Merge branch 'master' into DeviceGuard/ConfigureSystemGuardLaunch

windows/configuration/TOC.md

@@ -7,6 +7,7 @@
 ### [Set up a single-app kiosk](kiosk-single-app.md)
 ### [Set up a multi-app kiosk](lock-down-windows-10-to-specific-apps.md)
 ### [More kiosk methods and reference information](kiosk-additional-reference.md)
+#### [Find the Application User Model ID of an installed app](find-the-application-user-model-id-of-an-installed-app.md)
 #### [Validate your kiosk configuration](kiosk-validate.md)
 #### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
 #### [Policies enforced on kiosk devices](kiosk-policies.md)

windows/configuration/change-history-for-configure-windows-10.md

@@ -10,13 +10,19 @@ ms.localizationpriority: medium
 author: jdeckerms
 ms.author: jdecker
 ms.topic: article
-ms.date: 08/03/2018
+ms.date: 09/13/2018
 ---
 
 # Change history for Configure Windows 10
 
 This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
 
+## September 2018
+
+New or changed topic | Description
+--- | ---
+[Find the Application User Model ID of an installed app](find-the-application-user-model-id-of-an-installed-app.md) | New
+
 ## August 2018
 
 New or changed topic | Description

windows/configuration/find-the-application-user-model-id-of-an-installed-app.md

@@ -0,0 +1,95 @@
+---
+title: Find the Application User Model ID of an installed app
+description: In order to use assigned access with Mobile Device Management (MDM), you must know the Application User Model ID (AUMID) of Microsoft Store apps installed on a device. You can find the AUMID by either using Windows PowerShell or querying the registry.
+MSHAttr:
+- 'PreferredSiteName:MSDN'
+- 'PreferredLib:/library/windows/hardware'
+ms.assetid: BD8BD003-887D-4EFD-9C7A-A68AB895D8CD
+author: alhopper-msft
+ms.author: alhopper
+ms.date: 05/02/2017
+ms.topic: article
+ms.prod: windows-hardware
+ms.technology: windows-oem
+---
+# Find the Application User Model ID of an installed app
+
+In order to use assigned access with Mobile Device Management (MDM), you must know the Application User Model ID (AUMID) of Microsoft Store apps installed on a device. You can find the AUMID by either using Windows PowerShell or querying the registry.
+
+## To identify the AUMID of an installed app by using Windows PowerShell
+
+At a Windows PowerShell command prompt, type the following commands to list the AUMIDs for all Microsoft Store apps installed for the current user on your device:
+
+```powershell
+$installedapps = get-AppxPackage
+
+$aumidList = @()
+foreach ($app in $installedapps)
+{
+    foreach ($id in (Get-AppxPackageManifest $app).package.applications.application.id)
+    {
+        $aumidList += $app.packagefamilyname + "!" + $id
+    }
+}
+
+$aumidList
+```
+
+You can add the –user <username> or the –allusers parameters to the get-AppxPackage cmdlet to list AUMIDs for other users. You must use an elevated Windows PowerShell prompt to use the –user or –allusers parameters.
+
+## To identify the AUMID of an installed app for the current user by using the registry
+
+Querying the registry can only return information about Microsoft Store apps that are installed for the current user, while the Windows PowerShell query can find information for any account on the device.
+
+At a command prompt, type the following command:
+
+`reg query HKEY_CURRENT_USER\Software\Classes\ActivatableClasses\Package /s /f AppUserModelID | find "REG_SZ"`
+
+## Example
+
+The following code sample creates a function in Windows PowerShell that returns an array of AUMIDs of the installed apps for the specified user.
+
+```powershell
+function listAumids( $userAccount ) {
+
+    if ($userAccount -eq "allusers")
+    {
+        # Find installed packages for all accounts. Must be run as an administrator in order to use this option.
+        $installedapps = Get-AppxPackage -allusers
+    }
+    elseif ($userAccount)
+    {
+        # Find installed packages for the specified account. Must be run as an administrator in order to use this option.
+        $installedapps = get-AppxPackage -user $userAccount
+    }
+    else
+    {
+        # Find installed packages for the current account.
+        $installedapps = get-AppxPackage
+    }
+
+    $aumidList = @()
+    foreach ($app in $installedapps)
+    {
+        foreach ($id in (Get-AppxPackageManifest $app).package.applications.application.id)
+        {
+            $aumidList += $app.packagefamilyname + "!" + $id
+        }
+    }
+
+    return $aumidList
+}
+```
+
+The following Windows PowerShell commands demonstrate how you can call the listAumids function after you have created it.
+
+```powershell
+# Get a list of AUMIDs for the current account:
+listAumids
+
+# Get a list of AUMIDs for an account named “CustomerAccount”:
+listAumids(“CustomerAccount”)
+
+# Get a list of AUMIDs for all accounts on the device:
+listAumids(“allusers”)
+```

windows/configuration/kiosk-additional-reference.md

@@ -8,7 +8,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
 ms.localizationpriority: medium
-ms.date: 07/30/2018
+ms.date: 09/13/2018
 ---
 
