deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 19:03:46 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Delete unused images and update documentation

Browse Source
This commit is contained in:
Paolo Matarazzo
2024-01-25 09:32:58 -05:00
parent 803a89be76
commit 85c0a9ee00
116 changed files with 2770 additions and 2989 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
windows/configuration/accessibility/index.md
View File

@ -84,7 +84,7 @@ Windows 11, version 22H2, includes improvements for people with disabilities: sy
- With spellings experience in voice access, you can dictate a complex or non-standard word letter-by-letter and add it to Windows dictionary. The next time you try to dictate the same word, voice access improves its recognition.
- [Save time with keyboard shortcuts](https://support.microsoft.com/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec).
- [Use voice access to control your PC and author text with your voice](https://support.microsoft.com/en-us/topic/use-voice-access-to-control-your-pc-author-text-with-your-voice-4dcd23ee-f1b9-4fd1-bacc-862ab611f55d).
- [Use voice access to control your PC and author text with your voice](https://support.microsoft.com/topic/use-voice-access-to-control-your-pc-author-text-with-your-voice-4dcd23ee-f1b9-4fd1-bacc-862ab611f55d).
## Other resources

0
windows/configuration/images/apn-add-details.PNG → windows/configuration/cellular/images/apn-add-details.PNG
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 28 KiB

After

Width:  |  Height:  |  Size: 28 KiB

0
windows/configuration/images/apn-add.PNG → windows/configuration/cellular/images/apn-add.PNG
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 16 KiB

28
windows/configuration/cellular/provisioning-apn.md
View File

@ -23,18 +23,18 @@ For users who work in different locations, you can configure one APN to connect
## How to configure cellular settings in a provisioning package
1. In Windows Configuration Designer, [start a new project](../provisioning-packages/provisioning-create-package.md) using the **Advanced provisioning** option.
2. Enter a name for your project, and then click **Next**.
3. Select **All Windows desktop editions**, click **Next**, and then click **Finish**.
4. Go to **Runtime settings > Connections > EnterpriseAPN**.
5. Enter a name for the connection, and then click **Add**.
1. Enter a name for your project, and then click **Next**.
1. Select **All Windows desktop editions**, click **Next**, and then click **Finish**.
1. Go to **Runtime settings > Connections > EnterpriseAPN**.
1. Enter a name for the connection, and then click **Add**.
![Example of APN connection name.](images/apn-add.png)
6. The connection appears in the **Available customizations** pane. Select it to view the settings that you can configure for the connection.
1. The connection appears in the **Available customizations** pane. Select it to view the settings that you can configure for the connection.
![settings for new connection.](images/apn-add-details.png)
7. The following table describes the settings available for the connection.
1. The following table describes the settings available for the connection.
| Setting | Description |
| --- | --- |
@ -50,23 +50,23 @@ For users who work in different locations, you can configure one APN to connect
| Roaming | Select the behavior that you want when the device is roaming. The options are:</br></br>-Disallowed</br>-Allowed (default)</br>-DomesticRoaming</br>-Use OnlyForDomesticRoaming</br>-UseOnlyForNonDomesticRoaming</br>-UseOnlyForRoaming |
| UserName | If you select PAP, CHAP, or MSCHAPv2 authentication, enter a user name. |
8. After you configure the connection settings, [build the provisioning package](../provisioning-packages/provisioning-create-package.md#build-package).
9. [Apply the package to devices.](../provisioning-packages/provisioning-apply-package.md)
1. After you configure the connection settings, [build the provisioning package](../provisioning-packages/provisioning-create-package.md#build-package).
1. [Apply the package to devices.](../provisioning-packages/provisioning-apply-package.md)
## Confirm the settings
After you apply the provisioning package, you can confirm that the settings have been applied.
1. On the configured device, open a command prompt as an administrator.
2. Run the following command:
1. Run the following command:
```
```cmd
netsh mbn show profiles
```
3. The command will list the mobile broadband profiles. Using the "Name" for the listed mobile broadband profile, run:
1. The command will list the mobile broadband profiles. Using the "Name" for the listed mobile broadband profile, run:
```
```cmd
netsh mbn show profiles name="name"
```
@ -74,13 +74,13 @@ After you apply the provisioning package, you can confirm that the settings have
Alternatively, you can also use the command:
```
```cmd
netsh mbn show interface
```
From the results of that command, get the name of the cellular/mobile broadband interface and run:
```
```cmd
netsh mbn show connection interface="name"
```

22
windows/configuration/cortana-at-work/cortana-at-work-o365.md
View File

@ -11,6 +11,7 @@ ms.topic: article
[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
## What can you do with in Windows 10, versions 1909 and earlier?
Your employees can use Cortana to help manage their day and be more productive by getting quick answers to common questions, setting reminders, adding tasks to their To-Do lists, and find out where their next meeting is.
**See also:**
@ -18,34 +19,29 @@ Your employees can use Cortana to help manage their day and be more productive b
[Known issues for Windows Desktop Search and Cortana in Windows 10](/troubleshoot/windows-client/shell-experience/windows-desktop-search-and-cortana-issues).
### Before you begin
There are a few things to be aware of before you start using Cortana in Windows 10, versions 1909 and earlier.
- **Microsoft Entra account.** Before your employees can use Cortana in your org, they must be logged in using their Microsoft Entra account through Cortana&#39;s notebook. They must also authorize Cortana to access Microsoft 365 on their behalf.
- **Office 365 Trust Center.** Cortana in Windows 10, version 1909 and earlier, isn&#39;t a service governed by the [Online Services Terms](https://www.microsoft.com/en-us/licensing/product-licensing/products). [Learn more about how Cortana in Windows 10, versions 1909 and earlier, treats your data](https://support.microsoft.com/en-us/help/4468233/cortana-and-privacy-microsoft-privacy).
- **Office 365 Trust Center.** Cortana in Windows 10, version 1909 and earlier, isn&#39;t a service governed by the [Online Services Terms](https://www.microsoft.com/licensing/product-licensing/products). [Learn more about how Cortana in Windows 10, versions 1909 and earlier, treats your data](https://support.microsoft.com/help/4468233/cortana-and-privacy-microsoft-privacy).
- Windows Information Protection (WIP). If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). If you decide to use WIP, you must also have a management solution. This solution can be Microsoft Intune, Configuration Manager (version 1606 or later), or your current company-wide third-party mobile device management (MDM) solution.
- **Troubleshooting tips.** If you run into issues, check out these [troubleshooting tips](/office365/troubleshoot/miscellaneous/issues-in-cortana).
### Turn on Cortana enterprise services on employees' devices
Your employees must connect Cortana to their Microsoft 365 account to be able to use skills like email and calendar.
#### Turn on Cortana enterprise services
1. Select the **Cortana** search box in the taskbar, and then select the **Notebook** icon.
2. Select **Manage Skills** , select **Manage accounts** , and under **Microsoft 365** select **Link**. The employee will be directed to sign into their Microsoft 365 account.
3. The employee can also disconnect by selecting **Microsoft 365**, then **Unlink**.
1. Select **Manage Skills** , select **Manage accounts** , and under **Microsoft 365** select **Link**. The employee will be directed to sign into their Microsoft 365 account.
1. The employee can also disconnect by selecting **Microsoft 365**, then **Unlink**.
#### Turn off Cortana enterprise services
Cortana in Windows 10, versions 1909 and earlier can only access data in your Microsoft 365 organization when it's turned on. If you don't want Cortana to access your corporate data, you can turn it off in the Microsoft 365 admin center.
1. Sign into the [Microsoft 365 admin center](https://admin.microsoft.com/) using your admin account.
2. Select the app launcher icon in the upper-left and choose **Admin**.
3. Expand **Settings** and select **Org Settings**.
4. Select **Cortana** to toggle Cortana&#39;s access to Microsoft 365 data off.
1. Select the app launcher icon in the upper-left and choose **Admin**.
1. Expand **Settings** and select **Org Settings**.
1. Select **Cortana** to toggle Cortana&#39;s access to Microsoft 365 data off.

11
windows/configuration/cortana-at-work/cortana-at-work-overview.md
View File

@ -28,10 +28,10 @@ Cortana requires a PC running Windows 10, version 1703 or later, and the followi
>A microphone isn't required to use Cortana.
| Software | Minimum version |
|---------|---------|
|Client operating system | - Windows 10, version 2004 (recommended) <br> <br> - Windows 10, version 1703 (legacy version of Cortana) <br> <br> For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](#how-is-my-data-processed-by-cortana) below. |
|Microsoft Entra ID | While all employees signing into Cortana need a Microsoft Entra account, a Microsoft Entra ID P1 or P2 tenant isn't required. |
|Additional policies (Group Policy and Mobile Device Management (MDM)) |There's a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn off Cortana. For example, if you turn **Speech** off, your employees won't be able to use the wake word ("Cortana") for hands-free activation or voice commands to easily ask for help. |
|--|--|
| Client operating system | - Windows 10, version 2004 (recommended) <br> <br> - Windows 10, version 1703 (legacy version of Cortana) <br> <br> For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](#how-is-my-data-processed-by-cortana) below. |
| Microsoft Entra ID | While all employees signing into Cortana need a Microsoft Entra account, a Microsoft Entra ID P1 or P2 tenant isn't required. |
| Additional policies (Group Policy and Mobile Device Management (MDM)) | There's a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn off Cortana. For example, if you turn **Speech** off, your employees won't be able to use the wake word ("Cortana") for hands-free activation or voice commands to easily ask for help. |
>[!NOTE]
>For Windows 11, Cortana is no longer pinned to the taskbar by default. You can still pin the Cortana app to the taskbar as you would any other app. In addition, the keyboard shortcut that launched Cortana (Win+C) no longer opens Cortana.
@ -48,13 +48,12 @@ Cortana's approach to integration with Microsoft 365 has changed with Windows 10
### Cortana in Windows 10, version 2004 and later, or Windows 11
Cortana enterprise services that can be accessed using Microsoft Entra ID through Cortana meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365&preserve-view=true).
Cortana enterprise services that can be accessed using Microsoft Entra ID through Cortana meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365&preserve-view=true).
#### How does Microsoft store, retain, process, and use Customer Data in Cortana?
The table below describes the data handling for Cortana enterprise services.
| Name | Description |
|---------|---------|
|**Storage** |Customer Data is stored on Microsoft servers inside the Office 365 cloud. Your data is part of your tenant. Speech audio isn't retained. |

6
windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
View File

@ -13,9 +13,9 @@ ms.topic: article
>The wake word has been re-enabled in the latest version of Cortana in Windows. If you're on Windows 10, version 2004, be sure that you've updated to build 19041.329 or later to use the wake word with Cortana. For earlier builds, you can still click on the microphone button to use your voice with Cortana.
1. Select the **Cortana** icon in the task bar and sign in using your Microsoft Entra account.
2. Select the &quot;&quot; menu and select **Talking to Cortana**.
3. Toggle **Wake word** to **On** and close Cortana.
4. Say **Cortana, what can you do?**
1. Select the &quot;&quot; menu and select **Talking to Cortana**.
1. Toggle **Wake word** to **On** and close Cortana.
1. Say **Cortana, what can you do?**
When you say **Cortana**, Cortana will open in listening mode to acknowledge the wake word.

2
windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
View File

@ -11,7 +11,7 @@ ms.topic: article
1. Select the **Cortana** icon in the taskbar.
2. Type **What time is it in Hyderabad?**.
1. Type **What time is it in Hyderabad?**.
Cortana will respond with the information from Bing.

4
windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
View File

@ -14,9 +14,9 @@ This scenario helps you find out if a time slot is free on your calendar.
1. Select the **Cortana** icon in the taskbar.
2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
1. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
3. Type **Am I free at 3 PM tomorrow?**
1. Type **Am I free at 3 PM tomorrow?**
Cortana will respond with your availability for that time, and nearby meetings.

2
windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
View File

@ -13,7 +13,7 @@ Cortana can help you quickly look up information about someone or the org chart.
1. Select the **Cortana** icon in the taskbar.
2. Type or select the mic and say, **Who is name of person in your organization's?**
1. Type or select the mic and say, **Who is name of person in your organization's?**
:::image type="content" source="images/screenshot9.png" alt-text="Screenshot: Cortana showing name of person in your organization":::

4
windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
View File

@ -13,8 +13,8 @@ Cortana can help employees in regions outside the US search for quick answers li
1. Select the **Cortana** icon in the taskbar.
2. Select the **…** menu, then select **Settings**, **Language**, then select **Español (España)**. You'll be prompted to restart the app.
1. Select the **…** menu, then select **Settings**, **Language**, then select **Español (España)**. You'll be prompted to restart the app.
3. Once the app has restarted, type or say **Convierte 100 Euros a Dólares**.
1. Once the app has restarted, type or say **Convierte 100 Euros a Dólares**.
:::image type="content" source="images/screenshot10.png" alt-text="Screenshot: Cortana showing a change your language and showing search results in Spanish":::

8
windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
View File

@ -18,14 +18,14 @@ This optional scenario helps you to protect your organization's data on a device
1. Create and deploy a WIP policy to your organization. For information about how to do this step, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip).
2. Create a new email from a non-protected or personal mailbox, including the text _I'll send you that presentation tomorrow_.
1. Create a new email from a non-protected or personal mailbox, including the text _I'll send you that presentation tomorrow_.
3. Wait up to 2 hours to make sure everything has updated, click the **Cortana** icon in the taskbar, and then click in the **Search** bar.
1. Wait up to 2 hours to make sure everything has updated, click the **Cortana** icon in the taskbar, and then click in the **Search** bar.
Cortana automatically pulls your commitment to sending the presentation out of your email, showing it to you.
4. Create a new email from a protected mailbox, including the same text as above, _I'll send you that presentation tomorrow_.
1. Create a new email from a protected mailbox, including the same text as above, _I'll send you that presentation tomorrow_.
5. Wait until everything has updated again, click the **Cortana** icon in the taskbar, and then click in the **Search** bar.
1. Wait until everything has updated again, click the **Cortana** icon in the taskbar, and then click in the **Search** bar.
Because it was in an WIP-protected email, the presentation info isn't pulled out and it isn't shown to you.

10
windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
View File

@ -27,7 +27,7 @@ To enable voice commands in Cortana
- **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Activate a background app in Cortana using voice commands](/cortana/voice-commands/launch-a-background-app-with-voice-commands-in-cortana).
2. **Install the VCD file on employees' devices**. You can use Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization.
1. **Install the VCD file on employees' devices**. You can use Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization.
## Test scenario: Use voice commands in a Microsoft Store app
While these apps aren't line-of-business apps, we've worked to make sure to implement a VCD file, allowing you to test how the functionality works with Cortana in your organization.
@ -35,21 +35,21 @@ While these apps aren't line-of-business apps, we've worked to make sure to impl
**To get a Microsoft Store app**
1. Go to the Microsoft Store, scroll down to the **Collections** area, select **Show All**, and then select **Better with Cortana**.
2. Select **Uber**, and then select **Install**.
1. Select **Uber**, and then select **Install**.
3. Open Uber, create an account or sign in, and then close the app.
1. Open Uber, create an account or sign in, and then close the app.
**To set up the app with Cortana**
1. Select on the **Cortana** search box in the taskbar, and then select the **Notebook** icon.
2. Select on **Connected Services**, select **Uber**, and then select **Connect**.
1. Select on **Connected Services**, select **Uber**, and then select **Connect**.
![Cortana at work, showing where to connect the Uber service to Cortana.](../images/cortana-connect-uber.png)
**To use the voice-enabled commands with Cortana**
1. Select on the **Cortana** icon in the taskbar, and then select the **Microphone** icon (to the right of the **Search** box).
2. Say _Uber get me a taxi_.
1. Say _Uber get me a taxi_.
Cortana changes, letting you provide your trip details for Uber.

4
windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
View File

@ -16,7 +16,7 @@ ms.topic: article
## Set up and configure the Bing Answers feature
Bing Answers provides fast, authoritative results to search queries based on search terms. When the Bing Answers feature is enabled, users will be able to ask Cortana web-related questions in the Cortana in Windows app, such as &quot;What&#39;s the current weather?&quot; or &quot;Who is the president of the U.S.?,&quot; and get a response, based on public results from Bing.com.
The above experience is powered by Microsoft Bing, and Cortana sends the user queries to Bing. The use of Microsoft Bing is governed by the [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement) and [Privacy Statement](https://privacy.microsoft.com/en-US/privacystatement).
The above experience is powered by Microsoft Bing, and Cortana sends the user queries to Bing. The use of Microsoft Bing is governed by the [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement) and [Privacy Statement](https://privacy.microsoft.com/privacystatement).
## Configure the Bing Answers feature
@ -36,7 +36,7 @@ When a user enters a search query (by speech or text), Cortana evaluates if the
1. If it is for any of the first-party compliant skills, the query is sent to that skill, and results/action are returned.
2. If it isn't for any of the first-party compliant skills, the query is sent to Bing for a search of public results from Bing.com. Because enterprise searches might be sensitive, similar to [Microsoft Search in Bing](/MicrosoftSearch/security-for-search#microsoft-search-in-bing-protects-workplace-searches), Bing Answers in Cortana has implemented a set of trust measures, described below, that govern how the separate search of public results from Bing.com is handled. The Bing Answers in Cortana trust measures are consistent with the enhanced privacy and security measures described in [Microsoft Search in Bing](/MicrosoftSearch/security-for-search). All Bing.com search logs that pertain to Cortana traffic are disassociated from users&#39; workplace identity. All Cortana queries issued via a work or school account are stored separately from public, non-Cortana traffic.
1. If it isn't for any of the first-party compliant skills, the query is sent to Bing for a search of public results from Bing.com. Because enterprise searches might be sensitive, similar to [Microsoft Search in Bing](/MicrosoftSearch/security-for-search#microsoft-search-in-bing-protects-workplace-searches), Bing Answers in Cortana has implemented a set of trust measures, described below, that govern how the separate search of public results from Bing.com is handled. The Bing Answers in Cortana trust measures are consistent with the enhanced privacy and security measures described in [Microsoft Search in Bing](/MicrosoftSearch/security-for-search). All Bing.com search logs that pertain to Cortana traffic are disassociated from users&#39; workplace identity. All Cortana queries issued via a work or school account are stored separately from public, non-Cortana traffic.
Bing Answers is enabled by default for all users. However, admins can configure and change this setting for specific users and user groups in their organization.

10
windows/configuration/cortana-at-work/test-scenario-1.md
View File

@ -17,15 +17,15 @@ This process helps you to sign out of a Microsoft Account and to sign into a Mic
1. Click on the **Cortana** icon in the taskbar, then click the profile picture in the navigation to open Cortana settings.
2. Click your email address.
1. Click your email address.
A dialog box appears, showing the associated account info.
3. Click **Sign out** under your email address.
1. Click **Sign out** under your email address.
This signs out the Microsoft account, letting you continue to add your work or school account.
4. Open Cortana again and select the **Sign in** glyph in the left rail and follow the instructions to sign in with your work or school account.
1. Open Cortana again and select the **Sign in** glyph in the left rail and follow the instructions to sign in with your work or school account.
## Use Cortana to manage the notebook content
@ -33,9 +33,9 @@ This process helps you to manage the content Cortana shows in your Notebook.
1. Select the **Cortana** icon in the taskbar, click **Notebook**, select **Manage Skills.** Scroll down and click **Weather**.
2. In the **Weather** settings, scroll down to the **Cities you're tracking** area, and then click **Add a city**.
1. In the **Weather** settings, scroll down to the **Cities you're tracking** area, and then click **Add a city**.
3. Add **Redmond, Washington**.
1. Add **Redmond, Washington**.
> [!IMPORTANT]
> The data created as part of these scenarios will be uploaded to Microsoft's Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.

4
windows/configuration/cortana-at-work/test-scenario-2.md
View File

@ -18,7 +18,7 @@ This scenario helps you perform a quick search using Cortana, both by typing and
1. Click on the Cortana icon in the taskbar, and then click in the Search bar.
2. Type **Type Weather in New York**.
1. Type **Type Weather in New York**.
You should see the weather in New York, New York at the top of the search results.
@ -30,5 +30,5 @@ This process helps you to use Cortana at work and voice commands to perform a qu
1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the Search box).
2. Say **What's the weather in Chicago?** Cortana tells you and shows you the current weather in Chicago.
1. Say **What's the weather in Chicago?** Cortana tells you and shows you the current weather in Chicago.
Insert screenshot

22
windows/configuration/cortana-at-work/test-scenario-3.md
View File

@ -25,26 +25,26 @@ This process helps you to create a reminder based on a specific location.
1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**.
2. Click the **+** sign, add a subject for your reminder, such as **Remember to file expense report receipts**, and then click **Place**.
1. Click the **+** sign, add a subject for your reminder, such as **Remember to file expense report receipts**, and then click **Place**.
3. Choose **Arrive** from the drop-down box, and then type a location to associate with your reminder. For example, you can use the physical address of where you work. Just make sure you can physically get to your location, so you can test the reminder.
1. Choose **Arrive** from the drop-down box, and then type a location to associate with your reminder. For example, you can use the physical address of where you work. Just make sure you can physically get to your location, so you can test the reminder.
4. Click **Done**.
1. Click **Done**.
>[!Note]
>If you've never used this location before, you'll be asked to add a name for it so it can be added to the Favorites list in Windows Maps.
5. Choose to be reminded the Next time you arrive at the location or on a specific day of the week from the drop-down box.
1. Choose to be reminded the Next time you arrive at the location or on a specific day of the week from the drop-down box.
6. Take a picture of your receipts and store them locally on your device.
1. Take a picture of your receipts and store them locally on your device.
7. Click **Add Photo**, click **Library**, browse to your picture, and then click **OK**.
1. Click **Add Photo**, click **Library**, browse to your picture, and then click **OK**.
The photo is stored with the reminder.
Insert screenshot 6
8. Review the reminder info, and then click **Remind**.
1. Review the reminder info, and then click **Remind**.
The reminder is saved and ready to be triggered.
Insert screenshot
@ -55,12 +55,12 @@ This process helps you to use Cortana at work and voice commands to create a rem
1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone* icon (to the right of the Search box).
2. Say **Remind me to grab my expense report receipts before I leave home**.
1. Say **Remind me to grab my expense report receipts before I leave home**.
Cortana opens a new reminder task and asks if it sounds good.
insert screenshot
3. Say **Yes** so Cortana can save the reminder.
1. Say **Yes** so Cortana can save the reminder.
insert screenshot
## Edit or archive an existing reminder
@ -69,6 +69,6 @@ This process helps you to edit or archive and existing or completed reminder.
1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**.
2. Click the pending reminder you want to edit.
1. Click the pending reminder you want to edit.
3. Change any text that you want to change, click **Add photo** if you want to add or replace an image, click **Delete** if you want to delete the entire reminder, click Save to save your changes, and click **Complete and move to History** if you want to save a completed reminder in your **Reminder History**.
1. Change any text that you want to change, click **Add photo** if you want to add or replace an image, click **Delete** if you want to delete the entire reminder, click Save to save your changes, and click **Complete and move to History** if you want to save a completed reminder in your **Reminder History**.

6
windows/configuration/cortana-at-work/test-scenario-4.md
View File

@ -23,9 +23,9 @@ This process helps you find your upcoming meetings.
1. Check to make sure your work calendar is connected and synchronized with your Microsoft Entra account.
2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
1. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
3. Type **Show me my meetings for tomorrow**.
1. Type **Show me my meetings for tomorrow**.
You'll see all your meetings scheduled for the next day.
@ -38,7 +38,7 @@ This process helps you to use Cortana at work and voice commands to find your up
1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the Search box.
2. Say **Show me what meeting I have at 3pm tomorrow**.
1. Say **Show me what meeting I have at 3pm tomorrow**.
>[!Important]
>Make sure that you have a meeting scheduled for the time you specify here.

12
windows/configuration/cortana-at-work/test-scenario-5.md
View File

@ -20,13 +20,13 @@ This process helps you to send a quick message to a co-worker from the work addr
1. Check to make sure your Microsoft Outlook or mail app is connected and synchronized with your Microsoft Entra account.
2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
1. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
3. Type **Send an email to <contact_name>**.
1. Type **Send an email to <contact_name>**.
Where <contact_name> is the name of someone in your work address book.
4. Type your email message subject into the **Quick message** (255 characters or less) box and your message into the **Message** (unlimited characters) box, and then click **Send**.
1. Type your email message subject into the **Quick message** (255 characters or less) box and your message into the **Message** (unlimited characters) box, and then click **Send**.
Cortana at work, showing the email text
screenshot
@ -37,18 +37,18 @@ This process helps you to use Cortana at work and voice commands to send a quick
1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the Search box.
2. Say **Send an email** to <contact_name>.
1. Say **Send an email** to <contact_name>.
Where <contact_name> is the name of someone in your work address book.
3. Add your email message by saying, **Hello this is a test email using Cortana at work**.
1. Add your email message by saying, **Hello this is a test email using Cortana at work**.
The message is added and you're asked if you want to **Send it**, **Add more**, or **Make changes**.
Cortana at work, showing the email text created from verbal commands
screenshot
4. Say **Send it**.
1. Say **Send it**.
The email is sent.

