windows 10 updates
**Applies to**
- Windows 10
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
When considering your content distribution strategy for Windows 10, think about enabling a form of peer-to-peer content sharing to reduce bandwidth issues during updates. Windows 10 offers two peer-to-peer options for update content distribution: Delivery Optimization and BranchCache. These technologies can be used with several of the servicing tools for Windows 10.
Two methods of peer-to-peer content distribution are available in Windows 10.
- [Delivery Optimization](waas-delivery-optimization.md) is a new peer-to-peer distribution method in Windows 10. Windows 10 clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests.
Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates.
- [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of the Windows Server 2016 Technical Preview and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7.
>[!NOTE]
>Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations.
Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content.
</br></br>
| Method | Windows Update | Windows Update for Business | WSUS | Configuration Manager |
| --- | --- | --- | --- | --- |
| Delivery Optimization | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) |
| BranchCache | ![no](images/crossmark.png) | ![no](images/crossmark.png) |![yes](images/checkmark.png) | ![yes](images/checkmark.png) |
>[!NOTE]
>System Center Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use System Center Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/client-peer-cache).
>
>In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with System Center Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in System Center Configuration Manager](https://technet.microsoft.com/library/mt613173.aspx).
## Express update delivery
Windows 10 update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express.
### How Microsoft supports Express
- **Express on WSUS Standalone**
Express update delivery is available on [all support versions of WSUS](https://technet.microsoft.com/library/cc708456(v=ws.10).aspx).
- **Express on devices directly connected to Windows Update**
- **Enterprise devices managed using [Windows Update for Business](waas-manage-updates-wufb.md)** also get the benefit of Express update delivery support without any change in configuration.
### How Express download works
For OS updates that support Express, there are two versions of the file payload stored on the service:
1. **Full-file version** - essentially replacing the local versions of the update binaries.
2. **Express version** - containing the deltas needed to patch the existing binaries on the device.
Both the full-file version and the Express version are referenced in the update's metadata, which has been downloaded to the client as part of the scan phase.
**Express download works as follows:**
The Windows Update client will try to download Express first, and under certain situations fall back to full-file if needed (for example, if going through a proxy that doesn't support byte range requests).
1. When the Windows Update client initiates an Express download, **Windows Update first downloads a stub**, which is part of the Express package.
2. **The Windows Update client passes this stub to the Windows installer**, which uses the stub to do a local inventory, comparing the deltas of the file on the device with what is needed to get to the latest version of the file being offered.
3. **The Windows installer then requests the Windows Update client to download the ranges**, which have been determined to be required.
4. **The client downloads these ranges and passes them to the Windows Installer**, which applies the ranges and then determines if additional ranges are needed. This repeats until the Windows installer tells the Windows Update client that all necessary ranges have been downloaded.
At this point, the download is complete and the update is ready to be installed.
>[!TIP]
>Express will **always** be leveraged if your machines are updated regularly with the latest cumulative updates.
## Steps to manage updates for Windows 10
<table><tbody>
<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Learn about updates and servicing branches](waas-overview.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">Optimize update delivery for Windows 10 updates (this topic)</td></tr>
<tr><td style="border: 0px;width: 24px">![to do](images/checklistbox.gif)</td><td align="left" style="border: 0px">[Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>
or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>
or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)</td></tr>
</tbody></table>
</br>
## Related topics
- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage device restarts after updates](waas-restart.md)