 # More kiosk methods and reference information
@@ -23,7 +23,8 @@ ms.date: 07/30/2018
 
 Topic | Description
 --- | ---
-[Validate your kiosk configuration](kiosk-validate.md) | This topic explain what to expect on a multi-app kiosk.
+[Find the Application User Model ID of an installed app](find-the-application-user-model-id-of-an-installed-app.md) | This topic explains how to get the AUMID for an app.
+[Validate your kiosk configuration](kiosk-validate.md) | This topic explains what to expect on a multi-app kiosk.
 [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | These guidelines will help you choose an appropriate Windows app for your assigned access experience.
 [Policies enforced on kiosk devices](kiosk-policies.md) | Learn about the policies enforced on a device when you configure it as a kiosk.
 [Assigned access XML reference](kiosk-xml.md) | The XML and XSD for kiosk device configuration.

windows/configuration/kiosk-prepare.md

@@ -37,6 +37,8 @@ Disable the camera. |     Go to **Settings** > **Privacy** > **Camera**, a
 Turn off app notifications on the lock screen. |     Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
 Disable removable media. |     Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.</br></br>**NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
 
+## Automatic logon
+
 In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can sign in the assigned access account manually or you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic sign in.
 
 >[!TIP]
@@ -74,7 +76,151 @@ In addition to the settings in the table, you may want to set up **automatic log
 >You can also configure automatic sign-in [using the Autologon tool from Sysinternals](https://docs.microsoft.com/sysinternals/downloads/autologon).
 
 
-
+## Interactions and interoperability
+
+The following table describes some features that have interoperability issues we recommend that you consider when running assigned access.
+
+> [!Note]
+> Where applicable, the table notes which features are optional that you can configure for assigned access.
+
+<table>
+<colgroup>
+<col width="50%" />
+<col width="50%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th>Feature</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td><p>Accessibility</p></td>
+<td><p>Assigned access does not change Ease of Access settings.</p>
+<p>We recommend that you use [Keyboard Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter) to block the following key combinations that bring up accessibility features:</p>
+<table>
+<colgroup>
+<col width="50%" />
+<col width="50%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th>Key combination</th>
+<th>Blocked behavior</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td><p>Left Alt+Left Shift+Print Screen</p></td>
+<td><p>Open High Contrast dialog box.</p></td>
+</tr>
+<tr class="even">
+<td><p>Left Alt+Left Shift+Num Lock</p></td>
+<td><p>Open Mouse Keys dialog box.</p></td>
+</tr>
+<tr class="odd">
+<td><p>Windows logo key+U</p></td>
+<td><p>Open Ease of Access Center.</p></td>
+</tr>
+</tbody>
+</table>
+<p> </p></td>
+</tr>
+<tr class="even">
+<td><p>Assigned access Windows PowerShell cmdlets</p></td>
+<td><p>In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access. For more information, see [Assigned access Windows PowerShell reference](https://docs.microsoft.com/powershell/module/assignedaccess/?view=win10-ps).</p></td>
+</tr>
+<tr class="odd">
+<td><p>Key sequences blocked by assigned access</p></td>
+<td><p>When in assigned access, some key combinations are blocked for assigned access users.</p>
+<p>Alt+F4, Alt+Shift+TaB, Alt+Tab are not blocked by Assigned Access, it is recommended you use [Keyboard Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter) to block these key combinations.</p>
+<p>Ctrl+Alt+Delete is the key to break out of Assigned Access. If needed, you can use Keyboard Filter to configure a different key combination to break out of assigned access by setting BreakoutKeyScanCode as described in [WEKF_Settings](https://docs.microsoft.com/windows-hardware/customize/enterprise/wekf-settings).</p>
+<table>
+<colgroup>
+<col width="50%" />
+<col width="50%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th>Key combination</th>
+<th>Blocked behavior for assigned access users</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td><p>Alt+Esc</p></td>
+<td><p>Cycle through items in the reverse order from which they were opened.</p></td>
+</tr>
+<tr class="even">
+<td><p>Ctrl+Alt+Esc</p></td>
+<td><p>Cycle through items in the reverse order from which they were opened.</p></td>
+</tr>
+<tr class="odd">
+<td><p>Ctrl+Esc</p></td>
+<td><p>Open the Start screen.</p></td>
+</tr>
+<tr class="even">
+<td><p>Ctrl+F4</p></td>
+<td><p>Close the window.</p></td>
+</tr>
+<tr class="odd">
+<td><p>Ctrl+Shift+Esc</p></td>
+<td><p>Open Task Manager.</p></td>
+</tr>
+<tr class="even">
+<td><p>Ctrl+Tab</p></td>
+<td><p>Switch windows within the application currently open.</p></td>
+</tr>
+<tr class="odd">
+<td><p>LaunchApp1</p></td>
+<td><p>Open the app that is assigned to this key.</p></td>
+</tr>
+<tr class="even">
+<td><p>LaunchApp2</p></td>
+<td><p>Open the app that is assigned to this key, which on many Microsoft keyboards is Calculator.</p></td>
+</tr>
+<tr class="odd">
+<td><p>LaunchMail</p></td>
+<td><p>Open the default mail client.</p></td>
+</tr>
+<tr class="even">
+<td><p>Windows logo key</p></td>
+<td><p>Open the Start screen.</p></td>
+</tr>
+</tbody>
+</table>
+<p> </p>
+<p>Keyboard Filter settings apply to other standard accounts.</p></td>
+</tr>
+<tr class="even">
+<td><p>Key sequences blocked by [Keyboard Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter)</p></td>
+<td><p>If Keyboard Filter is turned ON then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the [Keyboard Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter) reference topic.</p>
+<p>[Keyboard Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter) is only available on Windows 10 Enterprise or Windows 10 Education.</p>
+</td>
+</tr>
+<tr class="odd">
+<td><p>Power button</p></td>
+<td><p>Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user cannot turn off the device when it is in assigned access.</p>
+<p>For more information on removing the power button or disabling the physical power button, see [Custom Logon](https://docs.microsoft.com/windows-hardware/customize/enterprise/custom-logon).</p></td>
+</tr>
+<tr class="even">
+<td><p>Unified Write Filter (UWF)</p></td>
+<td><p>UWFsettings apply to all users, including those with assigned access.</p>
+<p>For more information, see [Unified Write Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/unified-write-filter).</p></td>
+</tr>
+<tr class="odd">
+<td><p>WEDL_AssignedAccess class</p></td>
+<td><p>Although you can use this class to configure and manage basic lockdown features for assigned access, we recommend that you use the Windows PowerShell cmdlets instead.</p>
+<p>If you need to use assigned access API, see [WEDL_AssignedAccess](whttps://docs.microsoft.com/windows-hardware/customize/enterprise/wedl-assignedaccess).</p></td>
+</tr>
+<tr class="even">
+<td><p>Welcome Screen</p></td>
+<td><p>Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but for how it functions. You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own.</p>
+<p>For more information, see [Custom Logon](https://docs.microsoft.com/windows-hardware/customize/enterprise/custom-logon).</p></td>
+</tr>
+</tbody>
+</table>
 