12
windows/configuration/cortana-at-work/test-scenario-6.md
View File

@ -19,23 +19,23 @@ Cortana automatically finds patterns in your email, suggesting reminders based t
## Use Cortana to create suggested reminders for you
1. Make sure that you've connected Cortana to Office 365. For the steps to connect, see [Set up and test Cortana with Office 365 in your organization](./cortana-at-work-o365.md).
1. Make sure that you've connected Cortana to Office 361. For the steps to connect, see [Set up and test Cortana with Office 365 in your organization](./cortana-at-work-o365.md).
2. Click on the **Cortana** search box in the taskbar, click the **Notebook** icon, and then click **Permissions**.
1. Click on the **Cortana** search box in the taskbar, click the **Notebook** icon, and then click **Permissions**.
3. Make sure the **Contacts**, **email**, **calendar**, and **communication history** option is turned on.
1. Make sure the **Contacts**, **email**, **calendar**, and **communication history** option is turned on.
Permissions options for Cortana at work
screenshot
4. Click the **Notebook** icon again, click the **Suggested reminders** option, click to turn on the **All reminder suggestions cards** option, click the **Notify me when something I mentioned doing is coming up** box, and then click **Save**.
1. Click the **Notebook** icon again, click the **Suggested reminders** option, click to turn on the **All reminder suggestions cards** option, click the **Notify me when something I mentioned doing is coming up** box, and then click **Save**.
Suggested reminders options for Cortana at work
screenshot
5. Create and send an email to yourself (so you can see the Suggested reminder), including the text, **I'll finish this project by end of day today**.
1. Create and send an email to yourself (so you can see the Suggested reminder), including the text, **I'll finish this project by end of day today**.
6. After you get the email, click on the Cortana **Home** icon, and scroll to today's events.
1. After you get the email, click on the Cortana **Home** icon, and scroll to today's events.
If the reminder has a specific date or time associated with it, like end of day, Cortana notifies you at the appropriate time and puts the reminder into the Action Center. Also from the Home screen, you can view the email where you made the promise, set aside time on your calendar, officially set the reminder, or mark the reminder as completed.

2
windows/configuration/docfx.json
View File

@ -119,5 +119,3 @@
}
}

4
windows/configuration/index.yml
View File

@ -1,5 +1,4 @@
### YamlMime:Landing
title: Configure Windows client # < 60 chars
summary: Find out how to apply custom configurations to Windows client devices. # < 160 chars
@ -14,7 +13,6 @@ metadata:
manager: aaroncz
ms.date: 12/20/2023
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
landingContent:
@ -34,7 +32,6 @@ landingContent:
- text: Accessibility information for IT pros
url: windows-accessibility-for-itpros.md
# Card (optional)
- title: Configure a Windows kiosk
linkLists:
@ -49,7 +46,6 @@ landingContent:
- text: Manage multi-user and guest devices
url: shared-devices-concepts.md
# Card (optional)
- title: Use provisioning packages
linkLists:

4
windows/configuration/kiosk/find-the-application-user-model-id-of-an-installed-app.md
View File

@ -41,9 +41,9 @@ To get the names and AUMIDs for all apps installed for the current user, perform
1. Open **Run**, enter **shell:Appsfolder**, and select **OK**.
2. A File Explorer window opens. Press **Alt** > **View** > **Choose details**.
1. A File Explorer window opens. Press **Alt** > **View** > **Choose details**.
3. In the **Choose Details** window, select **AppUserModelId**, and then select **OK**. (You might need to change the **View** setting from **Tiles** to **Details**.)
1. In the **Choose Details** window, select **AppUserModelId**, and then select **OK**. (You might need to change the **View** setting from **Tiles** to **Details**.)
![Image of the Choose Details options.](images/aumid-file-explorer.png)

22
windows/configuration/kiosk/guidelines-for-assigned-access-app.md
View File

@ -21,7 +21,6 @@ The following guidelines may help you choose an appropriate Windows app for your
## Guidelines for Windows apps that launch other apps
Some Windows apps can launch other apps. Assigned access prevents Windows apps from launching other apps.
@ -39,12 +38,11 @@ In Windows client, you can install the **Kiosk Browser** app from Microsoft to u
>
>Kiosk Browser can't access intranet websites.
**Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education) and Windows 11.
1. [Get **Kiosk Browser** in Microsoft Store for Business with offline license type.](/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps)
2. [Deploy **Kiosk Browser** to kiosk devices.](/microsoft-store/distribute-offline-apps)
3. Configure policies using settings from the Policy Configuration Service Provider (CSP) for [KioskBrowser](/windows/client-management/mdm/policy-csp-kioskbrowser). These settings can be configured using your MDM service provider, or [in a provisioning package](../provisioning-packages/provisioning-create-package.md). In Windows Configuration Designer, the settings are located in **Policies > KioskBrowser** when you select advanced provisioning for Windows desktop editions.
1. [Deploy **Kiosk Browser** to kiosk devices.](/microsoft-store/distribute-offline-apps)
1. Configure policies using settings from the Policy Configuration Service Provider (CSP) for [KioskBrowser](/windows/client-management/mdm/policy-csp-kioskbrowser). These settings can be configured using your MDM service provider, or [in a provisioning package](../provisioning-packages/provisioning-create-package.md). In Windows Configuration Designer, the settings are located in **Policies > KioskBrowser** when you select advanced provisioning for Windows desktop editions.
>[!NOTE]
>If you configure the kiosk using a provisioning package, you must apply the provisioning package after the device completes the out-of-box experience (OOBE).
@ -66,13 +64,13 @@ Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh stat
>
> 1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer.
> 2. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18).
> 1. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18).
> 3. Insert the null character string in between each URL (e.g www.bing.com`&#xF000;`www.contoso.com).
> 1. Insert the null character string in between each URL (e.g www.bing.com`&#xF000;`www.contoso.com).
> 4. Save the XML file.
> 5. Open the project again in Windows Configuration Designer.
> 6. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed.
> 1. Save the XML file.
> 1. Open the project again in Windows Configuration Designer.
> 1. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed.
>
>
@ -83,7 +81,6 @@ Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh stat
> - Data type: Integer
> - Value: 1
#### Rules for URLs in Kiosk Browser settings
Kiosk Browser filtering rules are based on the [Chromium Project](https://www.chromium.org/Home).
@ -115,7 +112,6 @@ Blocked URL rule | Block URL exception rule | Result
The following table gives examples for blocked URLs.
| Entry | Result |
|--------------------------|-------------------------------------------------------------------------------|
| `contoso.com` | Blocks all requests to contoso.com, www.contoso.com, and sub.www.contoso.com |
@ -126,8 +122,8 @@ The following table gives examples for blocked URLs.
| `*` | Blocks all requests except for URLs in the Blocked URL Exceptions list. |
| `*:8080` | Blocks all requests to port 8080. |
| `contoso.com/stuff` | Blocks all requests to contoso.com/stuff and its subdomains. |
| `192.168.1.2` | Blocks requests to 192.168.1.2. |
| `youtube.com/watch?v=V1` | Blocks YouTube video with id V1. |
| `192.168.1.2` | Blocks requests to 192.168.1.1. |
| `youtube.com/watch?v=V1` | Blocks YouTube video with id V1. |
### Other browsers

0
windows/configuration/images/apprule.png → windows/configuration/kiosk/images/apprule.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 114 KiB

After

Width:  |  Height:  |  Size: 114 KiB

0
windows/configuration/images/appwarning.png → windows/configuration/kiosk/images/appwarning.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 3.6 KiB

After

Width:  |  Height:  |  Size: 3.6 KiB

0
windows/configuration/images/genrule.png → windows/configuration/kiosk/images/genrule.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 8.4 KiB

After

Width:  |  Height:  |  Size: 8.4 KiB

0
windows/configuration/images/lockdownapps.png → windows/configuration/kiosk/images/lockdownapps.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 6.5 KiB

After

Width:  |  Height:  |  Size: 6.5 KiB

0
windows/configuration/images/multiappassignedaccesssettings.png → windows/configuration/kiosk/images/multiappassignedaccesssettings.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 5.0 KiB

After

Width:  |  Height:  |  Size: 5.0 KiB

8
windows/configuration/kiosk/kiosk-mdm-bridge.md
View File

@ -15,12 +15,12 @@ Here's an example to set AssignedAccess configuration:
1. Download the [psexec tool](/sysinternals/downloads/psexec).
2. Run `psexec.exe -i -s cmd.exe`.
3. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell.
1. Run `psexec.exe -i -s cmd.exe`.
1. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell.
Step 4 is different for Windows 10 or Windows 11
4. Execute the following script for Windows 10:
1. Execute the following script for Windows 10:
```xml
$nameSpaceName="root\cimv2\mdm\dmmap"
@ -80,7 +80,7 @@ $obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@"
Set-CimInstance -CimInstance $obj
```
4. Execute the following script for Windows 11:
1. Execute the following script for Windows 11:
```xml
$nameSpaceName="root\cimv2\mdm\dmmap"

2
windows/configuration/kiosk/kiosk-methods.md
View File

@ -55,7 +55,6 @@ There are several kiosk configuration methods that you can choose from, dependin
The kiosk account can be a local standard user account, a local administrator account, a domain account, or a Microsoft Entra account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method.
>[!IMPORTANT]
>Single-app kiosk mode isn't supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk.
@ -104,6 +103,5 @@ Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-ap
[MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | | ✅
>[!NOTE]
>For devices running Windows client Enterprise and Education, you can also use [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) or [AppLocker](lock-down-windows-10-applocker.md) to lock down a device to specific apps.

40
windows/configuration/kiosk/kiosk-prepare.md
View File

@ -35,9 +35,9 @@ For a more secure kiosk experience, we recommend that you make the following con
- **Use the registry**:
1. Open Registry Editor (regedit).
2. Go to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`.
3. Create a **New** > **DWORD (32-bit) Value**. Enter `SetUpdateNotificationLevel`, and set its value to `1`.
4. Create a **New** > **DWORD (32-bit) Value**. Enter `UpdateNotificationLevel`. For value, you can enter:
1. Go to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`.
1. Create a **New** > **DWORD (32-bit) Value**. Enter `SetUpdateNotificationLevel`, and set its value to `1`.
1. Create a **New** > **DWORD (32-bit) Value**. Enter `UpdateNotificationLevel`. For value, you can enter:
- `1`: Hides all notifications except restart warnings.
- `2`: Hides all notifications, including restart warnings.
@ -57,8 +57,8 @@ For a more secure kiosk experience, we recommend that you make the following con
- **Replace "blue screen" with blank screen for OS errors**. To enable this feature, use the Registry Editor:
1. Open Registry Editor (regedit).
2. Go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl`.
3. Create a **New** > **DWORD (32-bit) Value**. Enter `DisplayDisabled`, and set its value to `1`.
1. Go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl`.
1. Create a **New** > **DWORD (32-bit) Value**. Enter `DisplayDisabled`, and set its value to `1`.
- **Put device in "Tablet mode"**. If you want users to use the touch screen, without using a keyboard or mouse, then turn on tablet mode using the Settings app. If users won't interact with the kiosk, such as for a digital sign, then don't turn on this setting.
@ -68,12 +68,12 @@ For a more secure kiosk experience, we recommend that you make the following con
- Use the **Settings** app:
1. Open the **Settings** app.
2. Go to **System** > **Tablet mode**.
3. Configure the settings you want.
1. Go to **System** > **Tablet mode**.
1. Configure the settings you want.
- Use the **Action Center**:
1. On your device, swipe in from the left.
2. Select **Tablet mode**.
1. Select **Tablet mode**.
- **Hide "Ease of access" feature on the sign-in screen**: To enable this feature, you have the following options:
@ -84,9 +84,9 @@ For a more secure kiosk experience, we recommend that you make the following con
- **Use the Settings app**:
1. Open the **Settings** app.
2. Go to **System** > **Power & Sleep** > **Additional power settings** > **Choose what the power button does**.
3. Select **Do nothing**.
4. **Save changes**.
1. Go to **System** > **Power & Sleep** > **Additional power settings** > **Choose what the power button does**.
1. Select **Do nothing**.
1. **Save changes**.
- **Use Group Policy**: Your options:
@ -127,8 +127,8 @@ For a more secure kiosk experience, we recommend that you make the following con
- **Use the Settings app**:
1. Open the **Settings** app.
2. Go to **Privacy** > **Camera**.
3. Select **Allow apps use my camera** > **Off**.
1. Go to **Privacy** > **Camera**.
1. Select **Allow apps use my camera** > **Off**.
- **Use Group Policy**: `Computer Configuration\Administrative Templates\Windows Components\Camera: Allow use of camera`: Select **Disabled**.
@ -144,8 +144,8 @@ For a more secure kiosk experience, we recommend that you make the following con
- **Use the Settings app**:
1. Open the **Settings** app.
2. Go to **System** > **Notifications & actions**.
3. In **Show notifications on the lock screen**, select **Off**.
1. Go to **System** > **Notifications & actions**.
1. In **Show notifications on the lock screen**, select **Off**.
- **Use Group policy**:
- `Computer Configuration\Administrative Templates\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**.
@ -207,7 +207,6 @@ You may also want to set up **automatic logon** for your kiosk device. When your
> [!TIP]
> If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML.
**How to edit the registry to have an account sign in automatically**
1. Open Registry Editor (regedit.exe).
@ -215,14 +214,11 @@ You may also want to set up **automatic logon** for your kiosk device. When your
> [!NOTE]
> If you are not familiar with Registry Editor, [learn how to modify the Windows registry](/troubleshoot/windows-server/performance/windows-registry-advanced-users).
2. Go to
1. Go to
**HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\Windows NT\CurrentVersion\Winlogon**
3. Set the values for the following keys.
1. Set the values for the following keys.
- *AutoAdminLogon*: set value as **1**.
@ -235,7 +231,7 @@ You may also want to set up **automatic logon** for your kiosk device. When your
- *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, don't add this key.
4. Close Registry Editor. The next time the computer restarts, the account will sign in automatically.
1. Close Registry Editor. The next time the computer restarts, the account will sign in automatically.
> [!TIP]
> You can also configure automatic sign-in [using the Autologon tool from Sysinternals](/sysinternals/downloads/autologon).

15
windows/configuration/kiosk/kiosk-shelllauncher.md
View File

@ -21,7 +21,6 @@ Using Shell Launcher, you can configure a device that runs an application as the
You can apply a custom shell through Shell Launcher [by using PowerShell](#configure-a-custom-shell-using-powershell). Starting with Windows 10 version 1803+, you can also [use mobile device management (MDM)](#configure-a-custom-shell-in-mdm) to apply a custom shell through Shell Launcher.
## Differences between Shell Launcher v1 and Shell Launcher v2
Shell Launcher v1 replaces `explorer.exe`, the default shell, with `eshell.exe` which can launch a Windows desktop application.
@ -56,22 +55,21 @@ To set a custom shell, you first turn on the Shell Launcher feature, and then yo
1. Go to Control Panel &gt; **Programs and features** &gt; **Turn Windows features on or off**.
2. Expand **Device Lockdown**.
1. Expand **Device Lockdown**.
2. Select **Shell Launcher** and **OK**.
1. Select **Shell Launcher** and **OK**.
Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or you can use the Deployment Image Servicing and Management (DISM.exe) tool.
**To turn on Shell Launcher using DISM**
1. Open a command prompt as an administrator.
2. Enter the following command.
1. Open a command prompt as an administrator.
1. Enter the following command.
```
Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher
```
## Configure a custom shell in MDM
You can use XML and a [custom OMA-URI setting](#custom-oma-uri-setting) to configure Shell Launcher in MDM.
@ -138,7 +136,7 @@ xmlns:v2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
### Custom OMA-URI setting
In your MDM service, you can create a [custom OMA-URI setting](/intune/custom-settings-windows-10) to configure Shell Launcher v1 or v2. (The [XML](#xml-for-shell-launcher-configuration) that you use for your setting will determine whether you apply Shell Launcher v1 or v2.)
In your MDM service, you can create a [custom OMA-URI setting](/intune/custom-settings-windows-10) to configure Shell Launcher v1 or v1. (The [XML](#xml-for-shell-launcher-configuration) that you use for your setting will determine whether you apply Shell Launcher v1 or v2.)
The OMA-URI path is `./Device/Vendor/MSFT/AssignedAccess/ShellLauncher`.
@ -174,7 +172,6 @@ static class CheckShellLauncherLicense
enabled = 0;
}
return (enabled != 0);
}
@ -215,7 +212,6 @@ try {
exit
}
# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
$Admins_SID = "S-1-5-32-544"
@ -229,7 +225,6 @@ function Get-UsernameSID($AccountName) {
return $NTUserSID.Value
}
# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script.

49
windows/configuration/kiosk/kiosk-single-app.md
View File

@ -55,7 +55,6 @@ You have several options for configuring your single-app kiosk.
>
> Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
<span id="local"/>
## Set up a kiosk in local Settings
@ -85,26 +84,25 @@ When your kiosk is a local device that isn't managed by Active Directory or Micr
When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows client, you create the kiosk user account at the same time. To set up assigned access in PC settings:
1. Open the **Settings** app > **Accounts**. Select **Other users** or **Family and other users**.
Open the **Settings** app > **Accounts**. Select **Other users** or **Family and other users**.
2. Select **Set up a kiosk > Assigned access**, and then select **Get started**.
1. Select **Set up a kiosk > Assigned access**, and then select **Get started**.
3. Enter a name for the new account.
1. Enter a name for the new account.
>[!NOTE]
>If there are any local standard user accounts on the device already, the **Create an account** page will offer the option to **Choose an existing account**.
4. Choose the app that will run when the kiosk account signs in. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). If you select **Microsoft Edge** as the kiosk app, you configure the following options:
1. Choose the app that will run when the kiosk account signs in. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). If you select **Microsoft Edge** as the kiosk app, you configure the following options:
- Whether Microsoft Edge should display your website full-screen (digital sign) or with some browser controls available (public browser)
- Which URL should be displayed when the kiosk accounts signs in
- When Microsoft Edge should restart after a period of inactivity (if you select to run as a public browser)
5. Select **Close**.
1. Select **Close**.
To remove assigned access, select the account tile on the **Set up a kiosk** page, and then select **Remove kiosk**.
### Windows 10 version 1803 and earlier
When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10 version 1803 and earlier, you must select an existing local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10)
@ -113,15 +111,15 @@ When you set up a kiosk (also known as *assigned access*) in **Settings** for Wi
**To set up assigned access in PC settings**
1. Go to **Start** > **Settings** > **Accounts** > **Other people**.
1. Go to **Start** > **Settings** > **Accounts** > **Other people**.
2. Select **Set up assigned access**.
1. Select **Set up assigned access**.
3. Choose an account.
1. Choose an account.
4. Choose an app. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md).
1. Choose an app. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md).
5. Close **Settings** - your choices are saved automatically, and will be applied the next time that user account signs in.
1. Close **Settings** - your choices are saved automatically, and will be applied the next time that user account signs in.
To remove assigned access, choose **Turn off assigned access and sign out of the selected account**.
@ -151,11 +149,11 @@ You can use any of the following PowerShell cmdlets to set up assigned access on
Before you run the cmdlet:
1. Sign in as administrator.
2. [Create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) for Assigned Access.
3. Sign in as the Assigned Access user account.
4. Install the Universal Windows app that follows the assigned access/above the lock guidelines.
5. Sign out as the Assigned Access user account.
6. Sign in as administrator.
1. [Create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) for Assigned Access.
1. Sign in as the Assigned Access user account.
1. Install the Universal Windows app that follows the assigned access/above the lock guidelines.
1. Sign out as the Assigned Access user account.
1. Sign in as administrator.
To open PowerShell on Windows client, search for PowerShell, and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator.
@ -197,7 +195,6 @@ Clear-AssignedAccess
![Kiosk wizard option in Windows Configuration Designer.](images/kiosk-wizard.png)
>[!IMPORTANT]
>When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](/troubleshoot/windows-server/user-profiles-and-logon/turn-on-automatic-logon).
@ -216,7 +213,7 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des
- **Configure devices for shared use**: This setting optimizes Windows client for shared use scenarios, and isn't necessary for a kiosk scenario. Set this value to **No**, which may be the default.
- **Remove pre-installed software**: Optional. Select **Yes** if you want to remove preinstalled software.
2. Set up the network:
1. Set up the network:
:::image type="content" source="images/set-up-network-details.png" alt-text="In Windows Configuration Designer, turn on wireless connectivity, enter the network SSID, and network type.":::
@ -226,7 +223,7 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des
- **Network SSID**: Enter the Service Set Identifier (SSID) of the network.
- **Network type**: Select **Open** or **WPA2-Personal**. If you select **WPA2-Personal**, enter the password for the wireless network.
3. Enable account management:
1. Enable account management:
:::image type="content" source="images/account-management-details.png" alt-text="In Windows Configuration Designer, join Active Directory, Microsoft Entra ID, or create a local admin account.":::
@ -242,7 +239,7 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des
- **Local administrator**: If you select this option, enter a user name and password. If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password isn't changed during that period, the account might be locked out, and unable to sign in.
4. Add applications:
1. Add applications:
:::image type="content" source="images/add-applications-details.png" alt-text="In Windows Configuration Designer, add an application that will run in kiosk mode.":::
@ -252,11 +249,11 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des
> If you select the plus button to add an application, you must enter an application for the provisioning package to validate. If you select the plus button by mistake, then:
>
> 1. In **Installer Path**, select any executable file.
> 2. When the **Cancel** button shows, select it.
> 1. When the **Cancel** button shows, select it.
>
> These steps let you complete the provisioning package without adding an application.
5. Add certificates:
1. Add certificates:
:::image type="content" source="images/add-certificates-details.png" alt-text="In Windows Configuration Designer, add a certificate.":::
@ -265,7 +262,7 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des
- **Certificate name**: Enter a name for the certificate.
- **Certificate path**: Browse and select the certificate you want to add.
6. Configure the kiosk account, and the kiosk mode app:
1. Configure the kiosk account, and the kiosk mode app:
:::image type="content" source="images/kiosk-account-details.png" alt-text="In Windows Configuration Designer, the Configure kiosk common settings button is shown when provisioning a kiosk device.":::
@ -277,7 +274,7 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des
- **Windows desktop application**: Enter the path or filename. If the file path is in the PATH environment variable, then you can use the filename. Otherwise, the full path is required.
- **Universal Windows app**: Enter the AUMID.
7. Configure kiosk common settings:
1. Configure kiosk common settings:
:::image type="content" source="images/kiosk-common-details.png" alt-text="In Windows Configuration Designer, set tablet mode, configure the welcome and shutdown screens, and turn off the power timeout settings.":::
@ -287,7 +284,7 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des
- **Customize user experience**
- **Configure power settings**
8. Finish:
1. Finish:
:::image type="content" source="images/finish-details.png" alt-text="In Windows Configuration Designer, protect your package with a password.":::

2
windows/configuration/kiosk/kiosk-validate.md
View File

@ -74,8 +74,6 @@ The multi-app mode blocks the following hotkeys, which are not relevant for the
| Windows logo key + comma (,) | Temporarily peek at the desktop |
| Windows logo key + Ctrl + F | Search for PCs (if you're on a network) |
### Locked-down Ctrl+Alt+Del screen
The multi-app mode removes options (e.g. **Change a password**, **Task Manager**, **Network**) in the Ctrl+Alt+Del screen to ensure the users cannot access the functionalities that are not allowed in the lockdown experience.

7
windows/configuration/kiosk/kiosk-xml.md
View File

@ -130,6 +130,7 @@ ms.date: 12/31/2017
</Configs>
</AssignedAccessConfiguration>
```
## Kiosk only sample XML
```xml
@ -243,6 +244,7 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom
```
## Microsoft Edge Kiosk XML Sample
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
@ -329,6 +331,7 @@ This sample demonstrates that only a global profile is used, with no active user
```
Below sample shows dedicated profile and global profile mixed usage, a user would use one profile, everyone else that's non-admin will use another profile.
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
@ -414,6 +417,7 @@ Below sample shows dedicated profile and global profile mixed usage, a user woul
```
## Folder Access sample xml
Starting with Windows 10 version 1809 +, folder access is locked down so that when common file dialog is opened, IT Admin can specify if the user has access to the Downloads folder, or no access to any folder at all. This restriction has been redesigned for finer granularity and easier use, and is available in Windows 10 version 2009+.
IT Admin now can specify user access to Downloads folder, Removable drives, or no restrictions at all. Downloads and Removable Drives can be allowed at the same time.
@ -650,7 +654,6 @@ IT Admin now can specify user access to Downloads folder, Removable drives, or n
</Configs>
</AssignedAccessConfiguration>
```
## XSD for AssignedAccess configuration XML
@ -750,7 +753,6 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10, v
<xs:attributeGroup ref="autoLaunch_attributeGroup"/>
</xs:complexType>
<xs:attributeGroup name="autoLaunch_attributeGroup">
<xs:attribute ref="rs5:AutoLaunch"/>
<xs:attribute ref="rs5:AutoLaunchArguments" use="optional"/>
@ -926,7 +928,6 @@ The following XML is the schema for Windows 10 version 1909+:
<xs:attribute name="Id" type="guid_t" />
</xs:complexType>
<xs:element name="AllowRemovableDrives"/>
<xs:element name="NoRestriction" />
<xs:element name="GlobalProfile" type="globalProfile_t" />

43
windows/configuration/kiosk/lock-down-windows-10-applocker.md
View File

@ -9,7 +9,6 @@ ms.topic: article
# Use AppLocker to create a Windows 10 kiosk that runs multiple apps
Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education, version 1703 and earlier, so that users can only run a few specific apps. The result is similar to [a kiosk device](./kiosk-methods.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.
>[!NOTE]
@ -25,53 +24,42 @@ This topic describes how to lock down apps on a local device. You can also use A
## Install apps
First, install the desired apps on the device for the target user account(s). This works for both Unified Windows Platform (UWP) apps and Windows desktop apps. For UWP apps, you must log on as that user for the app to install. For desktop apps, you can install an app for all users without logging on to the particular account.
## Use AppLocker to set rules for apps
After you install the desired apps, set up AppLocker rules to only allow specific apps, and block everything else.
1. Run Local Security Policy (secpol.msc) as an administrator.
2. Go to **Security Settings** &gt; **Application Control Policies** &gt; **AppLocker**, and select **Configure rule enforcement**.
1. Run Local Security Policy (secpol.msc) as an administrator.
1. Go to **Security Settings** &gt; **Application Control Policies** &gt; **AppLocker**, and select **Configure rule enforcement**.
![configure rule enforcement.](images/apprule.png)
3. Check **Configured** under **Executable rules**, and then click **OK**.
4. Right-click **Executable Rules** and then click **Automatically generate rules**.
1. Check **Configured** under **Executable rules**, and then click **OK**.
1. Right-click **Executable Rules** and then click **Automatically generate rules**.
![automatically generate rules.](images/genrule.png)
5. Select the folder that contains the apps that you want to permit, or select C:\\ to analyze all apps.
6. Type a name to identify this set of rules, and then click **Next**.
7. On the **Rule Preferences** page, click **Next**. Be patient, it might take awhile to generate the rules.
8. On the **Review Rules** page, click **Create**. The wizard will now create a set of rules allowing the installed set of apps.
9. Read the message and click **Yes**.
1. Select the folder that contains the apps that you want to permit, or select C:\\ to analyze all apps.
1. Type a name to identify this set of rules, and then click **Next**.
1. On the **Rule Preferences** page, click **Next**. Be patient, it might take awhile to generate the rules.
1. On the **Review Rules** page, click **Create**. The wizard will now create a set of rules allowing the installed set of apps.
1. Read the message and click **Yes**.
![default rules warning.](images/appwarning.png)
10. (optional) If you want a rule to apply to a specific set of users, right-click on the rule and select **Properties**. Then use the dialog to choose a different user or group of users.
11. (optional) If rules were generated for apps that should not be run, you can delete them by right-clicking on the rule and selecting **Delete**.
12. Before AppLocker will enforce rules, the **Application Identity** service must be turned on. To force the Application Identity service to automatically start on reset, open a command prompt and run:
1. (optional) If you want a rule to apply to a specific set of users, right-click on the rule and select **Properties**. Then use the dialog to choose a different user or group of users.
1. (optional) If rules were generated for apps that should not be run, you can delete them by right-clicking on the rule and selecting **Delete**.
1. Before AppLocker will enforce rules, the **Application Identity** service must be turned on. To force the Application Identity service to automatically start on reset, open a command prompt and run:
``` syntax
sc config appidsvc start=auto
```
13. Restart the device.
1. Restart the device.
## Other settings to lock down
In addition to specifying the apps that users can run, you should also restrict some settings and functions on the device. For a more secure experience, we recommend that you make the following configuration changes to the device:
- Remove **All apps**.
@ -102,11 +90,8 @@ In addition to specifying the apps that users can run, you should also restrict
To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
To learn more about locking down features, see [Customizations for Windows 10 Enterprise](/windows-hardware/customize/enterprise/enterprise-custom-portal).
## Customize Start screen layout for the device (recommended)
Configure the Start menu on the device to only show tiles for the permitted apps. You will make the changes manually, export the layout to an .xml file, and then apply that file to devices to prevent users from making changes. For instructions, see [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md).
Configure the Start menu on the device to only show tiles for the permitted apps. You will make the changes manually, export the layout to an .xml file, and then apply that file to devices to prevent users from making changes. For instructions, see [Manage Windows 10 Start layout options](../start/windows-10-start-layout-options-and-policies.md).

64
windows/configuration/kiosk/lock-down-windows-10-to-specific-apps.md
View File

@ -43,8 +43,8 @@ To configure a kiosk in Microsoft Intune, see:
Process:
1. [Create XML file](#create-xml-file)
2. [Add XML file to provisioning package](#add-xml)
3. [Apply provisioning package to device](#apply-ppkg)
1. [Add XML file to provisioning package](#add-xml)
1. [Apply provisioning package to device](#apply-ppkg)
Watch how to use a provisioning package to configure a multi-app kiosk.
@ -147,7 +147,7 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can
When the multi-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**:
1. Default rule is to allow all users to launch the signed package apps.
2. The package app blocklist is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the blocklist. This list will exclude the default allowed inbox package apps, which are critical for the system to function. It then excludes the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This blocklist will be used to prevent the user from accessing the apps that are currently available for the user but not in the allowed list.
1. The package app blocklist is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the blocklist. This list will exclude the default allowed inbox package apps, which are critical for the system to function. It then excludes the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This blocklist will be used to prevent the user from accessing the apps that are currently available for the user but not in the allowed list.
> [!NOTE]
> You can't manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994629(v=ws.11)#BKMK_Using_Snapins). Avoid creating AppLocker rules that conflict with AppLocker rules that are generated by the multi-app kiosk configuration.
@ -157,8 +157,8 @@ When the multi-app kiosk configuration is applied to a device, AppLocker rules w
Here are the predefined assigned access AppLocker rules for **desktop apps**:
1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. The rule also allows the admin user group to launch all desktop programs.
2. There's a predefined inbox desktop app blocklist for the assigned access user account, and this blocklist is adjusted based on the desktop app allowlist that you defined in the multi-app configuration.
3. Enterprise-defined allowed desktop apps are added in the AppLocker allowlist.
1. There's a predefined inbox desktop app blocklist for the assigned access user account, and this blocklist is adjusted based on the desktop app allowlist that you defined in the multi-app configuration.
1. Enterprise-defined allowed desktop apps are added in the AppLocker allowlist.
The following example allows Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps to run on the device, with Notepad configured to automatically launch and create a file called `123.text` when the user signs in.
@ -217,17 +217,17 @@ The following example shows how to allow user access to the Downloads folder in
> - `FileExplorerNamespaceRestrictions` and `AllowedNamespace:Downloads` are available in namespace `https://schemas.microsoft.com/AssignedAccess/201810/config`.
> - `AllowRemovableDrives` and `NoRestriction` are defined in a new namespace `https://schemas.microsoft.com/AssignedAccess/2020/config`.
* When `FileExplorerNamespaceRestrictions` node isn't used, or used but left empty, the user won't be able to access any folder in a common dialog. For example, **Save As** in the Microsoft Edge browser.
* When Downloads is mentioned in allowed namespace, user will be able to access Downloads folder.
* When `AllowRemovableDrives` is used, user will be to access removable drives.
* When `NoRestriction` is used, no restriction will be applied to the dialog.
* `AllowRemovableDrives` and `AllowedNamespace:Downloads` can be used at the same time.
- When `FileExplorerNamespaceRestrictions` node isn't used, or used but left empty, the user won't be able to access any folder in a common dialog. For example, **Save As** in the Microsoft Edge browser.
- When Downloads is mentioned in allowed namespace, user will be able to access Downloads folder.
- When `AllowRemovableDrives` is used, user will be to access removable drives.
- When `NoRestriction` is used, no restriction will be applied to the dialog.
- `AllowRemovableDrives` and `AllowedNamespace:Downloads` can be used at the same time.
##### StartLayout
After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset, depending on whether you want the end user to directly access them on the Start screen.
The easiest way to create a customized Start layout to apply to other Windows client devices is to set up the Start screen on a test device and then export the layout. For detailed steps, see [Customize and export Start layout](customize-and-export-start-layout.md).
The easiest way to create a customized Start layout to apply to other Windows client devices is to set up the Start screen on a test device and then export the layout. For detailed steps, see [Customize and export Start layout](../start/customize-and-export-start-layout.md).
A few things to note here:
@ -408,14 +408,14 @@ Group accounts are specified using `<UserGroup>`. Nested groups aren't supported
#### [Preview] Global profile
Global profile is available in Windows 10. If you want everyone who signs into a specific device to be assigned as an access user, even if there's no dedicated profile for that user. Alternatively, perhaps Assigned Access couldn't identify a profile for the user and you want to have a fallback profile. Global profile is designed for these scenarios.
Global profile is available in Windows 1. If you want everyone who signs into a specific device to be assigned as an access user, even if there's no dedicated profile for that user. Alternatively, perhaps Assigned Access couldn't identify a profile for the user and you want to have a fallback profile. Global profile is designed for these scenarios.
Usage is demonstrated below, by using the new XML namespace and specifying `GlobalProfile` from that namespace. When you configure `GlobalProfile`, a non-admin account logs in, if this user doesn't have a designated profile in Assigned Access, or Assigned Access fails to determine a profile for current user, a global profile is applied for the user.
> [!NOTE]
> 1. `GlobalProfile` can only be a multi-app profile.
> 2. Only one `GlobalProfile` can be used in one `AssignedAccess` configuration XML.
> 3. `GlobalProfile` can be used as the only config, or it can be used along with regular user or group config.
> 1. Only one `GlobalProfile` can be used in one `AssignedAccess` configuration XML.
> 1. `GlobalProfile` can be used as the only config, or it can be used along with regular user or group config.
```xml
<?xml version="1.0" encoding="utf-8" ?>
@ -480,60 +480,60 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
1. Open Windows Configuration Designer. By default: `%systemdrive%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe`.
2. Choose **Advanced provisioning**.
1. Choose **Advanced provisioning**.
3. Name your project, and select **Next**.
1. Name your project, and select **Next**.
4. Choose **All Windows desktop editions** and select **Next**.
1. Choose **All Windows desktop editions** and select **Next**.
5. On **New project**, select **Finish**. The workspace for your package opens.
1. On **New project**, select **Finish**. The workspace for your package opens.
6. Expand **Runtime settings** &gt; **AssignedAccess** &gt; **MultiAppAssignedAccessSettings**.
1. Expand **Runtime settings** &gt; **AssignedAccess** &gt; **MultiAppAssignedAccessSettings**.
7. In the center pane, select **Browse**. Locate and select the assigned access configuration XML file that you created.
1. In the center pane, select **Browse**. Locate and select the assigned access configuration XML file that you created.
![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer.](images/multiappassignedaccesssettings.png)
8. _Optional: If you want to apply the provisioning package after device initial setup and there's an admin user already available on the kiosk device, skip this step._ Create an admin user account in **Runtime settings** &gt; **Accounts** &gt; **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed.
1. _Optional: If you want to apply the provisioning package after device initial setup and there's an admin user already available on the kiosk device, skip this step._ Create an admin user account in **Runtime settings** &gt; **Accounts** &gt; **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed.
9. _Optional: If you already have a non-admin account on the kiosk device, skip this step._ Create a local standard user account in **Runtime settings** &gt; **Accounts** &gt; **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**.
1. _Optional: If you already have a non-admin account on the kiosk device, skip this step._ Create a local standard user account in **Runtime settings** &gt; **Accounts** &gt; **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**.
10. On the **File** menu, select **Save.**
1. On the **File** menu, select **Save.**
11. On the **Export** menu, select **Provisioning package**.
1. On the **Export** menu, select **Provisioning package**.
12. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
1. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
13. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
1. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package.
14. Select **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location.
1. Select **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location.
Optionally, you can select **Browse** to change the default output location.
15. Select **Next**.
1. Select **Next**.
16. Select **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
1. Select **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
If you need to cancel the build, select **Cancel**. This action cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
17. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
1. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this action, select **Back** to change the output package name and path, and then select **Next** to start another build.
- If you're done, select **Finish** to close the wizard and go back to the **Customizations Page**.
18. Copy the provisioning package to the root directory of a USB drive.
1. Copy the provisioning package to the root directory of a USB drive.
<span id="apply-ppkg" />
### Apply provisioning package to device
Provisioning packages can be applied to a device during initial setup (out-of-box experience or "OOBE") and after ("runtime"). For more information, see [Apply a provisioning package](./provisioning-packages/provisioning-apply-package.md).
Provisioning packages can be applied to a device during initial setup (out-of-box experience or "OOBE") and after ("runtime"). For more information, see [Apply a provisioning package](../provisioning-packages/provisioning-apply-package.md).
> [!NOTE]
> If your provisioning package doesn't include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device.