193
windows/manage/waas-overview.md
View File

@ -1,193 +0,0 @@
---
title: Overview of Windows as a service (Windows 10)
description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
---
# Overview of Windows as a service
**Applies to**
- Windows 10
- Windows 10 Mobile
- Windows 10 IoT Mobile
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
## Building
Prior to Windows 10, Microsoft released new versions of Windows every few years. This traditional deployment schedule imposed a training burden on users because the feature revisions were often significant. That schedule also meant waiting long periods without new features — a scenario that doesnt work in todays rapidly changing world, a world in which new security, management, and deployment capabilities are necessary to address challenges. Windows as a service will deliver smaller feature updates two to three times per year to help address these issues.
In the past, when Microsoft developed new versions of Windows, it typically released technical previews near the end of the process, when Windows was nearly ready to ship. With Windows 10, new features will be delivered to the [Windows Insider community](https://insider.windows.com/) as soon as possible — during the development cycle, through a process called *flighting* — so that organizations can see exactly what Microsoft is developing and start their testing as soon as possible.
Microsoft also depends on receiving feedback from organizations throughout the development process so that it can make adjustments as quickly as possible rather than waiting until after release. For more information about the Windows Insider Program and how to sign up, see the section [Windows Insider](#windows-insider).
Of course Microsoft also performs extensive internal testing, with engineering teams installing new builds daily, and larger groups of employees installing builds frequently, all before those builds are ever released to the Windows Insider Program.
## Deploying
Deploying Windows 10 is simpler than with previous versions of Windows. When migrating from earlier versions of Windows, an easy in-place upgrade process can be used to automatically preserve all apps, settings, and data. And once running Windows 10, deployment of Windows 10 feature updates will be equally simple.
One of the biggest challenges for organizations when it comes to deploying a new version of Windows is compatibility testing. Whereas compatibility was previously a concern for organizations upgrading to a new version of Windows, Windows 10 is compatible with most hardware and software capable of running on Windows 7 or later. Because of this high level of compatibility, the app compatibility testing process can be greatly simplified.
### Application compatibility
Application compatibility testing has historically been a burden when approaching a Windows deployment or upgrade. With Windows 10, application compatibility from the perspective of desktop applications, websites, and apps built on the Universal Windows Platform (UWP) has improved tremendously. Microsoft understands the challenges organizations experienced when they migrated from the Windows XP operating system to Windows 7 and has been working to make Windows 10 upgrades a much better experience.
Most Windows 7compatible desktop applications will be compatible with Windows 10 straight out of the box. Windows 10 achieved such high compatibility because the changes in the existing Win32 application programming interfaces were minimal. Combined with valuable feedback via the Windows Insider Program and telemetry data, this level of compatibility can be maintained through each feature update. As for websites, Windows 10 includes Internet Explorer 11 and its backward-compatibility modes for legacy websites. Finally, UWP apps follow a compatibility story similar to desktop applications, so most of them will be compatible with Windows 10.
For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. If its unclear whether an application is compatible with Windows 10, IT pros can either consult with the ISV or check the supported software directory at [http://www.readyforwindows.com](http://www.readyforwindows.com).
### Device compatibility
Device compatibility in Windows 10 is also very strong; new hardware is not needed for Windows 10 as any device capable of running Windows 7 or later can run Windows 10. In fact, the minimum hardware requirements to run Windows 10 are the same as those required for Windows 7. Most hardware drivers that functioned in Windows 8.1, Windows 8, or Windows 7 will continue to function in Windows 10.
## Servicing
Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality two to three times per year, and quality updates that provide security and reliability fixes at least once a month.
With Windows 10, organizations will need to change the way they approach deploying updates. Servicing branches are the first way to separate users into deployment groups for feature and quality updates. With the introduction of servicing branches comes the concept of a [deployment ring](waas-deployment-rings-windows-10-updates.md), which is simply a way to categorize the combination of a deployment group and a servicing branch to group devices for successive waves of deployment. For more information about developing a deployment strategy that leverages servicing branches and deployment rings, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md).
For information about each servicing tool available for Windows 10, see [Servicing tools](#servicing-tools).
To align with this new update delivery model, Windows 10 has three servicing branches, each of which provides different levels of flexibility over when these updates are delivered to client computers. For information about the servicing branches available in Windows 10, see [Servicing branches](#servicing-branches).
### Feature updates
With Windows 10, Microsoft will package new features into feature updates that can be deployed using existing management tools. Because feature updates are delivered more frequently than with previous Windows releases — two to three times per year rather than every 35 years — changes will be in bite-sized chunks rather than all at once and end user readiness time much shorter.
### Quality updates
Monthly updates in previous Windows versions were often overwhelming because of the sheer number of updates available each month. Many organizations selectively chose which updates they wanted to install and which they didnt, and this created countless scenarios in which organizations deployed essential security updates but picked only a subset of nonsecurity fixes.
In Windows 10, rather than receiving several updates each month and trying to figure out which the organization needs, which ultimately causes platform fragmentation, administrators will see one cumulative monthly update that supersedes the previous months update, containing both security and nonsecurity fixes. This approach makes patching simpler and ensures that customers devices are more closely aligned with the testing done at Microsoft, reducing unexpected issues resulting from patching. The left side of Figure 1 provides an example of Windows 7 devices in an enterprise and what their current patch level might look like. On the right is what Microsofts test environment PCs contain. This drastic difference is the basis for many compatibility issues and system anomalies related to Windows updates.
**Figure 1**
![Comparison of patch environment in enterprise compared to test](images/waas-overview-patch.png)
## Servicing branches
To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing branches to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers three servicing branches for Windows 10: Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB). In addition, the Windows Insider Program provides IT pros and other interested parties with prerelease Windows builds that they can test and ultimately provide feedback on to Microsoft. For details about the versions in each servicing branch, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx).
The concept of servicing branches is new, but organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows. For more information about the servicing tool options for Windows 10 and their capabilities, see [Servicing tools](#servicing-tools).
>[!NOTE]
>Servicing branches are not the only way to separate groups of devices when consuming updates. Each branch can contain subsets of devices, which staggers servicing even further. For information about the servicing strategy and ongoing deployment process for Windows 10, including the role of servicing branches, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md).
### Current Branch
In the CB servicing model, feature updates are available as soon as Microsoft releases them. Windows 10 version 1511 had few servicing tool options to delay CB feature updates, limiting the use of the CB servicing branch. Windows 10 version 1607, however, includes more servicing tools that can delay CB feature updates for up to 180 days. The CB servicing model is ideal for pilot deployments and testing of Windows 10 feature updates and for users such as developers who need to work with the latest features immediately.
When Microsoft officially releases a feature update for Windows 10, that update is marked for CB, making it available to any PC not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft System Center Configuration Manager, or Windows Update for Business, however, can defer CB feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for CB will be available but not necessarily immediately mandatory, depending on the policy of the management system. Only one CB build of Windows is supported at a time, so those clients not on the most current build will not receive quality updates (after a 60 day grace period) until the most current feature update has been installed. For more details about Windows 10 servicing tools, see [Servicing tools](#servicing-tools).
### Current Branch for Business
Organizations typically prefer to have a testing cycle before broadly deploying new features to business users. For Windows 10, most pilot testing will be done using the CB servicing branch. In contrast, the CBB servicing branch is typically used for broad deployment. Windows 10 clients in the CBB servicing branch receive the same build of Windows 10 as those in the CB servicing branch, just at a later time. CB releases are transitioned to CBB after about 4 months, indicating that Microsoft, independent software vendors (ISVs), partners, and customers believe that the release is ready for broad deployment. Therefore, CB and CBB have an inherent “staging” effect. Both of these branches have a purpose in the overall deployment process for an enterprise, providing another layer of testing capabilities in addition to the traditional phased deployment methods to specific groups of machines. Microsoft will support two CBB builds at a time, plus a 60 day grace period. Each feature update release will be supported and updated for a minimum of 18 months.
>[!NOTE]
>Organizations can electively delay CB and CBB updates into as many phases as they wish by using one of the servicing tools mentioned in the section Servicing tools.
Basically, CBB is a configuration state, meaning that if a computer has the **Defer Updates and Upgrades** flag enabled—either through Group Policy, a mobile device management product like Microsoft Intune, or manually on the client—its considered to be in the CBB servicing branch. The benefit of tying this servicing model and CB to a configuration state rather than a SKU is that they are easily interchangeable. If an organization accidentally selects CBB on a machine that doesnt need delayed updates, its simple to change it back.
### Long-term Servicing Branch
Specialized systems—such as PCs that control medical equipment, point-of-sale systems, and ATMs—often require a longer servicing option because of their purpose. These devices typically perform a single important task and dont need feature updates as frequently as other devices in the organization. Its more important that these devices be kept as stable and secure as possible than up to date with user interface changes. The LTSB servicing model prevents Windows 10 Enterprise LTSB devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date. With this in mind, quality updates are still immediately available to Windows 10 Enterprise LTSB clients, but customers can choose to defer them by using one of the servicing tools mentioned in the section Servicing tools.
>[!NOTE]
>LTSB is not intended for deployment on most or all the PCs in an organization; it should be used only for special-purpose devices. As a general guideline, a PC with Microsoft Office installed is a general-purpose device, typically used by an information worker, and therefore it is better suited for the CB or CBB servicing branch.
Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSB releases every 23 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle.
>[!NOTE]
>Windows 10 LTSB will support the currently released silicon at the time of release of the LTSB. As future silicon generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products).
LTSB is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesnt contain many in-box applications, such as Microsoft Edge, Windows Store client, Cortana (limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. Therefore, its important to remember that Microsoft has positioned the LTSB model primarily for specialized devices.
>[!NOTE]
>If an organization has devices currently running Windows 10 Enterprise LTSB that it would like to change to the CB or CBB servicing branch, it can make the change without losing user data. Because LTSB is its own SKU, however, an upgrade is required from Windows 10 Enterprise LTSB to Windows 10 Enterprise, which supports CB and CBB.
### Windows Insider
For many IT pros, gaining visibility into feature updates early—before theyre available to the CB servicing branch—can be both intriguing and valuable for future end user communications as well as provide additional prestaging for CB machines. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. Also, as flighted builds get closer to their release to CB, organizations can test their deployment on test devices for compatibility validation.
Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program and provide feedback on any issues they encounter. For information about how to sign up for the Windows Insider Program and enroll test devices, go to [https://insider.windows.com](https://insider.windows.com).
>[!NOTE]
>Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub app.
>
>The Windows Insider Program isnt intended to replace CB deployments in an organization. Rather, it provides IT pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft.
## Servicing tools
There are many tools with which IT pros can service Windows as a service. Each option has its pros and cons, ranging from capabilities and control to simplicity and low administrative requirements. The following are examples of the servicing tools available to manage Windows as a service updates:
- **Windows Update (stand-alone)** provides limited control over feature updates, with IT pros manually configuring the device to be in the CBB servicing branch. Organizations can control which devices defer updates and stay in the CBB servicing branch or remain in CB by selecting the Defer upgrades check box in Start\Settings\Update & Security\Advanced Options on a Windows 10 client.
- **Windows Update for Business** is the second option for servicing Windows as a service. This servicing tool includes a little more control over update deferment and provides centralized management using Group Policy. In Windows 10 version 1511, Windows Update for Business can be used to defer feature updates for up to 8 months and quality updates for up to 4 weeks. Also, these deferment options were available only to clients in the CBB servicing branch. In Windows 10 version 1607 and later, Windows Update for Business can be used to defer feature updates for up to 180 days and quality updates for up to 30 days. These deployment options are available to clients in either the CB or CBB servicing branch. In addition to being able to use Group Policy to manage Windows Update for Business, either option can be configured without requiring any on-premises infrastructure by using Intune.
- **Windows Server Update Services (WSUS)** provides extensive control over Windows 10 updates and is natively available in the Windows Server operating system. In addition to the ability to defer updates, organizations can add an approval layer for updates and choose to deploy them to specific computers or groups of computers whenever ready.
- **System Center Configuration Manager** provides the greatest control over servicing Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times.
With all these options, which an organization chooses depends on the resources, staff, and expertise its IT organization already has. For example, if IT already uses System Center Configuration Manager to manage Windows updates, it can continue to use it. Similarly, if IT is using WSUS, it can continue to use that. For a consolidated look at the benefits of each tool, see Table 1.
**Table 1**
| Servicing tool | Can updates be deferred? | Ability to approve updates | Peer-to-peer option | Additional features |
| --- | --- | --- | --- | --- |
| Windows Update | Yes (manual) | No | Delivery Optimization | None|
| Windows Update for Business | Yes | No | Delivery Optimization | Other Group Policy objects |
| WSUS | Yes | Yes | BranchCache or Delivery Optimization | Upstream/downstream server scalability |
| Configuration Manager | Yes | Yes | BranchCache, Client Peer Cache | Distribution points, multiple deployment options |
</br>
## Steps to manage updates for Windows 10
<table><tbody>
<tr><td style="border: 0px;width: 24px">![to do](images/checklistdone.png)</td><td align="left" style="border: 0px">Learn about updates and servicing branches (this topic)</td></tr>
<tr><td style="border: 0px;width: 24px">![to do](images/checklistbox.gif)</td><td align="left" style="border: 0px">[Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![to do](images/checklistbox.gif)</td><td align="left" style="border: 0px">[Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![to do](images/checklistbox.gif)</td><td align="left" style="border: 0px">[Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![to do](images/checklistbox.gif)</td><td align="left" style="border: 0px">[Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![to do](images/checklistbox.gif)</td><td align="left" style="border: 0px">[Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>
or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>
or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)</td></tr>
</tbody></table>
</br>
## Related topics
- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
- [Quick guide to Windows as a service](waas-quick-start.md)
- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage device restarts after updates](waas-restart.md)

82
windows/manage/waas-quick-start.md
View File

@ -1,82 +0,0 @@
---
title: Quick guide to Windows as a service (Windows 10)
description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
---
# Quick guide to Windows as a service
**Applies to**
- Windows 10
- Windows 10 Mobile
- Windows 10 IoT Mobile
Windows as a service is a new concept, introduced with the release of Windows 10. While [an extensive set of documentation](waas-update-windows-10.md) is available explaining all the specifics and nuances, here is a quick guide to the most important concepts.
## Definitions
Some new terms have been introduced as part of Windows as a service, so you should know what these terms mean.
- **Feature updates** will be released two to three times per year. As the name suggests, these will add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years.
- **Quality updates** are released monthly, delivering both security and non-security fixes. These are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update.
- **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered.
- **Servicing branches** allow organizations to choose when to deploy new features. Current Branch (CB) deploys the fastest, soon after a feature update is released. Current Branch for Business (CBB) defers the installation of the same feature update by about four months, until that feature update is considered ready for broad deployment. Long Term Servicing Branch (LTSB) is different, used only for specialized devices (which typically dont run Office) such as those that control medical equipment or ATM machines that need to be kept stable and secure.
- **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization.
See [Overview of Windows as a service](waas-overview.md) for more information.
## Key Concepts
New feature update releases are initially considered **Current Branch (CB) releases**; organizations will use these for pilot deployments to ensure compatibility with existing apps and infrastructure. After about four months, the feature update will be declared as **Current Branch for Business (CBB)**, indicating that it is ready for broad deployment.
Each Windows 10 feature update (which initially begins as CB and then is declared as CBB) will be serviced with quality updates for a minimum of 18 months after it is released. The total length of time can be longer, as there will be two CBB releases serviced at all times. There will be a minimum of 60 days advanced notice (a grace period) after a CBB declaration occurs before an older feature update is no longer serviced.
Windows 10 Enterprise LTSB is a separate **Long Term Servicing Branch (LTSB)** version. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years.
See [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) for more information.
## Staying up to date
The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Windows Upgrade Analytics](https://www.microsoft.com/en-us/WindowsForBusiness/upgrade-analytics), a free tool to streamline Windows upgrade projects, is another important tool to help.
Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isnt required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps and CBB has been declared, broad deployment can begin.
This process repeats with each new feature update, two to three times per year. These are small deployment projects, compared to the big projects that were necessary with the old three-to-five-year Windows release cycles.
Additional technologies such as BranchCache and Delivery Optimization, both peer-to-peer distribution tools, can help with the distribution of the feature update installation files.
See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) and [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) for more information.
## Video: An overview of Windows as a service
<iframe width="560" height="315" src="https://www.youtube.com/embed/MLc4-Suv0LU" frameborder="0" allowfullscreen></iframe>
## Learn more
[Adopting Windows as a service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft)
## Related topics
- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage device restarts after updates](waas-restart.md)

