diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 01fb6fa851..c28554ef6b 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -19674,6 +19674,11 @@
 "source_path": "education/windows/change-history-edu.md",
 "redirect_url": "/education/windows",
 "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/set-up-school-pcs-shared-pc-mode.md",
+ "redirect_url": "/windows/configuration/set-up-shared-or-guest-pc",
+ "redirect_document_id": false
 }
 ]
 }
diff --git a/education/breadcrumb/toc.yml b/education/breadcrumb/toc.yml
index 41fb052a33..7955da8797 100644
--- a/education/breadcrumb/toc.yml
+++ b/education/breadcrumb/toc.yml
@@ -14,6 +14,6 @@ items:
 tocHref: /education/windows
 topicHref: /education/windows/index
 - name: Windows
- tocHref: /windows/security/
+ tocHref: /windows/configuration/
 topicHref: /education/windows/index
diff --git a/education/context/context.yml b/education/context/context.yml
new file mode 100644
index 0000000000..861f88f272
--- /dev/null
+++ b/education/context/context.yml
@@ -0,0 +1,4 @@
+### YamlMime: ContextObject
+brand: windows
+breadcrumb_path: ../breadcrumb/toc.yml
+toc_rel: ../windows/toc.yml
\ No newline at end of file
diff --git a/education/docfx.json b/education/docfx.json
index 7aabd80dfc..5b55ed8983 100644
--- a/education/docfx.json
+++ b/education/docfx.json
@@ -32,6 +32,7 @@
 "ms.technology": "windows",
 "manager": "aaroncz",
 "breadcrumb_path": "/education/breadcrumb/toc.json",
+ "uhfHeaderId": "MSDocsHeader-M365-IT",
 "feedback_system": "GitHub",
 "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
 "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
diff --git a/education/windows/TOC.yml b/education/windows/TOC.yml
index 78055a03b4..d3f96435a9 100644
--- a/education/windows/TOC.yml
+++ b/education/windows/TOC.yml
@@ -12,8 +12,10 @@ items:
 items:
 - name: Overview
 href: windows-11-se-overview.md
- - name: Settings and CSP list
+ - name: Settings list
 href: windows-11-se-settings-list.md
+ - name: Frequently Asked Questions (FAQ)
+ href: windows-11-se-faq.yml
 - name: Windows in S Mode
 items:
 - name: Test Windows 10 in S mode on existing Windows 10 education devices
@@ -22,8 +24,8 @@ items:
 href: enable-s-mode-on-surface-go-devices.md
 - name: Windows 10 editions for education customers
 href: windows-editions-for-education-customers.md
- - name: Shared PC mode for school devices
- href: set-up-school-pcs-shared-pc-mode.md
+ - name: Considerations for shared and guest devices
+ href: /windows/configuration/shared-devices-concepts?context=/education/context/context
 - name: Windows 10 configuration recommendations for education customers
 href: configure-windows-for-education.md
 - name: Take tests and assessments in Windows
@@ -38,6 +40,8 @@ items:
 href: edu-take-a-test-kiosk-mode.md
 - name: Configure federated sign-in
 href: federated-sign-in.md
+ - name: Configure Shared PC
+ href: /windows/configuration/set-up-shared-or-guest-pc?context=/education/context/context
 - name: Use the Set up School PCs app
 href: use-set-up-school-pcs-app.md
 - name: Change Windows edition
@@ -96,4 +100,7 @@ items:
 href: set-up-school-pcs-whats-new.md
 - name: Take a Test technical reference
 href: take-a-test-app-technical.md
+ - name: Shared PC technical reference
+ href: /windows/configuration/shared-pc-technical?context=/education/context/context
+
diff --git a/education/windows/images/takeatest/flow-chart.png b/education/windows/images/takeatest/flow-chart.png
index ce9aae2853..220ef54a00 100644
Binary files a/education/windows/images/takeatest/flow-chart.png and b/education/windows/images/takeatest/flow-chart.png differ
diff --git a/education/windows/index.yml b/education/windows/index.yml
index 4b42f4d9bb..fa426ef022 100644
--- a/education/windows/index.yml
+++ b/education/windows/index.yml
@@ -87,11 +87,15 @@ landingContent:
 links:
 - text: Take tests and assessments in Windows
 url: take-tests-in-windows.md
+ - text: Considerations for shared and guest devices
+ url: /windows/configuration/shared-devices-concepts?context=/education/context/context
 - text: Change Windows editions
 url: change-home-to-edu.md
- - text: "Deploy Minecraft: Education Edition"
- url: get-minecraft-for-education.md
 - linkListType: how-to-guide
 links:
 - text: Configure Take a Test in kiosk mode
- url: edu-take-a-test-kiosk-mode.md
\ No newline at end of file
+ url: edu-take-a-test-kiosk-mode.md
+ - text: Configure Shared PC
+ url: /windows/configuration/set-up-shared-or-guest-pc?context=/education/context/context
+ - text: "Deploy Minecraft: Education Edition"
+ url: get-minecraft-for-education.md
\ No newline at end of file
diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md
index 428ea7ffa1..4a1f0c0e1d 100644
--- a/education/windows/set-up-school-pcs-azure-ad-join.md
+++ b/education/windows/set-up-school-pcs-azure-ad-join.md
@@ -86,13 +86,7 @@ Automated Azure AD tokens expire after 180 days. The expiration date for each to
 ## Next steps
 Learn more about setting up devices with the Set up School PCs app.
 * [What's in my provisioning package?](set-up-school-pcs-provisioning-package.md)
-* [Shared PC mode for schools](set-up-school-pcs-shared-pc-mode.md)
 * [Set up School PCs technical reference](set-up-school-pcs-technical.md)
 * [Set up Windows 10 devices for education](set-up-windows-10.md)
-When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
-
-
-
-
-
+When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
\ No newline at end of file
diff --git a/education/windows/set-up-school-pcs-provisioning-package.md b/education/windows/set-up-school-pcs-provisioning-package.md
index feb7da1b70..ca2a39cea1 100644
--- a/education/windows/set-up-school-pcs-provisioning-package.md
+++ b/education/windows/set-up-school-pcs-provisioning-package.md
@@ -18,12 +18,12 @@ appliesto:
 ---
 # What's in my provisioning package?
-The Set up School PCs app builds a specialized provisioning package with school-optimized settings.
+The Set up School PCs app builds a specialized provisioning package with school-optimized settings.
-A key feature of the provisioning package is Shared PC mode. To view the technical framework of Shared PC mode, including the description of each setting, see the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp) article.
+A key feature of the provisioning package is Shared PC mode. To view the technical framework of Shared PC mode, including the description of each setting, see the [Manage multi-user and guest Windows devices with Shared PC](/windows/configuration/shared-pc-technical) article.
 ## Shared PC Mode policies
-This table outlines the policies applied to devices in shared PC mode. If you [selected to optimize a device for use by a single student](set-up-school-pcs-shared-pc-mode.md#optimize-device-for-use-by-a-single-student), the table notes the differences. Specifically, you'll see differences in the following policies:
+This table outlines the policies applied to devices in shared PC mode. If you select to optimize a device for use by a single student, you'll see differences in the following policies:
 * Disk level deletion
 * Inactive threshold
 * Restrict local storage
@@ -128,7 +128,6 @@ Review the table below to estimate your expected provisioning time. A package th
 ## Next steps
 Learn more about setting up devices with the Set up School PCs app.
 * [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md)
-* [Shared PC mode for schools](set-up-school-pcs-shared-pc-mode.md)
 * [Set up School PCs technical reference](set-up-school-pcs-technical.md)
 * [Set up Windows 10 devices for education](set-up-windows-10.md)
diff --git a/education/windows/set-up-school-pcs-shared-pc-mode.md b/education/windows/set-up-school-pcs-shared-pc-mode.md
deleted file mode 100644
index fa010834d5..0000000000
--- a/education/windows/set-up-school-pcs-shared-pc-mode.md
+++ /dev/null
@@ -1,79 +0,0 @@
----
-title: Shared PC mode for school devices
-description: Describes how shared PC mode is set for devices set up with the Set up School PCs app.
-keywords: shared PC, school, set up school pcs
-ms.prod: windows
-ms.mktglfcycl: plan
-ms.sitesec: library
-ms.pagetype: edu
-ms.localizationpriority: medium
-ms.collection: education
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 08/10/2022
-ms.reviewer:
-manager: aaroncz
-appliesto:
-- ✅ Windows 10
---
-
-# Shared PC mode for school devices
-
-Shared PC mode optimizes Windows 10 for shared use scenarios, such as classrooms and school libraries. A Windows 10 PC in shared PC mode requires minimal to zero maintenance and management. Update settings are optimized for classroom settings, so that they automatically occur outside of school hours.
-
-Shared PC mode can be applied on devices running:
-* Windows 10 Pro
-* Windows 10 Pro Education
-* Windows 10 Education
-* Windows 10 Enterprise
-
-To learn more about how to set up a device in shared PC mode, see [Set up a shared or guest PC with Windows 10](/windows/configuration/set-up-shared-or-guest-pc).
-
-## Windows Updates
-Shared PC mode configures power and Windows Update settings so that computers update regularly. Computers that are set up through the Set up School PCs app are configured to:
-* Wake nightly.
-* Check for and install updates.
-* Forcibly reboot, when necessary, to complete updates.
-
-These configurations reduce the need to update and reboot computers during daytime work hours. Notifications about needed updates are also blocked from disrupting students.
-
-## Default admin accounts in Azure Active Directory
-By default, the account that joins your computer to Azure AD will be given admin permissions on the computer. Global administrators in the joined Azure AD domain will also have admin permissions when signed in to the joined computer.
-
-An Azure AD Premium subscription lets you specify the accounts that get admin accounts on a computer. These accounts are configured in Intune in the Azure portal.
-
-## Account deletion policies
-This section describes the deletion behavior for the accounts configured in shared PC mode. A delete policy makes sure that outdated or stale accounts are regularly removed to make room for new accounts.
-
-### Azure AD accounts
-
-The default deletion policy is set to automatically cache accounts. Cached accounts are automatically deleted when disk space gets too low, or when there's an extended period of inactivity. Accounts continue to delete until the computer reclaims sufficient disk space. Deletion policies behave the same for Azure AD and Active Directory domain accounts.
-
-### Guest and Kiosk accounts
-Guest accounts and accounts created through Kiosk are deleted after they sign out of their account.
-
-### Local accounts
-Local accounts that you created before enabling shared PC mode aren't deleted. Local accounts that you create through the following path, after enabling PC mode, are not deleted: **Settings** app > **Accounts** > **Other people** > **Add someone**
-
-## Create custom Windows images
-Shared PC mode is compatible with custom Windows images.
-
-To create a compatible image, first create your custom Windows image with all software, updates, and drivers. Then use the System Preparation (Sysprep) tool with the `/oobe` flag to create the SharedPC-compatible version. For example, `sysrep/oobe`.
-
-Teachers can then run the Set up School PCs package on the computer.
-
-## Optimize device for use by a single student
-Shared PC mode is enabled by default. This mode optimizes device settings for schools where PCs are shared by students. The Set up School PCs app also offers the option to configure settings for devices that aren't shared.
-
-If you select this setting, the app modifies shared PC mode so that it's appropriate for a single device. To see how the settings differ, refer to the Shared PC mode policy table in the article [What's in my provisioning package?](set-up-school-pcs-provisioning-package.md)
-1. In the app, go to the **Create package** > **Settings** step.
-2. Select **Optimize device for a single student, instead of a shared cart or lab**.
-
-## Next steps
-Learn more about setting up devices with the Set up School PCs app.
-* [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md)
-* [Set up School PCs technical reference](set-up-school-pcs-technical.md)
-* [What's in my provisioning package](set-up-school-pcs-provisioning-package.md)
-* [Set up Windows 10 devices for education](set-up-windows-10.md)
-
-When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
\ No newline at end of file
diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md
index 21c1721e3a..cf39af9cb4 100644
--- a/education/windows/set-up-school-pcs-technical.md
+++ b/education/windows/set-up-school-pcs-technical.md
@@ -67,7 +67,6 @@ The following table describes the Set up School PCs app features and lists each
 ## Next steps
 Learn more about setting up devices with the Set up School PCs app.
 * [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md)
-* [Shared PC mode for schools](set-up-school-pcs-shared-pc-mode.md)
 * [What's in my provisioning package](set-up-school-pcs-provisioning-package.md)
 * [Set up Windows 10 devices for education](set-up-windows-10.md)
diff --git a/education/windows/set-up-school-pcs-whats-new.md b/education/windows/set-up-school-pcs-whats-new.md
index d83fe32329..abaff7bccc 100644
--- a/education/windows/set-up-school-pcs-whats-new.md
+++ b/education/windows/set-up-school-pcs-whats-new.md
@@ -104,7 +104,6 @@ The Skype and Messaging apps are part of a selection of apps that are, by defaul
 ## Next steps
 Learn how to create provisioning packages and set up devices in the app.
 * [What's in my provisioning package?](set-up-school-pcs-provisioning-package.md)
-* [Shared PC mode for schools](set-up-school-pcs-shared-pc-mode.md)
 * [Set up School PCs technical reference](set-up-school-pcs-technical.md)
 * [Set up Windows 10 devices for education](set-up-windows-10.md)
diff --git a/education/windows/take-tests-in-windows.md b/education/windows/take-tests-in-windows.md
index c60b202ae2..2b204ae77e 100644
--- a/education/windows/take-tests-in-windows.md
+++ b/education/windows/take-tests-in-windows.md
@@ -34,7 +34,7 @@ There are different ways to use Take a Test, depending on the use case:
 - For lower stakes assessments, such a quick quiz in a class, a teacher can generate a *secure assessment URL* and share it with the students. Students can then open the URL to access the assessment through Take a Test. To learn more, see the next section: [Create a secure assessment link](#create-a-secure-assessment-link)
 - For higher stakes assessments, you can configure Windows devices to use a dedicated account for testing and execute Take a Test in a locked-down mode, called **kiosk mode**. Once signed in with the dedicated account, Windows will execute Take a Test in a lock-down mode, preventing the execution of any applications other than Take a Test. For more information, see [Configure Take a Test in kiosk mode](edu-take-a-test-kiosk-mode.md)
-![Set up and user flow for the Take a Test app.](images/takeatest/flow-chart.png)
+:::image type="content" source="./images/takeatest/flow-chart.png" alt-text="Set up and user flow for the Take a Test app." border="false":::
 ## Create a secure assessment link
@@ -95,6 +95,6 @@ To take the test, have the students open the link.
 ## Additional information
-Teachers can use **Microsoft Forms** to create tests. For more information, see [Create tests using Microsoft Forms](https://support.microsoft.com/office/).
+Teachers can use **Microsoft Forms** to create tests. For more information, see [Create tests using Microsoft Forms](https://support.microsoft.com/en-us/office/create-a-quiz-with-microsoft-forms-a082a018-24a1-48c1-b176-4b3616cdc83d).
-To learn more about the policies and settings set by the Take a Test app, see [Take a Test app technical reference](take-a-test-app-technical.md).
+To learn more about the policies and settings set by the Take a Test app, see [Take a Test app technical reference](take-a-test-app-technical.md).
\ No newline at end of file
diff --git a/education/windows/tutorial-school-deployment/enroll-overview.md b/education/windows/tutorial-school-deployment/enroll-overview.md
index 1a0048e8b2..0d58d8889b 100644
--- a/education/windows/tutorial-school-deployment/enroll-overview.md
+++ b/education/windows/tutorial-school-deployment/enroll-overview.md
@@ -33,15 +33,10 @@ This [table][INT-1] describes the ideal scenarios for using either option. It's
 :::image type="content" source="./images/enroll.png" alt-text="The device lifecycle for Intune-managed devices - enrollment" border="false":::
 Select one of the following options to learn the next steps about the enrollment method you chose:
-
-> [!div class="nextstepaction"]
-> [Next: Automatic Intune enrollment via Azure AD join >](enroll-aadj.md)
-
-> [!div class="nextstepaction"]
-> [Next: Bulk enrollment with provisioning packages >](enroll-package.md)
-
-> [!div class="nextstepaction"]
-> [Next: Enroll devices with Windows Autopilot >](enroll-autopilot.md)
+> [!div class="op_single_selector"]
+> - [Automatic Intune enrollment via Azure AD join](enroll-aadj.md)
+> - [Bulk enrollment with provisioning packages](enroll-package.md)
+> - [Enroll devices with Windows Autopilot ](enroll-autopilot.md)
diff --git a/education/windows/windows-11-se-faq.yml b/education/windows/windows-11-se-faq.yml
new file mode 100644
index 0000000000..36582145e0
--- /dev/null
+++ b/education/windows/windows-11-se-faq.yml
@@ -0,0 +1,68 @@
+### YamlMime:FAQ
+metadata:
+ title: Windows 11 SE Frequently Asked Questions (FAQ)
+ description: Use these frequently asked questions (FAQ) to learn important details about Windows 11 SE.
+ ms.prod: windows
+ ms.technology: windows
+ author: paolomatarazzo
+ ms.author: paoloma
+ manager: aaroncz
+ ms.reviewer:
+ ms.collection: education
+ ms.topic: faq
+ localizationpriority: medium
+ ms.date: 09/14/2022
+ appliesto:
+ - ✅ Windows 11 SE
+
+title: Common questions about Windows 11 SE
+summary: Windows 11 SE combines the power and privacy of Windows 11 with educator feedback to create a simplified experience on devices built for education. This Frequently Asked Questions (FAQ) article is intended to help you learn more about Windows 11 SE so you can get to what matters most.
+
+sections:
+ - name: General
+ questions:
+ - question: What is Windows 11 SE?
+ answer: |
+ Windows 11 SE is a new cloud-first operating system that offers the power and reliability of Windows 11 with a simplified design and tools specially designed for schools.
+ To learn more, see [Windows 11 SE Overview](/education/windows/windows-11-se-overview).
+ - question: Who is the Windows 11 SE designed for?
+ answer: |
+ Windows 11 SE is designed for students in grades K-8 who use a laptop provided by their school, in a 1:1 scenario.
+ - question: What are the major differences between Windows 11 and Windows 11 SE?
+ answer: |
+ Windows 11 SE was created based on feedback from educators who wanted a distraction-free experience for their students. Here are some of the differences that you'll find in Windows 11 SE:
+ - Experience a simplified user interface so you can stay focused on the important stuff
+ - Only IT admins can install apps. Users will not be able to access the Microsoft Store or download apps from the internet
+ - Use Snap Assist to maximize screen space on smaller screens with two-window snapping
+ - Store your Desktop, Documents, and Photos folders in the cloud using OneDrive, so your work is backed up and easy to find
+ - Express yourself and celebrate accomplishments with the *emoji and GIF panel* and *Stickers*
+ - name: Deployment
+ questions:
+ - question: Can I load Windows 11 SE on any hardware?
+ answer: |
+ Windows 11 SE is only available on devices that are built for education. To learn more, see [Windows 11 SE Overview](/education/windows/windows-11-se-overview).
+ - name: Applications and settings
+ questions:
+ - question: How can I install applications on Windows 11 SE?
+ answer: |
+ You can use Microsoft Intune to install applications on Windows 11 SE.
+ For more information, see [Configure applications with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-apps).
+ - question: What apps will work on Windows 11 SE?
+ answer: |
+ Windows 11 SE supports all web applications and a curated list of desktop applications. You can prepare and add a desktop app to Microsoft Intune as a Win32 app from the [approved app list](/education/windows/windows-11-se-overview), then distribute it.
+ For more information, see [Considerations for Windows 11 SE](/education/windows/tutorial-school-deployment/configure-device-apps#considerations-for-windows-11-se).
+ - question: Why there's no application store on Windows 11 SE?
+ answer: |
+ IT Admins can manage system settings (including application installation and the application store) to ensure all students have a safe, distraction-free experience. On Windows SE devices, you have pre-installed apps from Microsoft, from your IT admin, and from your device manufacturer. You can continue to use web apps on the Microsoft Edge browser, as web apps do not require installation.
+ For more information, see [Configure applications with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-apps).
+ - question: What does the error 0x87D300D9 mean in the Intune for Education portal?
+ answer: |
+ This error means that the app you are trying to install is not supported on Windows 11 SE. If you have an app that fails with this error, then:
+ - Make sure the app is on the [available applications list](/education/windows/windows-11-se-overview#available-applications). Or, make sure your app is [approved for Windows 11 SE](/education/windows/windows-11-se-overview#add-your-own-applications)
+ - If the app is approved, then it's possible the app is not packaged correctly. For more information, [Configure applications with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-apps)
+ - If the app isn't approved, then it won't run on Windows 11 SE. To get apps approved, see [Add your own applications](/education/windows/windows-11-se-overview#add-your-own-applications). Or, use an app that runs in a web browser, such as a web app or PWA
+ - name: Out-of-box experience (OOBE)
+ questions:
+ - question: My Windows 11 SE device is stuck in OOBE, how can I troubleshoot it?
+ answer: |
+ To access the Settings application during OOBE on a Windows 11 SE device, press Shift+F10, then select the accessibility icon :::image type="icon" source="images/icons/accessibility.svg"::: on the bottom-right corner of the screen. From the Settings application, you can troubleshoot the OOBE process and, optionally, trigger a device reset.
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index 5141fbd618..6827ee275a 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -88,7 +88,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 |-----------------------------------------|-------------------|----------|------------------------------|
 | AirSecure | 8.0.0 | Win32 | AIR |
 | Alertus Desktop | 5.4.44.0 | Win32 | Alertus technologies |
-| Brave Browser | 1.34.80 | Win32 | Brave |
+| Brave Browser | 106.0.5249.65 | Win32 | Brave |
 | Bulb Digital Portfolio | 0.0.7.0 | Store | Bulb |
 | CA Secure Browser | 14.0.0 | Win32 | Cambium Development |
 | Cisco Umbrella | 3.0.110.0 | Win32 | Cisco |
@@ -167,14 +167,6 @@ When the app is ready, Microsoft will update you. Then, you add the app to the I
 For more information on Intune requirements for adding education apps, see [Configure applications with Microsoft Intune][EDUWIN-1].
-### 0x87D300D9 error with an app
-
-When you deploy an app using Intune for Education, you may get a `0x87D300D9` error code with a `Failed` state in the [Intune for Education portal](https://intuneeducation.portal.azure.com). If you have an app that fails with this error, then:
-
-- Make sure the app is on the [available applications list](#available-applications). Or, make sure your app is [approved for Windows 11 SE](#add-your-own-applications)
-- If the app is approved, then it's possible the app is packaged wrong. For more information, see [Add your own apps](#add-your-own-applications) and [Configure applications with Microsoft Intune][EDUWIN-1]
-- If the app isn't approved, then it won't run on Windows 11 SE. To get apps approved, see [Add your own apps](#add-your-own-applications). Or, use an app that runs in a web browser, such as a web app or PWA
-
 ## Related articles
 - [Tutorial: deploy and manage Windows devices in a school][EDUWIN-2]
diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md
index 0dda7bbc35..92038f93e9 100644
--- a/education/windows/windows-11-se-settings-list.md
+++ b/education/windows/windows-11-se-settings-list.md
@@ -17,7 +17,7 @@ appliesto:
 # Windows 11 SE for Education settings list
-Windows 11 SE automatically configures settings and features in the operating system. These settings use the Configuration Service Provider (CSPs) provided by Microsoft. You can use an MDM provider to configure these settings.
+Windows 11 SE automatically configures certain settings and features in the operating system. You can use Microsoft Intune to customize these settings.
 This article lists the settings automatically configured. For more information on Windows 11 SE, see [Windows 11 SE for Education overview](windows-11-se-overview.md).
@@ -61,45 +61,6 @@ The following settings can't be changed.
 | Administrative tools | Administrative tools, such as the command prompt and Windows PowerShell, can't be opened. Windows PowerShell scripts deployed using Microsoft Endpoint Manager can run. |
 | Apps | Only certain apps are allowed to run on Windows 11 SE. For more info on what apps can run on Windows 11 SE, see [Windows 11 SE for Education overview](windows-11-se-overview.md). |
-## What's available in the Settings app
-
-On Windows 11 SE devices, the Settings app shows the following setting pages. Depending on the hardware, some setting pages might not be shown.
-
-- Accessibility
-
-- Accounts
- - Email & accounts
-
-- Apps
-
-- Bluetooth & devices
- - Bluetooth
- - Printers & scanners
- - Mouse
- - Touchpad
- - Typing
- - Pen
- - AutoPlay
-
-- Network & internet
- - WiFi
- - VPN
-
-- Personalization
- - Taskbar
-
-- Privacy & security
-
-- System
- - Display
- - Notifications
- - Tablet mode
- - Multitasking
- - Projecting to this PC
-
-- Time & Language
- - Language & region
-
 ## Next steps
 [Windows 11 SE for Education overview](windows-11-se-overview.md)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
index 8687773b6b..c78db44623 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
@@ -52,7 +52,7 @@ ms.date: 08/01/2022
 - [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment)
 - [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
 - [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) 9
-- [MixedReality/AllowCaptivePortalBeforeSignIn](./policy-csp-mixedreality.md#mixedreality-allowcaptiveportalpeforesignin) Insider
+- [MixedReality/AllowCaptivePortalBeforeLogon](./policy-csp-mixedreality.md#mixedreality-allowcaptiveportalpeforelogon) Insider
 - [MixedReality/AllowLaunchUriInSingleAppKiosk](./policy-csp-mixedreality.md#mixedreality-allowlaunchuriinsingleappkiosk)10
 - [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) 11
 - [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) 9
diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md
index e49f9c7be8..e308bcc662 100644
--- a/windows/client-management/mdm/policy-csp-mixedreality.md
+++ b/windows/client-management/mdm/policy-csp-mixedreality.md
@@ -23,7 +23,7 @@ manager: aaroncz
 MixedReality/AADGroupMembershipCacheValidityInDays
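Review bot: The renamed HoloLens 2 entry still points at `#mixedreality-allowcaptiveportalpeforelogon`, which carries the "pefore" typo over from the old anchor; the heading this same commit renames in policy-csp-mixedreality.md is `**MixedReality/AllowCaptivePortalBeforeLogon**`, so the anchor the rendered page exposes is presumably `mixedreality-allowcaptiveportalbeforelogon` and this link lands nowhere. Change the target to `./policy-csp-mixedreality.md#mixedreality-allowcaptiveportalbeforelogon`. The page's own `<a id>` tags are not shown in this diff, so confirm the corrected anchor against the rendered policy page before merging.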
- MixedReality/AllowCaptivePortalBeforeSignIn
+ MixedReality/AllowCaptivePortalBeforeLogon
 MixedReality/AllowLaunchUriInSingleAppKiosk
@@ -103,7 +103,7 @@ Steps to use this policy correctly:
-**MixedReality/AllowCaptivePortalBeforeSignIn**
+**MixedReality/AllowCaptivePortalBeforeLogon**
@@ -127,11 +127,14 @@ Steps to use this policy correctly:
 This new feature is an opt-in policy that IT Admins can enable to help with the setup of new devices in new areas or new users. When this policy is turned on it allows a captive portal on the sign-in screen, which allows a user to enter credentials to connect to the Wi-Fi access point. If enabled, sign in will implement similar logic as OOBE to display captive portal if necessary.
-MixedReality/AllowCaptivePortalBeforeSignIn
+MixedReality/AllowCaptivePortalBeforeLogon
-The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/AllowCaptivePortalBeforeSignIn`
+The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/AllowCaptivePortalBeforeLogon`
-Bool value
+Int value
+
+- 0: (Default) Off
+- 1: On
diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md
index 84c80b01df..9cc95c3534 100644
--- a/windows/client-management/mdm/sharedpc-csp.md
+++ b/windows/client-management/mdm/sharedpc-csp.md
@@ -74,37 +74,35 @@ A boolean value that specifies whether the policies for education environment ar
 The supported operations are Add, Get, Replace, and Delete.
-The default value changed to false in Windows 10, version 1703. The default value is Not Configured and this node needs to be configured independent of EnableSharedPCMode.
-
-In Windows 10, version 1607, the value is set to True and the education environment is automatically configured when SharedPC mode is configured.
+The default value is Not Configured.
 **SetPowerPolicies**
-Optional. A boolean value that specifies that the power policies should be set when configuring SharedPC mode.
+A boolean value that specifies that the power policies should be set when configuring SharedPC mode.
 The supported operations are Add, Get, Replace, and Delete.
 The default value is Not Configured and the effective power settings are determined by the OS's default power settings. Its value in the SharedPC provisioning package is True.
 **MaintenanceStartTime**
-Optional. An integer value that specifies the daily start time of maintenance hour. Given in minutes from midnight. The range is 0-1440.
+An integer value that specifies the daily start time of maintenance hour. Given in minutes from midnight. The range is 0-1440.
 The supported operations are Add, Get, Replace, and Delete.
 The default value is Not Configured and its value in the SharedPC provisioning package is 0 (12 AM).
 **SignInOnResume**
-Optional. A boolean value that, when set to True, requires sign in whenever the device wakes up from sleep mode.
+A boolean value that, when set to True, requires sign in whenever the device wakes up from sleep mode.
 The supported operations are Add, Get, Replace, and Delete.
 The default value is Not Configured and its value in the SharedPC provisioning package is True.
 **SleepTimeout**
-The amount of time in seconds before the PC sleeps. 0 means the PC never sleeps. Default is 5 minutes. This node is optional.
+The amount of time in seconds before the PC sleeps. 0 means the PC never sleeps. Default is 5 minutes.
 The supported operations are Add, Get, Replace, and Delete.
-The default value is Not Configured, and effective behavior is determined by the OS's default settings. Its value in the SharedPC provisioning package for Windows 10, version 1703 is 300, and in Windows 10, version 1607 is 3600.
+The default value is Not Configured, and effective behavior is determined by the OS's default settings. Its value in SharedPC provisioning package is 300.
 **EnableAccountManager**
 A boolean that enables the account manager for shared PC mode.
@@ -120,9 +118,9 @@ The supported operations are Add, Get, Replace, and Delete.
 The following list shows the supported values:
-- 0 (default) - Only guest accounts are allowed.
-- 1 - Only domain-joined accounts are enabled.
-- 2 - Domain-joined and guest accounts are allowed.
+- 0 (default) - Only guest accounts are allowed.
+- 1 - Only domain-joined accounts are enabled.
+- 2 - Domain-joined and guest accounts are allowed.
 Its value in the SharedPC provisioning package is 1 or 2.
@@ -131,12 +129,7 @@ Configures when accounts are deleted.
 The supported operations are Add, Get, Replace, and Delete.
-For Windows 10, version 1607, here's the list shows the supported values:
-
-- 0 - Delete immediately.
-- 1 (default) - Delete at disk space threshold.
-
-For Windows 10, version 1703, here's the list of supported values:
+This is the list of supported values:
 - 0 - Delete immediately.
 - 1 - Delete at disk space threshold.
@@ -163,23 +156,23 @@ For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevel
 The supported operations are Add, Get, Replace, and Delete.
 **RestrictLocalStorage**
-Added in Windows 10, version 1703. Restricts the user from using local storage. This node is optional.
+Restricts the user from using local storage.
-The default value is Not Configured and behavior is no such restriction applied. Value type is bool. Supported operations are Add, Get, Replace, and Delete. Default in SharedPC provisioning package is False.
+The default value is Not Configured. Value type is bool. Supported operations are Add, Get, Replace, and Delete. Default in SharedPC provisioning package is False.
 **KioskModeAUMID**
-Added in Windows 10, version 1703. Specifies the AUMID of the app to use with assigned access. This node is optional.
+Specifies the AUMID of the app to use with assigned access.
 - Value type is string.
 - Supported operations are Add, Get, Replace, and Delete.
 **KioskModeUserTileDisplayText**
-Added in Windows 10, version 1703. Specifies the display text for the account shown on the sign-in screen that launches the app specified by KioskModeAUMID. This node is optional.
+Specifies the display text for the account shown on the sign-in screen that launches the app specified by KioskModeAUMID.
 Value type is string. Supported operations are Add, Get, Replace, and Delete.
 **InactiveThreshold**
-Added in Windows 10, version 1703. Accounts will start being deleted when they haven't been logged on during the specified period, given as number of days.
+Accounts will start being deleted when they haven't been logged on during the specified period, given as number of days.
 - The default value is Not Configured.
 - Value type is integer.
@@ -188,7 +181,7 @@ Added in Windows 10, version 1703. Accounts will start being deleted when they h
 The default in the SharedPC provisioning package is 30.
 **MaxPageFileSizeMB**
-Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM. This node is optional.
+Maximum size of the paging file in MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM.
 - Default value is Not Configured.
 - Value type is integer.
diff --git a/windows/configuration/TOC.yml b/windows/configuration/TOC.yml
index 0c16704142..177b63d3e2 100644
--- a/windows/configuration/TOC.yml
+++ b/windows/configuration/TOC.yml
@@ -68,8 +68,6 @@
 href: kiosk-single-app.md
 - name: Set up a multi-app kiosk
 href: lock-down-windows-10-to-specific-apps.md
- - name: Set up a shared or guest PC
- href: set-up-shared-or-guest-pc.md
 - name: Kiosk reference information
 items:
 - name: More kiosk methods and reference information
@@ -92,7 +90,15 @@
 href: kiosk-mdm-bridge.md
 - name: Troubleshoot kiosk mode issues
 href: kiosk-troubleshoot.md
-
+
+- name: Configure multi-user and guest devices
+ items:
+ - name: Shared devices concepts
+ href: shared-devices-concepts.md
+ - name: Configure shared devices with Shared PC
+ href: set-up-shared-or-guest-pc.md
+ - name: Shared PC technical reference
+ href: shared-pc-technical.md
 - name: Use provisioning packages
 items:
diff --git a/windows/configuration/images/icons/accessibility.svg b/windows/configuration/images/icons/accessibility.svg
new file mode 100644
index 0000000000..21a6b4f235
--- /dev/null
+++ b/windows/configuration/images/icons/accessibility.svg
@@ -0,0 +1,3 @@ + + + \ No newline at end of file
diff --git a/windows/configuration/images/icons/group-policy.svg b/windows/configuration/images/icons/group-policy.svg
new file mode 100644
index 0000000000..ace95add6b
--- /dev/null
+++ b/windows/configuration/images/icons/group-policy.svg
@@ -0,0 +1,3 @@ + + + \ No newline at end of file
diff --git a/windows/configuration/images/icons/intune.svg b/windows/configuration/images/icons/intune.svg
new file mode 100644
index 0000000000..6e0d938aed
--- /dev/null
+++ b/windows/configuration/images/icons/intune.svg
@@ -0,0 +1,24 @@ + + + + + + + + + + + + + + + + Icon-intune-329 + + + + + + + + \ No newline at end of file
diff --git a/windows/configuration/images/icons/powershell.svg b/windows/configuration/images/icons/powershell.svg
new file mode 100644
index 0000000000..ab2d5152ca
--- /dev/null
+++ b/windows/configuration/images/icons/powershell.svg
@@ -0,0 +1,20 @@ + + + + + + + + + + MsPortalFx.base.images-10 + + + + + + + + + + \ No newline at end of file
diff --git a/windows/configuration/images/icons/provisioning-package.svg b/windows/configuration/images/icons/provisioning-package.svg
new file mode 100644
index 0000000000..dbbad7d780
--- /dev/null
+++ b/windows/configuration/images/icons/provisioning-package.svg
@@ -0,0 +1,3 @@ + + + \ No newline at end of file
diff --git a/windows/configuration/images/icons/registry.svg b/windows/configuration/images/icons/registry.svg
new file mode 100644
index 0000000000..06ab4c09d7
--- /dev/null
+++ b/windows/configuration/images/icons/registry.svg
@@ -0,0 +1,22 @@ + + + + + + + + + + + + + + + + + + + Icon-general-18 + + + \ No newline at end of file
diff --git a/windows/configuration/images/icons/windows-os.svg b/windows/configuration/images/icons/windows-os.svg
new file mode 100644
index 0000000000..da64baf975
--- /dev/null
+++ b/windows/configuration/images/icons/windows-os.svg
@@ -0,0 +1,3 @@ + + + \ No newline at end of file
diff --git a/windows/configuration/images/shared-pc-intune.png b/windows/configuration/images/shared-pc-intune.png
new file mode 100644
index 0000000000..401e937a2a
Binary files /dev/null and b/windows/configuration/images/shared-pc-intune.png differ
diff --git a/windows/configuration/images/shared-pc-wcd.png b/windows/configuration/images/shared-pc-wcd.png
new file mode 100644
index 0000000000..a0f86ed11e
Binary files /dev/null and b/windows/configuration/images/shared-pc-wcd.png differ
diff --git a/windows/configuration/images/sharedpc-guest-win11.png b/windows/configuration/images/sharedpc-guest-win11.png
new file mode 100644
index 0000000000..c6091c3b2d
Binary files /dev/null and b/windows/configuration/images/sharedpc-guest-win11.png differ
diff --git a/windows/configuration/images/sharedpc-kiosk-win11se.png b/windows/configuration/images/sharedpc-kiosk-win11se.png
new file mode 100644
index 0000000000..1a0f0afeb1
Binary files /dev/null and b/windows/configuration/images/sharedpc-kiosk-win11se.png differ
diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md
index 191ecb60c4..6490c7a003 100644
--- a/windows/configuration/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/set-up-shared-or-guest-pc.md
@@ -1,353 +1,153 @@
 ---
-title: Set up a shared or guest PC with Windows 10/11
-description: Windows 10 and Windows has shared PC mode, which optimizes Windows client for shared use scenarios.
-ms.prod: w10
-author: lizgt2000
-ms.author: lizlong
-ms.topic: article
+title: Set up a shared or guest Windows device
+description: Description of how to configured Shared PC mode, which is a Windows feature that optimizes devices for shared use scenarios.
+ms.date: 10/15/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: reference
 ms.localizationpriority: medium
-ms.reviewer: sybruckm
+author: paolomatarazzo
+ms.author: paoloma
+ms.reviewer:
 manager: aaroncz
-ms.collection: highpri
+ms.collection:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows 11 SE
 ---
-# Set up a shared or guest PC with Windows 10/11
+# Set up a shared or guest Windows device
+**Shared PC** offers options to facilitate the management and optimization of shared devices. The customizations offered by Shared PC are listed in the following table.
-**Applies to**
+| Area Name | Setting name and description|
+|---|---|
+|Shared PC mode | **EnableSharedPCMode** or **EnableSharedPCModeWithOneDriveSync**: when enabled, **Shared PC mode** is turned on and different settings are configured in the local group policy object (LGPO). For a detailed list of settings enabled by Shared PC Mode in the LGPO, see the [Shared PC technical reference](shared-pc-technical.md#enablesharedpcmode-and-enablesharedpcmodewithonedrivesync).|
+| Account management | **EnableAccountManager**: when enabled, automatic account management is turned on. The following settings define the behavior of *account manager*: For more information, see the [Shared PC CSP documentation][WIN-3].

**AccountModel**: this option controls which types of users can sign-in to the device, and can be used to enable the Guest and Kiosk accounts. For more information, see the [Shared PC CSP documentation][WIN-3].

**KioskModeAUMID**: configures an application (referred as Application User Model ID - AUMID) to automatically execute when the kiosk account is used to sign in. A new account will be created and will use assigned access to only run the app specified by the AUMID. [Find the Application User Model ID of an installed app][WIN-7].

**KioskModeUserTileDisplayText**: sets the display text on the kiosk account if **KioskModeAUMID** has been set.|
+| Advanced customizations | **SetEduPolicies**: when enabled, specific settings designed for education devices are configured in the LGPO. For a detailed list of settings enabled by SetEduPolicies in the LGPO, see [Shared PC technical reference](shared-pc-technical.md#setedupolicy).
**SetPowerPolicies**: when enabled, different power settings optimized for shared devices are configured in the LGPO. For a detailed list of settings enabled by SetPowerPolicies in the LGPO, see [Shared PC technical reference](shared-pc-technical.md#setpowerpolicies).

**SleepTimeout**: specifies all timeouts for when the PC should sleep.

**SignInOnResume**: if enabled, specifies if the user is required to sign in with a password when the PC wakes from sleep.

**MaintenanceStartTime**: by default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update or Search indexing) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For a detailed list of settings enabled by MaintenanceStartTime, see [Shared PC technical reference](shared-pc-technical.md#maintenancestarttime).

**MaxPageFileSizeMB**: adjusts the maximum page file size in MB. This can be used to fine-tune page file behavior, especially on low end PCs.

**RestrictLocalStorage**: when enabled, users are prevented from saving or viewing local storage while using File Explorer.|
-- Windows 10
-- Windows 11
+## Configure Shared PC
-Windows client has a *shared PC mode*, which optimizes Windows client for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows client Pro, Pro Education, Education, and Enterprise.
+Shared PC can be configured using the following methods:
-> [!NOTE]
-> If you're interested in using Windows client for shared PCs in a school, see [Use Set up School PCs app](/education/windows/use-set-up-school-pcs-app) which provides a simple way to configure PCs with shared PC mode plus additional settings specific for education.
+- Microsoft Intune/MDM
+- Provisioning package (PPKG)
+- PowerShell script
-## Shared PC mode concepts
-A Windows client PC in shared PC mode is designed to be management- and maintenance-free with high reliability. In shared PC mode, only one user can be signed in at a time. When the PC is locked, the currently signed in user can always be signed out at the lock screen.
+Follow the instructions below to configure your devices, selecting the option that best suits your needs.
-### Account models
-It is intended that shared PCs are joined to an Active Directory or Azure Active Directory domain by a user with the necessary rights to perform a domain join as part of a setup process. This enables any user that is part of the directory to sign-in to the PC. If using Azure Active Directory Premium, any domain user can also be configured to sign in with administrative rights. Additionally, shared PC mode can be configured to enable a **Guest** option on the sign-in screen, which doesn't require any user credentials or authentication, and creates a new local account each time it is used. Windows client has a **kiosk mode** account.
Shared PC mode can be configured to enable a **Kiosk** option on the sign-in screen, which doesn't require any user credentials or authentication, and creates a new local account each time it is used to run a specified app in assigned access (kiosk) mode.
+#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
-### Account management
-When the account management service is turned on in shared PC mode, accounts are automatically deleted. Account deletion applies to Active Directory, Azure Active Directory, and local accounts that are created by the **Guest** and **Kiosk** options. Account management is performed both at sign-off time (to make sure there is enough disk space for the next user) as well as during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out or when disk space is low. In Windows client, an inactive option is added which deletes accounts if they haven't signed in after a specified number of days.
+To configure devices using Microsoft Intune, [create a **Settings catalog** policy][MEM-2], and use the settings listed under the category **`Shared PC`**:
-### Maintenance and sleep
-Shared PC mode is configured to take advantage of maintenance time periods which run while the PC is not in use. Therefore, sleep is strongly recommended so that the PC can wake up when it is not in use to perform maintenance, clean up accounts, and run Windows Update. The recommended settings can be set by choosing **SetPowerPolicies** in the list of shared PC options. Additionally, on devices without Advanced Configuration and Power Interface (ACPI) wake alarms, shared PC mode will always override real-time clock (RTC) wake alarms to be allowed to wake the PC from sleep (by default, RTC wake alarms are off). This ensures that the widest variety of hardware will take advantage of maintenance periods.
+:::image type="content" source="./images/shared-pc-intune.png" alt-text="Screenshot that shows the Shared PC policies in the Intune settings catalog." lightbox="./images/shared-pc-intune.png" border="True":::
-While shared PC mode does not configure Windows Update itself, it is strongly recommended to configure Windows Update to automatically install updates and reboot (if necessary) during maintenance hours. This will help ensure the PC is always up to date and not interrupting users with updates.
+Assign the policy to a security group that contains as members the devices or users that you want to configure.
-Use one of the following methods to configure Windows Update:
+Alternatively, you can configure devices using a [custom policy][MEM-1] with the [SharedPC CSP][WIN-3].
-- Group Policy: Set **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates** to `4` and check **Install during automatic maintenance**.
-- MDM: Set **Update/AllowAutoUpdate** to `4`.
-- Provisioning: In Windows Imaging and Configuration Designer (ICD), set **Policies/Update/AllowAutoUpdate** to `4`.
+#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
-[Learn more about the AllowAutoUpdate settings](/windows/client-management/mdm/policy-configuration-service-provider#Update_AllowAutoUpdate)
+To configure devices using a provisioning package, [create a provisioning package][WIN-1] using WCD, and use the settings listed under the category **`SharedPC`**:
-### App behavior
+:::image type="content" source="./images/shared-pc-wcd.png" alt-text="Screenshot that shows the Shared PC policies in WCD." lightbox="./images/shared-pc-wcd.png" border="False":::
-Apps can take advantage of shared PC mode with the following three APIs:
+For a list and description of CSP settings exposed in Windows Configuration Designer, see the [SharedPC WCD reference][WIN-4].
-- [IsEnabled](/uwp/api/windows.system.profile.sharedmodesettings) - This informs apps when the PC has been configured for shared use scenarios. For example, an app might only download content on demand on a device in shared PC mode, or might skip first run experiences.
-- [ShouldAvoidLocalStorage](/uwp/api/windows.system.profile.sharedmodesettings) - This informs apps when the PC has been configured to not allow the user to save to the local storage of the PC. Instead, only cloud save locations should be offered by the app or saved automatically by the app.
-- [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) - This informs apps when the PC is used in an education environment. Apps may want to handle diagnostic data differently or hide advertising functionality.
-
+Follow the steps in [Apply a provisioning package][WIN-2] to apply the package that you created.
-### Customization
-Shared PC mode exposes a set of customizations to tailor the behavior to your requirements. These customizations are the options that you'll set either using MDM or a provisioning package as explained in [Configuring Shared PC mode for Windows](#configuring-shared-pc-mode-for-windows). The options are listed in the following table.
+#### [:::image type="icon" source="images/icons/powershell.svg"::: **PowerShell**](#tab/powershell)
-| Setting | Value |
-|:---|:---|
-| EnableSharedPCMode | Set as **True**. If this is not set to **True**, shared PC mode is not turned on and none of the other settings apply. This setting controls this API: [IsEnabled](/uwp/api/windows.system.profile.sharedmodesettings)

Some of the remaining settings in **SharedPC** are optional, but we strongly recommend that you also set `EnableAccountManager` to **True**. |
-| AccountManagement: AccountModel | This option controls how users can sign-in on the PC. Choosing domain-joined will enable any user in the domain to sign-in.

Specifying the guest option will add the **Guest** option to the sign-in screen and enable anonymous guest access to the PC.

- **Only guest** allows anyone to use the PC as a local standard (non-admin) account.
- **Domain-joined only** allows users to sign in with an Active Directory or Azure AD account.
- **Domain-joined and guest** allows users to sign in with an Active Directory, Azure AD, or local standard account. |
-| AccountManagement: DeletionPolicy | - **Delete immediately** will delete the account on sign-out.

- **Delete at disk space threshold** will start deleting accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed.

Example: The caching number is 50 and the deletion number is 25. Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) at a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign-off of an account if free space is under the deletion threshold and disk space is very low, regardless if the PC is actively in use or not.
- **Delete at disk space threshold and inactive threshold** will apply the same disk space checks as noted above, but also delete accounts if they have not signed in within the number of days specified by **InactiveThreshold** |
-| AccountManagement: DiskLevelCaching | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching. |
-| AccountManagement: DiskLevelDeletion | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion. |
-| AccountManagement: InactiveThreshold | If you set **DeletionPolicy** to **Delete at disk space threshold and inactive threshold**, set the number of days after which an account that has not signed in will be deleted. |
-| AccountManagement: EnableAccountManager | Set as **True** to enable automatic account management. If this is not set to true, no automatic account management will be done. |
-| AccountManagement: KioskModeAUMID | Set an Application User Model ID (AUMID) to enable the kiosk account on the sign-in screen. A new account will be created and will use assigned access to only run the app specified by the AUMID. Note that the app must be installed on the PC. Set the name of the account using **KioskModeUserTileDisplayText**, or a default name will be used. [Find the Application User Model ID of an installed app](/previous-versions/windows/embedded/dn449300(v=winembedded.82)) |
-| AccountManagement: KioskModeUserTileDisplayText | Sets the display text on the kiosk account if **KioskModeAUMID** has been set. |
-| Customization: MaintenanceStartTime | By default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight.
For example, if you want maintenance to begin at 2 AM, enter `120` as the value. |
-| Customization: MaxPageFileSizeMB | Adjusts the maximum page file size in MB. This can be used to fine-tune page file behavior, especially on low end PCs. |
-| Customization: RestrictLocalStorage | Set as **True** to restrict the user from saving or viewing local storage when using File Explorer. This setting controls this API: [ShouldAvoidLocalStorage](/uwp/api/windows.system.profile.sharedmodesettings) |
-| Customization: SetEduPolicies | Set to **True** for PCs that will be used in a school. For more information, see [Windows client configuration recommendations for education customers](/education/windows/configure-windows-for-education). This setting controls this API: [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) |
-| Customization: SetPowerPolicies | When set as **True**:
- Prevents users from changing power settings
- Turns off hibernate
- Overrides all power state transitions to sleep (e.g. lid close) |
-| Customization: SignInOnResume | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. |
-| Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. |
-[Policies: Authentication](wcd/wcd-policies.md#authentication) (optional related setting) | Enables a quick first sign-in experience for a user by automatically connecting new non-admin Azure AD accounts to the pre-configured candidate local accounts.
+To configure devices using a PowerShell script, you can use the [MDM Bridge WMI Provider][WIN-6].
-## Configuring Shared PC mode for Windows
+> [!TIP]
+> PowerShell scripts can be executed as scheduled tasks via Group Policy.
-You can configure Windows to be in shared PC mode in a couple different ways:
+> [!IMPORTANT]
+> For all device settings, the WMI Bridge client must be executed as SYSTEM (LocalSystem) account.
+>
+> To test a PowerShell script, you can:
+> 1. [Download the psexec tool](/sysinternals/downloads/psexec)
+> 1. Open an elevated command prompt and run: `psexec.exe -i -s powershell.exe`
+> 1. Run the script in the PowerShell session
-- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp).
To set up a shared device policy for Windows client in Intune, complete the following steps:
+Edit the following sample PowerShell script to customize the settings that you want to configure:
+```powershell
+$namespaceName = "root\cimv2\mdm\dmmap"
+$parentID="./Vendor/MSFT/Policy/Config"
+$className = "MDM_SharedPC"
+$cimObject = Get-CimInstance -Namespace $namespaceName -ClassName $className
+if (-not ($cimObject)) {
+ $cimObject = New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$ParentID;InstanceID=$instance}
+}
+$cimObject.EnableSharedPCMode = $True
+$cimObject.SetEduPolicies = $True
+$cimObject.SetPowerPolicies = $True
+$cimObject.MaintenanceStartTime = 0
+$cimObject.SignInOnResume = $True
+$cimObject.SleepTimeout = 0
+$cimObject.EnableAccountManager = $True
+$cimObject.AccountModel = 2
+$cimObject.DeletionPolicy = 1
+$cimObject.DiskLevelDeletion = 25
+$cimObject.DiskLevelCaching = 50
+$cimObject.RestrictLocalStorage = $False
+$cimObject.KioskModeAUMID = ""
+$cimObject.KioskModeUserTileDisplayText = ""
+$cimObject.InactiveThreshold = 0
+Set-CimInstance -CimInstance $cimObject
+```
- 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
- 2. Select **Devices** > **Windows** > **Configuration profiles** > **Create profile**.
-
- 3. Enter the following properties:
Choose your platform for detailed settings:
-
- 8. On the **Configuration settings** page, set the ‘Shared PC Mode’ value to **Enabled**.
-
- > [!div class="mx-imgBorder"]
- > ![Shared PC mode in the Configuration settings page.](images/shared_pc_3.png)
-
- 11. From this point on, you can configure any additional settings you’d like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 6**.
-
-- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows client that's already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp), exposed in Windows Configuration Designer as **SharedPC**.
-
- ![Shared PC settings in ICD.](images/icd-adv-shared-pc.png)
-
-- WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the [MDM_SharedPC class](/windows/win32/dmwmibridgeprov/mdm-sharedpc). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider).
For example, open PowerShell as an administrator and enter the following:
-
- ```powershell
- $sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC"
- $sharedPC.EnableSharedPCMode = $True
- $sharedPC.SetEduPolicies = $True
- $sharedPC.SetPowerPolicies = $True
- $sharedPC.MaintenanceStartTime = 0
- $sharedPC.SignInOnResume = $True
- $sharedPC.SleepTimeout = 0
- $sharedPC.EnableAccountManager = $True
- $sharedPC.AccountModel = 2
- $sharedPC.DeletionPolicy = 1
- $sharedPC.DiskLevelDeletion = 25
- $sharedPC.DiskLevelCaching = 50
- $sharedPC.RestrictLocalStorage = $False
- $sharedPC.KioskModeAUMID = ""
- $sharedPC.KioskModeUserTileDisplayText = ""
- $sharedPC.InactiveThreshold = 0
- Set-CimInstance -CimInstance $sharedPC
- Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName MDM_SharedPC
- ```
-
-### Create a provisioning package for shared use
-
-1. [Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md)
-
-2. Open Windows Configuration Designer.
-3. On the **Start page**, select **Advanced provisioning**.
-4. Enter a name and (optionally) a description for the project, and click **Next**.
-5. Select **All Windows desktop editions**, and click **Next**.
-6. Click **Finish**. Your project opens in Windows Configuration Designer.
-7. Go to **Runtime settings** > **SharedPC**. [Select the desired settings for shared PC mode.](#customization)
-8. On the **File** menu, select **Save.**
-9. On the **Export** menu, select **Provisioning package**.
-10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
-11. Set a value for **Package Version**.
- > [!TIP]
- > You can make changes to existing packages and change the version number to update previously applied packages.
-
-12.
(*Optional*) In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. - - > [!IMPORTANT] - > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. - -13. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows Configuration Designer uses the project folder as the output location. - Optionally, you can click **Browse** to change the default output location. -14. Click **Next**. -15. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status. - If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. -16. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. 
- - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. -17. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: - - - Shared network folder - - - SharePoint site - - - Removable media (USB/SD) (select this option to apply to a PC during initial setup) - - -### Apply the provisioning package - -Provisioning packages can be applied to a device during initial setup (out-of-box experience or "OOBE") and after ("runtime"). For more information, see [Apply a provisioning package](./provisioning-packages/provisioning-apply-package.md). - -> [!NOTE] -> If you apply the setup file to a computer that has already been set up, existing accounts and data might be lost. +--- ## Guidance for accounts on shared PCs -* We recommend no local admin accounts on the PC to improve the reliability and security of the PC. +- When a device is configured in *shared PC mode* with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign out. -* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign-out. -* On a Windows PC joined to Azure Active Directory: - * By default, the account that joined the PC to Azure AD will have an admin account on that PC. 
Global administrators for the Azure AD domain will also have admin accounts on the PC. - * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal. +- Local accounts that already exist on a PC won't be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new guest accounts created by the **Guest** and **Kiosk** options on the sign-in screen (if enabled) will automatically be deleted at sign out. To set a general policy on all local accounts, you can configure the following local Group Policy setting: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles**: **Delete User Profiles Older Than A Specified Number Of Days On System Restart**. -* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new guest accounts created by the **Guest** and **Kiosk** options on the sign-in screen (if enabled) will automatically be deleted at sign-out. To set a general policy on all local accounts, you can configure the following local Group Policy setting: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles**: **Delete User Profiles Older Than A Specified Number Of Days On System Restart**. +- The account management service supports accounts that are exempt from deletion. An account can be marked exempt from deletion by adding the account SID to the registry key: `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\`. 
To add the account SID to the registry key using PowerShell, use the following example as a reference: -* If admin accounts are necessary on the PC - * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or - * Create admin accounts before setting up shared PC mode, or - * Create exempt accounts before signing out when turning shared pc mode on. + ```powershell + $adminName = "LocalAdmin" + $adminPass = 'Pa$$word123' + invoke-expression "net user /add $adminName $adminPass" + $user = New-Object System.Security.Principal.NTAccount($adminName) + $sid = $user.Translate([System.Security.Principal.SecurityIdentifier]) + $sid = $sid.Value; + New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force + ``` -* The account management service supports accounts that are exempt from deletion. - * An account can be marked exempt from deletion by adding the account SID to the registry key: `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\`. 
- * To add the account SID to the registry key using PowerShell: +## Troubleshooting Shared PC - ```powershell - $adminName = "LocalAdmin" - $adminPass = 'Pa$$word123' - iex "net user /add $adminName $adminPass" - $user = New-Object System.Security.Principal.NTAccount($adminName) - $sid = $user.Translate([System.Security.Principal.SecurityIdentifier]) - $sid = $sid.Value; - New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force - ``` +To troubleshoot Shared PC, you can use the following tools: +- Check the log `C:\Windows\SharedPCSetup.log` +- Check the registry keys under `HKLM\Software\Microsoft\Windows\CurrentVersion\SharedPC` + - `AccountManagement` key contains settings on how profiles are managed + - `NodeValues` contains what values are set for the features managed by Shared PC -## Policies set by shared PC mode +## Technical reference -Shared PC mode sets local group policies to configure the device. Some of these are configurable using the shared pc mode options. +- For a list of settings configured by the different options offered by Shared PC mode, see the [Shared PC technical reference](shared-pc-technical.md). +- For a list of settings exposed by the SharedPC configuration service provider, see [SharedPC CSP][WIN-3]. +- For a list of settings exposed by Windows Configuration Designer, see [SharedPC CSP][WIN-4]. -> [!IMPORTANT] -> It is not recommended to set additional policies on PCs configured for **Shared PC Mode**. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required. 
+----------- -### Admin Templates > Control Panel > Personalization +[WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package +[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package +[WIN-3]: /windows/client-management/mdm/sharedpc-csp +[WIN-4]: /windows/configuration/wcd/wcd-sharedpc +[WIN-5]: /windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider +[WIN-6]: /windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal +[WIN-7]: /previous-versions/windows/embedded/dn449300(v=winembedded.82) -|Policy Name| Value|When set?| -|--- |--- |--- | -|Prevent enabling lock screen slide show|Enabled|Always| -|Prevent changing lock screen and logon image|Enabled|Always| +[MEM-1]: /mem/intune/configuration/custom-settings-windows-10 +[MEM-2]: /mem/intune/configuration/settings-catalog -### Admin Templates > System > Power Management > Button Settings - -|Policy Name| Value|When set?| -|--- |--- |--- | -|Select the Power button action (plugged in)|Sleep|SetPowerPolicies=True| -|Select the Power button action (on battery)|Sleep|SetPowerPolicies=True| -|Select the Sleep button action (plugged in)|Sleep|SetPowerPolicies=True| -|Select the lid switch action (plugged in)|Sleep|SetPowerPolicies=True| -|Select the lid switch action (on battery)|Sleep|SetPowerPolicies=True| - -### Admin Templates > System > Power Management > Sleep Settings - -|Policy Name| Value|When set?| -|--- |--- |--- | -|Require a password when a computer wakes (plugged in)|Enabled|SignInOnResume=True| -|Require a password when a computer wakes (on battery)|Enabled|SignInOnResume=True| -|Specify the system sleep timeout (plugged in)|*SleepTimeout*|SetPowerPolicies=True| -|Specify the system sleep timeout (on battery)|*SleepTimeout*|SetPowerPolicies=True| -|Turn off hybrid sleep (plugged in)|Enabled|SetPowerPolicies=True| -|Turn off hybrid sleep (on battery)|Enabled|SetPowerPolicies=True| -|Specify the unattended sleep timeout 
(plugged in)|*SleepTimeout*|SetPowerPolicies=True| -|Specify the unattended sleep timeout (on battery)|*SleepTimeout*|SetPowerPolicies=True| -|Allow standby states (S1-S3) when sleeping (plugged in)|Enabled|SetPowerPolicies=True| -|Allow standby states (S1-S3) when sleeping (on battery)|Enabled |SetPowerPolicies=True| -|Specify the system hibernate timeout (plugged in)|Enabled, 0|SetPowerPolicies=True| -|Specify the system hibernate timeout (on battery)|Enabled, 0|SetPowerPolicies=True| - -### Admin Templates>System>Power Management>Video and Display Settings - -|Policy Name| Value|When set?| -|--- |--- |--- | -|Turn off the display (plugged in)|*SleepTimeout*|SetPowerPolicies=True| -|Turn off the display (on battery|*SleepTimeout*|SetPowerPolicies=True| - -### Admin Templates>System>Power Management>Energy Saver Settings - -|Policy Name| Value|When set?| -|--- |--- |--- | -|Energy Saver Battery Threshold (on battery)|70|SetPowerPolicies=True| - -### Admin Templates>System>Logon - -|Policy Name| Value|When set?| -|--- |--- |--- | -|Show first sign-in animation|Disabled|Always| -|Hide entry points for Fast User Switching|Enabled|Always| -|Turn on convenience PIN sign-in|Disabled|Always| -|Turn off picture password sign-in|Enabled|Always| -|Turn off app notification on the lock screen|Enabled|Always| -|Allow users to select when a password is required when resuming from connected standby|Disabled|SignInOnResume=True| -|Block user from showing account details on sign-in|Enabled|Always| - -### Admin Templates>System>User Profiles - -|Policy Name| Value|When set?| -|--- |--- |--- | -|Turn off the advertising ID|Enabled|SetEduPolicies=True| - -### Admin Templates>Windows Components - -|Policy Name| Value|When set?| -|--- |--- |--- | -|Do not show Windows Tips |Enabled|SetEduPolicies=True| -|Turn off Microsoft consumer experiences |Enabled|SetEduPolicies=True| -|Microsoft Passport for Work|Disabled|Always| -|Prevent the usage of OneDrive for file storage|Enabled|Always| - 
-### Admin Templates>Windows Components>Biometrics - -|Policy Name| Value|When set?| -|--- |--- |--- | -|Allow the use of biometrics|Disabled|Always| -|Allow users to log on using biometrics|Disabled|Always| -|Allow domain users to log on using biometrics|Disabled|Always| - -### Admin Templates>Windows Components>Data Collection and Preview Builds - -|Policy Name| Value|When set?| -|--- |--- |--- | -|Toggle user control over Insider builds|Disabled|Always| -|Disable pre-release features or settings|Disabled|Always| -|Do not show feedback notifications|Enabled|Always| -|Allow Telemetry|Basic, 0|SetEduPolicies=True| - -### Admin Templates>Windows Components>File Explorer - -|Policy Name| Value|When set?| -|--- |--- |--- | -|Show lock in the user tile menu|Disabled|Always| - -### Admin Templates>Windows Components>Maintenance Scheduler - -|Policy Name| Value|When set?| -|--- |--- |--- | -|Automatic Maintenance Activation Boundary|*MaintenanceStartTime*|Always| -|Automatic Maintenance Random Delay|Enabled, 2 hours|Always| -|Automatic Maintenance WakeUp Policy|Enabled|Always| - -### Admin Templates>Windows Components>Windows Hello for Business - -|Policy Name| Value|When set?| -|--- |--- |--- | -|Use phone sign-in|Disabled|Always| -|Use Windows Hello for Business|Disabled|Always| -|Use biometrics|Disabled|Always| - -### Admin Templates>Windows Components>OneDrive - -|Policy Name| Value|When set?| -|--- |--- |--- | -|Prevent the usage of OneDrive for file storage|Enabled|Always| - -### Windows Settings>Security Settings>Local Policies>Security Options - -|Policy Name| Value|When set?| -|--- |--- |--- | -|Interactive logon: Do not display last user name|Enabled, Disabled when account model is only guest|Always| -|Interactive logon: Sign-in last interactive user automatically after a system-initiated restart|Disabled |Always| -|Shutdown: Allow system to be shut down without having to log on|Disabled|Always| -|User Account Control: Behavior of the elevation prompt for 
standard users|Auto deny|Always| +[UWP-1]: /uwp/api/windows.system.profile.sharedmodesettings +[UWP-2]: /uwp/api/windows.system.profile.educationsettings +[UWP-3]: /uwp/api/windows.system.profile.sharedmodesettings.shouldavoidlocalstorage \ No newline at end of file diff --git a/windows/configuration/shared-devices-concepts.md b/windows/configuration/shared-devices-concepts.md new file mode 100644 index 0000000000..7f041e6b09 --- /dev/null +++ b/windows/configuration/shared-devices-concepts.md 
@@ -0,0 +1,74 @@
+---
+title: Manage multi-user and guest Windows devices
+description: options to optimize Windows devices used in shared scenarios, such touchdown spaces in an enterprise, temporary customer use in retail or shared devices in a school.
+ms.date: 10/15/2022
+ms.prod: windows
+ms.technology: windows
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: paolomatarazzo
+ms.author: paoloma
+ms.reviewer:
+manager: aaroncz
+ms.collection:
+appliesto:
+- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows 11 SE
+---
+
+# Manage multi-user and guest Windows devices with Shared PC
+
+Windows allows multiple users to sign in and use the same device, which is useful in scenarios like touchdown spaces in an enterprise, temporary customer use in retail or shared devices in a school.
+As more users access the same device, more resources on the devices are used. This can lead to performance issues and a degraded user experience.
+
+To optimize multi-user and guest devices, Windows provides options through a feature called *Shared PC*. These settings are designed to improve the experience for all users on the device, and to reduce the administrative overhead caused by the maintenance of multiple user profiles.
+
+This article describes the different options available in Shared PC.
+
+## Shared PC mode
+
+A Windows device enabled for *Shared PC mode* is designed to be maintenance-free with high reliability. Devices configured in Shared PC mode have different settings designed to improve the experience for all users accessing a shared device.
+
+## Account management
+
+When *Account management* is configured, user profiles are automatically deleted to free up disk space and resources. Account management is performed both at sign-out time and during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out, based on disk space thresholds, or based on inactivity thresholds.
+
+> [!IMPORTANT]
+> Shared PC is designed to take advantage of maintenance time periods, which run while the device is not in use. Therefore, devices should be put to **sleep** instead of shut down, so that they can wake up to perform maintenance tasks.
+
+> [!TIP]
+> While Shared PC does not configure the Windows Update client, it is recommended to configure Windows Update to automatically install updates and reboot during maintenance hours. This will help ensure the device is always up to date without interrupting users when the device is in use.
+
+### Account models
+
+Shared PC offers the possibility to enable a **Guest** option on the sign-in screen. The Guest option doesn't require any user credentials or authentication, and creates a new local account each time it's used with access to the desktop. A **Guest button** is shown on the sign-in screen that a user can select.
+
+:::image type="content" source="./images/sharedpc-guest-win11.png" alt-text="Windows 11 sign-in screen with Guest option enabled." border="True":::
+
+Shared PC also offers a **Kiosk** mode, which automatically executes a specific application when the kiosk account signs-in. This is useful in scenarios where the device is accessed for a specific purpose, such as test taking in a school.
+
+:::image type="content" source="./images/sharedpc-kiosk-win11se.png" alt-text="Windows 11 sign-in screen with Guest and Kiosk options enabled." border="True":::
+
+## Advanced customizations
+
+Shared PC offers advanced customizations for shared devices, such as specific settings for education devices, low end devices, and more.
+
+Shared devices require special considerations regarding power settings. Shared PC makes it easy to configure power settings for shared devices. The power settings are configured in the local group policy object (LGPO).
+
+> [!NOTE]
+> For devices without Advanced Configuration and Power Interface (ACPI) wake alarms, Shared PC will override real-time clock (RTC) wake alarms to be allowed to wake the PC from sleep (by default, RTC wake alarms are off). This ensures that the widest variety of hardware will take advantage of maintenance periods.
+
+## Additional information
+
+- To learn how to configure Shared PC, see [Set up a shared or guest Windows device](set-up-shared-or-guest-pc.md).
+- For a list of settings configured by the different options offered by Shared PC, see the [Shared PC technical reference](shared-pc-technical.md).
+- For a list of settings exposed by the SharedPC configuration service provider, see [SharedPC CSP][WIN-3].
+- For a list of settings exposed by Windows Configuration Designer, see [SharedPC CSP][WIN-4].
+
+-----------
+
+[WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package
+[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package
+[WIN-3]: /windows/client-management/mdm/sharedpc-csp
+[WIN-4]: /windows/configuration/wcd/wcd-sharedpc
\ No newline at end of file
diff --git a/windows/configuration/shared-pc-technical.md b/windows/configuration/shared-pc-technical.md
index 4c72c00150..2126265a32 100644
--- a/windows/configuration/shared-pc-technical.md
+++ b/windows/configuration/shared-pc-technical.md
@@ -19,11 +19,16 @@ appliesto: # Shared PC technical reference -## Local group policy settings list +This article details the settings configured by the different options of Shared PC. -The different options offered by Shared PC configure the local group policy object (LGPO) with different settings. The following tables list the settings configured by each Shared PC option. +> [!IMPORTANT] +> The behavior of some options have changed over time. This article describes the current settings applied by Shared PC. -## EnableSharedPCMode +## EnableSharedPCMode and EnableSharedPCModeWithOneDriveSync + +EnableSharedPCMode and EnableSharedPCModeWithOneDriveSync are the two policies that enable **Shared PC mode**. The only difference between the two is that EnableSharedPCModeWithOneDriveSync enables OneDrive synchronization, while EnableSharedPCMode disables it. + +When enabling Shared PC mode, the following settings in the local GPO are configured: | Policy setting | Status | |--|--| 
@@ -41,11 +46,12 @@ The different options offered by Shared PC configure the local group policy obje | Windows Components/Biometrics/Allow the use of biometrics | Disabled | | Windows Components/Biometrics/Allow users to log on using biometrics | Disabled | | Windows Components/Biometrics/Allow domain users to log on using biometrics | Disabled | +| Windows Components/Data Collection and Preview Builds/Disable pre-release features or settings | Disabled (all experimentations are turned off) | | Windows Components/Data Collection and Preview Builds/Do not show feedback notifications | Enabled | | Windows Components/Data Collection and Preview Builds/Toggle user control over Insider builds | Disabled | | Windows Components/File Explorer/Show lock in the user tile menu | Disabled | | Windows Components/File History/Turn off File History | Enabled | -| Windows Components/OneDrive/Prevent the usage of OneDrive for file storage | Enabled | +| Windows Components/OneDrive/Prevent the usage of OneDrive for file storage |**Enabled** if using EnableSharedPCMode

**Disabled** is using EnableSharedPCModeWithOneDriveSync | | Windows Components/Windows Hello for Business/Use biometrics | Disabled | | Windows Components/Windows Hello for Business/Use Windows Hello for Business | Disabled | | Windows Components/Windows Logon Options/Sign-in and lock last interactive user automatically after a restart | Disabled | @@ -53,14 +59,13 @@ The different options offered by Shared PC configure the local group policy obje | Extra registry setting | Status | |-------------------------------------------------------------------------------------------------------------------|----------| | Software\Policies\Microsoft\PassportForWork\Remote\Enabled (Phone sign-in/Use phone sign-in) | 0 | -| Software\Policies\Microsoft\Windows\PreviewBuilds\EnableConfigFlighting (Disable pre-release features or settings) | 0 | | Software\Policies\Microsoft\Windows\PreviewBuilds\AllowBuildPreview () | 0 | ## SetEDUPolicy -SetEDUPolicy configures the following settings: +By enabling SetEDUPolicy, the following settings in the local GPO are configured: -| LGPO setting | Status | +| Policy setting | Status | |--|--| | System/User Profiles/Turn off the advertising ID | Enabled | | Windows Components/Cloud Content/Do not show Windows tips | Enabled | 
@@ -68,68 +73,58 @@ SetEDUPolicy configures the following settings: ## SetPowerPolicies -SetPowerPolicies configures the following settings: +By enabling SetPowerPolicies, the following settings in the local GPO are configured: -| LGPO setting | Status | +| Policy setting | Status| |--|--| -| System/Power Management/Button Settings/Select the lid switch action (on battery) | Enabled --> Sleep | -| System/Power Management/Button Settings/Select the lid switch action (plugged in) | Enabled --> Sleep | -| System/Power Management/Button Settings/Select the Power button action (on battery) | Enabled --> Sleep | -| System/Power Management/Button Settings/Select the Power button action (plugged in) | Enabled --> Sleep | -| System/Power Management/Button Settings/Select the Sleep button action (on battery) | Enabled --> Sleep | -| System/Power Management/Button Settings/Select the Sleep button action (plugged in) | Enabled --> Sleep | -| System/Power Management/Energy Saver Settings/Energy Saver Battery Threshold (on battery) | Enabled --> 70% | +| System/Power Management/Button Settings/Select the lid switch action (on battery) | Enabled > Sleep | +| System/Power Management/Button Settings/Select the lid switch action (plugged in) | Enabled > Sleep | +| System/Power Management/Button Settings/Select the Power button action (on battery) | Enabled > Sleep | +| System/Power Management/Button Settings/Select the Power button action (plugged in) | Enabled > Sleep | +| System/Power Management/Button Settings/Select the Sleep button action (on battery) | Enabled > Sleep | +| System/Power Management/Button Settings/Select the Sleep button action (plugged in) | Enabled > Sleep | +| System/Power Management/Energy Saver Settings/Energy Saver Battery Threshold (on battery) | Enabled > 70% | | System/Power Management/Sleep Settings/Allow standby states (S1-S3) when sleeping (on battery) | Enabled | | System/Power Management/Sleep Settings/Allow standby states (S1-S3) when sleeping 
(plugged in) | Enabled | -| System/Power Management/Sleep Settings/Specify the system hibernate timeout (on battery) | 0 (Disables hibernation) | -| System/Power Management/Sleep Settings/Specify the system hibernate timeout (plugged in) | 0 (Disables hibernation) | +| System/Power Management/Sleep Settings/Specify the system hibernate timeout (on battery) | 0 (Hibernation disabled) | +| System/Power Management/Sleep Settings/Specify the system hibernate timeout (plugged in) | 0 (Hibernation disabled) | | System/Power Management/Sleep Settings/Turn off hybrid sleep (on battery) | Enabled | | System/Power Management/Sleep Settings/Turn off hybrid sleep (plugged in) | Enabled | +## MaintenanceStartTime + +By enabling MaintenanceStartTime, the following settings in the local GPO are configured: + +| Policy setting | Status| +|--------------------------------------------------------------------------------------|--------------------------------| +| Windows Components/Maintenance Scheduler/Automatic Maintenance Activation Boundary | 2000-01-01T00:00:00 (midnight) | +| Windows Components/Maintenance Scheduler/Automatic Maintenance Random Delay | Enabled PT2H (2 hours) | +| Windows Components/Maintenance Scheduler/Automatic Maintenance WakeUp Policy | Enabled | + ## SignInOnResume -SignInOnResume configures the following settings: +By enabling SignInOnResume, the following settings in the local GPO are configured: -| LGPO setting | Status | +| Policy setting | Status| |--|--| | System/Logon/Allow users to select when a password is required when resuming from connected standby | Disabled | | System/Power Management/Sleep Settings/Require a password when a computer wakes (on battery) | Enabled | | System/Power Management/Sleep Settings/Require a password when a computer wakes (plugged in) | Enabled | -## MaintenanceStartTime +## EnableAccountManager -| Policy setting | Status | 
-|--------------------------------------------------------------------------------------|--------------------------------| -| Windows Components/Maintenance Scheduler/Automatic Maintenance Activation Boundary | 2000-01-01T00:00:00 (midnight) | -| Windows Components/Maintenance Scheduler/Automatic Maintenance Random Delay | Enabled PT2H | -| Windows Components/Maintenance Scheduler/Automatic Maintenance WakeUp Policy | Enabled | +By enabling Enableaccountmanager, the following schedule task is turned on: `\Microsoft\Windows\SharedPC\Account Cleanup`. -## Enableaccountmanager +## Shared PC APIs and app behavior -Enables scheduled task: -\Microsoft\Windows\SharedPC\,"Account Cleanup" +Applications can take advantage of Shared PC mode with the following three APIs: -[SharedModeSettings.ShouldAvoidLocalStorage Property](/uwp/api/windows.system.profile.sharedmodesettings.shouldavoidlocalstorage) +- [**IsEnabled**][API-1] - This API informs applications when the device is configured for shared use scenarios. For example, an app might only download content on demand on a device in shared PC mode, or might skip first run experiences. +- [**ShouldAvoidLocalStorage**][API-2] - This API informs applications when the PC has been configured to not allow the user to save to the local storage of the PC. Instead, only cloud save locations should be offered by the app or saved automatically by the app. +- [**IsEducationEnvironment**][API-3] - This API informs applications when the PC is used in an education environment. Apps may want to handle diagnostic data differently or hide advertising functionality. 
-Account Model has been set to not configured --> no GPO changes --> removes Guest from login screen -Restrict Local Storage has been set to not configured --> no GPO changes -removed all diskleveldeletion, threshold --> no GPO changes +----------- - - - - - - - - -##### to check - -### Windows Settings>Security Settings>Local Policies>Security Options - -|Policy Name| Value|When set?| -|--- |--- |--- | -|Interactive logon: Do not display last user name|Enabled, Disabled when account model is only guest|Always| -|Interactive logon: Sign-in last interactive user automatically after a system-initiated restart|Disabled |Always| -|Shutdown: Allow system to be shut down without having to log on|Disabled|Always| -|User Account Control: Behavior of the elevation prompt for standard users|Auto deny|Always| +[API-1]: /uwp/api/windows.system.profile.sharedmodesettings.isenabled +[API-2]: /uwp/api/windows.system.profile.sharedmodesettings.shouldavoidlocalstorage +[API-3]: /uwp/api/windows.system.profile.educationsettings \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-sharedpc.md b/windows/configuration/wcd/wcd-sharedpc.md index f3035e6415..c132d4bdc1 100644 --- a/windows/configuration/wcd/wcd-sharedpc.md +++ b/windows/configuration/wcd/wcd-sharedpc.md @@ -1,6 +1,6 @@ --- -title: SharedPC (Windows 10) -description: This section describes the SharedPC settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +title: SharedPC +description: This section describes the SharedPC settings that you can configure in provisioning packages for Windows using Windows Configuration Designer. ms.prod: w10 author: aczechowski ms.localizationpriority: medium 
@@ -13,8 +13,7 @@ manager: dougeby # SharedPC (Windows Configuration Designer reference) -Use SharedPC settings to optimize Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. - +Use SharedPC settings to optimize Windows devices for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. ## Applies to 
@@ -37,16 +36,18 @@ Use these settings to configure settings for accounts allowed on the shared PC. | KioskModeAUMID | String | Set an Application User Model ID (AUMID) to enable the kiosk account on the sign in screen. A new account will be created and will use assigned access to only run the app specified by the AUMID. The app must be installed on the PC. Set the name of the account using **KioskModeUserTileDisplayText**, or a default name will be used. [Find the Application User Model ID of an installed app](/previous-versions/windows/embedded/dn449300(v=winembedded.82)) | | KioskModeUserTileDisplayText | String | Sets the display text on the kiosk account if **KioskModeAUMID** has been set. | - ## EnableSharedPCMode -Set as **True**. When set to **False**, shared PC mode isn't turned on and none of the other settings apply. This setting controls this API: [IsEnabled](/uwp/api/windows.system.profile.sharedmodesettings). +Set as **True** to enable **Shared PC Mode**. This setting controls this API: [IsEnabled](/uwp/api/windows.system.profile.sharedmodesettings). + +## EnableSharedPCModeWithOneDriveSync + +Set as **True** to enable **Shared PC Mode**. This setting controls this API: [IsEnabled](/uwp/api/windows.system.profile.sharedmodesettings). -Some of the remaining settings in SharedPC are optional, but we strongly recommend that you also set **EnableAccountManager** to **True**. ## PolicyCustomization -Use these settings to configure policies for shared PC mode. +Use these settings to configure additional Shared PC policies. | Setting | Value | Description | | --- | --- | --- | diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index acc9d2ff15..936f68a628 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md 
@@ -192,21 +192,28 @@ Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Destinatio Write-Output "$(Get-TS): Mounting WinRE" Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null -# Add servicing stack update +# Add servicing stack update (Step 1 from the table) -# Note: If you are using a combined cumulative update, there may be a prerequisite servicing stack update required -# This is where you'd add the prerequisite SSU, before applying the latest combined cumulative update. +# Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack +# The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined +# cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and +# Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published seperately; the combined +# cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined +# cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the +# combined cumulative update can be installed. -# Note: If you are applying a combined cumulative update to a previously updated image (e.g. an image you updated last month) -# There is a known issue where the servicing stack update is installed, but the cumulative update will fail. -# This error should be caught and ignored, as the last step will be to apply the cumulative update -# (or in this case the combined cumulative update) and thus the image will be left with the correct packages installed. 
+# This is the code to handle the rare case that the SSU is published and required for the combined cumulative update +# Write-Output "$(Get-TS): Adding package $SSU_PATH" +# Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null -Write-Output "$(Get-TS): Adding package $SSU_PATH" +# Now, attempt the combined cumulative update. +# There is a known issue where the servicing stack update is installed, but the cumulative update will fail. This error should +# be caught and ignored, as the last step will be to apply the Safe OS update and thus the image will be left with the correct +# packages installed. try { - Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null + Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $LCU_PATH | Out-Null } Catch { @@ -221,6 +228,13 @@ Catch } } +# The second approach for Step 1 is for Windows releases that have not adopted the combined cumulative update +# but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU +# update. This second approach is commented out below. + +# Write-Output "$(Get-TS): Adding package $SSU_PATH" +# Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null + # # Optional: Add the language to recovery environment # 
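Review bot: The new `try` body `Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $LCU_PATH | Out-Null` has no `-ErrorAction stop`, so if the cmdlet reports a non-terminating error the `Catch` is never entered and the script continues with an unpatched winre.wim; the `Catch` that whitelists only `0x8007007e` is effective only if every failure is terminating. Suggest `Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null`, consistent with the `-ErrorAction stop` already used on the `Mount-WindowsImage` line above. The hunk also removes `Write-Output "$(Get-TS): Adding package $SSU_PATH"` without adding a matching `Write-Output "$(Get-TS): Adding package $LCU_PATH"`, so the build log no longer records which package was applied to WinRE, unlike the main-OS step. The `Catch` body that inspects the error lies outside this hunk. Minor wording in the new comment block: `seperately` → `separately`, `there may breaking change` → `there may be a breaking change`.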
@@ -301,27 +315,34 @@ Foreach ($IMAGE in $WINPE_IMAGES) { Write-Output "$(Get-TS): Mounting WinPE" Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null - # Add SSU + # Add servicing stack update (Step 9 from the table) - # Note: If you are using a combined cumulative update, there may be a prerequisite servicing stack update required - # This is where you'd add the prerequisite SSU, before applying the latest combined cumulative update. + # Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack + # The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined + # cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and + # Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published seperately; the combined + # cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined + # cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the + # combined cumulative update can be installed. - # Note: If you are applying a combined cumulative update to a previously updated image (e.g. an image you updated last month) + # This is the code to handle the rare case that the SSU is published and required for the combined cumulative update + # Write-Output "$(Get-TS): Adding package $SSU_PATH" + # Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null + + # Now, attempt the combined cumulative update. # There is a known issue where the servicing stack update is installed, but the cumulative update will fail. 
# This error should be caught and ignored, as the last step will be to apply the cumulative update # (or in this case the combined cumulative update) and thus the image will be left with the correct packages installed. - Write-Output "$(Get-TS): Adding package $SSU_PATH" - try { - Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null + Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PATH | Out-Null } Catch { $theError = $_ Write-Output "$(Get-TS): $theError" - + if ($theError.Exception -like "*0x8007007e*") { Write-Output "$(Get-TS): This failure is a known issue with combined cumulative update, we can ignore." } @@ -330,6 +351,13 @@ Foreach ($IMAGE in $WINPE_IMAGES) { } } + # The second approach for Step 9 is for Windows releases that have not adopted the combined cumulative update + # but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU + # update. This second approach is commented out below. + + # Write-Output "$(Get-TS): Adding package $SSU_PATH" + # Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null + # Install lp.cab cab Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH" Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null 
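Review bot: Inside the `Foreach ($IMAGE in $WINPE_IMAGES)` loop the new `Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PATH | Out-Null` runs without `-ErrorAction stop`, so a non-terminating DISM error bypasses the `Catch` entirely and the language pack and optional components are then layered onto a boot.wim whose servicing stack was never updated; the line should read `Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null`. The removed `Write-Output "$(Get-TS): Adding package $SSU_PATH"` is not replaced by an equivalent log line for `$LCU_PATH`, whereas the main-OS step in this same commit does log it; the per-image log should record the package applied so a media build can be audited. The identical multi-line explanation of the two servicing-stack approaches now appears three times in the script; stating it once in the prose above the listing and leaving a one-line pointer such as `# Step 9: servicing stack update - see note on combined cumulative updates above` would keep the code readable.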
@@ -412,9 +440,29 @@ You can install Optional Components, along with the .NET feature, offline, but t # update Main OS # -# Add servicing stack update -Write-Output "$(Get-TS): Adding package $SSU_PATH" -Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null +# Add servicing stack update (Step 18 from the table) + +# Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack +# The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that +# includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and Windows 11, version 22H2 are examples. In these +# cases, the servicing stack update is not published seperately; the combined cumulative update should be used for this step. However, in hopefully +# rare cases, there may breaking change in the combined cumulative update format, that requires a standalone servicing stack update to be published, +# and installed first before the combined cumulative update can be installed. + +# This is the code to handle the rare case that the SSU is published and required for the combined cumulative update +# Write-Output "$(Get-TS): Adding package $SSU_PATH" +# Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null + +# Now, attempt the combined cumulative update. Unlike WinRE and WinPE, we don't need to check for error 0x8007007e +Write-Output "$(Get-TS): Adding package $LCU_PATH" +Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH | Out-Null + +# The second approach for Step 18 is for Windows releases that have not adopted the combined cumulative update +# but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU +# update. This second approach is commented out below. 
+ +# Write-Output "$(Get-TS): Adding package $SSU_PATH" +# Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null # Optional: Add language to main OS Write-Output "$(Get-TS): Adding package $OS_LP_PATH" diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md index 9fa7e60794..dc4f572c12 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md 
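Review bot: The new `Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH | Out-Null` drops the `-ErrorAction stop` that the replaced SSU line carried, and because (as the comment says) there is no `try`/`Catch` around it for the main OS, a failed cumulative-update install would only write to the error stream while the script proceeds to the language pack and the remaining steps, producing install media without that month's security fixes. Since the `0x8007007e` check is explicitly not needed here, the fix is just `Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null`. The two commented-out `$SSU_PATH` fallbacks should carry `-ErrorAction stop` too, so that whoever uncomments them keeps the fail-fast behavior the original line had. The `seperately`/`there may breaking change` typos are repeated in this comment block as well.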
@@ -31,3 +31,18 @@ After you've completed enrollment in Windows Autopatch, some management settings
 ## Windows Autopatch configurations
 Windows Autopatch deploys, manages and maintains all configurations related to the operation of the service, as described in [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). Don't make any changes to any of the Windows Autopatch configurations.
+
+## Windows Autopatch tenant actions
+
+The **Tenant management** blade can be found by navigating to Tenant administration > Windows Autopatch > **Tenant management**.
+
+> [!IMPORTANT]
+> Starting October 12, 2022, Windows Autopatch will manage your tenant with our [first party enterprise applications](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). If your tenant is still using the [Windows Autopatch service accounts](../references/windows-autopatch-privacy.md#service-accounts), your Global admin must take action in the new Windows Autopatch Tenant management blade to approve the configuration change. To take action or see if you need to take action, visit the Tenant management blade in the Windows Autopatch portal.
+
+The type of banner that appears depends on the severity of the action. Currently, only critical actions are listed.
+
+### Tenant action severity types
+
+| Severity | Description |
+| ----- | ----- |
+| Critical | You must take action as soon as possible. If no action is taken, the Windows Autopatch service may be affected. |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md
index f4eab55834..783558abe7 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md
@@ -1,5 +1,5 @@
 ---
-title: Windows quality update communications
+title: Windows quality and feature update communications
 description: This article explains Windows quality update communications
 ms.date: 05/30/2022
 ms.prod: w11
@@ -14,7 +14,7 @@ msreviewer: hathind
 # Windows quality update communications
-There are three categories of communication that are sent out during a Windows quality update:
+There are three categories of communication that are sent out during a Windows quality and feature update:
 - [Standard communications](#standard-communications)
 - [Communications during release](#communications-during-release)
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
index 698612aa82..d04beca815 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
@@ -52,7 +52,7 @@ Windows Autopatch creates an enterprise application in your tenant. This enterpr
 | Enterprise application name | Usage | Permissions |
 | ----- | ------ | ----- |
-| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This account is used to manage the service, publish baseline configuration updates, and maintain overall service health. | |
+| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This application is used to manage the service, publish baseline configuration updates, and maintain overall service health. | |
 > [!NOTE]
 > Enterprise application authentication is only available on tenants enrolled after July 9th, 2022. For tenants enrolled before this date, Enterprise Application authentication will be made available for enrollment soon.
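Review bot: The `Permissions` cell for `Modern Workplace Management` is still empty even though the same row now calls the application one `with elevated privileges`; for a first-party enterprise application that an admin is being asked to approve before the October 12 cutover, the table should enumerate the directory roles and Graph permissions it actually holds, or link to where they are listed, so the grant can be reviewed rather than accepted blind. The phrase `a limited first party enterprise application with elevated privileges` is also self-contradictory as written, since it never says what is limited; something like `a first party enterprise application granted the elevated permissions listed in this table` would read cleanly once the cell is filled in. The companion `windows-autopatch-privacy.md` hunk in this commit copies the same row with the same empty cell, so both should be fixed together.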
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md
index c90d19fae5..a1ada94b72 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md
@@ -52,7 +52,7 @@ Windows Autopatch uses [Windows 10/11 Enhanced diagnostic data](/windows/privacy
 The enhanced diagnostic data setting includes more detailed information about the devices enrolled in Windows Autopatch and their settings, capabilities, and device health. When enhanced diagnostic data is selected, data, including required diagnostic data, are collected. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection) about the Windows 10 diagnostic data setting and data collection.
-The diagnostic data terminology will change in future versions of Windows. Windows Autopatch is committed to processing only the data that the service needs. While this will mean the diagnostic level will change to **Optional**, Windows Autopatch will implement the limited diagnostic policies to fine-tune diagnostic data collection required for the service. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection).
+The diagnostic data terminology will change in future versions of Windows. Windows Autopatch is committed to processing only the data that the service needs. The diagnostic level will change to **Optional**, but Windows Autopatch will implement the limited diagnostic policies to fine-tune diagnostic data collection required for the service. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection).
 Windows Autopatch only processes and stores system-level data from Windows 10 optional diagnostic data that originates from enrolled devices such as application and device reliability, and performance information. Windows Autopatch doesn't process and store customers' personal data such as chat and browser history, voice, text, or speech data.
@@ -60,13 +60,24 @@ For more information about the diagnostic data collection of Microsoft Windows 1 ## Tenant access -Windows Autopatch creates and uses guest accounts leveraging just-in-time access functionality when signing into a customer tenant to manage the Windows Autopatch service. To provide additional locked down control, Windows Autopatch maintains a separate conditional access policy to restrict access to these accounts. +Windows Autopatch creates an enterprise application in your tenant. This enterprise application is a first party application used to run the Windows Autopatch service. + +| Enterprise application name | Usage | Permissions | +| ----- | ----- | ----- | +| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This application is used to manage the service, publish baseline configuration updates, and maintain overall service health. | | + +### Service accounts + +> [!IMPORTANT] +> Starting October 12, 2022, Windows Autopatch will manage your tenant with our [first party enterprise application](windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). If your tenant is still using the [Windows Autopatch service accounts](windows-autopatch-privacy.md#service-accounts), you must take action. To take action or see if you need to take action, visit the [Tenant management blade](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions) in the Windows Autopatch portal. + +Windows Autopatch creates and uses guest accounts using just-in-time access functionality when signing into a customer tenant to manage the Windows Autopatch service. To provide additional locked down control, Windows Autopatch maintains a separate conditional access policy to restrict access to these accounts. 
| Account name | Usage | Mitigating controls | | ----- | ----- | -----| -| MsAdmin@tenantDomain.onmicrosoft.com | | Audited sign-ins | -| MsAdminInt@tenantDomain.onmicrosoft.com | |