8
windows/configuration/kiosk/lock-down-windows-11-to-specific-apps.md
View File

@ -120,7 +120,7 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can
When the multi-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**:
1. Default rule is to allow all users to launch the signed package apps.
2. The package app blocklist is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the blocklist. This list will exclude the default allowed inbox package apps, which are critical for the system to function. It then excludes the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This blocklist will be used to prevent the user from accessing the apps that are currently available for the user but not in the allowed list.
1. The package app blocklist is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the blocklist. This list will exclude the default allowed inbox package apps, which are critical for the system to function. It then excludes the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This blocklist will be used to prevent the user from accessing the apps that are currently available for the user but not in the allowed list.
> [!NOTE]
> You can't manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994629(v=ws.11)#BKMK_Using_Snapins). Avoid creating AppLocker rules that conflict with AppLocker rules that are generated by the multi-app kiosk configuration.
@ -129,8 +129,8 @@ When the multi-app kiosk configuration is applied to a device, AppLocker rules w
Here are the predefined assigned access AppLocker rules for **desktop apps**:
1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. The rule also allows the admin user group to launch all desktop programs.
2. There's a predefined inbox desktop app blocklist for the assigned access user account, and this blocklist is adjusted based on the desktop app allowlist that you defined in the multi-app configuration.
3. Enterprise-defined allowed desktop apps are added in the AppLocker allowlist.
1. There's a predefined inbox desktop app blocklist for the assigned access user account, and this blocklist is adjusted based on the desktop app allowlist that you defined in the multi-app configuration.
1. Enterprise-defined allowed desktop apps are added in the AppLocker allowlist.
The following example allows Photos, Weather, Calculator, Paint, and Notepad apps to run on the device, with Notepad configured to automatically launch and create a file called `123.text` when the user signs in.
@ -334,7 +334,6 @@ $obj.Configuration = [System.Net.WebUtility]::HtmlEncode(@"
<your XML here>
"@)
$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
@ -348,7 +347,6 @@ if($cimSetError) {
$events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore
} until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available
if($events.Count) {
$events | ForEach-Object {

11
windows/configuration/kiosk/lockdown-features-windows-10.md
View File

@ -9,21 +9,20 @@ ms.date: 12/31/2017
# Lockdown features from Windows Embedded 8.1 Industry
Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation.
Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 1. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation.
|Windows Embedded 8.1 Industry lockdown feature|Windows 10 feature|Changes|
|--- |--- |--- |
|[Hibernate Once/Resume Many (HORM)](/previous-versions/windows/embedded/dn449302(v=winembedded.82)): Quick boot to device|[HORM](/windows-hardware/customize/enterprise/hibernate-once-resume-many-horm-)|HORM is supported in Windows 10, version 1607 and later.|
|[Unified Write Filter](/previous-versions/windows/embedded/dn449332(v=winembedded.82)): protect a device's physical storage media|[Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter)|The Unified Write Filter is continued in Windows 10.|
|[Keyboard Filter](/previous-versions/windows/embedded/dn449298(v=winembedded.82)): block hotkeys and other key combinations|[Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)|Keyboard filter is added in Windows 10, version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via **Turn Windows Features On/Off**. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.|
|[Shell Launcher](/previous-versions/windows/embedded/dn449423(v=winembedded.82)): launch a Windows desktop application on sign-on|[Shell Launcher](/windows-hardware/customize/enterprise/shell-launcher)|Shell Launcher continues in Windows 10. It is now configurable in Windows ICD under the **SMISettings** category.<br>Learn [how to use Shell Launcher to create a kiosk device](/windows/configuration/kiosk-single-app) that runs a Windows desktop application.|
|[Keyboard Filter](/previous-versions/windows/embedded/dn449298(v=winembedded.82)): block hotkeys and other key combinations|[Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)|Keyboard filter is added in Windows 10, version 151. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via **Turn Windows Features On/Off**. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.|
|[Shell Launcher](/previous-versions/windows/embedded/dn449423(v=winembedded.82)): launch a Windows desktop application on sign-on|[Shell Launcher](/windows-hardware/customize/enterprise/shell-launcher)|Shell Launcher continues in Windows 1. It is now configurable in Windows ICD under the **SMISettings** category.<br>Learn [how to use Shell Launcher to create a kiosk device](/windows/configuration/kiosk-single-app) that runs a Windows desktop application.|
|[Application Launcher](/previous-versions/windows/embedded/dn449251(v=winembedded.82)): launch a Universal Windows Platform (UWP) app on sign-on|[Assigned Access](/windows/client-management/mdm/assignedaccess-csp)|The Windows 8 Application Launcher has been consolidated into Assigned Access. Application Launcher enabled launching a Windows 8 app and holding focus on that app. Assigned Access offers a more robust solution for ensuring that apps retain focus.|
|[Dialog Filter](/previous-versions/windows/embedded/dn449395(v=winembedded.82)): suppress system dialogs and control which processes can run|[AppLocker](/windows/device-security/applocker/applocker-overview)|Dialog Filter has been deprecated for Windows 10. Dialog Filter provided two capabilities; the ability to control which processes were able to run, and the ability to prevent dialogs (in practice, system dialogs) from appearing.<li>Control over which processes are able to run will now be provided by AppLocker.<li>System dialogs in Windows 10 have been replaced with system toasts. To see more on blocking system toasts, see Toast Notification Filter below.|
|[Dialog Filter](/previous-versions/windows/embedded/dn449395(v=winembedded.82)): suppress system dialogs and control which processes can run|[AppLocker](/windows/device-security/applocker/applocker-overview)|Dialog Filter has been deprecated for Windows 1. Dialog Filter provided two capabilities; the ability to control which processes were able to run, and the ability to prevent dialogs (in practice, system dialogs) from appearing.<li>Control over which processes are able to run will now be provided by AppLocker.<li>System dialogs in Windows 10 have been replaced with system toasts. To see more on blocking system toasts, see Toast Notification Filter below.|
|[Toast Notification Filter](/previous-versions/windows/embedded/dn449360(v=winembedded.82)): suppress toast notifications|Mobile device management (MDM) and Group Policy|Toast Notification Filter has been replaced by MDM and Group Policy settings for blocking the individual components of non-critical system toasts that may appear. For example, to prevent a toast from appearing when a USB drive is connected, ensure that USB connections have been blocked using the USB-related policies, and turn off notifications from apps.<br>Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications**<br>MDM policy name may vary depending on your MDM service. In Microsoft Intune, use **Allow action center notifications** and a [custom OMA-URI setting](/mem/intune/configuration/custom-settings-windows-10) for **AboveLock/AllowActionCenterNotifications**.|
|[Embedded Lockdown Manager](/previous-versions/windows/embedded/dn449279(v=winembedded.82)): configure lockdown features|[Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd)|The Embedded Lockdown Manager has been deprecated for Windows 10 and replaced by the Windows ICD. Windows ICD is the consolidated tool for Windows imaging and provisioning scenarios and enables configuration of all Windows settings, including the lockdown features previously configurable through Embedded Lockdown Manager.|
|[USB Filter](/previous-versions/windows/embedded/dn449350(v=winembedded.82)): restrict USB devices and peripherals on system|MDM and Group Policy|The USB Filter driver has been replaced by MDM and Group Policy settings for blocking the connection of USB devices.<br> <br> Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Device Installation Restrictions**<br>MDM policy name may vary depending on your MDM service. In Microsoft Intune, use **Removable storage**.|
|[Assigned Access](/previous-versions/windows/embedded/dn449303(v=winembedded.82)): launch a UWP app on sign-in and lock access to system|[Assigned Access](/windows/client-management/mdm/assignedaccess-csp)|Assigned Access has undergone significant improvement for Windows 10. In Windows 8.1, Assigned Access blocked system hotkeys and edge gestures, and non-critical system notifications, but it also applied some of these limitations to other accounts on the device.<br>In Windows 10, Assigned Access no longer affects accounts other than the one being locked down. Assigned Access now restricts access to other apps or system components by locking the device when the selected user account logs in and launching the designated app above the lock screen, ensuring that no unintended functionality can be accessed.<br><br>Learn [how to use Assigned Access to create a kiosk device](/windows/configuration/kiosk-single-app) that runs a Universal Windows app.|
|[Assigned Access](/previous-versions/windows/embedded/dn449303(v=winembedded.82)): launch a UWP app on sign-in and lock access to system|[Assigned Access](/windows/client-management/mdm/assignedaccess-csp)|Assigned Access has undergone significant improvement for Windows 1. In Windows 8.1, Assigned Access blocked system hotkeys and edge gestures, and non-critical system notifications, but it also applied some of these limitations to other accounts on the device.<br>In Windows 10, Assigned Access no longer affects accounts other than the one being locked down. Assigned Access now restricts access to other apps or system components by locking the device when the selected user account logs in and launching the designated app above the lock screen, ensuring that no unintended functionality can be accessed.<br><br>Learn [how to use Assigned Access to create a kiosk device](/windows/configuration/kiosk-single-app) that runs a Universal Windows app.|
|[Gesture Filter](/previous-versions/windows/embedded/dn449374(v=winembedded.82)): block swipes from top, left, and right edges of screen|MDM and Group Policy|In Windows 8.1, gestures provided the ability to close an app, to switch apps, and to reach the Charms. In Windows 10, Charms have been removed. In Windows 10, version 1607, you can block swipes using the [Allow edge swipe](/windows/client-management/mdm/policy-configuration-service-provider#LockDown_AllowEdgeSwipe) policy.|
|[Custom Logon](/previous-versions/windows/embedded/dn449309(v=winembedded.82)): suppress Windows UI elements during Windows sign-on, sign-off, and shutdown|[Embedded Logon](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-embeddedlogon)|No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.|
|[Unbranded Boot](/previous-versions/windows/embedded/dn449249(v=winembedded.82)): custom brand a device by removing or replacing Windows boot UI elements|[Unbranded Boot](/windows-hardware/customize/enterprise/unbranded-boot)|No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.|

44
windows/configuration/kiosk/setup-digital-signage.md
View File

@ -23,31 +23,31 @@ This procedure explains how to configure digital signage using Kiosk Browser on
1. [Get **Kiosk Browser** in Microsoft Store for Business with offline, unencoded license type.](/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps)
2. [Download the **Kiosk Browser** package, license file, and all required frameworks.](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app)
2. [Install Windows Configuration Designer.](~/provisioning-packages/provisioning-install-icd.md)
3. Open Windows Configuration Designer and select **Provision kiosk devices**.
4. Enter a friendly name for the project, and select **Finish**.
5. On **Set up device**, select **Disabled**, and select **Next**.
6. On **Set up network**, enable network setup:
1. [Download the **Kiosk Browser** package, license file, and all required frameworks.](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app)
1. [Install Windows Configuration Designer.](~/provisioning-packages/provisioning-install-icd.md)
1. Open Windows Configuration Designer and select **Provision kiosk devices**.
1. Enter a friendly name for the project, and select **Finish**.
1. On **Set up device**, select **Disabled**, and select **Next**.
1. On **Set up network**, enable network setup:
- Toggle **On** wireless network connectivity.
- Enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
7. On **Account management**, select **Disabled**, and select **Next**.
8. On **Add applications**, select **Add an application**:
1. On **Account management**, select **Disabled**, and select **Next**.
1. On **Add applications**, select **Add an application**:
- For **Application name**, enter `Kiosk Browser`.
- For **Installer path**, browse to and select the AppxBundle that you downloaded from Microsoft Store for Business. After you select the package, additional fields are displayed.
- For **License file path**, browse to and select the XML license file that you downloaded from Microsoft Store for Business.
- The **Package family name** is populated automatically.
- Select **Next**.
9. On **Add certificates**, select **Next**.
10. On **Configure kiosk account and app**, toggle **Yes** to create a local user account for your digital signage:
1. On **Add certificates**, select **Next**.
1. On **Configure kiosk account and app**, toggle **Yes** to create a local user account for your digital signage:
- Enter a user name and password, and toggle **Auto sign-in** to **Yes**.
- Under **Configure the kiosk mode app**, enter the user name for the account that you're creating.
- For **App type**, select **Universal Windows App**.
- In **Enter the AUMID for the app**, enter `Microsoft.KioskBrowser_8wekyb3d8bbwe!App`.
11. In the bottom left corner of Windows Configuration Designer, select **Switch to advanced editor**.
1. In the bottom left corner of Windows Configuration Designer, select **Switch to advanced editor**.
12. Go to **Runtime settings** > **Policies** > **KioskBrowser**. Let's assume that the URL for your digital signage content is contoso.com/menu:
1. Go to **Runtime settings** > **Policies** > **KioskBrowser**. Let's assume that the URL for your digital signage content is contoso.com/menu:
- In **BlockedUrlExceptions**, enter `https://www.contoso.com/menu`.
- In **BlockedUrl**, enter `*`.
- In **DefaultUrl**, enter `https://www.contoso.com/menu`.
@ -56,13 +56,13 @@ This procedure explains how to configure digital signage using Kiosk Browser on
>[!TIP]
>For more information on kiosk browser settings, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers).
13. On the **File** menu, select **Save**, and select **OK** in the **Keep your info secure** dialog box.
14. On the **Export** menu, select **Provisioning package**.
15. Change the **Owner** to **IT Admin**, and select **Next**.
16. On **Select security details for the provisioning package**, select **Next**.
17. On **Select where to save the provisioning package**, select **Next**.
18. On **Build the provisioning package**, select **Build**.
19. On the **All done!** screen, click the **Output location**.
20. Copy the .ppkg file to a USB drive.
21. Attach the USB drive to the device that you want to use for your digital sign.
22. Go to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package on the USB drive.
1. On the **File** menu, select **Save**, and select **OK** in the **Keep your info secure** dialog box.
1. On the **Export** menu, select **Provisioning package**.
1. Change the **Owner** to **IT Admin**, and select **Next**.
1. On **Select security details for the provisioning package**, select **Next**.
1. On **Select where to save the provisioning package**, select **Next**.
1. On **Build the provisioning package**, select **Build**.
1. On the **All done!** screen, click the **Output location**.
1. Copy the .ppkg file to a USB drive.
1. Attach the USB drive to the device that you want to use for your digital sign.
1. Go to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package on the USB drive.