151
windows/manage/waas-restart.md
View File

@ -1,151 +0,0 @@
---
title: Manage device restarts after updates (Windows 10)
description: tbd
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
---
# Manage device restarts after updates
**Applies to**
- Windows 10
- Windows 10 Mobile
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
You can use Group Policy settings, mobile device management (MDM) or Registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both.
## Schedule update installation
In Group Policy, within **Configure Automatic Updates**, you can configure a forced restart after a specified instllation time.
To set the time, you need to go to **Configure Automatic Updates**, select option **4 - Auto download and schedule the instal**, and then enter a time in the **Scheduled install time** dropdown. Alternatively, you can specify that installtion will occur during the automatic maintenance time (configured using **Computer Configuration\Administrative Templates\Windows Components\Maintenance Scheduler**).
**Always automatically restart at the scheduled time** forces a restart after the specified installation time and lets you configure a timer to warn a signed-in user that a restart is going to occur.
While not recommended, the same result can be achieved through Registry. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4**, set the install time with **ScheduledInstallTime**, enable **AlwaysAutoRebootAtScheduledTime** and specify the delay in minutes through **AlwaysAutoRebootAtScheduledTimeMinutes**. Similar to Group Policy, **AlwaysAutoRebootAtScheduledTimeMinutes** sets the timer to warn a signed-in user that a restart is going to occur.
For a detailed description of these regsitry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
## Delay automatic reboot
When **Configure Automatic Updates** is enabled in Group Policy, you can enable one of the following additional policies to delay an automatic reboot after update installtion:
- **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours.
- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**.
You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting.
For a detailed description of these regsitry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
## Configure active hours
*Active hours* identify the period of time when you expect the device to be in use. Automatic restarts after an update will occur outside of the active hours.
By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually.
Administrators can use multiple ways to set active hours for managed devices:
- You can use Group Policy, as described in the procedure that follows.
- You can use MDM, as described in [Configuring active hours with MDM](#configuring-active-hours-with-mdm).
- While not recommended, you can also configure active hours, as descrbied in [Configuring active hours through Registry](#configuring-active-hours-through-registry).
### Configuring active hours with Group Policy
To configure active hours using Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Turn off auto-restart for updates during active hours** policy setting. When the policy is enabled, you can set the start and end times for active hours.
![Use Group Policy to configure active hours](images/waas-active-hours-policy.png)
### Configuring active hours with MDM
MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_ActiveHoursEnd) settings in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to configure active hours.
### Configuring active hours through Registry
This method is not recommended, and should only be used when neither Group Policy or MDM are available.
Any settings configured through Registry may conflict with any existing configuration that uses any of the methods mentioned above.
You should set a combination of the following registry values, in order to configure active hours.
Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** use **SetActiveHours** to enable or disable active hours and **ActiveHoursStart**,**ActiveHoursEnd** to specify the range of active hours.
For a detailed description of these regsitry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
>[!NOTE]
>To configure active hours manually on a single device, go to **Settings** > **Update & security** > **Windows Update** and select **Change active hours**.
>
>![Change active hours](images/waas-active-hours.png)
## Limit restart delays
After an update is installed, Windows 10 attemtps automatic restart outside of active hours. If the restart does not succeed after 7 days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from 7 days to a number of days between 2 and 14.
## Group Policy settings for restart
In the Group Policy editor, you will see a number of policy settings that pertain to restart behavior in **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The following table shows which policies apply to Windows 10.
| Policy | Applies to Windows 10 | Notes |
| --- | --- | --- |
| Turn off auto-restart for updates during active hours | ![yes](images/checkmark.png) | Use this policy to configure active hours, during which the device will not be restarted. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
| Always automatically restart at the scheduled time | ![yes](images/checkmark.png) | Use this policy to configure a restart timer (between 15 and 180 minutes) that will start immediately after Windows Update installs important updates. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** policy is enabled. |
| Specify deadline before auto-restart for update installation | ![yes](images/checkmark.png) | Use this policy to specify how many days (between 2 and 14) an automatic restart can be delayed. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled. |
| No auto-restart with logged on users for scheduled automatic updates installations | ![yes](images/checkmark.png) | Use this policy to prevent automatic restart when a user is logged on. This policy applies only when the **Configure Automatic Updates** policy is configured to perform scheduled installations of updates. <br>There is no equivalent MDM policy setting for Windows 10 Mobile. |
| Re-prompt for restart with scheduled installations | ![no](images/crossmark.png) | |
| Delay Restart for scheduled installations | ![no](images/crossmark.png) | |
| Reschedule Automatic Updates scheduled installations | ![no](images/crossmark.png) | |
>[!NOTE]
>You can only choose one path for restart behavior.
>
>If you set conflicting restart policies, the actual restart behavior may not be what you expected.
## Registry keys used to manage restart
The following tables list registry values that correspond to the Group Policy settings for controlling restarts after updates in Windows 10.
**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate**
| Registry key | Key type | Value |
| --- | --- | --- |
| ActiveHoursEnd | REG_DWORD | 0-23: set active hours to end at a specific hour</br>starts with 12 AM (0) and ends with 11 PM (23) |
| ActiveHoursStart | REG_DWORD | 0-23: set active hours to start at a specific hour</br>starts with 12 AM (0) and ends with 11 PM (23) |
| SetActiveHours | REG_DWORD | 0: disable automatic restart after updates outside of active hours</br>1: enable automatic restart after updates outside of active hours |
**HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**
| Registry key | Key type | Value |
| --- | --- | --- |
| AlwaysAutoRebootAtScheduledTime | REG_DWORD | 0: disable automatic reboot after update installation at scheduled time</br>1: enable automatic reboot after update installation at ascheduled time |
| AlwaysAutoRebootAtScheduledTimeMinutes | REG_DWORD | 15-180: set automatic reboot to occur after given minutes |
| AUOptions | REG_DWORD | 2: notify for download and automatically install updates</br>3: automatically download and notify for instllation of updates</br>4: Automatically download and schedule installation of updates</br>5: allow the local admin to configure these settings</br>**Note:** To configure restart behavior, set this value to **4** |
| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable do not reboot if users are logged on</br>1: do not reboot after an update installation if a user is logged on</br>**Note:** If disabled : Automatic Updates will notify the user that the computer will automatically restarts in 5 minutes to complete the installation |
| ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hour</br>starts with 12 AM (0) and ends with 11 PM (23) |
There are 3 different registry combinations for controlling restart behavior:
- To set active hours, **SetActiveHours** should be **1**, while **ActiveHoursStart** and **ActiveHoursEnd** should define the time range.
- To schedule a specific instllation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting.
- To delay rebooting if a user is logged on, **AUOptions** should be **4**, while **NoAutoRebootWithLoggedOnUsers** is set to **1**.
## Related topics
- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
- [Overview of Windows as a service](waas-overview.md)
- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)