 
 

windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md

@@ -35,8 +35,6 @@ You can learn more about Windows functional and diagnostic data through these ar
 - [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
 
 
-
-
 ## Appraiser events
 
 ### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount

windows/security/threat-protection/intelligence/coordinated-malware-eradication.md

@@ -32,4 +32,4 @@ Organizations participating in the CME effort work together to help eradicate se
 
 Any organization that is involved in cybersecurity and antimalware or interested in fighting cybercrime can participate in CME campaigns by enrolling in the [Virus Information Alliance (VIA) program](virus-information-alliance-criteria.md). It ensures that everyone agrees to use the information and tools available for campaigns for their intended purpose (that is, the eradication of malware).
 
-Please apply using our [membership application form](https://www.microsoft.com/security/portal/partnerships/apply.aspx) to get started.
+If your organization meets these criteria and would like to apply for membership, contact us at [mvi@microsoft.com](mailto:mvi@microsoft.com). Please indicate whether you would like to join CME, [VIA](./virus-information-alliance-criteria.md), or [MVI](./virus-initiative-criteria.md).

windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md

@@ -46,6 +46,4 @@ To be eligible for VIA your organization must:
 
 3. Be willing to sign and adhere to the VIA membership agreement.
 
-If your organization wants to apply and meets this criteria, you can apply using our [membership application form](https://www.microsoft.com/security/portal/partnerships/apply.aspx).
-
-If you have any questions, you can also contact us using our [partnerships contact form](https://www.microsoft.com/security/portal/partnerships/contactus.aspx).
+If your organization meets these criteria and would like to apply for membership, contact us at [mvi@microsoft.com](mailto:mvi@microsoft.com). Please indicate whether you would like to join VIA, [MVI](./virus-initiative-criteria.md), or [CME](./coordinated-malware-eradication.md).

windows/security/threat-protection/intelligence/virus-initiative-criteria.md

@@ -54,4 +54,4 @@ Your organization must meet the following eligibility requirements to participat
 
 ### Apply to MVI
 
-If your organization wants to apply and meets this criteria, you can apply using our [membership application form](https://www.microsoft.com/security/portal/partnerships/apply.aspx).
+If your organization meets these criteria and would like to apply for membership, contact us at [mvi@microsoft.com](mailto:mvi@microsoft.com). Please indicate whether you would like to join MVI, [VIA](./virus-information-alliance-criteria.md), or [CME](./coordinated-malware-eradication.md).

windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md

@@ -180,6 +180,7 @@ This field helps to enumerate and report state on the relevant security properti
 | **4.** | If present, Secure Memory Overwrite is available.       |
 | **5.** | If present, NX protections are available.               |
 | **6.** | If present, SMM mitigations are available.              |
+| **7.** | If present, Mode Based Execution Control is available.  |
 
 
 #### InstanceIdentifier
@@ -199,6 +200,7 @@ This field describes the required security properties to enable virtualization-b
 | **4.** | If present, Secure Memory Overwrite is needed.      |
 | **5.** | If present, NX protections are needed.              |
 | **6.** | If present, SMM mitigations are needed.             |
+| **7.** | If present, Mode Based Execution Control is needed. |
 
 #### SecurityServicesConfigured