4
windows/configuration/lock-screen/windows-spotlight.md
View File

@ -28,19 +28,16 @@ For managed devices running Windows 10 Enterprise and Windows 10 Education, ente
The lock screen background will occasionally make recommendations on how to enhance your productivity and enjoyment of Microsoft products including suggesting other relevant Microsoft products and services.
![fun facts.](images/funfacts.png)
## How do you turn off Windows Spotlight locally?
To turn off Windows Spotlight locally, go to **Settings** &gt; **Personalization** &gt; **Lock screen** &gt; **Background** &gt; **Windows spotlight** &gt; select a different lock screen background
![personalization background.](images/spotlight.png)
## How do you disable Windows Spotlight for managed devices?
Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mobile device management (MDM) settings to help you manage Windows Spotlight on enterprise computers.
>[!NOTE]
@ -64,7 +61,6 @@ Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mo
>[!TIP]
>If you want to use a custom lock screen image that contains text, see [Resolution for custom lock screen image](#resolution-for-custom-lock-screen-image).
![lockscreen policy details.](images/lockscreenpolicy.png)
Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox isn't selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages.

1
windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
View File

@ -8,7 +8,6 @@ ms.date: 12/31/2017
# Configuration service providers for IT pros
This article explains how IT pros and system administrators can take advantage of many settings available through configuration service providers (CSPs) to configure devices running Windows client in their organizations. CSPs expose device configuration settings in Windows client. The CSPs are used by mobile device management (MDM) service providers and are documented in the [Hardware Dev Center](/windows/client-management/mdm/configuration-service-provider-reference).
## What is a CSP?

14
windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
View File

@ -50,11 +50,11 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
1. Open Windows Configuration Designer (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).
2. Click **Provision desktop devices**.
1. Click **Provision desktop devices**.
:::image type="content" source="../images/icd-create-options-1703.png" alt-text="In Windows Configuration Designer, see the ICD start options.":::
3. Name your project and click **Finish**. The pages for desktop provisioning will walk you through the following steps.
1. Name your project and click **Finish**. The pages for desktop provisioning will walk you through the following steps.
:::image type="content" source="../images/icd-desktop-1703.png" alt-text="In Windows Configuration Designer, select Finish, and see the ICD desktop provisioning.":::
@ -75,7 +75,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
- **Configure devices for shared use**: Select **Yes** or **No** to optimize the Windows client for shared use scenarios.
- **Remove pre-installed software**: Optional. Select **Yes** if you want to remove preinstalled software.
2. Set up the network:
1. Set up the network:
:::image type="content" source="../images/set-up-network-details-desktop.png" alt-text="In Windows Configuration Designer, turn on wireless connectivity, enter the network SSID, and network type.":::
@ -85,7 +85,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
- **Network SSID**: Enter the Service Set IDentifier (SSID) of the network.
- **Network type**: Select **Open** or **WPA2-Personal**. If you select **WPA2-Personal**, enter the password for the wireless network.
3. Enable account management:
1. Enable account management:
:::image type="content" source="../images/account-management-details.png" alt-text="In Windows Configuration Designer, join Active Directory, Microsoft Entra ID, or create a local admin account.":::
@ -101,13 +101,13 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
- **Local administrator**: If you select this option, enter a user name and password. If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password isn't changed during that period, the account might be locked out, and unable to sign in.
4. Add applications:
1. Add applications:
:::image type="content" source="../images/add-applications-details.png" alt-text="In Windows Configuration Designer, add an application.":::
To add applications to the devices, select **Add applications**. You can install multiple applications, including Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps. The settings in this step vary depending on the application you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md).
5. Add certificates:
1. Add certificates:
:::image type="content" source="../images/add-certificates-details.png" alt-text="In Windows Configuration Designer, add a certificate.":::
@ -116,7 +116,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
- **Certificate name**: Enter a name for the certificate.
- **Certificate path**: Browse and select the certificate you want to add.
6. Finish:
1. Finish:
:::image type="content" source="../images/finish-details.png" alt-text="In Windows Configuration Designer, protect your package with a password.":::

50
windows/configuration/provisioning-packages/provision-pcs-with-apps.md
View File

@ -50,19 +50,17 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate
- **Required win32 app dependencies**: Optionally, specify more files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab-the-application-assets). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract).
<span id="adv" />
## Add a Windows desktop application using advanced editor in Windows Configuration Designer
1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **PrimaryContext** > **Command**.
2. Enter a name for the first app, and then select **Add**.
1. Enter a name for the first app, and then select **Add**.
![enter name for first app.](../images/wcd-app-name.png)
3. Configure the settings for the appropriate installer type.
1. Configure the settings for the appropriate installer type.
![enter settings for first app.](../images/wcd-app-commands.png)
@ -72,14 +70,13 @@ Universal apps that you can distribute in the provisioning package can be line-o
1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**.
2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page.
1. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page.
3. For **ApplicationFile**, select **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
1. For **ApplicationFile**, select **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
4. For **DependencyAppxFiles**, select **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page.
1. For **DependencyAppxFiles**, select **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page.
5. For **DeviceContextAppLicense**, enter the **LicenseProductID**.
1. For **DeviceContextAppLicense**, enter the **LicenseProductID**.
- In Microsoft Store for Business, generate the unencoded license for the app on the app's download page.
@ -88,9 +85,9 @@ Universal apps that you can distribute in the provisioning package can be line-o
- Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and select **Add**.
6. In the **Available customizations** pane, select the **LicenseProductId** that you just added.
1. In the **Available customizations** pane, select the **LicenseProductId** that you just added.
7. For **LicenseInstall**, select **Browse**, navigate to the license file that you renamed *\<file name>*.**ms-windows-store-license**, and select the license file.
1. For **LicenseInstall**, select **Browse**, navigate to the license file that you renamed *\<file name>*.**ms-windows-store-license**, and select the license file.
[Learn more about distributing offline apps from the Microsoft Store for Business.](/microsoft-store/distribute-offline-apps)
@ -103,16 +100,15 @@ Universal apps that you can distribute in the provisioning package can be line-o
1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**.
2. Enter a **CertificateName** and then select **Add**.
1. Enter a **CertificateName** and then select **Add**.
2. Enter the **CertificatePassword**.
1. Enter the **CertificatePassword**.
3. For **CertificatePath**, browse and select the certificate to be used.
1. For **CertificatePath**, browse and select the certificate to be used.
4. Set **ExportCertificate** to **False**.
5. For **KeyLocation**, select **Software only**.
1. Set **ExportCertificate** to **False**.
1. For **KeyLocation**, select **Software only**.
## Add other settings to your package
@ -122,20 +118,20 @@ For details about the settings you can customize in provisioning packages, see [
1. When you are done configuring the provisioning package, on the **File** menu, select **Save**.
2. Read the warning that project files may contain sensitive information, and select **OK**.
1. Read the warning that project files may contain sensitive information, and select **OK**.
When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location, and delete the project files when they're no longer needed.
3. On the **Export** menu, select **Provisioning package**.
1. On the **Export** menu, select **Provisioning package**.
4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
1. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
5. Set a value for **Package Version**.
1. Set a value for **Package Version**.
> [!TIP]
> You can make changes to existing packages and change the version number to update previously applied packages.
6. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
1. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
@ -144,15 +140,15 @@ For details about the settings you can customize in provisioning packages, see [
> [!TIP]
> We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store. Any package signed with that certificate can be applied silently.
7. Select **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.<p>
1. Select **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.<p>
Optionally, you can select **Browse** to change the default output location.
8. Select **Next**.
1. Select **Next**.
9. Select **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.<p>
1. Select **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.<p>
If you need to cancel the build, select **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
10. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.<p>
1. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.<p>
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, select **Back** to change the output package name and path, and then select **Next** to start another build.
@ -160,7 +156,7 @@ For details about the settings you can customize in provisioning packages, see [
- If you are done, select **Finish** to close the wizard and go back to the **Customizations Page**.
11. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods:
1. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods:
- Shared network folder

20
windows/configuration/provisioning-packages/provisioning-apply-package.md
View File

@ -26,22 +26,22 @@ To apply a provisioning package from a USB drive during initial setup:
:::image type="content" source="../images/oobe.png" alt-text="The first screen when setting up a new PC.":::
2. Insert the USB drive. If nothing happens when you insert the USB drive, press the Windows key five times.
1. Insert the USB drive. If nothing happens when you insert the USB drive, press the Windows key five times.
- If there is only one provisioning package on the USB drive, the provisioning package is applied. See step 5.
- If there is more than one provisioning package on the USB drive, Windows setup will recognize the drive and ask how you want to provision the device. Select **Install provisioning package** and select **Next**.
:::image type="content" source="../images/provisioning-oobe-choice.png" alt-text="What would you like to do?":::
3. Select the provisioning package (`.ppkg`) that you want to apply, and select **Yes**.
1. Select the provisioning package (`.ppkg`) that you want to apply, and select **Yes**.
:::image type="content" source="../images/provisioning-oobe-choose-package.png" alt-text="Choose a package.":::
4. The selected provisioning package will install and apply to the device.
1. The selected provisioning package will install and apply to the device.
:::image type="content" source="../images/provisioning-oobe-installing.png" alt-text="Setting up your PC.":::
5. Wait for the device to load and begin applying the provisioning package. Once you see "You can remove your removable media now!" you can remove your USB drive. Windows will continue provisioning the device.
1. Wait for the device to load and begin applying the provisioning package. Once you see "You can remove your removable media now!" you can remove your USB drive. Windows will continue provisioning the device.
## After initial setup
@ -53,19 +53,19 @@ Provisioning packages can be applied after initial setup through Windows setting
:::image type="content" source="../images/provisioning-runtime-manage-packages.png" alt-text="Add or remove a provisioning package.":::
2. Choose the method you want to use, such as **Removable Media**.
1. Choose the method you want to use, such as **Removable Media**.
:::image type="content" source="../images/provisioning-runtime-choose-package.png" alt-text="Choose a method.":::
3. Select the provisioning package (`.ppkg`) that you want to apply, and select **Add**.
1. Select the provisioning package (`.ppkg`) that you want to apply, and select **Add**.
:::image type="content" source="../images/provisioning-runtime-add-package.png" alt-text="Select and add a package.":::
4. Provisioning packages require administrator privileges as they can modify system policies and run scripts at the system level. Ensure you trust the package you are installing before accepting the UAC prompt. Select **Yes**.
1. Provisioning packages require administrator privileges as they can modify system policies and run scripts at the system level. Ensure you trust the package you are installing before accepting the UAC prompt. Select **Yes**.
:::image type="content" source="../images/provisioning-runtime-UAC.png" alt-text="Do you want to allow changes to your device?":::
5. The provisioning runtime will ask if the package is from a source you trust. Verify that you are applying the correct package and that it is trusted. Select **Yes, add it**.
1. The provisioning runtime will ask if the package is from a source you trust. Verify that you are applying the correct package and that it is trusted. Select **Yes, add it**.
:::image type="content" source="../images/provisioning-runtime-trust.png" alt-text="Do you trust this package?":::
@ -77,11 +77,11 @@ To apply a provisioning package directly, such as from a USB drive, folder, netw
:::image type="content" source="../images/provisioning-runtime-click-to-install.png" alt-text="Double-click package to being installation.":::
2. Provisioning packages require administrator privileges as they can modify system policies and run scripts at the system level. Ensure you trust the package you are installing before accepting the UAC prompt. Select **Yes**.
1. Provisioning packages require administrator privileges as they can modify system policies and run scripts at the system level. Ensure you trust the package you are installing before accepting the UAC prompt. Select **Yes**.
:::image type="content" source="../images/provisioning-runtime-UAC.png" alt-text="Do you want to allow changes to your device?":::
3. The provisioning runtime will ask if the package is from a source you trust. Verify that you are applying the correct package and that it is trusted. Select **Yes, add it**.
1. The provisioning runtime will ask if the package is from a source you trust. Verify that you are applying the correct package and that it is trusted. Select **Yes, add it**.
:::image type="content" source="../images/provisioning-runtime-trust.png" alt-text="Do you trust this package?":::

34
windows/configuration/provisioning-packages/provisioning-create-package.md
View File

@ -8,7 +8,6 @@ ms.date: 12/31/2017
# Create a provisioning package
You can use Windows Configuration Designer to create a provisioning package (`.ppkg`) that contains customization settings, and then apply the provisioning package to a device running Windows client.
>[Learn how to install Windows Configuration Designer.](provisioning-install-icd.md)
@ -20,7 +19,7 @@ You can use Windows Configuration Designer to create a provisioning package (`.p
1. Open Windows Configuration Designer: From either the Start menu or Start menu search, type **Windows Configuration Designer**, and then select the **Windows Configuration Designer** shortcut.
2. Select your desired option on the **Start** page, which offers multiple options for creating a provisioning package, as shown in the following image:
1. Select your desired option on the **Start** page, which offers multiple options for creating a provisioning package, as shown in the following image:
![Configuration Designer wizards.](../images/icd-create-options-1703.png)
@ -44,10 +43,9 @@ You can use Windows Configuration Designer to create a provisioning package (`.p
>
> ![Switch to advanced editor.](../images/icd-switch.png)
3. Enter a name for your project, and then select **Next**.
4. Select the settings you want to configure, based on the type of device, and then select **Next**. The following table describes the options.
1. Enter a name for your project, and then select **Next**.
1. Select the settings you want to configure, based on the type of device, and then select **Next**. The following table describes the options.
| Windows edition | Settings available for customization | Provisioning package can apply to |
|---|---|---|
@ -57,13 +55,12 @@ You can use Windows Configuration Designer to create a provisioning package (`.p
| Windows 10 Holographic | Common settings and settings specific to Windows 10 Holographic | [Microsoft HoloLens](/hololens/hololens-provisioning) |
| Common to Windows 10 Team edition | Common settings and settings specific to Windows 10 Team | [Microsoft Surface Hub](/surface-hub/provisioning-packages-for-surface-hub) |
5. On the **Import a provisioning package (optional)** page, you can select **Finish** to create your project, or browse to and select an existing provisioning package to import to your project, and then select **Finish**.
1. On the **Import a provisioning package (optional)** page, you can select **Finish** to create your project, or browse to and select an existing provisioning package to import to your project, and then select **Finish**.
>[!TIP]
>**Import a provisioning package** can make it easier to create different provisioning packages that all have certain settings in common. For example, you could create a provisioning package that includes the settings for your organization's network. Then, import that package into other packages that you create so you don't have to reconfigure those common settings repeatedly.
6. In the **Available customizations** pane, you can now configure settings for the package.
1. In the **Available customizations** pane, you can now configure settings for the package.
## Configure settings
@ -79,19 +76,19 @@ The process for configuring settings is similar for all settings. The following
:::image type="content" source="../images/icd-step1.png" alt-text="In Windows Configuration Designer, expand the Certificates category.":::
2. Select a setting:
1. Select a setting:
:::image type="content" source="../images/icd-step2.png" alt-text="In Windows Configuration Designer, select ClientCertificates.":::
3. Enter a value for the setting. Select **Add** if the button is displayed:
1. Enter a value for the setting. Select **Add** if the button is displayed:
:::image type="content" source="../images/icd-step3.png" alt-text="In Windows Configuration Designer, enter a name for the certificate.":::
4. Some settings, such as this example, require additional information. In **Available customizations**, select the value you just created, and more settings are displayed:
1. Some settings, such as this example, require additional information. In **Available customizations**, select the value you just created, and more settings are displayed:
:::image type="content" source="../images/icd-step4.png" alt-text="In Windows Configuration Designer, additional settings for client certificate are available.":::
5. When the setting is configured, it is displayed in the **Selected customizations** pane:
1. When the setting is configured, it is displayed in the **Selected customizations** pane:
:::image type="content" source="../images/icd-step5.png" alt-text="In Windows Configuration Designer, the selected customizations pane shows your settings.":::
@ -99,21 +96,20 @@ For details on each specific setting, see [Windows Provisioning settings referen
![Windows Configuration Designer opens the reference topic when you select a setting.](../images/icd-setting-help.png)
## Build package
1. After you're done configuring your customizations, select **Export**, and then select **Provisioning Package**.
![Export on top bar.](../images/icd-export-menu.png)
2. In the **Describe the provisioning package** window, enter the following information, and then select **Next**:
1. In the **Describe the provisioning package** window, enter the following information, and then select **Next**:
- **Name** - This field is pre-populated with the project name. You can change this value by entering a different name in the **Name** field.
- **Version (in Major.Minor format** - Optional. You can change the default package version by specifying a new value in the **Version** field.
- **Owner** - Select **IT Admin**. For more information, see [Precedence for provisioning packages](provisioning-how-it-works.md#precedence-for-provisioning-packages).
- **Rank (between 0-99)** - Optional. You can select a value between 0 and 99, inclusive. The default package rank is 0.
3. In the **Select security details for the provisioning package** window, you can select to encrypt and/or sign a provisioning package with a selected certificate, and then select **Next**. Both selections are optional:
1. In the **Select security details for the provisioning package** window, you can select to encrypt and/or sign a provisioning package with a selected certificate, and then select **Next**. Both selections are optional:
- **Encrypt package** - If you select this option, an autogenerated password will be shown on the screen.
- **Sign package** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by selecting **Select** and choosing the certificate you want to use to sign the package.
@ -124,19 +120,19 @@ For details on each specific setting, see [Windows Provisioning settings referen
>
>If a provisioning package is signed by a trusted provisioner, it can be installed on a device without a prompt for user consent. In order to enable trusted provider certificates, you must set the **TrustedProvisioners** setting prior to installing the trusted provisioning package. This is the only way to install a package without user consent. To provide additional security, you can also set **RequireProvisioningPackageSignature**, which prevents users from installing provisioning packages that are not signed by a trusted provisioner.
4. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then select **Next**. By default, Windows Configuration Designer uses the project folder as the output location.
1. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then select **Next**. By default, Windows Configuration Designer uses the project folder as the output location.
5. In the **Build the provisioning package** window, select **Build**. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
1. In the **Build the provisioning package** window, select **Build**. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
If you need to cancel the build, select **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations** page.
6. If your build fails, an error message will appear that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
1. If your build fails, an error message will appear that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, select **Back** to change the output package name and path, and then select **Next** to start another build.
7. When you are done, select **Finish** to close the wizard and go back to the **Customizations** page.
1. When you are done, select **Finish** to close the wizard and go back to the **Customizations** page.
**Next step**: [How to apply a provisioning package](provisioning-apply-package.md)

11
windows/configuration/provisioning-packages/provisioning-how-it-works.md
View File

@ -32,15 +32,15 @@ When multiple provisioning packages are available for device provisioning, the c
1. Microsoft
2. Silicon Vendor
1. Silicon Vendor
3. OEM
1. OEM
4. System Integrator
1. System Integrator
5. Mobile Operator
1. Mobile Operator
6. IT Admin
1. IT Admin
The valid value range of package rank level is 0 to 99.
@ -106,7 +106,6 @@ Device users can apply a provisioning package from a remote source when the devi
The following table shows how device provisioning can be initiated when a user first boots to OOBE.
| Package delivery | Initiation method | Supported device |
| --- | --- | --- |
| Removable media - USB drive or SD card</br> (Packages must be placed at media root) | Five fast taps on the Windows key to launch the provisioning UI |All Windows devices |

4
windows/configuration/provisioning-packages/provisioning-install-icd.md
View File

@ -56,8 +56,8 @@ On devices running Windows client, you can install [the Windows Configuration De
- To enable the simplified authoring jscripts to work on a server SKU running Windows Configuration Designer, you must enable **Allow websites to prompt for information using scripted windows**:
1. Open Internet Explorer.
2. Go to **Settings** > **Internet Options** > **Security** > **Custom level**.
3. Select **Allow websites to prompt for information using scripted windows** > **Enable**.
1. Go to **Settings** > **Internet Options** > **Security** > **Custom level**.
1. Select **Allow websites to prompt for information using scripted windows** > **Enable**.
- If you copy a Windows Configuration Designer project from one PC to another PC, then:

27
windows/configuration/provisioning-packages/provisioning-multivariant.md
View File