220
windows/manage/waas-servicing-branches-windows-10-updates.md
View File

@ -1,220 +0,0 @@
---
title: Assign devices to servicing branches for Windows 10 updates (Windows 10)
description: tbd
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
---
# Assign devices to servicing branches for Windows 10 updates
**Applies to**
- Windows 10
- Windows 10 Mobile
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
>[!TIP]
>If you're not familiar with the Windows 10 servicing or release branches, read [Servicing branches](waas-overview.md#servicing-branches) first.
Current Branch is the default servicing branch for all Windows 10 devices except those with the long-term servicing branch edition installed. The following table shows the servicing branches available to each edition of Windows 10.
| Windows 10 edition | Current branch (CB) | Current branch for business (CBB) | Long-term servicing branch (LTSB) | Insider Program |
| --- | --- | --- | --- | --- |
| Home | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
| Pro | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
| Enterprise | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
| Enterprise LTSB | ![no](images/crossmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) |
| Pro Education | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
| Education | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
| Mobile | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
| Mobile Enterprise | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
>[!NOTE]
>The LTSB edition of Windows 10 is only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
## Assign devices to Current Branch for Business
**To assign a single PC locally to CBB**
1. Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options**.
2. Select **Defer feature updates**.
**To assign PCs to CBB using Group Policy**
- In Windows 10, version 1511:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates**
- In Windows 10, version 1607:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** - enable policy and set branch readiness level to CBB
**To assign PCs to CBB using MDM**
- In Windows 10, version 1511:
../Vendor/MSFT/Policy/Config/Update/**RequireDeferredUpgrade**
- In Windows 10, version 1607:
../Vendor/MSFT/Policy/Config/Update/**BranchReadinessLevel**
**To assign Windows 10 Mobile Enterprise to CBB using MDM**
- In Windows 10 Mobile Enterprise, version 1511:
../Vendor/MSFT/Policy/Config/Update/RequireDeferredUpgrade
- In Windows 10 Mobile Enterprise, version 1607:
../Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel
## Enroll devices in the Windows Insider Program
Enrolling devices in the Windows Insider Program is simple and requires only a Microsoft account. To enroll a device in the Windows Insider Program, complete the following steps on the device that you want to enroll:
1. Go to **Start** > **Settings** > **Update & security** > **Windows Insider Program**.
2. Select **Get started**.
>[!NOTE]
>If you didnt use a Microsoft account to log in to the computer, youll be prompted to log in. If you dont have a Microsoft account, you can create one now.
3. Read the privacy statement and program terms, and then click **Next**.
6. Click **Confirm**, and then select a time to restart the computer.
## Install your first preview build from the Windows Insider Program
After enrolling your devices, you are ready to install your first preview build. To do so, go to **Start** > **Settings** > **Update & security** > **Windows Insider Program** to select your Insider level. The device receives the most recent Windows Insider build for the Insider level you select.
The options for Insider level are:
- **Release Preview**: Insiders on this level receive builds of Windows just before Microsoft releases them for CB. Although these builds arent final, they are the most complete and stable builds available to Windows Insider Program participants. This level provides the best testing platform for organizations that conduct early application compatibility testing on Windows Insider PCs.
- **Slow**: The Slow Windows Insider level is for users who enjoy seeing new builds of Windows with minimal risk to their devices but still want to provide feedback to Microsoft about their experience with the new build.
- **Fast**: This level is best for Insiders who would like to be the first to experience new builds of Windows, participate in identifying and reporting issues to Microsoft, and provide suggestions on new functionality.
>[!NOTE]
>Once your machine is updated to Windows 10 and you select your desired flight ring, the process known as "Compatibility check" will need to run in the background. There is no manual way to force this process to run. This process allows for the discovery of your OS type (32-bit, 64-bit), build edition (Home, Pro, Enterprise), country and language settings, and other required information. Once this process is complete, your machine will be auto-targeted for the next available flight for your selected ring. For the first build on any given machine, this may take up to 24 hours to complete.
## Block access to Windows Insider Program
To prevent devices in your enterprise from being enrolled in the Insider Program for early releases of Windows 10:
- Group Policy: Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\\**Toggle user control over Insider builds**
- MDM: Policy CSP - [System/AllowBuildPreview](https://msdn.microsoft.com/library/windows/hardware/dn904962%28v=vs.85%29.aspx#System_AllowBuildPreview)
## Switching branches
During the life of a device, it may be necessary or desirable to switch between the available branches. Depending on the branch you are using, the exact mechanism for doing this can be different; some will be simple, others more involved.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">From this branch</th>
<th align="left">To this branch</th>
<th align="left">You need to</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left" rowspan="3">Windows Insider Program</td>
<td align="left">Current Branch</td>
<td align="left">Wait for the final Current Branch release.</td>
</tr>
<tr class="even">
<td align="left">Current Branch for Business</td>
<td align="left">Not directly possible, because Windows Insider Program devices are automatically upgraded to the Current Branch release at the end of the development cycle.</td>
</tr>
<tr class="odd">
<td align="left">Long-Term Servicing Branch</td>
<td align="left">Not directly possible (requires wipe-and-load).</td>
</tr>
<tr class="even">
<td align="left" rowspan="3">Current Branch</td>
<td align="left">Insider</td>
<td align="left">Use the Settings app to enroll the device in the Windows Insider Program.</td>
</tr>
<tr class="odd">
<td align="left">Current Branch for Business</td>
<td align="left">Select the <strong>Defer upgrade</strong> setting, or move the PC to a target group or flight that will not receive the next upgrade until it is business ready. Note that this change will not have any immediate impact; it only prevents the installation of the next Current Branch release.</td>
</tr>
<tr class="even">
<td align="left">Long-Term Servicing Branch</td>
<td align="left">Not directly possible (requires wipe-and-load).</td>
</tr>
<tr class="odd">
<td align="left" rowspan="3">Current Branch for Business</td>
<td align="left">Insider</td>
<td align="left">Use the Settings app to enroll the device in the Windows Insider Program.</td>
</tr>
<tr class="even">
<td align="left">Current Branch</td>
<td align="left">Disable the <strong>Defer upgrade</strong> setting, or move the device to a target group or flight that will receive the latest Current Branch release.</td>
</tr>
<tr class="odd">
<td align="left">Long-Term Servicing Branch</td>
<td align="left">Not directly possible (requires wipe-and-load).</td>
</tr>
<tr class="even">
<td align="left" rowspan="3">Long-Term Servicing Branch</td>
<td align="left">Insider</td>
<td align="left">Use media to upgrade to the latest Windows Insider Program build.</td>
</tr>
<tr class="odd">
<td align="left">Current Branch</td>
<td align="left">Use media to upgrade to a later Current Branch build. (Note that the Current Branch build must be a later build.)</td>
</tr>
<tr class="even">
<td align="left">Current Branch for Business</td>
<td align="left">Use media to upgrade to a later Current Branch for Business build (Current Branch build plus fixes). Note that it must be a later build.</td>
</tr>
</tbody>
</table>
## Steps to manage updates for Windows 10
<table><tbody>
<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Learn about updates and servicing branches](waas-overview.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">[Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![done](images/checklistdone.png)</td><td align="left" style="border: 0px">Assign devices to servicing branches for Windows 10 updates (this topic)</td></tr>
<tr><td style="border: 0px;width: 24px">![to do](images/checklistbox.gif)</td><td align="left" style="border: 0px">[Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)</td></tr>
<tr><td style="border: 0px;width: 24px">![to do](images/checklistbox.gif)</td><td align="left" style="border: 0px">[Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>
or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>
or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)</td></tr>
</tbody></table>
</br>
## Block user access to Windows Update settings
In Windows 10, administrators can control user access to Windows Update.
By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured.
>[!NOTE]
> In Windows 10, any Group Policy user configuration settings for Windows Update were deprecated and are no longer supported on this platform.
## Related topics
- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage device restarts after updates](waas-restart.md)

70
windows/manage/waas-servicing-strategy-windows-10-updates.md
View File

@ -1,70 +0,0 @@
---
title: Prepare servicing strategy for Windows 10 updates (Windows 10)
description: A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
---
# Prepare servicing strategy for Windows 10 updates
**Applies to**
- Windows 10
- Windows 10 Mobile
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
In the past, traditional Windows deployments tended to be large, lengthy, and expensive. Windows 10 offers a new approach to deploying both quality and feature updates, making the process much simpler and therefore the planning much more straightforward. With Windows as a service, the methodology around updating Windows has completely changed, moving away from major upgrades every few years to iterative updates twice per year. Each iteration contains a smaller subset of changes so that they wont seem like substantial differences, like they do today. Figure 1 shows the level of effort needed for traditional Windows deployments versus servicing Windows 10 and how it is now spread evenly over time versus spiking every few years.
**Figure 1**
![Compare traditional servicing to Windows 10](images/waas-strategy-fig1a.png)
Windows 10 spreads the traditional deployment effort of a Windows upgrade, which typically occurred every few years, over smaller, continuous updates. With this change, you must approach the ongoing deployment and servicing of Windows differently. A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. Heres an example of what this process might look like:
- **Configure test devices.** Configure testing PCs in the Windows Insider Program so that Insiders can test feature updates before theyre available to the Current Branch (CB) servicing branch. Typically, this would be a small number of test machines that IT staff members use to evaluate prereleased builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device.
- **Identify excluded PCs.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than CB or Current Branch for Business (CBB) can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these PCs, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly.
- **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that youre looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible.
- **Choose a servicing tool.** Decide which product youll use to manage the Windows updates in your environment. If youre currently using Windows Server Update Services (WSUS) or System Center Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product youll use, consider how youll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools).
- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics).
>[!NOTE]
>This strategy is applicable to approaching an environment in which Windows 10 already exists. For information about how to deploy or upgrade to Windows 10 where another version of Windows exists, see [Plan for Windows 10 deployment](https://technet.microsoft.com/itpro/windows/plan/index).
Each time Microsoft releases a Windows 10 feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful:
1. **Validate compatibility of business critical apps.** Test your most important business-critical applications for compatibility with the new Windows 10 feature update running on your Windows Insider machines identified in the earlier “Configure test machines” step of the Predeployment strategy section. The list of applications involved in this validation process should be small because most applications can be tested during the pilot phase. For more information about device and application compatibility in Windows 10, see the section Compatibility.
2. **Pilot and react to feedback.** With Windows 10, Microsoft expects application and device compatibility to be high, but its still important to have pilot groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this will represent the majority of application compatibility testing in your environment. This should not necessarily be a formal process but rather user validation through the use of a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your pilot groups running in the CB servicing branch that you identified in the “Recruit volunteers” step of the Predeployment strategy section. Be sure to communicate clearly that youre looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan in place to address it.
3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings, like the ones discussed in Table 1. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you dont prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more and more people have been updated in any particular department.
## Steps to manage updates for Windows 10
<table><tbody>
<tr><td style="border: 0px;width: 30px">![to do](images/checklistdone.png)</td><td align="left" style="border: 0px">[Learn about updates and servicing branches](waas-overview.md)</td></tr>
<tr><td style="border: 0px;width: 30px">![to do](images/checklistdone.png)</td><td align="left" style="border: 0px">Prepare servicing strategy for Windows 10 updates (this topic)</td></tr>
<tr><td style="border: 0px;width: 30px">![to do](images/checklistbox.gif)</td><td align="left" style="border: 0px">[Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)</td></tr>
<tr><td style="border: 0px;width: 30px">![to do](images/checklistbox.gif)</td><td align="left" style="border: 0px">[Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)</td></tr>
<tr><td style="border: 0px;width: 30px">![to do](images/checklistbox.gif)</td><td align="left" style="border: 0px">[Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)</td></tr>
<tr><td style="border: 0px;width: 30px">![to do](images/checklistbox.gif)</td><td align="left" style="border: 0px">[Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>
or [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>
or [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)</td></tr>
</tbody></table>
</br>
## Related topics
- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage device restarts after updates](waas-restart.md)

