diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md index f0a6f2503a..b388b128cd 100644 --- a/windows/configuration/TOC.md +++ b/windows/configuration/TOC.md @@ -7,6 +7,7 @@ ### [Set up a single-app kiosk](kiosk-single-app.md) ### [Set up a multi-app kiosk](lock-down-windows-10-to-specific-apps.md) ### [More kiosk methods and reference information](kiosk-additional-reference.md) +#### [Find the Application User Model ID of an installed app](find-the-application-user-model-id-of-an-installed-app.md) #### [Validate your kiosk configuration](kiosk-validate.md) #### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) #### [Policies enforced on kiosk devices](kiosk-policies.md) diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index 6ec85f01c1..b16671c047 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md @@ -10,13 +10,19 @@ ms.localizationpriority: medium author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 08/03/2018 +ms.date: 09/13/2018 --- # Change history for Configure Windows 10 This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. +## September 2018 + +New or changed topic | Description +--- | --- +[Find the Application User Model ID of an installed app](find-the-application-user-model-id-of-an-installed-app.md) | New + ## August 2018 New or changed topic | Description diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md new file mode 100644 index 0000000000..9234ee8d90 --- /dev/null +++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md 
@@ -0,0 +1,95 @@ +--- +title: Find the Application User Model ID of an installed app +description: In order to use assigned access with Mobile Device Management (MDM), you must know the Application User Model ID (AUMID) of Microsoft Store apps installed on a device. You can find the AUMID by either using Windows PowerShell or querying the registry. +MSHAttr: +- 'PreferredSiteName:MSDN' +- 'PreferredLib:/library/windows/hardware' +ms.assetid: BD8BD003-887D-4EFD-9C7A-A68AB895D8CD +author: alhopper-msft +ms.author: alhopper +ms.date: 05/02/2017 +ms.topic: article +ms.prod: windows-hardware +ms.technology: windows-oem +--- +# Find the Application User Model ID of an installed app + +In order to use assigned access with Mobile Device Management (MDM), you must know the Application User Model ID (AUMID) of Microsoft Store apps installed on a device. You can find the AUMID by either using Windows PowerShell or querying the registry. + +## To identify the AUMID of an installed app by using Windows PowerShell + +At a Windows PowerShell command prompt, type the following commands to list the AUMIDs for all Microsoft Store apps installed for the current user on your device: + +```powershell +$installedapps = get-AppxPackage + +$aumidList = @() +foreach ($app in $installedapps) +{ + foreach ($id in (Get-AppxPackageManifest $app).package.applications.application.id) + { + $aumidList += $app.packagefamilyname + "!" + $id + } +} + +$aumidList +``` + +You can add the –user <username> or the –allusers parameters to the get-AppxPackage cmdlet to list AUMIDs for other users. You must use an elevated Windows PowerShell prompt to use the –user or –allusers parameters. + +## To identify the AUMID of an installed app for the current user by using the registry + +Querying the registry can only return information about Microsoft Store apps that are installed for the current user, while the Windows PowerShell query can find information for any account on the device. 
+ +At a command prompt, type the following command: + +`reg query HKEY_CURRENT_USER\Software\Classes\ActivatableClasses\Package /s /f AppUserModelID | find "REG_SZ"` + +## Example + +The following code sample creates a function in Windows PowerShell that returns an array of AUMIDs of the installed apps for the specified user. + +```powershell +function listAumids( $userAccount ) { + + if ($userAccount -eq "allusers") + { + # Find installed packages for all accounts. Must be run as an administrator in order to use this option. + $installedapps = Get-AppxPackage -allusers + } + elseif ($userAccount) + { + # Find installed packages for the specified account. Must be run as an administrator in order to use this option. + $installedapps = get-AppxPackage -user $userAccount + } + else + { + # Find installed packages for the current account. + $installedapps = get-AppxPackage + } + + $aumidList = @() + foreach ($app in $installedapps) + { + foreach ($id in (Get-AppxPackageManifest $app).package.applications.application.id) + { + $aumidList += $app.packagefamilyname + "!" + $id + } + } + + return $aumidList +} +``` + +The following Windows PowerShell commands demonstrate how you can call the listAumids function after you have created it. + +```powershell +# Get a list of AUMIDs for the current account: +listAumids + +# Get a list of AUMIDs for an account named “CustomerAccount”: +listAumids(“CustomerAccount”) + +# Get a list of AUMIDs for all accounts on the device: +listAumids(“allusers”) +``` diff --git a/windows/configuration/kiosk-additional-reference.md b/windows/configuration/kiosk-additional-reference.md index 8260c569cf..9675c42d2c 100644 --- a/windows/configuration/kiosk-additional-reference.md +++ b/windows/configuration/kiosk-additional-reference.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.localizationpriority: medium -ms.date: 07/30/2018 +ms.date: 09/13/2018 --- # More kiosk methods and reference information 
@@ -23,7 +23,8 @@ ms.date: 07/30/2018 Topic | Description --- | --- -[Validate your kiosk configuration](kiosk-validate.md) | This topic explain what to expect on a multi-app kiosk. +[Find the Application User Model ID of an installed app](find-the-application-user-model-id-of-an-installed-app.md) | This topic explains how to get the AUMID for an app. +[Validate your kiosk configuration](kiosk-validate.md) | This topic explains what to expect on a multi-app kiosk. [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | These guidelines will help you choose an appropriate Windows app for your assigned access experience. [Policies enforced on kiosk devices](kiosk-policies.md) | Learn about the policies enforced on a device when you configure it as a kiosk. [Assigned access XML reference](kiosk-xml.md) | The XML and XSD for kiosk device configuration. diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index 1a38681d7c..e4e836e249 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md @@ -37,6 +37,8 @@ Disable the camera. | Go to **Settings** > **Privacy** > **Camera**, a Turn off app notifications on the lock screen. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. Disable removable media. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.

**NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. +## Automatic logon + In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can sign in the assigned access account manually or you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic sign in. >[!TIP] @@ -74,7 +76,151 @@ In addition to the settings in the table, you may want to set up **automatic log >You can also configure automatic sign-in [using the Autologon tool from Sysinternals](https://docs.microsoft.com/sysinternals/downloads/autologon). - +## Interactions and interoperability + +The following table describes some features that have interoperability issues we recommend that you consider when running assigned access. + +> [!Note] +> Where applicable, the table notes which features are optional that you can configure for assigned access. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FeatureDescription

Accessibility

Assigned access does not change Ease of Access settings.

+

We recommend that you use [Keyboard Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter) to block the following key combinations that bring up accessibility features:

+ ++++ + + + + + + + + + + + + + + + + + + + + +
Key combinationBlocked behavior

Left Alt+Left Shift+Print Screen

Open High Contrast dialog box.

Left Alt+Left Shift+Num Lock

Open Mouse Keys dialog box.

Windows logo key+U

Open Ease of Access Center.

+

 

Assigned access Windows PowerShell cmdlets

In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access. For more information, see [Assigned access Windows PowerShell reference](https://docs.microsoft.com/powershell/module/assignedaccess/?view=win10-ps).

Key sequences blocked by assigned access

When in assigned access, some key combinations are blocked for assigned access users.

+

Alt+F4, Alt+Shift+TaB, Alt+Tab are not blocked by Assigned Access, it is recommended you use [Keyboard Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter) to block these key combinations.

+

Ctrl+Alt+Delete is the key to break out of Assigned Access. If needed, you can use Keyboard Filter to configure a different key combination to break out of assigned access by setting BreakoutKeyScanCode as described in [WEKF_Settings](https://docs.microsoft.com/windows-hardware/customize/enterprise/wekf-settings).

+ ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Key combinationBlocked behavior for assigned access users

Alt+Esc

Cycle through items in the reverse order from which they were opened.

Ctrl+Alt+Esc

Cycle through items in the reverse order from which they were opened.

Ctrl+Esc

Open the Start screen.

Ctrl+F4

Close the window.

Ctrl+Shift+Esc

Open Task Manager.

Ctrl+Tab

Switch windows within the application currently open.

LaunchApp1

Open the app that is assigned to this key.

LaunchApp2

Open the app that is assigned to this key, which on many Microsoft keyboards is Calculator.

LaunchMail

Open the default mail client.

Windows logo key

Open the Start screen.

+

 

+

Keyboard Filter settings apply to other standard accounts.

Key sequences blocked by [Keyboard Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter)

If Keyboard Filter is turned ON then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the [Keyboard Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter) reference topic.

+

[Keyboard Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter) is only available on Windows 10 Enterprise or Windows 10 Education.

+

Power button

Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user cannot turn off the device when it is in assigned access.

+

For more information on removing the power button or disabling the physical power button, see [Custom Logon](https://docs.microsoft.com/windows-hardware/customize/enterprise/custom-logon).

Unified Write Filter (UWF)

UWFsettings apply to all users, including those with assigned access.

+

For more information, see [Unified Write Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/unified-write-filter).

WEDL_AssignedAccess class

Although you can use this class to configure and manage basic lockdown features for assigned access, we recommend that you use the Windows PowerShell cmdlets instead.

+

If you need to use assigned access API, see [WEDL_AssignedAccess](whttps://docs.microsoft.com/windows-hardware/customize/enterprise/wedl-assignedaccess).

Welcome Screen

Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but for how it functions. You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own.

+

For more information, see [Custom Logon](https://docs.microsoft.com/windows-hardware/customize/enterprise/custom-logon).
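
Review bot: The link in the WEDL_AssignedAccess row of the new "Interactions and interoperability" table in kiosk-prepare.md is malformed. Its target `(whttps://docs.microsoft.com/windows-hardware/customize/enterprise/wedl-assignedaccess)` has a stray `w` before `https` and will not resolve, so drop the `w`. In the same table, "UWFsettings" needs a space, "Alt+Shift+TaB" should read "Alt+Shift+Tab", and "are not blocked by Assigned Access, it is recommended you use" is a comma splice. The Ctrl+Alt+Esc row repeats the Alt+Esc description word for word, which is worth confirming against the source table. Because the table states that Alt+F4, Alt+Shift+Tab and Alt+Tab are not blocked by assigned access and that Ctrl+Alt+Delete breaks out of it, consider moving the Keyboard Filter recommendation and its Windows 10 Enterprise/Education restriction into a callout so kiosk builders do not miss them inside a table cell.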

diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 55efbb3633..2f0e8fbb61 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -35,8 +35,6 @@ You can learn more about Windows functional and diagnostic data through these ar - [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) - - ## Appraiser events ### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount diff --git a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md index 5c1f9d33d8..2f6a6ce43c 100644 --- a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md +++ b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md 
@@ -32,4 +32,4 @@ Organizations participating in the CME effort work together to help eradicate se Any organization that is involved in cybersecurity and antimalware or interested in fighting cybercrime can participate in CME campaigns by enrolling in the [Virus Information Alliance (VIA) program](virus-information-alliance-criteria.md). It ensures that everyone agrees to use the information and tools available for campaigns for their intended purpose (that is, the eradication of malware). -Please apply using our [membership application form](https://www.microsoft.com/security/portal/partnerships/apply.aspx) to get started. \ No newline at end of file +If your organization meets these criteria and would like to apply for membership, contact us at [mvi@microsoft.com](mailto:mvi@microsoft.com). Please indicate whether you would like to join CME, [VIA](./virus-information-alliance-criteria.md), or [MVI](./virus-initiative-criteria.md). \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md index d08b16e029..10e99ef924 100644 --- a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md 
@@ -46,6 +46,4 @@ To be eligible for VIA your organization must: 3. Be willing to sign and adhere to the VIA membership agreement. -If your organization wants to apply and meets this criteria, you can apply using our [membership application form](https://www.microsoft.com/security/portal/partnerships/apply.aspx). - -If you have any questions, you can also contact us using our [partnerships contact form](https://www.microsoft.com/security/portal/partnerships/contactus.aspx). \ No newline at end of file +If your organization meets these criteria and would like to apply for membership, contact us at [mvi@microsoft.com](mailto:mvi@microsoft.com). Please indicate whether you would like to join VIA, [MVI](./virus-initiative-criteria.md), or [CME](./coordinated-malware-eradication.md). \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md index 6edc83eaba..26f3bbce30 100644 --- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md @@ -54,4 +54,4 @@ Your organization must meet the following eligibility requirements to participat ### Apply to MVI -If your organization wants to apply and meets this criteria, you can apply using our [membership application form](https://www.microsoft.com/security/portal/partnerships/apply.aspx). \ No newline at end of file +If your organization meets these criteria and would like to apply for membership, contact us at [mvi@microsoft.com](mailto:mvi@microsoft.com). Please indicate whether you would like to join MVI, [VIA](./virus-information-alliance-criteria.md), or [CME](./coordinated-malware-eradication.md). \ No newline at end of file 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md index cb3e681ae8..0a7e07c36c 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -180,6 +180,7 @@ This field helps to enumerate and report state on the relevant security properti | **4.** | If present, Secure Memory Overwrite is available. | | **5.** | If present, NX protections are available. | | **6.** | If present, SMM mitigations are available. | +| **7.** | If present, Mode Based Execution Control is available. | #### InstanceIdentifier @@ -199,6 +200,7 @@ This field describes the required security properties to enable virtualization-b | **4.** | If present, Secure Memory Overwrite is needed. | | **5.** | If present, NX protections are needed. | | **6.** | If present, SMM mitigations are needed. | +| **7.** | If present, Mode Based Execution Control is needed. | #### SecurityServicesConfigured 
@@ -274,4 +276,4 @@ Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true - The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. - HVCI and [nested virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) cannot be enabled at the same time. - Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`. - - The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`. \ No newline at end of file + - The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.
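
Review bot: In the new find-the-application-user-model-id-of-an-installed-app.md, the sentence "You can add the –user <username> or the –allusers parameters" leaves `<username>` unescaped, so a Markdown renderer will treat it as an HTML tag and drop it. Put the parameters in backticks, which also lets the en dashes become the ASCII hyphen readers will actually type. The usage block has the same copy-paste hazard with curly quotes in `listAumids(“CustomerAccount”)` and `listAumids(“allusers”)`, so use straight quotes there. The front matter also looks carried over from another doc set: `ms.date: 05/02/2017` sits on a topic the change history lists as new in September 2018, and `ms.prod: windows-hardware` with `ms.technology: windows-oem` sits on a file under windows/configuration.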
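
Review bot: In coordinated-malware-eradication.md the replacement sentence opens "If your organization meets these criteria", but the visible context on that page only says organizations participate by enrolling in the VIA program and lists no criteria, so "these criteria" has no antecedent there. Point it at the VIA criteria page or reword it for the CME page. In virus-information-alliance-criteria.md the hunk also deletes the "If you have any questions" contact line with no replacement. If mvi@microsoft.com is meant to take questions as well as applications, say so. All three replaced lines still end with "\ No newline at end of file", while the HVCI file at the end of this patch gets its trailing newline added.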
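
Review bot: The new row 7 in both security-properties tables of enable-virtualization-based-protection-of-code-integrity.md names "Mode Based Execution Control" without saying what it is or where a reader can learn more. Since administrators read these values to decide whether a device can run HVCI, add a short definition or a link on first mention. The two rows are otherwise consistent with each other ("is available" and "is needed").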