@ -15,7 +15,6 @@ To provision multivariant settings, you use Windows Configuration Designer to cr
Let's begin by learning how to define a **Target**.
## Define a target
In the XML file, you provide an **Id**, or friendly name, for each **Target**. Each **Target** is defined by at least one **TargetState** which contains at least one **Condition**. A **Condition** element defines the matching type between the condition and the specified value.
@ -38,7 +37,6 @@ The following information describes the logic for the target definition:
The following table shows the conditions supported in Windows client provisioning for a **TargetState**:
| Condition Name | Condition priority | Windows client for desktop editions | Value type | Value description |
| --- | --- | --- | --- | --- |
| MNC | P0 | Supported | Digit string | Use to target settings based on the Mobile Network Code (MNC) value. |
@ -60,7 +58,6 @@ The following table shows the conditions supported in Windows client provisionin
| Region | P1 | Supported | Enumeration | Use to target settings based on country/region, using the 2-digit alpha ISO code per [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2). |
| Lang | P1 | Supported | Enumeration | Use to target settings based on language code, using the 2-digit [ISO 639 alpha-2 code](https://en.wikipedia.org/wiki/ISO_639). |
The matching types supported in Windows client are:
| Matching type | Syntax | Example |
@ -82,13 +79,13 @@ The **TargetState** priority is assigned based on the condition's priority (see
1. A **TargetState** with P0 conditions is higher than a **TargetState** without P0 conditions.
2. A **TargetState** with both P0 and P1 conditions is higher than a **TargetState** with only P0 conditions.
1. A **TargetState** with both P0 and P1 conditions is higher than a **TargetState** with only P0 conditions.
2. A **TargetState** with a greater number of matched P0 conditions is higher than **TargetState** with fewer matched P0 conditions, regardless of the number of P1 conditions matched.
1. A **TargetState** with a greater number of matched P0 conditions is higher than **TargetState** with fewer matched P0 conditions, regardless of the number of P1 conditions matched.
2. If the number of P0 conditions matched are equivalent, then the **TargetState** with the most matched P1 conditions has higher priority.
1. If the number of P0 conditions matched are equivalent, then the **TargetState** with the most matched P1 conditions has higher priority.
3. If both P0 and P1 conditions are equally matched, then the **TargetState** with the greatest total number of matched conditions has highest priority.
1. If both P0 and P1 conditions are equally matched, then the **TargetState** with the greatest total number of matched conditions has highest priority.
@ -96,14 +93,13 @@ The **TargetState** priority is assigned based on the condition's priority (see
Follow these steps to create a provisioning package with multivariant capabilities.
1. Build a provisioning package and configure the customizations you want to apply during certain conditions. For more information, see [Create a provisioning package](provisioning-create-package.md).
2. After you've [configured the settings](provisioning-create-package.md#configure-settings), save the project.
1. After you've [configured the settings](provisioning-create-package.md#configure-settings), save the project.
3. Open the project folder and copy the customizations.xml file to any local location.
1. Open the project folder and copy the customizations.xml file to any local location.
4. Use an XML or text editor to open the customizations.xml file.
1. Use an XML or text editor to open the customizations.xml file.
The customizations.xml file holds the package metadata (including the package owner and rank) and the settings that you configured when you created your provisioning package. The **Customizations** node of the file contains a **Common** section, which contains the customization settings.
@ -137,7 +133,7 @@ Follow these steps to create a provisioning package with multivariant capabiliti
```
5. Edit the customizations.xml file to create a **Targets** section to describe the conditions that will handle your multivariant settings.
1. Edit the customizations.xml file to create a **Targets** section to describe the conditions that will handle your multivariant settings.
The following example shows the customizations.xml, which has been modified to include several conditions including **ProcessorName**, **ProcessorType**, **MCC**, and **MNC**.
@ -188,7 +184,7 @@ Follow these steps to create a provisioning package with multivariant capabiliti
```
6. In the customizations.xml file, create a **Variant** section for the settings you need to customize. To do this:
1. In the customizations.xml file, create a **Variant** section for the settings you need to customize. To do this:
a. Define a child **TargetRefs** element.
@ -258,10 +254,9 @@ Follow these steps to create a provisioning package with multivariant capabiliti
```
7. Save the updated customizations.xml file and note the path to this updated file. You will need the path as one of the values for the next step.
1. Save the updated customizations.xml file and note the path to this updated file. You will need the path as one of the values for the next step.
8. Use the [Windows Configuration Designer command-line interface](provisioning-command-line.md) to create a provisioning package using the updated customizations.xml.
1. Use the [Windows Configuration Designer command-line interface](provisioning-command-line.md) to create a provisioning package using the updated customizations.xml.
For example:

2
windows/configuration/provisioning-packages/provisioning-packages.md
View File

@ -96,7 +96,7 @@ For details about the settings you can customize in provisioning packages, see [
<!-- ## Changes to provisioning in Windows 10, version 1607 -->
<!-- > [!NOTE] -->
<!-- > This section is retained for customers using Windows 10, version 1607, on the Current Branch for Business. Some of this information is not applicable in Windows 10, version 1703. -->
<!-- > This section is retained for customers using Windows 10, version 1607, on the Current Branch for Business. Some of this information is not applicable in Windows 10, version 1701. -->
WCD, simplified common provisioning scenarios.

1
windows/configuration/provisioning-packages/provisioning-powershell.md
View File

@ -75,7 +75,6 @@ Trace logs are captured when using cmdlets. The following logs are available in
>[!NOTE]
>When applying provisioning packages using Powershell cmdlets, the default behavior is to suppress the prompt that appears when applying an unsigned provisioning package. This is by design so that provisioning packages can be applied as part of existing scripts.
## Related articles
- [How provisioning works in Windows client](provisioning-how-it-works.md)

20
windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
View File

@ -14,7 +14,7 @@ This walkthrough describes how to include scripts in a Windows client provisioni
1. On the device where you're authoring the package, place all of your assets in a known location. Each asset must have a unique filename, because all files will be copied to the same temp directory on the device. It's common for many apps to have an installer called 'install.exe' or similar, and there may be name overlap because of that. To fix this, you can use the technique described in the next step to include a complete directory structure that is then expanded into the temp directory on the device. The most common use for this would be to include a subdirectory for each application.
2. If you need to include a directory structure of files, you will need to cab the assets for easy inclusion in the provisioning packages.
1. If you need to include a directory structure of files, you will need to cab the assets for easy inclusion in the provisioning packages.
## Cab the application assets
@ -91,7 +91,7 @@ This walkthrough describes how to include scripts in a Windows client provisioni
```
2. Use makecab to create the cab files.
1. Use makecab to create the cab files.
```makecab
Makecab -f <path to DDF file>
@ -208,30 +208,29 @@ When you are done, [build the package](provisioning-create-package.md#build-pack
### Remarks
1. No user interaction or console output is supported via ProvisioningCommands. All work needs to be silent. If your script attempts to do any of the following it will cause undefined behavior, and could put the device in an unrecoverable state if executed during setup or the Out of Box Experience:
a. Echo to console
b. Display anything on the screen
c. Prompt the user with a dialog or install wizard
2. When applied at first boot, provisioning runs early in the boot sequence and before a user context has been established; care must be taken to only include installers that can run at this time. Other installers can be provisioned via a management tool.
3. If the device is put into an unrecoverable state because of a bad script, you can reset it using [recovery options in Windows client](https://support.microsoft.com/help/12415/windows-10-recovery-options).
4. The CommandFile assets are deployed on the device to a temporary folder unique to each package.
1. When applied at first boot, provisioning runs early in the boot sequence and before a user context has been established; care must be taken to only include installers that can run at this time. Other installers can be provisioned via a management tool.
1. If the device is put into an unrecoverable state because of a bad script, you can reset it using [recovery options in Windows client](https://support.microsoft.com/help/12415/windows-10-recovery-options).
1. The CommandFile assets are deployed on the device to a temporary folder unique to each package.
1. For packages added during the out of box experience, this is usually in `%WINDIR%\system32\config\systemprofile\appdata\local\Temp\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands\0`
The `0` after `Commands\` refers to the installation order and indicates the first app to be installed. The number will increment for each app in the package.
2. For packages added by double-clicking on an already deployed device, this will be in the temp folder for the user executing the provisioning package: `%TMP%\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands\0`
1. For packages added by double-clicking on an already deployed device, this will be in the temp folder for the user executing the provisioning package: `%TMP%\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands\0`
5. The command line will be executed with the directory the CommandFiles were deployed to as the working directory. This means you do not need to specific the full path to assets in the command line or from within any script.
6. The runtime provisioning component will attempt to run the scripts from the provisioning package at the earliest point possible, depending on the stage when the PPKG was added. For example, if the package was added during the Out-of-Box Experience, it will be run immediately after the package is applied, while the out of box experience is still happening. This is before the user account configuration options are presented to the user. A spinning progress dialog will appear and "please wait" will be displayed on the screen.
1. The command line will be executed with the directory the CommandFiles were deployed to as the working directory. This means you do not need to specific the full path to assets in the command line or from within any script.
1. The runtime provisioning component will attempt to run the scripts from the provisioning package at the earliest point possible, depending on the stage when the PPKG was added. For example, if the package was added during the Out-of-Box Experience, it will be run immediately after the package is applied, while the out of box experience is still happening. This is before the user account configuration options are presented to the user. A spinning progress dialog will appear and "please wait" will be displayed on the screen.
>[!NOTE]
>There is a timeout of 30 minutes for the provisioning process at this point. All scripts and installs need to complete within this time.
7. The scripts are executed in the background as the rest of provisioning continues to run. For packages added on existing systems using the double-click to install, there is no notification that provisioning or script execution has completed
1. The scripts are executed in the background as the rest of provisioning continues to run. For packages added on existing systems using the double-click to install, there is no notification that provisioning or script execution has completed
## Related articles
@ -246,4 +245,3 @@ When you are done, [build the package](provisioning-create-package.md#build-pack
- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md)
- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)

3
windows/configuration/provisioning-packages/provisioning-uninstall-package.md
View File

@ -8,10 +8,8 @@ ms.date: 12/31/2017
# Settings changed when you uninstall a provisioning package
When you uninstall a provisioning package, only certain settings are revertible. This article lists the settings that are reverted when you uninstall a provisioning package.
As an administrator, you can uninstall by using the **Add or remove a package for work or school** option available under **Settings** > **Accounts** > **Access work or school**.
When a provisioning package is uninstalled, some of its settings are reverted, which means the value for the setting is changed to the next available or default value. Not all settings, however, are revertible.
@ -22,7 +20,6 @@ Only settings in the following lists are revertible.
The registry-based settings that are revertible when a provisioning package is uninstalled all fall under these categories, which you can find in the Windows Configuration Designer.
- [Wi-Fi Sense](../wcd/wcd-connectivityprofiles.md#wifisense)
- [CountryAndRegion](../wcd/wcd-countryandregion.md)
- DeviceManagement / PGList/ LogicalProxyName

4
windows/configuration/start/changes-to-start-policies-in-windows-10.md
View File

@ -9,12 +9,10 @@ ms.date: 08/18/2023
# Changes to Group Policy settings for Windows 10 Start
Windows 10 has a brand new Start experience. As a result, there are changes to the Group Policy settings that you can use to manage Start. Some policy settings are new or changed, and some old Start policy settings still apply. Other Start policy settings no longer apply and are deprecated.
## Start policy settings supported for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
These policy settings are available in **Administrative Templates\\Start Menu and Taskbar** under **User Configuration**.
|Policy|Notes|
@ -38,7 +36,7 @@ These policy settings are available in **Administrative Templates\\Start Menu an
## Deprecated Group Policy settings for Start
The Start policy settings listed in the following table don't work on Windows 10. Most of them were deprecated in Windows 8 however a few more were deprecated in Windows 10. Deprecation in this case means that the policy setting won't work on Windows 10. The "Supported on" text for a policy setting won't list Windows 10. The policy settings are still in the Group Policy Management Console and can be used on the operating systems that they apply to.
The Start policy settings listed in the following table don't work on Windows 1. Most of them were deprecated in Windows 8 however a few more were deprecated in Windows 1. Deprecation in this case means that the policy setting won't work on Windows 1. The "Supported on" text for a policy setting won't list Windows 1. The policy settings are still in the Group Policy Management Console and can be used on the operating systems that they apply to.
| Policy | When deprecated |
|----------------------------------------------------------------------------------|-----------------|

2
windows/configuration/start/customize-and-export-start-layout.md
View File

@ -156,7 +156,7 @@ If the Start layout is applied by Group Policy or MDM, and the policy is removed
1. Save the file and apply using any of the deployment methods.
> [!NOTE]
> Office 2019 tiles might be removed from the Start menu when you upgrade Office 2019. This only occurs if Office 2019 app tiles are in a custom group in the Start menu and only contains the Office 2019 app tiles. To avoid this problem, place another app tile in the Office 2019 group prior to the upgrade. For example, add Notepad.exe or calc.exe to the group. This issue occurs because Office 2019 removes and reinstalls the apps when they are upgraded. Start removes empty groups when it detects that all apps for that group have been removed.
> Office 2019 tiles might be removed from the Start menu when you upgrade Office 201. This only occurs if Office 2019 app tiles are in a custom group in the Start menu and only contains the Office 2019 app tiles. To avoid this problem, place another app tile in the Office 2019 group prior to the upgrade. For example, add Notepad.exe or calc.exe to the group. This issue occurs because Office 2019 removes and reinstalls the apps when they are upgraded. Start removes empty groups when it detects that all apps for that group have been removed.
## Related articles

24
windows/configuration/start/customize-start-menu-layout-windows-11.md
View File

@ -74,8 +74,8 @@ If you're familiar with creating JSON files, you can create your own `LayoutModi
### Export an existing Start layout
1. Create a folder to save the `.json` file. For example, create the `C:\Layouts` folder.
2. On a Windows 11 device, open the Windows PowerShell app.
3. Run the following cmdlet. Name the file `LayoutModification.json`.
1. On a Windows 11 device, open the Windows PowerShell app.
1. Run the following cmdlet. Name the file `LayoutModification.json`.
```powershell
Export-StartLayout -Path "C:\Layouts\LayoutModification.json"
@ -85,7 +85,7 @@ If you're familiar with creating JSON files, you can create your own `LayoutModi
### Get the pinnedList JSON
1. Open the `LayoutModification.json` file in a JSON editor, such as Visual Studio Code or Notepad. For more information, see [edit JSON with Visual Studio Code](https://code.visualstudio.com/docs/languages/json).
2. In the file, you see the `pinnedList` section. This section includes all of the pinned apps. Copy the `pinnedList` content in the JSON file. You'll use it in the next section.
1. In the file, you see the `pinnedList` section. This section includes all of the pinned apps. Copy the `pinnedList` content in the JSON file. You'll use it in the next section.
In the following example, you see that Microsoft Edge, Microsoft Word, the Microsoft Store app, and Notepad are pinned:
@ -108,7 +108,7 @@ If you're familiar with creating JSON files, you can create your own `LayoutModi
```
3. Starting with Windows 11, the **ConfigureStartPins** policy is available. This policy uses the `LayoutModification.json` file to add apps to the Pinned section. In your JSON file, you can add more apps to this section using the following keys:
1. Starting with Windows 11, the **ConfigureStartPins** policy is available. This policy uses the `LayoutModification.json` file to add apps to the Pinned section. In your JSON file, you can add more apps to this section using the following keys:
---
| Key | Description |
@ -130,20 +130,20 @@ This section shows you how to create a pinned list policy in Intune. There isn't
To deploy this policy, the devices must be enrolled, and managed by your organization. For more information, see [What is device enrollment?](/mem/intune/enrollment/device-enrollment).
1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** > **Configuration profiles** > **Create profile**.
3. Enter the following properties:
1. Select **Devices** > **Configuration profiles** > **Create profile**.
1. Enter the following properties:
- **Platform**: Select **Windows 10 and later**.
- **Profile**: Select **Templates** > **Custom**.
4. Select **Create**.
5. In **Basics**, enter the following properties:
1. Select **Create**.
1. In **Basics**, enter the following properties:
- **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is **Win11: Custom Start layout**.
- **Description**: Enter a description for the profile. This setting is optional, and recommended.
6. Select **Next**.
7. In **Configuration settings** > **OMA-URI**, select **Add**. Add the following properties:
1. Select **Next**.
1. In **Configuration settings** > **OMA-URI**, select **Add**. Add the following properties:
- **Name**: Enter something like **Configure Start pins**.
- **Description**: Enter a description for the row. This setting is optional, and recommended.
@ -174,8 +174,8 @@ To deploy this policy, the devices must be enrolled, and managed by your organiz
:::image type="content" source="./images/customize-start-menu-layout-windows-11/endpoint-manager-admin-center-custom-oma-uri-start-layout.png" alt-text="Custom OMA-URI settings to customize Start menu layout using pinnedList":::
8. Select **Save** > **Next** to save your changes.
9. Configure the rest of the policy settings. For more specific information, see [Create a profile with custom settings](/mem/intune/configuration/custom-settings-configure).
1. Select **Save** > **Next** to save your changes.
1. Configure the rest of the policy settings. For more specific information, see [Create a profile with custom settings](/mem/intune/configuration/custom-settings-configure).
The Windows OS exposes many CSPs that apply to the Start menu. For a list, see [Supported CSP policies for Windows 11 Start menu](supported-csp-start-menu-layout-windows.md).

19
windows/configuration/start/customize-windows-10-start-screens-by-using-group-policy.md
View File

@ -23,14 +23,12 @@ This topic describes how to update Group Policy settings to display a customized
## Operating system requirements
In Windows 10, version 1607, Start and taskbar layout control using Group Policy is supported in Windows 10 Enterprise and Windows 10 Education. In Windows 10, version 1703, Start and taskbar layout control using Group Policy is also supported in Windows 10 Pro.
The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. In Group Policy, ADMX files are used to define Registry-based policy settings in the Administrative Templates category. To find out how to create a central store for Administrative Templates files, see [article 929841, written for Windows Vista and still applicable](/troubleshoot/windows-server/group-policy/create-central-store-domain-controller) in the Microsoft Knowledge Base.
## <a href="" id="bkmk-howstartscreencontrolworks"></a>How Start layout control works
Three features enable Start and taskbar layout control:
- The [Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
@ -49,7 +47,6 @@ Three features enable Start and taskbar layout control:
## <a href="" id="bkmk-domaingpodeployment"></a>Use Group Policy to apply a customized Start layout in a domain
To apply the Start and taskbar layout to users in a domain, use the Group Policy Management Console (GPMC) to configure a domain-based Group Policy Object (GPO) that sets **Start Layout** policy settings in the **Start Menu and Taskbar** administrative template for users in a domain.
The GPO applies the Start and taskbar layout at the next user sign-in. Each time the user signs in, the timestamp of the .xml file with the Start and taskbar layout is checked and if a newer version of the file is available, the settings in the latest version of the file are applied.
@ -62,7 +59,6 @@ For information about deploying GPOs in a domain, see [Working with Group Policy
## <a href="" id="bkmk-localgpimport"></a>Use Group Policy to apply a customized Start layout on the local computer
You can use the Local Group Policy Editor to provide a customized Start and taskbar layout for any user who signs in on the local computer. To display the customized Start and taskbar layout for any user who signs in, configure **Start Layout** policy settings for the **Start Menu and Taskbar** administrative template. You can use the **Start Menu and Taskbar** administrative template in **User Configuration** or **Computer Configuration**.
>[!NOTE]
@ -70,30 +66,29 @@ You can use the Local Group Policy Editor to provide a customized Start and task
>
>This procedure creates a Local Group Policy that applies to all users on the computer. To configure Local Group Policy that applies to a specific user or group on the computer, see [Step-by-Step Guide to Managing Multiple Local Group Policy Objects](/previous-versions/windows/it-pro/windows-vista/cc766291(v=ws.10)). The guide was written for Windows Vista and the procedures still apply to Windows 10.
This procedure adds the customized Start and taskbar layout to the user configuration, which overrides any Start layout settings in the local computer configuration when a user signs in on the computer.
**To configure Start Layout policy settings in Local Group Policy Editor**
1. On the test computer, press the Windows key, type **gpedit**, and then select **Edit group policy (Control panel)**.
2. Go to **User Configuration** or **Computer Configuration** &gt; **Administrative Templates** &gt;**Start Menu and Taskbar**.
1. Go to **User Configuration** or **Computer Configuration** &gt; **Administrative Templates** &gt;**Start Menu and Taskbar**.
![start screen layout policy settings.](images/starttemplate.jpg)
3. Right-click **Start Layout** in the right pane, and click **Edit**.
1. Right-click **Start Layout** in the right pane, and click **Edit**.
This opens the **Start Layout** policy settings.
![policy settings for start screen layout.](images/startlayoutpolicy.jpg)
4. Enter the following settings, and then click **OK**:
1. Enter the following settings, and then click **OK**:
1. Select **Enabled**.
1. Select **Enabled**.
2. Under **Options**, specify the path to the .xml file that contains the Start and taskbar layout. For example, type **C:\\Users\\Test01\\StartScreenMarketing.xml**.
1. Under **Options**, specify the path to the .xml file that contains the Start and taskbar layout. For example, type **C:\\Users\\Test01\\StartScreenMarketing.xml**.
3. Optionally, enter a comment to identify the Start and taskbar layout.
1. Optionally, enter a comment to identify the Start and taskbar layout.
> [!IMPORTANT]
> If you disable Start Layout policy settings that have been in effect and then re-enable the policy, users will not be able to make changes to Start, however the layout in the .xml file will not be reapplied unless the file has been updated. In Windows PowerShell, you can update the timestamp on a file by running the following command:
@ -105,12 +100,10 @@ This procedure adds the customized Start and taskbar layout to the user configur
## <a href="" id="bkmk-updatestartscreenlayout"></a>Update a customized Start layout
After you use Group Policy to apply a customized Start and taskbar layout on a computer or in a domain, you can update the layout simply by replacing the .xml file that is specified in the Start Layout policy settings with a file with a newer timestamp.
## Related topics
- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
- [Customize and export Start layout](customize-and-export-start-layout.md)

20
windows/configuration/start/customize-windows-10-start-screens-by-using-mobile-device-management.md
View File

@ -25,7 +25,6 @@ In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can use
## <a href="" id="bkmk-howstartscreencontrolworks"></a>How Start layout control works
Two features enable Start layout control:
- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
@ -46,34 +45,33 @@ The following example uses Microsoft Intune to configure an MDM policy that appl
1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** > **Configuration profiles** > **Create profile**.
1. Select **Devices** > **Configuration profiles** > **Create profile**.
3. Enter the following properties:
1. Enter the following properties:
- **Platform**: Select **Windows 10 and later**.
- **Profile type**: Select **Templates** > **Device restrictions** > **Create**.
4. In **Basics**, enter the following properties:
1. In **Basics**, enter the following properties:
- **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify it later. For example, a good profile name is **Customize Start menu and taskbar**.
- **Description**: Enter a description for the profile. This setting is optional, but recommended.
5. Select **Next**.
1. Select **Next**.
6. In **Configuration settings**, select **Start**:
1. In **Configuration settings**, select **Start**:
- If you're using an XML file, select **Start menu layout**. Browse to and select your Start layout XML file.
- If you don't have an XML file, configure the others settings. For more information on these settings, see [Start settings in Microsoft Intune](/mem/intune/configuration/device-restrictions-windows-10#start).
7. Select **Next**.
8. In **Scope tags**, select **Next**. For more information about scope tags, see [Use RBAC and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags).
9. In **Assignments**, select the user or groups that will receive your profile. Select **Next**. For more information on assigning profiles, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign).
10. In **Review + create**, review your settings. When you select **Create**, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
1. Select **Next**.
1. In **Scope tags**, select **Next**. For more information about scope tags, see [Use RBAC and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags).
1. In **Assignments**, select the user or groups that will receive your profile. Select **Next**. For more information on assigning profiles, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign).
1. In **Review + create**, review your settings. When you select **Create**, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
> [!NOTE]
> For third party partner MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`.
## Next steps
- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)

55
windows/configuration/start/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
View File

@ -12,7 +12,7 @@ ms.date: 12/31/2017
> **Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
> [!NOTE]
> Currently, using provisioning packages to customize the Start menu layout is supported on Windows 10. It's not supported on Windows 11.
> Currently, using provisioning packages to customize the Start menu layout is supported on Windows 1. It's not supported on Windows 11.
In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, version 1703, you can use a provisioning package that you create with Windows Configuration Designer to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead.
@ -23,7 +23,6 @@ In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, version 1703
## <a href="" id="bkmk-howstartscreencontrolworks"></a>How Start layout control works
Three features enable Start and taskbar layout control:
- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
@ -41,82 +40,80 @@ Three features enable Start and taskbar layout control:
The **Export-StartLayout** cmdlet produces an XML file. Because Windows Configuration Designer produces a customizations.xml file that contains the configuration settings, adding the Start layout section to the customizations.xml file directly would result in an XML file embedded in an XML file. Before you add the Start layout section to the customizations.xml file, you must replace the markup characters in your layout.xml with escape characters.
1. Copy the contents of layout.xml into an online tool that escapes characters.
3. During the procedure to create a provisioning package, you will copy the text with the escape characters and paste it in the customizations.xml file for your project.
1. During the procedure to create a provisioning package, you will copy the text with the escape characters and paste it in the customizations.xml file for your project.
## <a href="" id="bkmk-domaingpodeployment"></a>Create a provisioning package that contains a customized Start layout
Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](../provisioning-packages/provisioning-install-icd.md)
> [!IMPORTANT]
> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
1. Open Windows Configuration Designer (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
1. Open Windows Configuration Designer (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
2. Choose **Advanced provisioning**.
1. Choose **Advanced provisioning**.
3. Name your project, and click **Next**.
1. Name your project, and click **Next**.
4. Choose **All Windows desktop editions** and click **Next**.
1. Choose **All Windows desktop editions** and click **Next**.
5. On **New project**, click **Finish**. The workspace for your package opens.
1. On **New project**, click **Finish**. The workspace for your package opens.
6. Expand **Runtime settings** &gt; **Policies** &gt; **Start**, and click **StartLayout**.
1. Expand **Runtime settings** &gt; **Policies** &gt; **Start**, and click **StartLayout**.
> [!TIP]
> If **Start** is not listed, check the type of settings you selected in step 4. You must create the project using settings for **All Windows desktop editions**.
> If **Start** is not listed, check the type of settings you selected in step 1. You must create the project using settings for **All Windows desktop editions**.
7. Enter **layout.xml**. This value creates a placeholder in the customizations.xml file that you will replace with the contents of the layout.xml file in a later step.
1. Enter **layout.xml**. This value creates a placeholder in the customizations.xml file that you will replace with the contents of the layout.xml file in a later step.
7. Save your project and close Windows Configuration Designer.
1. Save your project and close Windows Configuration Designer.
7. In File Explorer, open the project's directory. (The default location is C:\Users\\*user name*\Documents\Windows Imaging and Configuration Designer (WICD)\\*project name*)
1. In File Explorer, open the project's directory. (The default location is C:\Users\\*user name*\Documents\Windows Imaging and Configuration Designer (WICD)\\*project name*)
7. Open the customizations.xml file in a text editor. The **&lt;Customizations&gt;** section will look like this:
1. Open the customizations.xml file in a text editor. The **&lt;Customizations&gt;** section will look like this:
![Customizations file with the placeholder text to replace highlighted.](images/customization-start.png)
7. Replace **layout.xml** with the text from the layout.xml file, [with markup characters replaced with escape characters](#escape).
1. Replace **layout.xml** with the text from the layout.xml file, [with markup characters replaced with escape characters](#escape).
8. Save and close the customizations.xml file.
1. Save and close the customizations.xml file.
8. Open Windows Configuration Designer and open your project.
1. Open Windows Configuration Designer and open your project.
8. On the **File** menu, select **Save.**
1. On the **File** menu, select **Save.**
9. On the **Export** menu, select **Provisioning package**.
1. On the **Export** menu, select **Provisioning package**.
10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
1. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
1. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package.
12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location.
1. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location.
Optionally, you can click **Browse** to change the default output location.
13. Click **Next**.
1. Click **Next**.
14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
1. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
1. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
16. Copy the provisioning package to the target device.
1. Copy the provisioning package to the target device.
17. Double-click the ppkg file and allow it to install.
1. Double-click the ppkg file and allow it to install.
## Related topics

27
windows/configuration/start/start-layout-xml-desktop.md
View File

@ -9,7 +9,6 @@ appliesto:
# Start layout XML for desktop editions of Windows 10 (reference)
>**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
On Windows 10 for desktop editions, the customized Start works by:
@ -49,7 +48,6 @@ The XML schema for `LayoutModification.xml` requires the following order for tag
Comments are not supported in the `LayoutModification.xml` file.
### Supported elements and attributes
>[!NOTE]
@ -73,9 +71,9 @@ The following table lists the supported elements and attributes for the LayoutMo
| start:Folder<br><br>Parent:<br>start:Group | Name (in Windows 10, version 1809 and later only)<br>Size<br>Row<br>Column<br>LocalizedNameResourcetag | Use to specify a folder of icons; can include [Tile](#start-tile), [SecondaryTile](#start-secondarytile), and [DesktopApplicationTile](#start-desktopapplicationtile). |
| start:DesktopApplicationTile</br></br>Parent:</br>AppendGroup | DesktopApplicationID</br>DesktopApplicationLinkPath</br>Size</br>Row</br>Column | Use to specify any of the following:</br>- A Windows desktop application with a known AppUserModelID</br>- An application in a known folder with a link in a legacy Start Menu folder</br>- A Windows desktop application link in a legacy Start Menu folder</br>- A Web link tile with an associated `.url` file that is in a legacy Start Menu folder |
| start:SecondaryTile</br></br>Parent:</br>AppendGroup | AppUserModelID</br>TileID</br>Arguments</br>DisplayName</br>Square150x150LogoUri</br>ShowNameOnSquare150x150Logo</br>ShowNameOnWide310x150Logo</br>Wide310x150LogoUri</br>BackgroundColor</br>ForegroundText</br>IsSuggestedApp</br>Size</br>Row</br>Column | Use to pin a Web link through a Microsoft Edge secondary tile. Note that AppUserModelID is case-sensitive. |
| TopMFUApps</br></br>Parent:</br>LayoutModificationTemplate | n/a | Use to add up to three default apps to the frequently used apps section in the system area.</br></br>**Note**: Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. |
| Tile</br></br>Parent:</br>TopMFUApps | AppUserModelID | Use with the TopMFUApps tags to specify an app with a known AppUserModelID. </br></br>**Note**: Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. |
| DesktopApplicationTile</br></br>Parent:</br>TopMFUApps | LinkFilePath | Use with the TopMFUApps tags to specify an app without a known AppUserModelID.</br></br>**Note**: Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. |
| TopMFUApps</br></br>Parent:</br>LayoutModificationTemplate | n/a | Use to add up to three default apps to the frequently used apps section in the system area.</br></br>**Note**: Only applies to versions of Windows 10 earlier than version 1701. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. |
| Tile</br></br>Parent:</br>TopMFUApps | AppUserModelID | Use with the TopMFUApps tags to specify an app with a known AppUserModelID. </br></br>**Note**: Only applies to versions of Windows 10 earlier than version 1701. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. |
| DesktopApplicationTile</br></br>Parent:</br>TopMFUApps | LinkFilePath | Use with the TopMFUApps tags to specify an app without a known AppUserModelID.</br></br>**Note**: Only applies to versions of Windows 10 earlier than version 1701. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. |
| AppendOfficeSuite</br></br>Parent:</br>LayoutModificationTemplate | n/a | Use to add the in-box installed Office suite to Start. For more information, see [Customize the Office suite of tiles](/windows-hardware/customize/desktop/customize-start-layout#customize-the-office-suite-of-tiles).</br></br>Don't use this tag with AppendDownloadOfficeTile. |
| AppendDownloadOfficeTile</br></br>Parent:</br>LayoutModificationTemplate | n/a | Use to add a specific **Download Office** tile to a specific location in Start</br></br>Do not use this tag with AppendOfficeSuite |
@ -137,7 +135,7 @@ If you specify a region-agnostic **RequiredStartGroups** (or one without the opt
For Windows 10 for desktop editions, AppendGroup tags contain start:Tile, start:DesktopApplicationTile, or start:SecondaryTile tags.
You can specify any number of tiles in an **AppendGroup**, but you can't specify a tile with a **Row** attribute greater than 4. The Start layout doesn't support overlapping tiles.
You can specify any number of tiles in an **AppendGroup**, but you can't specify a tile with a **Row** attribute greater than 1. The Start layout doesn't support overlapping tiles.
### Specify Start tiles
@ -209,7 +207,6 @@ You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop ap
- Use the application's application user model ID, if this is known. If the Windows desktop application doesn't have one, use the shortcut link option.
You can use the [Get-StartApps cmdlet](/powershell/module/startlayout/get-startapps) on a PC that has the application pinned to Start to obtain the app ID.
To pin a Windows desktop application through this method, you must set the **DesktopApplicationID** attribute to the application user model ID that's associated with the corresponding app.
@ -286,7 +283,7 @@ Secondary Microsoft Edge tiles have the same size and location behavior as a Uni
#### TopMFUApps
>[!NOTE]
>Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start.
>Only applies to versions of Windows 10 earlier than version 1701. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start.
You can use the **TopMFUApps** tag to add up to 3 default apps to the frequently used apps section in the system area, which delivers system-driven lists to the user including important or frequently accessed system locations and recently installed apps.
@ -332,7 +329,7 @@ The following example shows how to add the **AppendOfficeSuite** tag to your Lay
#### AppendOfficeSuiteChoice
This tag is added in Windows 10, version 1803. You have two options in this tag:
This tag is added in Windows 10, version 1801. You have two options in this tag:
- `<AppendOfficeSuiteChoice Choice="DesktopBridgeSubscription"/>`
- `<AppendOfficeSuiteChoice Choice="DesktopBridge"/>`
@ -343,7 +340,6 @@ Use `Choice=DesktopBridge` on devices running versions of Windows 10 earlier tha
For more information, see [Customize the Office suite of tiles](/windows-hardware/customize/desktop/customize-start-layout#customize-the-office-suite-of-tiles).
#### AppendDownloadOfficeTile
You can use the **AppendDownloadOfficeTile** tag to append the Office trial installer to Start. This tag adds the **Download Office** tile to Start and the download tile will appear at the bottom right-hand side of the second group.
@ -449,8 +445,8 @@ The provisioning engine chooses the right customization file based on the target
For example, if you want to ensure that there's a specific layout for a certain condition, you can:
1. Create a specific layout customization file and then name it LayoutCustomization1.xml.
2. Include the file as part of your provisioning package.
3. Create your multivariant target and reference the XML file within the target condition in the main customization XML file.
1. Include the file as part of your provisioning package.
1. Create your multivariant target and reference the XML file within the target condition in the main customization XML file.
The following example shows what the overall customization file might look like with multivariant support for Start:
@ -526,10 +522,10 @@ You must repeat this process for all variants that you want to support so that e
Once you have created your LayoutModification.xml file to customize devices that will run Windows 10 for desktop editions, you can use Windows ICD methods to add the XML file to the device.
1. In the **Available customizations** pane, expand **Runtime settings**, select **Start** > Select the **StartLayout** setting.
2. In the middle pane, click **Browse** to open File Explorer.
3. In the File Explorer window, navigate to the location where you saved your LayoutModification.xml file.
1. In the middle pane, click **Browse** to open File Explorer.
1. In the File Explorer window, navigate to the location where you saved your LayoutModification.xml file.
4. Select the file and then click **Open**.
1. Select the file and then click **Open**.
This should set the value of **StartLayout**. The setting appears in the **Selected customizations** pane.
@ -538,7 +534,6 @@ This should set the value of **StartLayout**. The setting appears in the **Selec
Once you have created the LayoutModification.xml file and it is present in the device, the system overrides the base default layout and any Unattend settings used to customize Start.
## Related topics
- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)

83
windows/configuration/start/start-secondary-tiles.md
View File

@ -30,7 +30,6 @@ In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutE
**Example of secondary tiles in XML generated by Export-StartLayout**
```xml
<start:SecondaryTile
@ -62,7 +61,7 @@ In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutE
## Export Start layout and assets
1. Follow the instructions in [Customize and export Start layout](customize-and-export-start-layout.md#customize-the-start-screen-on-your-test-computer) to customize the Start screen on your test computer.
2. Open Windows PowerShell as an administrator and enter the following command:
1. Open Windows PowerShell as an administrator and enter the following command:
```powershell
Export-StartLayout -path <path><file name>.xml
@ -72,12 +71,12 @@ In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutE
Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet doesn't append the file name extension, and the policy settings require the extension.
3. If you'd like to change the image for a secondary tile to your own custom image, open the layout.xml file, and look for the images that the tile references.
1. If you'd like to change the image for a secondary tile to your own custom image, open the layout.xml file, and look for the images that the tile references.
- For example, your layout.xml contains `Square150x150LogoUri="ms-appdata:///local/PinnedTiles/21581260870/hires.png" Wide310x150LogoUri="ms-appx:///"`
- Open `C:\Users\<username>\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\21581260870\` and replace those images with your customized images.
4. In Windows PowerShell, enter the following command:
1. In Windows PowerShell, enter the following command:
```powershell
@ -93,37 +92,37 @@ You can apply the customized Start layout with images for secondary tiles by usi
In Microsoft Intune, you create a device restrictions policy to apply to device group. For other MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`.
1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** > **Configuration profiles** > **Create profile**.
3. Enter the following properties:
1. Select **Devices** > **Configuration profiles** > **Create profile**.
1. Enter the following properties:
- **Platform**: Select **Windows 10 and later**.
- **Profile**: Select **Templates** > **Device restrictions**.
4. Select **Create**.
5. In **Basics**, enter the following properties:
1. Select **Create**.
1. In **Basics**, enter the following properties:
- **Name**: Enter a descriptive name for the policy. Name your policies so you can easily identify them later.
- **Description**: Enter a description for the policy. This setting is optional, but recommended.
6. Select **Next**.
1. Select **Next**.
7. In **Configuration settings**, select **Start**. Configure the following properties:
1. In **Configuration settings**, select **Start**. Configure the following properties:
- **Start menu layout**: Browse to, and select your Start layout XML file.
- **Pin websites to tiles in Start menu**: Browse to, and select your assets XML file.
There are more Start menu settings you can configure. For more information on these settings, see [Start settings in Intune](/intune/device-restrictions-windows-10#start)
8. Select **Next**.
9. In **Scope tags** (optional), assign a tag to filter the profile to specific IT groups, such as `US-NC IT Team` or `JohnGlenn_ITDepartment`. For more information about scope tags, see [Use RBAC and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags).
1. Select **Next**.
1. In **Scope tags** (optional), assign a tag to filter the profile to specific IT groups, such as `US-NC IT Team` or `JohnGlenn_ITDepartment`. For more information about scope tags, see [Use RBAC and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags).
Select **Next**.
10. In **Assignments**, select the users or groups that will receive your profile. For more information on assigning profiles, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign).
1. In **Assignments**, select the users or groups that will receive your profile. For more information on assigning profiles, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign).
Select **Next**.
11. In **Review + create**, review your settings. When you select **Create**, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
1. In **Review + create**, review your settings. When you select **Create**, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
### Using a provisioning package
@ -135,9 +134,9 @@ The **export-StartLayout** and **export-StartLayoutEdgeAssets** cmdlets produce
1. Copy the contents of layout.xml into an online tool that escapes characters.
2. Copy the contents of assets.xml into an online tool that escapes characters.
1. Copy the contents of assets.xml into an online tool that escapes characters.
3. When you create a provisioning package, you'll copy the text with the escape characters and paste it in the customizations.xml file for your project.
1. When you create a provisioning package, you'll copy the text with the escape characters and paste it in the customizations.xml file for your project.
#### Create a provisioning package that contains a customized Start layout
@ -150,73 +149,73 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
1. Open Windows Configuration Designer (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
2. Choose **Advanced provisioning**.
1. Choose **Advanced provisioning**.
3. Name your project, and select **Next**.
1. Name your project, and select **Next**.
4. Choose **All Windows desktop editions** and select **Next**.
1. Choose **All Windows desktop editions** and select **Next**.
5. On **New project**, select **Finish**. The workspace for your package opens.
1. On **New project**, select **Finish**. The workspace for your package opens.
6. Expand **Runtime settings** &gt; **Policies** &gt; **Start**, and select **StartLayout**.
1. Expand **Runtime settings** &gt; **Policies** &gt; **Start**, and select **StartLayout**.
>[!TIP]
>If **Start** is not listed, check the type of settings you selected in step 4. You must create the project using settings for **All Windows desktop editions**.
>If **Start** is not listed, check the type of settings you selected in step 1. You must create the project using settings for **All Windows desktop editions**.
7. Enter **layout.xml**. This value creates a placeholder in the customizations.xml file that you'll replace with the contents of the layout.xml file in a later step.
1. Enter **layout.xml**. This value creates a placeholder in the customizations.xml file that you'll replace with the contents of the layout.xml file in a later step.
8. In the **Available customizations** pane, select **ImportEdgeAssets**.
1. In the **Available customizations** pane, select **ImportEdgeAssets**.
9. Enter **assets.xml**. This value creates a placeholder in the customizations.xml file that you'll replace with the contents of the assets.xml file in a later step.
1. Enter **assets.xml**. This value creates a placeholder in the customizations.xml file that you'll replace with the contents of the assets.xml file in a later step.
10. Save your project and close Windows Configuration Designer.
1. Save your project and close Windows Configuration Designer.
11. In File Explorer, open the project's directory. (The default location is C:\Users\\*user name*\Documents\Windows Imaging and Configuration Designer (WICD)\\*project name*)
1. In File Explorer, open the project's directory. (The default location is C:\Users\\*user name*\Documents\Windows Imaging and Configuration Designer (WICD)\\*project name*)
12. Open the customizations.xml file in a text editor. The **&lt;Customizations&gt;** section will look like this:
1. Open the customizations.xml file in a text editor. The **&lt;Customizations&gt;** section will look like this:
![Customizations file with the placeholder text to replace highlighted.](images/customization-start-edge.png)
13. Replace **layout.xml** with the text from the layout.xml file, [with markup characters replaced with escape characters](#escape).
1. Replace **layout.xml** with the text from the layout.xml file, [with markup characters replaced with escape characters](#escape).
14. Replace **assets.xml** with the text from the assets.xml file, [with markup characters replaced with escape characters](#escape).
1. Replace **assets.xml** with the text from the assets.xml file, [with markup characters replaced with escape characters](#escape).
15. Save and close the customizations.xml file.
1. Save and close the customizations.xml file.
16. Open Windows Configuration Designer and open your project.
1. Open Windows Configuration Designer and open your project.
17. On the **File** menu, select **Save.**
1. On the **File** menu, select **Save.**
18. On the **Export** menu, select **Provisioning package**.
1. On the **Export** menu, select **Provisioning package**.
19. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
1. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
20. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
1. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
21. Select **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location.
1. Select **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location.
Optionally, you can select **Browse** to change the default output location.
22. Select **Next**.
1. Select **Next**.
23. Select **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
1. Select **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
If you need to cancel the build, select **Cancel**. It cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
24. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
1. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To change the path, select **Back** to change the output package name and path, and then select **Next** to start another build.
- If you're done, select **Finish** to close the wizard and go back to the **Customizations Page**.
25. Copy the provisioning package to the target device.
1. Copy the provisioning package to the target device.
26. Double-click the ppkg file and allow it to install.
1. Double-click the ppkg file and allow it to install.
## Related articles