62
windows/manage/waas-update-windows-10.md
View File

@ -1,62 +0,0 @@
---
title: Update Windows 10 in the enterprise (Windows 10)
description: Windows as a service provides an all-new way to think about building, deploying, and servicing Windows 10.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
---
# Update Windows 10 in the enterprise
**Applies to**
- Windows 10
- Windows 10 Mobile
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
Windows as a service provides a new way to think about building, deploying, and servicing the Windows operating system. The Windows as a service model is focused on continually providing new capabilities and updates while maintaining a high level of hardware and software compatibility. Deploying new versions of Windows is simpler than ever before: Microsoft releases new features two to three times per year rather than the traditional upgrade cycle where new features are only made available every few years. Ultimately, this model replaces the need for traditional Windows deployment projects, which can be disruptive and costly, and spreads the required effort out into a continuous updating process, reducing the overall effort required to maintain Windows 10 devices in your environment. In addition, with the Windows 10 operating system, organizations have the chance to try out “flighted” builds of Windows as Microsoft develops them, gaining insight into new features and the ability to provide continual feedback about them.
>[!TIP]
>See [Windows 10 update history](https://support.microsoft.com/help/12387/windows-10-update-history) for details about each Windows 10 update released to date.
## In this section
| Topic | Description|
| --- | --- |
| [Quick guide to Windows as a service](waas-quick-start.md) | Provides a brief summary of the key points for the new servicing model for Windows 10. |
| [Overview of Windows as a service](waas-overview.md) | Explains the differences in building, deploying, and servicing Windows 10; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools. |
| [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | Explains the decisions you need to make in your servicing strategy. |
| [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | Explains how to make use of servicing branches and update deferrals to manage Windows 10 updates. |
| [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) | Explains how to assign devices to Current Branch (CB) or Current Branch for Business (CBB) for feature and quality updates, and how to enroll devices in Windows Insider. |
| [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | Explains how to use Windows Analytics: Update Compliance to monitor and manage Windows Updates on devices in your organization. |
| [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution. |
| [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Explains updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. |
| [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. |
| [Manage Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows 10 updates. |
| [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | Explains how to use Configuration Manager to manage Windows 10 updates. |
| [Manage device restarts after updates](waas-restart.md) | Explains how to use Group Policy to manage device restarts. |
>[!TIP]
>Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as System Center Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows.
>With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so its important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager).
## Related topics
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)

