diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md
index 4a9f219c07..8918fb6977 100644
--- a/windows/application-management/manage-windows-mixed-reality.md
+++ b/windows/application-management/manage-windows-mixed-reality.md
@@ -31,14 +31,55 @@ To enable users to download the Windows Mixed Reality software, enterprises usin
Enterprises will not be able to install Windows Mixed Reality Feature on Demand (FOD) directly from WSUS. Instead, use one of the following options to install Windows Mixed Reality software:
-- Manually install the Mixed Reality Software
+- Manually install the Mixed Reality software
- IT admin can create [Side by side feature store (shared folder)](https://technet.microsoft.com/library/jj127275.aspx)
## block
-Since MRP is an app and blocking this app is sufficient for your scenario, via AppLocker should be sufficient for now. To make sure enterprise understand it, please file a doc bug to publish the instruction of leveraging AppLocker CSP to block Mixed Reality Portal and control Oasis. In the doc, AppLocker CSP doc is here: https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/applocker-csp it has a list of inbox app that could be controlled by this CSP, MRP/Oasis needs to be listed there as well. Provide the content and assign to Maricia – cpub writer for CSP.
+You can use the [AppLocker configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) to block the Mixed Reality software.
+
+In the following example, the **Id** can be any generated GUID and the **Name** can be any name you choose. Note that `BinaryVersionRange="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app.
+
+```xml
+
+
+
+ $CmdID$
+ -
+
+ ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions
+
+
+ chr
+ text/plain
+
+
+ <RuleCollection Type="Appx" EnforcementMode="Enabled">
+ <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
+ <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
+ </FilePublisherCondition>
+ </Conditions>
+ </FilePublisherRule>
+ <FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*">
+ <BinaryVersionRange LowSection="*" HighSection="*" />
+ </FilePublisherCondition>
+ </Conditions>
+ </FilePublisherRule>
+ </RuleCollection>>
+
+
+
+
+
+
+
+```
## Related topics
diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md
index e0eb928b60..dce9633c00 100644
--- a/windows/client-management/mdm/applocker-csp.md
+++ b/windows/client-management/mdm/applocker-csp.md
@@ -33,7 +33,7 @@ Defines the root node for the AppLocker configuration service provider.
**ApplicationLaunchRestrictions**
Defines restrictions for applications.
-> **Note**
+> [!NOTE]
> When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need.
>
> In Windows 10 Mobile, when you create a list of allowed apps, the [settings app that rely on splash apps](#settingssplashapps) are blocked. To unblock these apps, you must include them in your list of allowed apps.
@@ -571,6 +571,10 @@ The following list shows the apps that may be included in the inbox.
906beeda-b7e6-4ddc-ba8d-ad5031223ef9 |
906beeda-b7e6-4ddc-ba8d-ad5031223ef9 |
+
+| Mixed Reality Portal |
+ |
+Microsoft.Windows.HolographicFirstRun |
| Money |
1e0440f1-7abf-4b9a-863d-177970eefb5e |
@@ -856,6 +860,47 @@ The following example blocks the usage of the map application.
```
+The following example disables the Mixed Reality Portal. In the example, the **Id** can be any generated GUID and the **Name** can be any name you choose. Note that `BinaryVersionRange="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app.
+
+```xml
+
+
+
+ $CmdID$
+ -
+
+ ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions
+
+
+ chr
+ text/plain
+
+
+ <RuleCollection Type="Appx" EnforcementMode="Enabled">
+ <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
+ <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
+ </FilePublisherCondition>
+ </Conditions>
+ </FilePublisherRule>
+ <FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*">
+ <BinaryVersionRange LowSection="*" HighSection="*" />
+ </FilePublisherCondition>
+ </Conditions>
+ </FilePublisherRule>
+ </RuleCollection>>
+
+
+
+
+
+
+
+```
+
The following example for Windows 10 Mobile denies all apps and allows the following apps:
- [settings app that rely on splash apps](#settingssplashapps)