2
windows/configuration/start/supported-csp-start-menu-layout-windows.md
View File

@ -39,7 +39,7 @@ For information on customizing the Start menu layout using policy, see [Customiz
- [Start/HideUserTile](/windows/client-management/mdm/policy-csp-start#start-hideusertile)
- [Start/HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists)
- [Start/NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#start-nopinningtotaskbar)
- **Start/ShowOrHideMostUsedApps**: New policy starting with Windows 11. This policy enforces always showing Most Used Apps, or always hiding Most Used Apps in the Start menu. If you use this policy, the [Start/HideFrequentlyUsedApps](/windows/client-management/mdm/policy-csp-start#start-hidefrequentlyusedapps) policy is ignored.
- **Start/ShowOrHideMostUsedApps**: New policy starting with Windows 1. This policy enforces always showing Most Used Apps, or always hiding Most Used Apps in the Start menu. If you use this policy, the [Start/HideFrequentlyUsedApps](/windows/client-management/mdm/policy-csp-start#start-hidefrequentlyusedapps) policy is ignored.
The [Start/HideFrequentlyUsedApps](/windows/client-management/mdm/policy-csp-start#start-hidefrequentlyusedapps) policy enforces hiding Most Used Apps on the Start menu. You can't use this policy to enforce always showing Most Used Apps on the Start menu.

2
windows/configuration/start/windows-10-start-layout-options-and-policies.md
View File

@ -14,7 +14,7 @@ ms.date: 08/05/2021
Your organization can deploy a customized Start and taskbar to Windows 10 Professional, Enterprise, or Education devices. Use a standard, customized Start layout on devices that are common to multiple users, and devices that are locked down. Configuring the taskbar allows you to pin useful apps for your users, and remove apps that are pinned by default.
>[!NOTE]
>Support for applying a customized taskbar using MDM is added in Windows 10, version 1703.
>Support for applying a customized taskbar using MDM is added in Windows 10, version 1701.
As administrator, you can use these features to customize Start and taskbar to meet your organization needs. This article describes the different ways you can customize Start and taskbar, and lists the Start policies. It also includes taskbar information on a clean operating system (OS) installation, and when an OS is upgraded.

28
windows/configuration/store/stop-employees-from-using-microsoft-store.md
View File

@ -28,21 +28,21 @@ For more information on AppLocker, see [What is AppLocker?](/windows/device-secu
1. Enter **`secpol`** in the search bar to find and start AppLocker.
2. In the console tree of the snap-in, select **Application Control Policies**, select **AppLocker**, and then select **Packaged app Rules**.
1. In the console tree of the snap-in, select **Application Control Policies**, select **AppLocker**, and then select **Packaged app Rules**.
3. On the **Action** menu, or by right-clicking on **Packaged app Rules**, select **Create New Rule**.
1. On the **Action** menu, or by right-clicking on **Packaged app Rules**, select **Create New Rule**.
4. On **Before You Begin**, select **Next**.
1. On **Before You Begin**, select **Next**.
5. On **Permissions**, select the action (allow or deny) and the user or group that the rule should apply to, and then select **Next**.
1. On **Permissions**, select the action (allow or deny) and the user or group that the rule should apply to, and then select **Next**.
6. On **Publisher**, you can select **Use an installed app package as a reference**, and then select **Select**.
1. On **Publisher**, you can select **Use an installed app package as a reference**, and then select **Select**.
7. On **Select applications**, find and select **Store** under **Applications** column, and then select **OK**. Select **Next**.
1. On **Select applications**, find and select **Store** under **Applications** column, and then select **OK**. Select **Next**.
[Create a rule for packaged apps](/windows/device-security/applocker/create-a-rule-for-packaged-apps) has more information on reference options and setting the scope on packaged app rules.
8. Optional: On **Exceptions**, specify conditions by which to exclude files from being affected by the rule. Conditions allow you to add exceptions based on the same rule reference and rule scope as you set before. Select **Next**.
1. Optional: On **Exceptions**, specify conditions by which to exclude files from being affected by the rule. Conditions allow you to add exceptions based on the same rule reference and rule scope as you set before. Select **Next**.
## Block Microsoft Store using configuration service provider
@ -65,7 +65,7 @@ For more information on the rules available via AppLocker on the different suppo
Applies to: Windows 10 Enterprise, Windows 10 Education
> [!NOTE]
> Not supported on Windows 10 Pro, starting with version 1511. For more info, see [Knowledge Base article #3135657](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store).
> Not supported on Windows 10 Pro, starting with version 151. For more info, see [Knowledge Base article #3135657](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store).
You can also use Group Policy to manage access to Microsoft Store.
@ -73,11 +73,11 @@ You can also use Group Policy to manage access to Microsoft Store.
1. Enter **`gpedit`** in the search bar to find and start Group Policy Editor.
2. In the console tree of the snap-in, select **Computer Configuration**, select **Administrative Templates**, select **Windows Components**, and then select **Store**.
1. In the console tree of the snap-in, select **Computer Configuration**, select **Administrative Templates**, select **Windows Components**, and then select **Store**.
3. In the Setting pane, select **Turn off the Store application**, and then select **Edit policy setting**.
1. In the Setting pane, select **Turn off the Store application**, and then select **Edit policy setting**.
4. On the **Turn off the Store application** setting page, select **Enabled**, and then select **OK**.
1. On the **Turn off the Store application** setting page, select **Enabled**, and then select **OK**.
> [!IMPORTANT]
> When you enable the policy to **Turn off the Store application**, it turns off app updates from the Microsoft Store. To allow store apps to update, disable the policy to **Turn off automatic download and install of Updates**. This policy is found under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store**. This configuration allows in-box store apps to update while still blocking access to the store.
@ -92,13 +92,13 @@ If you're using Microsoft Store for Business and you want employees to only see
1. Enter **`gpedit`** in the search bar, and then select **Edit group policy (Control panel)** to find and start Group Policy Editor.
2. In the console tree of the snap-in, go to **User Configuration** or **Computer Configuration** > **Administrative Templates** > **Windows Components**, and then select **Store**.
1. In the console tree of the snap-in, go to **User Configuration** or **Computer Configuration** > **Administrative Templates** > **Windows Components**, and then select **Store**.
3. Right-click **Only display the private store within the Microsoft Store app** in the right pane, and select **Edit**.
1. Right-click **Only display the private store within the Microsoft Store app** in the right pane, and select **Edit**.
The **Only display the private store within the Microsoft Store app** policy settings will open.
4. On the **Only display the private store within the Microsoft Store app** setting page, select **Enabled**, and then select **OK**.
1. On the **Only display the private store within the Microsoft Store app** setting page, select **Enabled**, and then select **OK**.
## Related articles