352
windows/manage/waas-wufb-group-policy.md
View File

@ -1,352 +0,0 @@
---
title: Walkthrough use Group Policy to configure Windows Update for Business (Windows 10)
description: Configure Windows Update for Business settings using Group Policy.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
---
# Walkthrough: use Group Policy to configure Windows Update for Business
**Applies to**
- Windows 10
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
Using Group Policy to manage Windows Update for Business is simple and familiar: use the same Group Policy Management Console (GPMC) you use to manage other device and user policy settings in your environment. Before configuring the Windows Update for Business Group Policy settings, consider a [deployment strategy](waas-servicing-strategy-windows-10-updates.md) for updates and feature updates in your environment.
In Windows 10 version 1511, only Current Branch for Business (CBB) upgrades could be delayed, restricting the Current Branch (CB) builds to a single deployment ring. Windows 10 version 1607, however, has a new Group Policy setting that allows you to delay feature updates for both CB and CBB, broadening the use of the CB servicing branch.
>[!NOTE]
>The terms *feature updates* and *quality updates* in Windows 10, version 1607, correspond to the terms *upgrades* and *updates* in version 1511.
To use Group Policy to manage quality and feature updates in your environment, you must first create Active Directory security groups that align with your constructed deployment rings. Most customers have many deployment rings already in place in their environment, and these rings likely align with existing phased rollouts of current patches and operating system upgrades.
## Configure Windows Update for Business in Windows 10 version 1511
In this example, you use two security groups to manage your updates: **Ring 4 Broad business users** and **Ring 5 Broad business users #2** from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md).
- The **Ring 4 Broad business users** group contains PCs of IT members who test the updates as soon as theyre released for Windows clients in the Current Branch for Business (CBB) servicing branch. This phase typically occurs after testing on Current Branch (CB) devices.
- The **Ring 5 Broad business users #2** group consists of the first line-of-business (LOB) users, who consume quality updates after 1 week and feature updates 1 month after the CBB release.
>[!NOTE]
>Although the [sample deployment rings](waas-deployment-rings-windows-10-updates.md) specify a feature update deferral of 2 weeks for Ring 5, deferrals in Windows 10, version 1511 are in increments of months only.
>
>Windows 10 version 1511 does not support deferment of CB builds of Windows 10, so you can establish only one CB deployment ring. In version 1607 and later, CB builds can be delayed, making it possible to have multiple CB deployment rings.
Complete the following steps on a PC running the Remote Server Administration Tools or on a domain controller.
### Configure the Ring 4 Broad business users deployment ring for CBB with no deferral
1. Open GPMC (gpmc.msc).
2. Expand **Forest** > **Domains** > *your domain*.
3. Right-click *your domain* and select **Create a GPO in this domain, and Link it here**.
![UI for Create GPO menu](images/waas-wufb-gp-create.png)
4. In the **New GPO** dialog box, type **Windows Update for Business - CBB1** for the name of the new GPO.
>[!NOTE]
>In this example, youre linking the GPO to the top-level domain. This is not a requirement: you can link the Windows Update for Business GPOs to any organizational unit (OU) thats appropriate for your Active Directory Domain Services (AD DS) structure.
5. Right-click the **Windows Update for Business - CBB1** GPO, and then click **Edit**.
![UI for Edit GPO](images/waas-wufb-gp-edit.png)
6. In the Group Policy Management Editor, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update**.
7. Right-click **Defer Upgrades and Updates**, and then click **Edit**.
![UI to edit Defer Upgrades and Updates](images/waas-wufb-gp-edit-defer.png)
In the **Defer Upgrades and Updates** Group Policy setting configuration, you see several options:
- **Enable/Disable Deferred Updates**. Enabling this policy setting sets the receiving client to the CBB servicing branch. Specifically disabling this policy forces the client into the CB servicing branch, making it impossible for users to change it.
- **Defer upgrades for the following**. This option allows you to delay feature updates up to 8 months, a number added to the default CBB delay (approximately 4 months from CB). By using Windows Update for Business, you can use this option to stagger CBB feature updates, making the total offset up to 12 months from CB.
- **Defer updates for the following**. This option allows you to delay the installation of quality updates on a Windows 10 device for up to 4 weeks, allowing for phased rollouts of updates in your enterprise, but not all quality updates are deferrable with this option. Table 1 shows the deferment capabilities by update type.
- **Pause Upgrades and Updates**. Should an issue arise with a feature update, this option allows a one-time skip of the current months quality and feature update. Quality updates will resume after 35 days, and feature updates will resume after 60 days. For example, deploy this setting as a stand-alone policy to the entire organization in an emergency.
Table 1 summarizes the category of update in Windows 10 and how long Windows Update for Business can defer its installation.
**Table 1**
<table>
<tr>
<th>Category</th>
<th>Maximum deferral</th>
<th>Deferral increments</th>
<th>Classification type</th>
<th>Classification GUID</th>
</tr>
<tr>
<td>OS upgrades</td>
<td>8 months</td>
<td>1 month</td>
<td>Upgrade</td>
<td>3689BDC8-B205-4AF4-8D4A-A63924C5E9D5</td>
</tr>
<tr>
<td rowspan="3">OS updates</td>
<td rowspan="3">4 weeks</td>
<td rowspan="3">1 week</td>
<td>Security updates</td>
<td>0FA1201D-4330-4FA8-8AE9-B877473B6441</td>
</tr>
<tr>
<td>Drivers</td>
<td>EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0</td>
</tr>
<tr>
<td>Updates</td>
<td>CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83</td>
</tr>
<tr>
<td>Other/non-deferrable</td>
<td>No deferral</td>
<td>No deferral</td>
<td>Definition updates</td>
<td>E0789628-CE08-4437-BE74-2495B842F43B</td>
</tr>
</table>
Simply enabling the **Defer Upgrades and Updates** policy sets the receiving client to the CBB servicing branch, which is what you want for your first deployment ring, **Ring 4 Broad business users**.
8. Enable the **Defer Updates and Upgrades** setting, and then click **OK**.
9. Close the Group Policy Management Editor.
Because the **Windows Update for Business - CBB1** GPO contains a computer policy and you only want to apply it to computers in the **Ring 4 Broad business users** group, use **Security Filtering** to scope the policys effect.
### Scope the policy to the Ring 4 Broad business users group
1. In the GPMC, select the **Windows Update for Business - CBB1** policy.
2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 4 Broad business users** group.
![Scope policy to group](images/waas-wufb-gp-scope.png)
The **Ring 4 Broad business users** deployment ring has now been configured. Next, configure **Ring 5 Broad business users #2** to accommodate a 1-week delay for quality updates and a 2-week delay for feature updates.
### Configure the Ring 5 Broad business users \#2 deployment ring for CBB with deferrals
1. Open GPMC (gpmc.msc).
2. Expand **Forest** > **Domains** > *your domain*.
3. Right-click *your domain* and select **Create a GPO in this domain, and Link it here**.
![UI for Create GPO menu](images/waas-wufb-gp-create.png)
4. In the **New GPO** dialog box, type **Windows Update for Business - CBB2** for the name of the new GPO.
5. Right-click the **Windows Update for Business - CBB2** GPO, and then click **Edit**.
![UI for Edit GPO](images/waas-wufb-gp-edit.png)
6. In the Group Policy Management Editor, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update**.
7. Right-click **Defer Upgrades and Updates**, and then click **Edit**.
8. Enable the **Defer Updates and Upgrades** setting, configure the **Defer upgrades for the following** option for 1 month, and then configure the **Defer updates for the following** option for 1 week.
![Example of policy settings](images/waas-wufb-gp-broad.png)
9. Click **OK** and close the Group Policy Management Editor.
### Scope the policy to the Ring 5 Broad business users \#2 group
1. In the GPMC, select the **Windows Update for Business - CBB2** policy.
2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 5 Broad business users \#2** group.
## Configure Windows Update for Business in Windows 10 version 1607
To use Group Policy to manage quality and feature updates in your environment, you must first create Active Directory security groups that align with your constructed deployment rings. Most customers have many deployment rings already in place in their environment, and these rings likely align with existing phased rollouts of current patches and operating system upgrades.
In this example, you use three security groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to manage your updates:
- **Ring 2 Pilot Business Users** contains the PCs of business users which are part of the pilot testing process, receiving CB builds 4 weeks after they are released.
- **Ring 4 Broad business users** consists of IT members who receive updates after Microsoft releases a Windows 10 build to the CBB servicing branch.
- **Ring 5 Broad business users #2** consists of LOB users on CBB, who receive quality updates after 7 days and feature updates after 14 days.
In this example, you configure and scope the update schedules for all three groups.
### Configure Ring 2 Pilot Business Users policy
1. Open GPMC (gpmc.msc).
2. Expand **Forest** > **Domains** > *your domain*.
3. Right-click *your domain* and select **Create a GPO in this domain, and Link it here**.
![UI for Create GPO menu](images/waas-wufb-gp-create.png)
4. In the **New GPO** dialog box, type **Windows Update for Business - CB2** for the name of the new GPO.
>[!NOTE]
>In this example, youre linking the GPO to the top-level domain. This is not a requirement: you can link the Windows Update for Business GPOs to any organizational unit (OU) thats appropriate for your Active Directory Domain Services (AD DS) structure.
5. Right-click the **Windows Update for Business - CB2** GPO, and then click **Edit**.
![Edit menu for this GPO](images/waas-wufb-gp-cb2.png)
6. In the Group Policy Management Editor, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Defer Windows Updates**.
7. Right-click **Select when Feature Updates are received**, and then click **Edit**.
8. In the **Select when Feature Updates are received** policy, enable it, select a branch readiness level of **CB**, set the feature update delay to **28** days, and then click **OK**.
![Settings for this GPO](images/waas-wufb-gp-cb2-settings.png)
Table 3 summarizes the category of updates in Windows 10, version 1607, and how long Windows Update for Business can defer its installation.
**Table 3**
<table>
<tr>
<th>Category</th>
<th>Maximum deferral</th>
<th>Deferral increments</th>
<th>Example</th>
<th>Classification GUID</th>
</tr>
<tr>
<td>Feature Updates</td>
<td>180 days</td>
<td>Days</td>
<td>From Windows 10, version 1511 to version 1607</td>
<td>3689BDC8-B205-4AF4-8D4A-A63924C5E9D5</td>
</tr>
<tr>
<td rowspan="4">Quality Updates</td>
<td rowspan="4">30 days</td>
<td rowspan="4">Days</td>
<td>Security updates</td>
<td>0FA1201D-4330-4FA8-8AE9-B877473B6441</td>
</tr>
<tr>
<td>Drivers (optional)</td>
<td>EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0</td>
</tr>
<tr>
<td>Non-security updates</td>
<td>CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83</td>
</tr><tr><td>Microsoft updates (Office, Visual Studio, etc.)</td><td>varies</td></tr>
<tr>
<td>Non-deferrable</td>
<td>No deferral</td>
<td>No deferral</td>
<td>Definition updates</td>
<td>E0789628-CE08-4437-BE74-2495B842F43B</td>
</tr>
</table>
9. Close the Group Policy Management Editor.
Because the **Windows Update for Business CB2** GPO contains a computer policy and you only want to apply it to computers in the **Ring 2 Pilot Business Users** group, use **Security Filtering** to scope the policys effect.
### Scope the policy to the Ring 2 Pilot Business Users group
1. In the GPMC, select the **Windows Update for Business - CB2** policy.
2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 2 Pilot Business Users** group.
![Scope policy to group](images/waas-wufb-gp-scope-cb2.png)
The **Ring 2 Pilot Business Users** deployment ring has now been configured. Next, configure **Ring 4 Broad business users** to set those clients into the CBB servicing branch so that they receive feature updates as soon as theyre made available for the CBB servicing branch.
### Configure Ring 4 Broad business users policy
1. Open GPMC (gpmc.msc).
2. Expand **Forest** > **Domains** > *your domain*.
3. Right-click *your domain* and select **Create a GPO in this domain, and Link it here**.
4. In the **New GPO** dialog box, type **Windows Update for Business - CBB1** for the name of the new GPO.
5. Right-click the **Windows Update for Business - CBB1** GPO, and then click **Edit**.
6. In the Group Policy Management Editor, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Defer Windows Updates**.
7. Right-click **Select when Feature Updates are received**, and then click **Edit**.
8. In the **Select when Feature Updates are received** policy, enable it, select a branch readiness level of **CBB**, and then click **OK**.
![Settings for this GPO](images/waas-wufb-gp-cbb1-settings.png)
9. Close the Group Policy Management Editor.
### Scope the policy to the Ring 4 Broad business users group
1. In the GPMC, select the **Windows Update for Business - CBB1** policy.
2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 4 Broad business users** group.
The **Ring 4 Broad business users** deployment ring has now been configured. Finally, configure **Ring 5 Broad business users #2** to accommodate a 7-day delay for quality updates and a 14-day delay for feature updates
### Configure Ring 5 Broad business users \#2 policy
1. Open GPMC (gpmc.msc).
2. Expand **Forest** > **Domains** > *your domain*.
3. Right-click *your domain* and select **Create a GPO in this domain, and Link it here**.
4. In the **New GPO** dialog box, type **Windows Update for Business - CBB2** for the name of the new GPO.
5. Right-click the **Windows Update for Business - CBB2** GPO, and then click **Edit**.
6. In the Group Policy Management Editor, go to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Defer Windows Updates**.
7. Right-click **Select when Feature Updates are received**, and then click **Edit**.
8. In the **Select when Feature Updates are received** policy, enable it, select a branch readiness level of **CBB**, set the feature update delay to **14** days, and then click **OK**.
![Settings for this GPO](images/waas-wufb-gp-cbb2-settings.png)
9. Right-click **Select when Quality Updates are received**, and then click **Edit**.
10. In the **Select when Quality Updates are received** policy, enable it, set the quality update delay to **7** days, and then click **OK**.
![Settings for this GPO](images/waas-wufb-gp-cbb2q-settings.png)
11. Close the Group Policy Management Editor.
### Scope the policy to the Ring 5 Broad business users \#2 group
1. In the GPMC, select the **Windows Update for Business - CBB2** policy.
2. In **Security Filtering** on the **Scope** tab, remove the default **AUTHENTICATED USERS** security group, and add the **Ring 5 Broad business users #2** group.
## Related topics
- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
- [Overview of Windows as a service](waas-overview.md)
- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)