31
windows/configuration/taskbar/configure-windows-10-taskbar.md
View File

@ -32,14 +32,13 @@ The following example shows how apps will be pinned: Windows default apps to the
**To configure the taskbar:**
1. Create the XML file.
* If you're also [customizing the Start layout](customize-and-export-start-layout.md), use `Export-StartLayout` to create the XML, and then add the `<CustomTaskbarLayoutCollection>` section from [the following sample](#sample-taskbar-configuration-added-to-start-layout-xml-file) to the file.
* If you're only configuring the taskbar, use [the following sample](#sample-taskbar-configuration-xml-file) to create a layout modification XML file.
2. Edit and save the XML file. You can use [AUMID](./find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path to identify the apps to pin to the taskbar.
* Add `xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"` to the first line of the file, before the closing \>.
* Use `<taskbar:UWA>` and [AUMID](./find-the-application-user-model-id-of-an-installed-app.md) to pin Universal Windows Platform apps.
* Use `<taskbar:DesktopApp>` and Desktop Application Link Path to pin desktop applications.
3. Apply the layout modification XML file to devices using [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) or a [provisioning package created in Windows Imaging and Configuration Designer (Windows ICD)](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md).
- If you're also [customizing the Start layout](customize-and-export-start-layout.md), use `Export-StartLayout` to create the XML, and then add the `<CustomTaskbarLayoutCollection>` section from [the following sample](#sample-taskbar-configuration-added-to-start-layout-xml-file) to the file.
- If you're only configuring the taskbar, use [the following sample](#sample-taskbar-configuration-xml-file) to create a layout modification XML file.
1. Edit and save the XML file. You can use [AUMID](./find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path to identify the apps to pin to the taskbar.
- Add `xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"` to the first line of the file, before the closing \>.
- Use `<taskbar:UWA>` and [AUMID](./find-the-application-user-model-id-of-an-installed-app.md) to pin Universal Windows Platform apps.
- Use `<taskbar:DesktopApp>` and Desktop Application Link Path to pin desktop applications.
1. Apply the layout modification XML file to devices using [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) or a [provisioning package created in Windows Imaging and Configuration Designer (Windows ICD)](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md).
>[!IMPORTANT]
>If you use a provisioning package or import-startlayout to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user then unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to make changes that will persist, apply your configuration by using Group Policy.
@ -51,14 +50,12 @@ The following example shows how apps will be pinned: Windows default apps to the
In the layout modification XML file, you'll need to add entries for applications in the XML markup. In order to pin an application, you need either its AUMID or Desktop Application Link Path.
The easiest way to find this data for an application is to:
1. Pin the application to the Start menu on a reference or testing PC.
2. Open Windows PowerShell and run the `Export-StartLayout` cmdlet.
3. Open the generated XML file.
4. Look for an entry corresponding to the app you pinned.
5. Look for a property labeled `AppUserModelID` or `DesktopApplicationLinkPath`.
1. Pin the application to the Start menu on a reference or testing PC
1. Open Windows PowerShell and run the `Export-StartLayout` cmdlet
1. Open the generated XML file
1. Look for an entry corresponding to the app you pinned
1. Look for a property labeled `AppUserModelID` or `DesktopApplicationLinkPath`
### Sample taskbar configuration XML file
@ -137,6 +134,7 @@ The `<CustomTaskbarLayoutCollection>` section will append listed apps to the tas
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
```
**Before:**
![default apps pinned to taskbar.](images/taskbar-default.png)
@ -182,7 +180,6 @@ If you only want to remove some of the default pinned apps, you would use this m
By adding `PinListPlacement="Replace"` to `<CustomTaskbarLayoutCollection>`, you remove all default pinned apps.
```xml
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
@ -257,13 +254,11 @@ The resulting taskbar for computers in any other country region:
![taskbar for all other regions.](images/taskbar-region-other.png)
> [!NOTE]
> [Look up country and region codes (use the ISO Short column)](/previous-versions/commerce-server/ee799297(v=cs.20))
## Layout Modification Template schema definition
```xml

38
windows/configuration/taskbar/customize-taskbar-windows-11.md
View File

@ -58,7 +58,7 @@ This article shows you how to create the XML file, add apps to the XML, and depl
</LayoutModificationTemplate>
```
2. In the `<taskbar:TaskbarPinList>` node, add (or remove) the apps you want pinned. You can pin Universal Windows Platform (UWP) apps and desktop apps:
1. In the `<taskbar:TaskbarPinList>` node, add (or remove) the apps you want pinned. You can pin Universal Windows Platform (UWP) apps and desktop apps:
- `<taskbar:UWA>`: Select this option for UWP apps. Add the [AUMID](./find-the-application-user-model-id-of-an-installed-app.md) of the UWP app.
- `<taskbar:DesktopApp>`: Select this option for desktop apps. Add the Desktop Application Link Path of the desktop app.
@ -67,14 +67,14 @@ This article shows you how to create the XML file, add apps to the XML, and depl
For more information, see [Get the AUMID and Desktop app link path](#get-the-aumid-and-desktop-app-link-path) (in this article).
3. In the `<CustomTaskbarLayoutCollection>` node, the apps you add are pinned after the default apps. If you want to remove the default apps, and only show the apps you add in the XML file, then add `PinListPlacement="Replace"`:
1. In the `<CustomTaskbarLayoutCollection>` node, the apps you add are pinned after the default apps. If you want to remove the default apps, and only show the apps you add in the XML file, then add `PinListPlacement="Replace"`:
- `<CustomTaskbarLayoutCollection>`: Keeps the default pinned apps. After the default apps, the apps you add are pinned.
- `<CustomTaskbarLayoutCollection PinListPlacement="Replace">`: Unpins the default apps. Only the apps you add are pinned.
If you want to remove some of the default pinned apps, then add `PinListPlacement="Replace"`. When you add your apps to `<taskbar:TaskbarPinList>`, include the default apps you still want pinned.
4. In the `<defaultlayout:TaskbarLayout>` node, use `region=" | "` to use different taskbar configurations based on the device locale and region.
1. In the `<defaultlayout:TaskbarLayout>` node, use `region=" | "` to use different taskbar configurations based on the device locale and region.
In the following XML example, two regions are added: `US|UK` and `DE|FR`:
@ -120,7 +120,7 @@ This article shows you how to create the XML file, add apps to the XML, and depl
- If the `<TaskbarPinList>` node has a country or region, then the apps are pinned on devices configured for that country or region.
- If the `<TaskbarPinList>` node doesn't have a region tag for the current region, then the first `<TaskbarPinList>` node with no region is applied.
5. Save the file, and name the file so you know what it is. For example, name the file something like `TaskbarLayoutModification.xml`. Once you have the file, it's ready to be deployed to your Windows devices.
1. Save the file, and name the file so you know what it is. For example, name the file something like `TaskbarLayoutModification.xml`. Once you have the file, it's ready to be deployed to your Windows devices.
## Use Group Policy or MDM to create and deploy a taskbar policy
@ -133,12 +133,12 @@ This section shows you how to deploy the XML both ways.
Use the following steps to add your XML file to a group policy, and apply the policy:
1. Open your policy editor. For example, open Group Policy Management Console (GPMC) for domain-based group policies, or open `gpedit` for local policies.
2. Go to one of the following policies:
1. Go to one of the following policies:
- `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Start Layout`
- `User Configuration\Administrative Templates\Start Menu and Taskbar\Start Layout`
3. Double-select `Start Layout` > **Enable**. Enter the fully qualified path to your XML file, including the XML file name. You can enter a local path, like `C:\StartLayouts\TaskbarLayoutModification.xml`, or a network path, like `\\Server\Share\TaskbarLayoutModification.xml`. Be sure you enter the correct file path. If using a network share, be sure to give users read access to the XML file. If the file isn't available when the user signs in, then the taskbar isn't changed. Users can't customize the taskbar when this setting is enabled.
1. Double-select `Start Layout` > **Enable**. Enter the fully qualified path to your XML file, including the XML file name. You can enter a local path, like `C:\StartLayouts\TaskbarLayoutModification.xml`, or a network path, like `\\Server\Share\TaskbarLayoutModification.xml`. Be sure you enter the correct file path. If using a network share, be sure to give users read access to the XML file. If the file isn't available when the user signs in, then the taskbar isn't changed. Users can't customize the taskbar when this setting is enabled.
Your policy looks like the following policy:
@ -146,7 +146,7 @@ Use the following steps to add your XML file to a group policy, and apply the po
The `User Configuration\Administrative Templates\Start Menu and Taskbar` policy includes other settings that control the taskbar. Some policies may not work as expected. Be sure to test your policies before broadly deploying them across your devices.
4. When you apply the policy, the taskbar includes your changes. The next time users sign in, they'll see the changes.
1. When you apply the policy, the taskbar includes your changes. The next time users sign in, they'll see the changes.
For more information on using group policies, see [Implement Group Policy Objects](/training/modules/implement-group-policy-objects/).
@ -158,25 +158,25 @@ Use the following steps to create an Intune policy that deploys your taskbar XML
1. Sign in to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** > **Configuration profiles** > **Create profile**.
1. Select **Devices** > **Configuration profiles** > **Create profile**.
3. Enter the following properties:
1. Enter the following properties:
- **Platform**: Select **Windows 10 and later**.
- **Profile type**: Select **Templates** > **Device restrictions** > **Create**.
4. In **Basics**, enter the following properties:
1. In **Basics**, enter the following properties:
- **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify it later. For example, a good profile name is **Win11: Custom taskbar**.
- **Description**: Enter a description for the profile. This setting is optional, and recommended.
5. Select **Next**.
1. Select **Next**.
6. In **Configuration settings**, select **Start** > **Start menu layout**. Browse to, and select your taskbar XML file.
1. In **Configuration settings**, select **Start** > **Start menu layout**. Browse to, and select your taskbar XML file.
7. Select **Next**, and configure the rest of the policy settings. For more specific information, see [Configure device restriction settings](/mem/intune/configuration/device-restrictions-configure).
1. Select **Next**, and configure the rest of the policy settings. For more specific information, see [Configure device restriction settings](/mem/intune/configuration/device-restrictions-configure).
8. When the policy is created, you can deploy it now, or deploy it later. Since this policy is a customized taskbar, the policy can also be deployed before users sign in the first time.
1. When the policy is created, you can deploy it now, or deploy it later. Since this policy is a customized taskbar, the policy can also be deployed before users sign in the first time.
For more information and guidance on assigning policies using Microsoft Intune, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign).
@ -188,14 +188,14 @@ Use the following steps to create an Intune policy that deploys your taskbar XML
In the layout modification XML file, you add apps in the XML markup. To pin an app, you enter the AUMID or Desktop Application Link Path. The easiest way to find this app information is to use the [Export-StartLayout](/powershell/module/startlayout/export-startlayout) Windows PowerShell cmdlet:
1. On an existing Windows 11 device, pin the app to the Start menu.
2. Create a folder to save an output file. For example, create the `C:\Layouts` folder.
3. Open the Windows PowerShell app, and run the following cmdlet:
1. Create a folder to save an output file. For example, create the `C:\Layouts` folder.
1. Open the Windows PowerShell app, and run the following cmdlet:
```powershell
Export-StartLayout -Path "C:\Layouts\GetIDorPath.xml"
```
4. Open the generated GetIDorPath.xml file, and look for the app you pinned. When you find the app, get the AppID or Path. Add these properties to your XML file.
1. Open the generated GetIDorPath.xml file, and look for the app you pinned. When you find the app, get the AppID or Path. Add these properties to your XML file.
## Pin order for all apps
@ -210,8 +210,8 @@ On a taskbar, the following apps are typically pinned:
Apps are pinned in the following order:
1. Windows default apps are pinned first.
2. User-pinned apps are pinned after the Windows default apps.
3. XML-pinned apps are pinned after the user-pinned apps.
1. User-pinned apps are pinned after the Windows default apps.
1. XML-pinned apps are pinned after the user-pinned apps.
If the OS is configured to use a right-to-left language, then the taskbar order is reversed.

5
windows/configuration/ue-v/uev-application-template-schema-reference.md
View File

@ -384,7 +384,7 @@ Application is a container for settings that apply to a particular application.
|LocalizedDescriptions|An optional template description localized by a language locale.|
|Version|Identifies the version of the settings location template for administrative tracking of changes. For more information, see [Version](#version21).|
|DeferToMSAccount|Controls whether this template is enabled in conjunction with a Microsoft account or not. If MSA syncing is enabled for a user on a machine, then this template will automatically be disabled.|
|DeferToOffice365|Similar to MSA, this type controls whether this template is enabled in conjunction with Office365. If Office 365 is being used to sync settings, this template will automatically be disabled.|
|DeferToOffice365|Similar to MSA, this type controls whether this template is enabled in conjunction with Office361. If Office 365 is being used to sync settings, this template will automatically be disabled.|
|FixedProfile|Specifies that this template can only be associated with the profile specified within this element, and can't be changed via WMI or PowerShell.|
|Processes|A container for a collection of one or more Process elements. For more information, see [Processes](#processes21).|
|Settings|A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see **Settings** in [Data types](#data21)".|
@ -402,7 +402,7 @@ Common is similar to an Application element, but it's always associated with two
|LocalizedDescriptions|An optional template description localized by a language locale.|
|Version|Identifies the version of the settings location template for administrative tracking of changes. For more information, see [Version](#version21).|
|DeferToMSAccount|Controls whether this template is enabled in conjunction with a Microsoft account or not. If MSA syncing is enabled for a user on a machine, then this template will automatically be disabled.|
|DeferToOffice365|Similar to MSA, this type controls whether this template is enabled in conjunction with Office365. If Office 365 is being used to sync settings, this template will automatically be disabled.|
|DeferToOffice365|Similar to MSA, this type controls whether this template is enabled in conjunction with Office361. If Office 365 is being used to sync settings, this template will automatically be disabled.|
|FixedProfile|Specifies that this template can only be associated with the profile specified within this element, and can't be changed via WMI or PowerShell.|
|Settings|A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see **Settings** in [Data types](#data21).|
@ -695,7 +695,6 @@ Here's the SettingsLocationTemplate.xsd file showing its elements, child element
</xs:sequence>
</xs:complexType>
<xs:element name="SettingsLocationTemplate">
<xs:complexType>
<xs:sequence>

6
windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
View File

@ -90,9 +90,9 @@ The following chart provides additional information about scheduled tasks for UE
To find Scheduled Tasks, perform the following steps:
1. Open "Schedule Tasks" on the user computer.
1. Navigate to: Task Scheduler -&gt; Task Scheduler Library -&gt; Microsoft -&gt; UE-V
1. Select the scheduled task you wish to manage and configure in the details pane.
1. Open "Schedule Tasks" on the user computer.
1. Navigate to: Task Scheduler -&gt; Task Scheduler Library -&gt; Microsoft -&gt; UE-V
1. Select the scheduled task you wish to manage and configure in the details pane.
### Additional information

2
windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
View File

@ -26,7 +26,7 @@ The following policy settings can be configured for UE-V.
|Synchronization timeout|Computers and Users|This Group Policy setting configures the number of milliseconds that the computer waits before a time-out when it retrieves user settings from the remote settings location. If the remote storage location is unavailable, and the user does not use the sync provider, the application start is delayed by this many milliseconds.|Specify the preferred synchronization time-out in milliseconds. The default value is 2000 milliseconds.|
|Tray Icon|Computers Only|This Group Policy setting enables the User Experience Virtualization (UE-V) tray icon.|This setting only has an effect for UE-V 2.x and earlier. It has no effect for UE-V in Windows 10, version 1607.|
|Use User Experience Virtualization (UE-V)|Computers and Users|This Group Policy setting lets you enable or disable User Experience Virtualization (UE-V).|This setting only has an effect for UE-V 2.x and earlier. For UE-V in Windows 10, version 1607, use the **Enable UE-V** setting.|
|Enable UE-V|Computers and Users|This policy setting allows you to enable or disable User Experience Virtualization (UE-V) feature. Reboot is needed for enable to take effect.|This setting only has an effect for UE-V in Windows 10, version 1607. For UE-V 2.x and earlier, choose the **Use User Experience Virtualization (UE-V)** setting.|
|Enable UE-V|Computers and Users|This policy setting allows you to enable or disable User Experience Virtualization (UE-V) feature. Reboot is needed for enable to take effect.|This setting only has an effect for UE-V in Windows 10, version 1601. For UE-V 2.x and earlier, choose the **Use User Experience Virtualization (UE-V)** setting.|
>[!NOTE]
>In addition, Group Policy settings are available for many desktop applications and Windows apps. You can use these settings to enable or disable settings synchronization for specific applications.

23
windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
View File

@ -20,10 +20,12 @@ To start, here are the main steps required to synchronize settings for custom ap
- [Create custom settings location templates](#create-custom-settings-location-templates)
These custom templates let users sync settings for custom applications.
- [Deploy the custom settings location templates](#deploy-the-custom-settings-location-templates)
After you test the custom template to ensure that settings are synced correctly, you can deploy these templates in one of these ways:
- With your existing electronic software distribution solution, such as Configuration Manager
- With Group Policy preferences
- With a UE-V settings template catalog
After you test the custom template to ensure that settings are synced correctly, you can deploy these templates in one of these ways:
- With your existing electronic software distribution solution, such as Configuration Manager
- With Group Policy preferences
- With a UE-V settings template catalog
> [!NOTE]
> Templates that are deployed with electronic software distribution methods or Group Policy must be registered with UE-V Windows Management Instrumentation (WMI) or Windows PowerShell.
@ -57,7 +59,7 @@ If registry keys and files that are stored in excluded locations are required to
### Replace the default Microsoft templates
A default group of settings location templates for common Microsoft applications and Windows settings is included with Windows 10, version 1607. If you customize these templates, or create settings location templates to synchronize settings for custom applications, the UE-V service can be configured to use a settings template catalog to store the templates. In this case, you'll need to include the default templates with the custom templates in the settings template catalog.
A default group of settings location templates for common Microsoft applications and Windows settings is included with Windows 10, version 1601. If you customize these templates, or create settings location templates to synchronize settings for custom applications, the UE-V service can be configured to use a settings template catalog to store the templates. In this case, you'll need to include the default templates with the custom templates in the settings template catalog.
> [!IMPORTANT]
> After you enable the UE-V service, you'll need to register the settings location templates using the `Register-UevTemplate` cmdlet in Windows PowerShell.
@ -82,9 +84,9 @@ Install the UE-V template generator on a computer that you can use to create a c
> [!IMPORTANT]
> UE-V for Windows 10, version 1607 includes a new template generator. If you are upgrading from an existing UE-V installation, you'll need to use the new generator to create settings location templates. Templates created with previous versions of the UE-V template generator will continue to work.
**To install the UE-V template generator**
To install the UE-V template generator:
1. Go to [Download the Windows ADK](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) to access the ADK.
1. Go to [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) to access the ADK.
1. Select the **Get Windows ADK for Windows 10** button on this page to start the ADK installer. On the window pictured below, select **Microsoft User Experience Virtualization (UE-V) Template Generator** and then select Install.
<!-- PRESERVING ORIGINAL IMAGE CODING JUST IN CASE
@ -104,7 +106,7 @@ The UE-V service checks this folder for templates that were added, updated, or r
You can configure the settings template catalog path with command-line options, Group Policy, WMI, or Windows PowerShell. Templates stored at the settings template catalog path are automatically registered and unregistered by a scheduled task.
**To configure the settings template catalog for UE-V**
To configure the settings template catalog for UE-V:
1. Create a new folder on the computer that stores the UE-V settings template catalog.
1. Set the following share-level (SMB) permissions for the settings template catalog folder.
@ -132,7 +134,7 @@ At a minimum, the network share must grant permissions for the Domain Computers
Use the UE-V template generator to create settings location templates for line-of-business applications or other custom applications. After you create the template for an application, deploy it to computers to synchronize settings for that application.
**To create a UE-V settings location template with the UE-V template generator**
To create a UE-V settings location template with the UE-V template generator:
1. Click **Start** &gt; **All Programs** &gt; **Microsoft User Experience Virtualization** &gt; **Microsoft User Experience Virtualization template generator**.
1. Click **Create a settings location template**.
@ -180,13 +182,12 @@ You can deploy settings location templates using of these methods:
Templates that are deployed by using an ESD system or Group Policy objects must be registered using UE-V Windows Management Instrumentation (WMI) or Windows PowerShell. Templates that are stored in the settings template catalog location are automatically registered by the UE-V service.
**To deploy UE-V settings location templates with a settings template catalog path**
To deploy UE-V settings location templates with a settings template catalog path:
1. Browse to the network share folder that you defined as the settings template catalog.
1. Add, remove, or update settings location templates in the settings template catalog to reflect the UE-V service template configuration that you want for UE-V computers.
> [!NOTE]
> Templates on computers are updated daily. The update is based on changes to the settings template catalog.
1. To manually update templates on a computer that runs the UE-V service, open an elevated command prompt, and browse to **Program Files\Microsoft User Experience Virtualization \ Agent \ &lt;x86 or x64 &gt;**, and then run **ApplySettingstemplateCatalog.exe**.
> [!NOTE]
> This program runs automatically during computer startup and daily at 3:30 A. M. to gather any new templates that were recently added to the catalog.

4
windows/configuration/ue-v/uev-for-windows.md
View File

@ -44,7 +44,7 @@ Use these UE-V components to create and manage custom templates for your third-p
| Component | Description |
|--|--|
| **UE-V template generator** | Use the **UE-V template generator** to create custom settings location templates that you can then distribute to user computers. The UE-V template generator also lets you edit an existing template or validate a template that was created with a different XML editor. <br>With the Windows 10, version 1607 release, the UE-V template generator is installed with the [Windows Assessment and Deployment kit for Windows 10, version 1607](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) (Windows ADK). <br>If you are upgrading from an existing UE-V installation, you'll need to use the new generator to create new settings location templates. Application templates created with previous versions of the UE-V template generator are still supported, however. |
| **UE-V template generator** | Use the **UE-V template generator** to create custom settings location templates that you can then distribute to user computers. The UE-V template generator also lets you edit an existing template or validate a template that was created with a different XML editor. <br>With the Windows 10, version 1607 release, the UE-V template generator is installed with the [Windows Assessment and Deployment kit for Windows 10, version 1607](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) (Windows ADK). <br>If you are upgrading from an existing UE-V installation, you'll need to use the new generator to create new settings location templates. Application templates created with previous versions of the UE-V template generator are still supported, however. |
| **Settings template catalog** | The **settings template catalog** is a folder path on UE-V computers or a Server Message Block (SMB) network share that stores the custom settings location templates. The UE-V service checks this location once a day, retrieves new or updated templates, and updates its synchronization behavior.<br>If you use only the UE-V default settings location templates, then a settings template catalog is unnecessary. For more information about settings deployment catalogs, see [Deploy a UE-V settings template catalog](uev-deploy-uev-for-custom-applications.md). |
<!-- PRESERVING ORIGINAL IMAGE CODING JUST IN CASE - NOTE THAT UPDATED IMAGE IS A PNG FILE
@ -75,4 +75,4 @@ UE-V synchronizes settings for these applications by default. For a complete lis
- [Administer UE-V for Windows 10](uev-administering-uev.md)
- [Technical Reference for UE-V for Windows 10](uev-technical-reference.md)
For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc).
For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc).