283
windows/manage/waas-wufb-intune.md
View File

@ -1,283 +0,0 @@
---
title: Walkthrough use Intune to configure Windows Update for Business (Windows 10)
description: Configure Windows Update for Business settings using Microsoft Intune.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
---
# Walkthrough: use Microsoft Intune to configure Windows Update for Business
**Applies to**
- Windows 10
- Windows 10 Mobile
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
You can use Intune to configure Windows Update for Business even if you dont have on-premises infrastructure when you use Intune in conjunction with Azure AD. Before configuring Windows Update for Business, consider a [deployment strategy](waas-servicing-strategy-windows-10-updates.md) for updates and feature updates in your environment.
Windows Update for Business in Windows 10 version 1511 allows you to delay quality updates up to 4 weeks and feature updates up to an additional 8 months after Microsoft releases builds to the Current Branch for Business (CBB) servicing branch. In Windows 10 version 1607 and later, you can delay quality updates for up to 30 days and feature updates up to an additional 180 days after the release of either a Current Branch (CB) or CBB build.
To use Intune to manage quality and feature updates in your environment, you must first create computer groups that align with your constructed deployment rings.
>[!NOTE]
>Coming soon: [Intune Groups will be converted to Azure Active Directory-based Security Groups](https://docs.microsoft.com/en-us/intune/deploy-use/use-groups-to-manage-users-and-devices-with-microsoft-intune)
## Configure Windows Update for Business in Windows 10, version 1511
In this example, you use two security groups to manage your updates: **Ring 4 Broad business users** and **Ring 5 Broad business users #2** from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md).
- The **Ring 4 Broad business users** group contains PCs of IT members who test the updates as soon as theyre released for Windows clients in the Current Branch for Business (CBB) servicing branch. This phase typically occurs after testing on Current Branch (CB) devices.
- The **Ring 5 Broad business users #2** group consists of the first line-of-business (LOB) users, who consume quality updates after 1 week and feature updates 1 month after the CBB release.
>[!NOTE]
>Although the [sample deployment rings](waas-deployment-rings-windows-10-updates.md) specify a feature update deferral of 2 weeks for Ring 5, deferrals in Windows 10, version 1511 are in increments of months only.
### Configure the Ring 4 Broad business users deployment ring for CBB with no deferral
1. Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials.
2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
![Shows the UI for this step](images/waas-wufb-intune-step2a.png)
3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**.
5. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list.
6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**.
7. In the **Value** box, type **1**, and then click **OK**.
>[!NOTE]
>The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax.
![Settings for this policy](images/waas-wufb-intune-step7a.png)
8. For this deployment ring, youre required to enable only CBB, so click **Save Policy**.
9. In the **Deploy Policy: Windows Update for Business CBB1** dialog box, click **Yes**.
>[!NOTE]
>If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**.
10. In the **Manage Deployment: Windows Update for Business CBB1** dialog box, select the **Ring 4 Broad business users** group, click **Add**, and then click **OK**.
You have now configured the **Ring 4 Broad business users** deployment ring to enable the CBB servicing branch. Now, you must configure **Ring 5 Broad business users #2** to accommodate a 1-week delay for quality updates and a 1-month delay for feature updates.
### Configure the Ring 5 Broad business users \#2 deployment ring for CBB with deferrals
1. In the Policy workspace, click **Configuration Policies**, and then click **Add**.
2. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
3. Name the policy **Windows Update for Business CBB2**. Then, in the **OMA-URI Settings** section, click **Add**.
In this policy, you add two OMA-URI settings, one for each deferment type.
4. In **Setting name**, type **Enable Clients for CBB**, and then in the **Data type** list, select **Integer**.
6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade**. Then, in the **Value** box, type **1**.
7. Click **OK** to save the setting.
8. In the **OMA-URI Settings** section, click **Add**.
9. For this setting, in **Setting name**, type **Defer Updates for 1 Week**, and then in the **Data type** list, select **Integer**.
11. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod**.
12. In the **Value** box, type **1**.
13. Click **OK** to save the setting.
14. In the **OMA-URI Settings** section, click **Add**.
15. For this setting, in **Setting name**, type **Defer Upgrades for 1 Month**, and then in the **Data type** list, select **Integer**.
17. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferUpgradePeriod**.
18. In the **Value** box, type **1**.
19. Click **OK** to save the setting.
Three settings should appear in the **Windows Update for Business CBB2** policy.
![Settings for CBB2 policy](images/waas-wufb-intune-step19a.png)
20. Click **Save Policy**, and then click **Yes** at the **Deploy Policy** prompt.
21. In the **Manage Deployment** dialog box, select the **Ring 5 Broad business users #2** computer group, click **Add**, and then click **OK**.
## Configure Windows Update for Business in Windows 10 version 1607
To use Intune to manage quality and feature updates in your environment, you must first create computer groups that align with your constructed deployment rings.
In this example, you use three security groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to manage your updates:
- **Ring 2 Pilot Business Users** contains the PCs of business users which are part of the pilot testing process, receiving CB builds 28 days after they are released.
- **Ring 4 Broad business users** consists of IT members who receive updates after Microsoft releases a Windows 10 build to the CBB servicing branch.
- **Ring 5 Broad business users #2** consists of LOB users on CBB, who receive quality updates after 7 days and feature updates after 14 days.
### Configure Ring 2 Pilot Business Users policy
1. Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials.
2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
![Shows the UI for this step](images/waas-wufb-intune-step2a.png)
3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
4. Name the policy **Windows Update for Business - CB2**. Then, in the **OMA-URI Settings** section, click **Add**.
4. In **Setting name**, type **Enable Clients for CB**, and then select **Integer** from the **Data type** list.
6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**.
7. In the **Value** box, type **0**, and then click **OK**.
>[!NOTE]
>The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax.
![Settings for this policy](images/waas-wufb-intune-cb2a.png)
8. Because the **Ring 2 Pilot Business Users** deployment ring receives the CB feature updates after 28 days, in the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting.
8. In **Setting name**, type **Defer feature updates for 28 days**, and then select **Integer** from the **Data type** list.
10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**.
11. In the **Value** box, type **28**, and then click **OK**.
![Settings for this policy](images/waas-wufb-intune-step11a.png)
9. Click **Save Policy**.
9. In the **Deploy Policy: Windows Update for Business CB2** dialog box, click **Yes**.
>[!NOTE]
>If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**.
10. In the **Manage Deployment: Windows Update for Business CB2** dialog box, select the **Ring 2 Pilot Business Users** group, click **Add**, and then click **OK**.
You have now configured the **Ring 2 Pilot Business Users** deployment ring to enable CB feature update deferment for 14 days. Now, you must configure **Ring 4 Broad business users** to receive CBB features updates as soon as theyre available.
### Configure Ring 4 Broad business users policy
2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
![Shows the UI for this step](images/waas-wufb-intune-step2a.png)
3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**.
4. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list.
6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**.
7. In the **Value** box, type **1**, and then click **OK**.
>[!NOTE]
>The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax.
8. Because the **Ring 4 Broad business users** deployment ring receives the CBB feature updates immediately, in the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting.
8. In **Setting name**, type **Defer feature updates for 0 days**, and then select **Integer** from the **Data type** list.
10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**.
11. In the **Value** box, type **0**, and then click **OK**.
![Settings for this policy](images/waas-wufb-intune-cbb1a.png)
9. Click **Save Policy**.
9. In the **Deploy Policy: Windows Update for Business CBB1** dialog box, click **Yes**.
>[!NOTE]
>If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**.
10. In the **Manage Deployment: Windows Update for Business CBB1** dialog box, select the **Ring 4 Broad business users** group, click **Add**, and then click **OK**.
You have now configured the **Ring 4 Broad business users** deployment ring to receive CBB feature updates as soon as theyre available. Finally, configure **Ring 5 Broad business users #2** to accommodate a 7-day delay for quality updates and a 14-day delay for feature updates.
### Configure Ring 5 Broad business users \#2 policy
2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
![Shows the UI for this step](images/waas-wufb-intune-step2a.png)
3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
4. Name the policy **Windows Update for Business - CBB2**. Then, in the **OMA-URI Settings** section, click **Add**.
4. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list.
6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**.
7. In the **Value** box, type **1**, and then click **OK**.
>[!NOTE]
>The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax.
8. In the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting.
8. In **Setting name**, type **Defer quality updates for 7 days**, and then select **Integer** from the **Data type** list.
10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesPeriodInDays**.
11. In the **Value** box, type **7**, and then click **OK**.
8. In the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting.
8. In **Setting name**, type **Defer feature updates for 14 days**, and then select **Integer** from the **Data type** list.
10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**.
11. In the **Value** box, type **14**, and then click **OK**.
![Settings for this policy](images/waas-wufb-intune-cbb2a.png)
9. Click **Save Policy**.
9. In the **Deploy Policy: Windows Update for Business CBB2** dialog box, click **Yes**.
>[!NOTE]
>If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**.
10. In the **Manage Deployment: Windows Update for Business CBB2** dialog box, select the **Ring 5 Broad Business Users #2** group, click **Add**, and then click **OK**.
## Related topics
- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
- [Overview of Windows as a service](waas-overview.md)
- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
- [Manage device restarts after updates](waas-restart.md)

180
windows/manage/windows-10-start-layout-options-and-policies.md
View File

@ -1,180 +0,0 @@
---
title: Manage Windows 10 Start and taskbar layout (Windows 10)
description: Organizations might want to deploy a customized Start and taskbar layout to devices running Windows 10 Enterprise or Windows 10 Education.
ms.assetid: 2E94743B-6A49-463C-9448-B7DD19D9CD6A
keywords: ["start screen", "start menu"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# Manage Windows 10 Start and taskbar layout
**Applies to**
- Windows 10
> **Looking for consumer information?** See [Customize the Start menu](http://windows.microsoft.com/windows-10/getstarted-see-whats-on-the-menu)
Organizations might want to deploy a customized Start and taskbar configuration to devices running Windows 10 Enterprise or Windows 10 Education. A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default.
>[!NOTE]
>Taskbar configuration is available starting in Windows 10, version 1607.
>
>Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/en-US/library/jj649079.aspx).
## Start options
![start layout sections](images/startannotated.png)
Some areas of Start can be managed using Group Policy. The layout of Start tiles can be managed using either Group Policy or Mobile Device Management (MDM) policy.
The following table lists the different parts of Start and any applicable policy settings or Settings options. Group Policy settings are in the **User Configuration**\\**Administrative Templates**\\**Start Menu and Taskbar** path except where a different path is listed in the table.
<table>
<thead>
<tr class="header">
<th align="left">Start</th>
<th align="left">Policy</th>
<th align="left">Setting</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">User tile</td>
<td align="left">Group Policy: <strong>Remove Logoff on the Start menu</strong></td>
<td align="left"></td>
</tr>
<tr class="even">
<td align="left">Most used</td>
<td align="left">Group Policy: <strong>Remove frequent programs from the Start menu</strong></td>
<td align="left"><strong>Settings</strong> &gt; <strong>Personalization</strong> &gt; <strong>Start</strong> &gt; <strong>Show most used apps</strong></td>
</tr>
<tr class="odd">
<td align="left"><p>Suggestions</p>
<p>-and-</p>
<p>Dynamically inserted app tile</p></td>
<td align="left"><p>MDM: <strong>Allow Windows Consumer Features</strong></p>
<p>Group Policy: <strong>Computer Configuration</strong>\\<strong>Administrative Templates</strong>\\<strong>Windows Components</strong>\\<strong>Cloud Content</strong>\\<strong>Turn off Microsoft consumer experiences</strong></p>
<div class="alert">
<strong>Note</strong>  
<p>This policy also enables or disables notifications for a user's Microsoft account and app tiles from Microsoft dynamically inserted in the default Start menu.</p>
</div>
<div>
 
</div></td>
<td align="left"><strong>Settings</strong> &gt; <strong>Personalization</strong> &gt; <strong>Start</strong> &gt; <strong>Occasionally show suggestions in Start</strong></td>
</tr>
<tr class="even">
<td align="left">Recently added</td>
<td align="left">not applicable</td>
<td align="left"><strong>Settings</strong> &gt; <strong>Personalization</strong> &gt; <strong>Start</strong> &gt; <strong>Show recently added apps</strong></td>
</tr>
<tr class="odd">
<td align="left">Pinned folders</td>
<td align="left">not applicable</td>
<td align="left"><strong>Settings</strong> &gt; <strong>Personalization</strong> &gt; <strong>Start</strong> &gt; <strong>Choose which folders appear on Start</strong></td>
</tr>
<tr class="even">
<td align="left">Power</td>
<td align="left">Group Policy: <strong>Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands</strong></td>
<td align="left">None</td>
</tr>
<tr class="even">
<td align="left">Start layout</td>
<td align="left"><p>MDM: <strong>Start layout</strong></p>
<p>Group Policy: <strong>Start layout</strong></p>
<p>Group Policy: <strong>Prevent users from customizing their Start Screen</strong></p>
<div class="alert">
<strong>Note</strong>  
<p> When a full Start screen layout is imported with Group Policy or MDM, the users cannot pin, unpin, or uninstall apps from the Start screen. Users can view and open all apps in the <strong>All Apps</strong> view, but they cannot pin any apps to the Start screen. When a partial Start screen layout is imported, users cannot change the tile groups applied by the partial layout, but can modify other tile groups and create their own.</p><p><strong>Start layout</strong> policy can be used to pin apps to the taskbar based on an XML File that you provide. Users will be able to change the order of pinned apps, unpin apps, and pin additional apps to the taskbar.
</div>
<div>
 
</div></td>
<td align="left">None</td>
</tr>
<tr class="odd">
<td align="left">Jump lists</td>
<td align="left">Group Policy: <strong>Do not keep history of recently opened documents</strong></td>
<td align="left"><strong>Settings</strong> &gt; <strong>Personalization</strong> &gt; <strong>Start</strong> &gt; <strong>Show recently opened items in Jump Lists on Start or the taskbar</strong></td>
</tr>
<tr class="even">
<td align="left">Start size</td>
<td align="left"><p>MDM: <strong>Force Start size</strong></p>
<p>Group Policy: <strong>Force Start to be either full screen size or menu size</strong></p></td>
<td align="left"><strong>Settings</strong> &gt; <strong>Personalization</strong> &gt; <strong>Start</strong> &gt; <strong>Use Start full screen</strong></td>
</tr>
<tr class="odd">
<td align="left">All Settings</td>
<td align="left">Group Policy: <strong>Prevent changes to Taskbar and Start Menu Settings</strong></td>
<td align="left">None</td>
</tr>
</tbody>
</table>
 ## Taskbar options
Starting in Windows 10, version 1607, you can pin additional apps to the taskbar and remove default pinned apps from the taskbar. You can specify different taskbar configurations based on device locale or region.
There are three categories of apps that might be pinned to a taskbar:
* Apps pinned by the user
* Default Windows apps, pinned during operating system installation (Microsoft Edge, File Explorer, Store)
* Apps pinned by the enterprise, such as in an unattended Windows setup
**Note**  
The earlier method of using [TaskbarLinks](https://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file is deprecated in Windows 10, version 1607.
The following example shows how apps will be pinned - Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square).
> **Note**  In operating systems configured to use a right-to-left language, the taskbar order will be reversed.
![Windows left, user center, enterprise to the right](images/taskbar-generic.png)
Whether you apply the taskbar configuration to a clean install or an update, users will still be able to:
* Pin additional apps
* Change the order of pinned apps
* Unpin any app
### Taskbar configuration applied to clean install of Windows 10
In a clean install, if you apply a taskbar layout, only the apps that you specify and default apps that you do not remove will be pinned to the taskbar. Users can pin additional apps to the taskbar after the layout is applied.
### Taskbar configuration applied to Windows 10 upgrades
When a device is upgraded to Windows 10, apps will be pinned to the taskbar already. Some apps may have been pinned to the taskbar by a user, and others may have been pinned to the taskbar through a customized base image or by using Windows Unattend setup.
The new taskbar layout for upgrades to Windows 10, version 1607 or later, will apply the following behavior:
* If the user pinned the app to the taskbar, those pinned apps remain and new apps will be added to the right.
* If the user didn't pin the app (it was pinned during installation or by policy) and the app is not in updated layout file, the app will be unpinned.
* If the user didn't pin the app and the app is in the updated layout file, the app will be pinned to the right.
* New apps specified in updated layout file are pinned to right of user's pinned apps.
## Related topics
[Customize and export Start layout](customize-and-export-start-layout.md)
[Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)
 
 

85
windows/manage/windows-spotlight.md
View File

@ -1,85 +0,0 @@
---
title: Windows Spotlight on the lock screen (Windows 10)
description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen.
ms.assetid: 1AEA51FA-A647-4665-AD78-2F3FB27AD46A
keywords: ["lockscreen"]
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
author: jdeckerMS
localizationpriority: high
---
# Windows Spotlight on the lock screen
**Applies to**
- Windows 10
Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows Spotlight is available in all desktop editions of Windows 10.
For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background. For managed devices running Windows 10 Pro, version 1607, administrators can disable suggestions for third party apps.
>[!NOTE]
>In Windows 10, version 1607, the lock screen background does not display if you disable the **Animate windows when minimizing and mazimizing** setting in **This PC** > **Properties** > **Advanced system settings** > **Performance settings** > **Visual Effects**, or if you enable the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Desktop Windows Manager** > **Do not allow windows animations**.
## What does Windows Spotlight include?
- **Background image**
The Windows Spotlight displays a new image on the lock screen each day. The initial background image is included during installation. Additional images are downloaded on ongoing basis.
![lock screen image](images/lockscreen.png)
- **Feature suggestions, fun facts, tips**
The lock screen background will occasionally suggest Windows 10 features that the user hasn't tried yet, such as **Snap assist**.
## How do you turn off Windows Spotlight locally?
To turn off Windows Spotlight locally, go to **Settings** &gt; **Personalization** &gt; **Lock screen** &gt; **Background** &gt; **Windows spotlight** &gt; select a different lock screen background
![personalization background](images/spotlight.png)
## How do you disable Windows Spotlight for managed devices?
Windows 10, version 1607, provides three new Group Policy settings to help you manage Windows Spotlight on enterprise computers.
**Windows 10 Pro, Enterprise, and Education**
- **User Configuration\Administrative Templates\Windows Components\Cloud Content\Do not suggest third-party content in Windows spotlight** enables enterprises to restrict suggestions to Microsoft apps and services.
**Windows 10 Enterprise and Education**
* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows Spotlight features** enables enterprises to completely disable all Windows Spotlight features in a single setting.
* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Configure Spotlight on lock screen** specifically controls the use of the dynamic Windows Spotlight image on the lock screen, and can be enabled or disabled. (The Group Policy setting **Enterprise Spotlight** does not work in Windows 10, version 1607.)
Windows Spotlight is enabled by default. Administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** &gt; **Administrative Templates** &gt; **Control Panel** &gt; **Personalization** &gt; **Force a specific default lock screen image**.
>[!WARNING]
> In Windows 10, version 1607, the **Force a specific default lock screen image** policy setting will prevent users from changing the lock screen image. This behavior will be corrected in a future release.
![lockscreen policy details](images/lockscreenpolicy.png)
Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox is not selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages, such as the example in the following image.
![fun facts](images/funfacts.png)
## Related topics
[Manage Windows 10 Start layout options](../manage/windows-10-start-layout-options-and-policies.md)