2
windows/configuration/ue-v/uev-getting-started.md
View File

@ -120,7 +120,7 @@ You're ready to run a few tests on your UE-V evaluation deployment to see how UE
1. Open Windows Desktop and verify that the taskbar location matches that of Computer A. Verify that the default fonts match and that NotePad is set to **word wrap on**. Also verify the change you made to any Windows applications.
1. You can change the settings in Computer B back to the original Computer A settings. Then log off Computer B and log in to Computer A to verify the changes.
For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc).
For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc).
## Other resources for this feature

2
windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
View File

@ -68,7 +68,7 @@ The UE-V Windows PowerShell features enable you to manage a group of settings te
This command unregisters all active templates on the computer.
1. Register the updated templates by typing the following command.
1. Register the updated templates by typing the following command.
```powershell
Register-UevTemplate <path to template folder>\*.xml

2
windows/configuration/ue-v/uev-prepare-for-deployment.md
View File

@ -336,7 +336,7 @@ The VDI template is provided with UE-V and is typically available here after ins
Install the UE-V template generator on the device that is used to create custom settings location templates. This device should be able to run the applications that you want to synchronize settings for. You must be a member of the Administrators group on the device that runs the UE-V template generator software.
The UE-V template generator must be installed on a device that uses an NTFS file system. The UE-V template generator software requires .NET Framework 4. For more information, see [Use UE-V with custom applications](uev-deploy-uev-for-custom-applications.md).
The UE-V template generator must be installed on a device that uses an NTFS file system. The UE-V template generator software requires .NET Framework 1. For more information, see [Use UE-V with custom applications](uev-deploy-uev-for-custom-applications.md).
## Other resources for this feature

2
windows/configuration/ue-v/uev-security-considerations.md
View File

@ -61,7 +61,7 @@ User settings data is vulnerable to these potential threats: interception of the
As of Windows Server 2003, several features of the Windows Server operating system can help secure user data:
- **Kerberos** - Kerberos is standard on all versions of Microsoft Windows 2000 Server and Windows Server beginning with Windows Server 2003. Kerberos ensures the highest level of security to network resources. NTLM authenticates the client only; Kerberos authenticates the server and the client. When NTLM is used, the client doesn't know whether the server is valid. This difference is important if the client exchanges personal files with the server, as is the case with Roaming User Profiles. Kerberos provides better security than NTLM. Kerberos isn't available on the Microsoft Windows NT Server 4.0 or earlier operating systems.
- **Kerberos** - Kerberos is standard on all versions of Microsoft Windows 2000 Server and Windows Server beginning with Windows Server 2001. Kerberos ensures the highest level of security to network resources. NTLM authenticates the client only; Kerberos authenticates the server and the client. When NTLM is used, the client doesn't know whether the server is valid. This difference is important if the client exchanges personal files with the server, as is the case with Roaming User Profiles. Kerberos provides better security than NTLM. Kerberos isn't available on the Microsoft Windows NT Server 4.0 or earlier operating systems.
- **IPsec** - The IP Security Protocol (IPsec) provides network-level authentication, data integrity, and encryption. IPsec ensures that:

2
windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
View File

@ -13,7 +13,7 @@ To synchronize Office applications settings, you can download Office templates f
## Microsoft Office support in UE-V
UE-V includes settings location templates for Microsoft Office 2016, 2013, and 2010. In previous versions of UE-V, settings location templates for Office 2013 and Office 2010 were distributed and registered when you installed the UE-V agent. Now that UE-V is a feature in Windows 10, version 1607, settings location templates are installed when you install or upgrade to the new operating system.
UE-V includes settings location templates for Microsoft Office 2016, 2013, and 201. In previous versions of UE-V, settings location templates for Office 2013 and Office 2010 were distributed and registered when you installed the UE-V agent. Now that UE-V is a feature in Windows 10, version 1607, settings location templates are installed when you install or upgrade to the new operating system.
These templates help synchronize users' Office experience between devices. Microsoft Office 2016 settings roamed by Office 365 experience aren't included in these settings. For a list of Office 365-specific settings, see [Overview of user and roaming settings for Office](/previous-versions/office/office-2013-resource-kit/jj733593(v=office.15)).

2
windows/configuration/ue-v/uev-troubleshooting.md
View File

@ -12,7 +12,7 @@ For information that can help with troubleshooting UE-V for Windows 10, see:
- [UE-V: List of Microsoft Support Knowledge Base Articles](https://social.technet.microsoft.com/wiki/contents/articles/14271.ue-v-list-of-microsoft-support-knowledge-base-articles.aspx)
- [User Experience Virtualization Release Notes](uev-release-notes-1607.md)
- [Technical Reference for UE-V](uev-technical-reference.md)
- [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc)
- [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc)
## Other resources

2
windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
View File

@ -33,7 +33,7 @@ After upgrading a user device to Windows 10, version 1607, it's important to ver
1. Type **Get-UEVTemplate** and press ENTER to check that your templates are still registered.
> [!NOTE]
> You'll need to register the NotePad template again after you upgrade the device to Windows 10.
> You'll need to register the NotePad template again after you upgrade the device to Windows 1.
**To verify UE-V settings using the device's registry**

4
windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
View File

@ -27,7 +27,7 @@ For more information about how to configure an existing UE-V installation after
## New UE-V template generator is available from the Windows 10 ADK
UE-V for Windows 10 includes a new template generator, available from a new location. If you're upgrading from an existing UE-V installation, you'll need to use the new generator to create settings location templates. The UE-V for Windows 10 template generator is now available in the [Windows 10 Assessment and Deployment Kit](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) (Windows ADK).
UE-V for Windows 10 includes a new template generator, available from a new location. If you're upgrading from an existing UE-V installation, you'll need to use the new generator to create settings location templates. The UE-V for Windows 10 template generator is now available in the [Windows 10 Assessment and Deployment Kit](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) (Windows ADK).
## Company Settings Center removed in UE-V for Windows 10, version 1607
@ -93,7 +93,7 @@ UE-V for Windows 10, version 1607 includes the Microsoft Office 2016 settings lo
> [!NOTE]
> An Outlook profile must be created on any device on which a user wants to synchronize their Outlook signature. If the profile is not already created, the user can create one and then restart Outlook on that device to enable signature synchronization.
UE-V works with Office 365 to determine whether Office 2016 settings are roamed by Office 365. If settings are roamed by Office 365, they aren't roamed by UE-V. For more information, see [Overview of user and roaming settings for Microsoft Office](/previous-versions/office/office-2013-resource-kit/jj733593(v=office.15)).
UE-V works with Office 365 to determine whether Office 2016 settings are roamed by Office 361. If settings are roamed by Office 365, they aren't roamed by UE-V. For more information, see [Overview of user and roaming settings for Microsoft Office](/previous-versions/office/office-2013-resource-kit/jj733593(v=office.15)).
To enable settings synchronization using UE-V, do one of the following steps:

3
windows/configuration/wcd/wcd-accountmanagement.md
View File

@ -2,7 +2,6 @@
title: AccountManagement
description: This section describes the account management settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.topic: reference
ms.date: 04/30/2018
---
@ -23,7 +22,6 @@ Use these settings to configure the Account Manager service.
>[!NOTE]
>Although the AccountManagement settings are available in advanced provisioning for other editions, you should only use them for HoloLens devices.
## DeletionPolicy
Use this setting to set a policy for deleting accounts.
@ -36,7 +34,6 @@ Use this setting to set a policy for deleting accounts.
Set as **True** to enable automatic account management. If this is not set to **True**, no automatic account management will occur.
## ProfileInactivityThreshold
If you set **DeletionPolicy** as **Delete at storage capacity threshold and profile inactivity threshold**, use this setting to configure the number of days after which an account that has not signed in will be deleted.

3
windows/configuration/wcd/wcd-accounts.md
View File

@ -20,7 +20,6 @@ Use these settings to join a device to an Active Directory domain or a Microsoft
| [ComputerAccount](#computeraccount) | ✅ | ✅ | | ✅ |
| [Users](#users) | ✅ | ✅ | ✅ | |
## Azure
The **Azure > Authority** and **Azure > BPRT** settings for bulk Microsoft Entra enrollment can only be configured using one of the provisioning wizards. After you get a bulk token for Microsoft Entra enrollment in a wizard, you can switch to the advanced editor to configure more provisioning settings. For information about using the wizards, see:
@ -39,7 +38,7 @@ Specifies the settings you can configure when joining a device to a domain, incl
| --- | --- | --- |
| Account | String | Account to use to join computer to domain |
| AccountOU | Enter the full path for the organizational unit. For example: OU=testOU,DC=domain,DC=Domain,DC=com. | Name of organizational unit for the computer account |
| ComputerName | On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the `computer's` serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit doesn't count the length of the macros, including `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10 version 1709 and earlier releases, use the **ComputerName** setting under **Accounts**. | Specifies the name of the Windows device (computer name on PCs) |
| ComputerName | On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 61. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the `computer's` serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit doesn't count the length of the macros, including `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10 version 1709 and earlier releases, use the **ComputerName** setting under **Accounts**. | Specifies the name of the Windows device (computer name on PCs) |
| DomainName | String (can't be empty) | Specify the name of the domain that the device will join |
| Password | String (can't be empty) | Corresponds to the password of the user account that's authorized to join the computer account to the domain. |

28
windows/configuration/wcd/wcd-admxingestion.md
View File

@ -16,7 +16,6 @@ Starting in Windows 10, version 1703, you can import (*ingest*) Group Policy adm
- The settings under [ConfigOperations](#configoperations) specify the ADMX file to be imported.
>[!IMPORTANT]
>Only device scope policies (class="Machine" or class="Both") can be set using a provisioning package.
@ -35,44 +34,35 @@ Use **ConfigOperations** to import ADMX policies from an ADMX file.
This can be any name you assign, so choose something descriptive to help you identify its purpose. For example, if you are importing ADMX for Chromium Edge, enter an app name.
Example, `MSEdgeEfficiencyMode`
2. Select the app name in the Customizations pane, select a setting type, and then click **Add**.
1. Select the app name in the Customizations pane, select a setting type, and then click **Add**.
The choices, **Policy** and **Preference**, have no impact on the behavior of the settings, and are only provided for your convenience should you want to categorize the settings you add.
3. Select the setting type in the Customizations pane. In the **AdmxFileUid** field, enter the name of the ADMX file or a unique ID for the file, and then click **Add**.
1. Select the setting type in the Customizations pane. In the **AdmxFileUid** field, enter the name of the ADMX file or a unique ID for the file, and then click **Add**.
The **AdmxFileUid** can be any string, but must be unique in the provisioning package. Using the name of the ADMX file will help you identify the file in the future.
Example, `MSEdgeEfficiencyMode`
>[!NOTE]
>Keeping the AdmxFileUid and AppName the same will help prevent authorizing errors.
4. Select the AdmxFileUid in the Customizations pane, and paste the contents of the ADMX file in the text field. Before copying the contents of the ADMX file, you must convert it to a single-line. See [Convert multi-line to single line](#convert) for instructions.
1. Select the AdmxFileUid in the Customizations pane, and paste the contents of the ADMX file in the text field. Before copying the contents of the ADMX file, you must convert it to a single-line. See [Convert multi-line to single line](#convert) for instructions.
>[!NOTE]
>When you have a large ADMX file, you may want to only include specific settings. Instead of pasting in the entire ADMX file, you can paste just one or more specific policies (after converting them to single-line).
Example, EfficiencyMode
```XML
<policy class="Both" displayName="$(string.EfficiencyMode)" explainText="$(string.EfficiencyMode_Explain)" key="Software\Policies\Microsoft\Edge" name="EfficiencyMode" presentation="$(presentation.EfficiencyMode)"> <parentCategory ref="Performance"/> <supportedOn ref="SUPPORTED_WIN7_V96"/> <elements> <enum id="EfficiencyMode" valueName="EfficiencyMode"> <item displayName="$(string.EfficiencyMode_AlwaysActive)"> <value> <decimal value="0"/> </value> </item> <item displayName="$(string.EfficiencyMode_NeverActive)"> <value> <decimal value="1"/> </value> </item> <item displayName="$(string.EfficiencyMode_ActiveWhenUnplugged)"> <value> <decimal value="2"/> </value> </item> <item displayName="$(string.EfficiencyMode_ActiveWhenUnpluggedBatteryLow)"> <value> <decimal value="3"/> </value> </item> </enum> </elements> </policy>
```
5. Repeat for each ADMX, or set of ADMX policies, that you want to add, and then configure [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) for each one.
1. Repeat for each ADMX, or set of ADMX policies, that you want to add, and then configure [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) for each one.
<span id="convert"/>
## ConfigADMXInstalledPolicy
>[!IMPORTANT]
@ -84,23 +74,18 @@ In **ConfigADMXInstalledPolicy**, you provide a policy setting and value for tha
`<AppName (from ConfigOperations)>~<SettingType>~<category name from ADMX>`
See [Category and policy in ADMX](#category-and-policy-in-admx) for more information. A setting may have multiple levels of category names, as in the following example.
Example: `MSEdgeEfficiencyMode~Policy~microsoft_edge~Performance`
2. Select the area name in the Customization pane, enter a policy name from the ADMX, and then click **Add**.
1. Select the area name in the Customization pane, enter a policy name from the ADMX, and then click **Add**.
Example, `EfficiencyMode`.
3. Select the policy name in the Customization pane, and then enter a value from the ADMX in the text field.
1. Select the policy name in the Customization pane, and then enter a value from the ADMX in the text field.
Example, `<enabled/><data id="EfficiencyMode" Value="2">`.
## Category and policy in ADMX
The following samples show the ADMX file for Chromium Edge used in the examples in the procedures above. The first sample highlights the category names.
@ -149,7 +134,6 @@ The next sample highlights the specific policy.
```
<!--![Snipped of ADMX shows policy setting highlighted.](../images/admx-policy.png)-->
## Convert multi-line to single line
Use the following PowerShell cmdlet to remove carriage returns and line feeds from a multi-line file to create a single-line file that you can paste in **AdmxFileUid**.

5
windows/configuration/wcd/wcd-assignedaccess.md
View File

@ -19,7 +19,6 @@ Use this setting to configure single use (kiosk) devices.
| [AssignedAccessSettings](#assignedaccesssettings) | ✅ | | ✅ | |
| [MultiAppAssignedAccessSettings](#multiappassignedaccesssettings) | ✅ | | ✅ | |
## AssignedAccessSettings
Enter the account and the application you want to use for Assigned access, using [the AUMID](../find-the-application-user-model-id-of-an-installed-app.md). When that user account signs in on the device, only the specified app will run.
@ -36,8 +35,8 @@ Enter the account and the application you want to use for Assigned access, using
Use this setting to configure a kiosk device that runs more than one app.
1. Create an assigned access configuration XML file for multiple apps [(desktop](../lock-down-windows-10-to-specific-apps.md) or [HoloLens)](/hololens/hololens-provisioning).
2. In Windows Configuration Designer, select **MultiAppAssignedAccessSettings**.
3. Browse to and select the assigned access configuration XML file.
1. In Windows Configuration Designer, select **MultiAppAssignedAccessSettings**.
1. Browse to and select the assigned access configuration XML file.
## Related topics

13
windows/configuration/wcd/wcd-browser.md
View File

@ -22,7 +22,6 @@ Use to configure browser settings that should only be set by OEMs who are part o
| [PartnerSearchCode](#partnersearchcode) | ✅ | ✅ | | |
| [SearchProviders](#searchproviders) | | | | |
## AllowPrelaunch
Use this setting to allow Microsoft Edge to pre-launch during Windows sign-in, when the system is idle, and each time that Microsoft Edge is closed. Pre-launch minimizes the amount of time required to start Microsoft Edge.
@ -34,7 +33,7 @@ Select between **Prevent Pre-launching** and **Allow Pre-launching**.
Use to add items to the Favorites Bar in Microsoft Edge.
1. Enter a name for the item, and select **Add**. (The name you enter here's only used to distinguish the group of settings, and isn't shown on the device when the settings are applied.)
2. In **Available customizations**, select the item that you added, and then configure the following settings for that item:
1. In **Available customizations**, select the item that you added, and then configure the following settings for that item:
Setting | Description
--- | ---
@ -50,11 +49,10 @@ To add a new item under the browser's **Favorites** list:
1. In the **Name** field, enter a friendly name for the item, and then click **Add**.
2. In the **Available customizations** pane, select the friendly name that you created, and in the text field, enter the URL for the item.
1. In the **Available customizations** pane, select the friendly name that you created, and in the text field, enter the URL for the item.
For example, to include the corporate Web site to the list of browser favorites, a company called Contoso can specify **Contoso** as the value for the name and `http://www.contoso.com` for the URL.
## PartnerSearchCode
>[!IMPORTANT]
@ -64,9 +62,6 @@ Set the value to a character string that corresponds to the OEM's Partner Search
OEMs who are part of the program only have one PartnerSearchCode which should be used for all Windows 10 for desktop editions images.
## SearchProviders
Contains the settings you can use to configure the default and other search providers.
@ -82,15 +77,13 @@ Some countries/regions require specific, default search providers. The following
>[!NOTE]
>For Russia + Commonwealth of Independent States (CIS), the independent states consist of Russia, Ukraine, Georgia, The Republic of Azerbaijan, Republic Of Belarus, The Republic of Kazakhstan, The Kyrgyz Republic, The Republic of Moldova, The Republic of Tajikistan, The Republic of Armenia, Turkmenistan, The Republic of Uzbekistan, and Türkiye.
### SearchProviderList
Use to specify a list of extra search providers.
1. In the **Name** field, enter a name for the item, and then click **Add**.
2. In the **Available customizations** pane, select the name that you created, and in the text field, enter the URL for the other search provider.
1. In the **Available customizations** pane, select the name that you created, and in the text field, enter the URL for the other search provider.
For example, to specify Yandex in Russia and Commonwealth of Independent States (CIS), set the value of URL to "https://yandex.ru/search/touch/?text={searchTerm}&clid=2234144".

12
windows/configuration/wcd/wcd-cellcore.md
View File

@ -10,7 +10,7 @@ ms.date: 10/02/2018
# CellCore (Windows Configuration Designer reference)
>Setting documentation is provided for Windows 10, version 1803 and earlier. CellCore isn't available in Windows 10, version 1809.
>Setting documentation is provided for Windows 10, version 1803 and earlier. CellCore isn't available in Windows 10, version 1801.
Use to configure settings for cellular data.
@ -46,13 +46,13 @@ Use to configure settings for cellular data.
1. In **CellConfiguration** > **PropertyGroups**, enter a name for the property group.
2. Select the **PropertyGroups** you created in the **Available customizations** pane and then enter a **PropertyName**.
3. Select the **PropertyName** you created in the **Available customizations** pane, and then select one of the following data types for the property:
1. Select the **PropertyGroups** you created in the **Available customizations** pane and then enter a **PropertyName**.
1. Select the **PropertyName** you created in the **Available customizations** pane, and then select one of the following data types for the property:
- Binary
- Boolean
- Integer
- String
4. The data type that you selected is added in **Available customizations**. Select it to enter a value for the property.
1. The data type that you selected is added in **Available customizations**. Select it to enter a value for the property.
### CellData
@ -186,7 +186,7 @@ Configure **FwUpdate** > **AllowedAppIdList** to list apps that are allowed to u
|OperatorPreferredForFasterRadio | Set Issuer Identification Number (IIN) or partial ICCID of preferred operator for the faster radio. For mobile operators that require more control over the system types that their phones use to connect to the mobile operators' networks, OEMs can map a partial ICCID or an Industry Identification Number (IIN) to the faster radio regardless of which SIM card is chosen for data connectivity. This setting is used only for China. OEMs should not use this setting unless required by the mobile operator. To map a partial ICCID or an IIN to the faster radio regardless of which SIM card is chosen for data connectivity, set the value of OperatorPreferredForFasterRadio to match the IIN or the ICCID, up to 7 digits, of the preferred operator.|
|PreferredDataProviderList | OEMs can set a list of MCC/MNC pairs for the purchase order (PO) carrier or primary operator. For mobile operators that require it, OEMs can set a list of MCC/MNC pairs for the purchase order (PO) carrier or primary operator so that it can be set as the default data line for phones that have a dual SIM. When the PO SIM is inserted into the phone, the OS picks the PO SIM as the data line and shows a notification to the user that the SIM has been selected for Internet data. If two PO SIMs are inserted, the OS will choose the first PO SIM that was detected as the default data line and the mobile operator action required dialogue (ARD) is shown. If two non-PO SIMs are inserted, the user is prompted to choose the SIM to use as the default data line. Note OEMs should not set this customization unless required by the mobile operator. To enumerate the MCC/MNC value pairs to use for data connections, set the value for **PreferredDataProviderList**. The value must be a comma-separated list of preferred MCC:MNC values. For example, the value can be 301:026,310:030 and so on.|
|Slot2DisableAppsList | Disable specified apps from slot 2 on a C+G dual SIM phone. To disable a list of specified apps from Slot 2, set Slot2DisableAppsList to a comma-separated list of values representing the apps. For example, `4,6`.|
|Slot2ExcludedSystemTypes | Exclude specified system types from SIM cards inserted in Slot 2. For mobile operators that require more control over the system types that their phones use to connect to the mobile operators' networks, OEMs can restrict the second slot in a dual-SIM phone regardless of what apps or executor mapping the second slot is associated with. Note This setting is used only for China. OEMs should not use this setting unless required by the mobile operator. To allow an operator to simply restrict the second slot in a dual SIM phone regardless of what apps or executor mapping the second slot is associated with, set the value of Slot2ExcludedSystemTypes to the system types to be excluded from the SIM cards inserted in Slot 2. For example, a value of 0x8 specifies RIL_SYSTEMTYPE_UMTS (3G) while 0x10 specifies RIL_SYSTEMTYPE_LTE (4G). To exclude more than one system type, perform a bitwise OR operation on the radio technologies you want to exclude. For example, a bitwise OR operation on RIL_SYSTEMTYPE_LTE (4G) and RIL_SYSTEMTYPE_UMTS (3G) results in the value 11000 (binary) or 0x18 (hexadecimal). In this case, any SIM inserted in Slot 2 will be limited to 2G. For more information about the RIL system types, see [RILSYSTEMTYPE](/previous-versions/windows/hardware/cellular/dn931143(v=vs.85)).|
|Slot2ExcludedSystemTypes | Exclude specified system types from SIM cards inserted in Slot 1. For mobile operators that require more control over the system types that their phones use to connect to the mobile operators' networks, OEMs can restrict the second slot in a dual-SIM phone regardless of what apps or executor mapping the second slot is associated with. Note This setting is used only for China. OEMs should not use this setting unless required by the mobile operator. To allow an operator to simply restrict the second slot in a dual SIM phone regardless of what apps or executor mapping the second slot is associated with, set the value of Slot2ExcludedSystemTypes to the system types to be excluded from the SIM cards inserted in Slot 1. For example, a value of 0x8 specifies RIL_SYSTEMTYPE_UMTS (3G) while 0x10 specifies RIL_SYSTEMTYPE_LTE (4G). To exclude more than one system type, perform a bitwise OR operation on the radio technologies you want to exclude. For example, a bitwise OR operation on RIL_SYSTEMTYPE_LTE (4G) and RIL_SYSTEMTYPE_UMTS (3G) results in the value 11000 (binary) or 0x18 (hexadecimal). In this case, any SIM inserted in Slot 2 will be limited to 2G. For more information about the RIL system types, see [RILSYSTEMTYPE](/previous-versions/windows/hardware/cellular/dn931143(v=vs.85)).|
|SuggestDataRoamingARD | Use to show the data roaming suggestion dialog when roaming and the data roaming setting is set to no roaming.|
|SuggestGlobalModeARD | Define whether Global Mode is suggested on a C+G dual SIM phone.|
|SuggestGlobalModeTimeout | To specify the number of seconds to wait for network registration before suggesting global mode, set SuggestGlobalModeTimeout to a value between 1 and 600, inclusive. For example, to set the timeout to 60 seconds, set the value to 60 (decimal) or 0x3C (hexadecimal).|
@ -205,7 +205,7 @@ Configure **FwUpdate** > **AllowedAppIdList** to list apps that are allowed to u
|AckExpirySeconds |Set the value, in seconds, for how long to wait for a client ACK before trying to deliver. |
|DefaultMCC |Set the default mobile country code (MCC).|
|Encodings > GSM7BitEncodingPage |Enter the code page value for the 7-bit GSM default alphabet encoding. Values:</br></br>- Code page value: 55000 (Setting value: 0xD6D8)(Code page: default alphabet)</br>- Code page value: 55001 (Setting value: 0xD6D9)(Code page: GSM with single shift for Spanish)</br>- Code page value: 55002 (Setting value: 0xD6DA)(Code page: GSM with single shift for Portuguese)</br>- Code page value: 55003 (Setting value: 0xD6DB)(Code page: GSM with single shift for Turkish)</br>- Code page value: 55004 (Setting value: 0xD6DC)(Code page: SMS Greek Reduction)|
|Encodings > GSM8BitEncodingPage|Enter the code page value for GSM 8-bit encoding (OEM set). OEM-created code page IDs should be in the range 5505055099. |
|Encodings > GSM8BitEncodingPage|Enter the code page value for GSM 8-bit encoding (OEM set). OEM-created code page IDs should be in the range 5505055091. |
|Encodings > OctetEncodingPage |Set the octet (binary) encoding.|
|Encodings > SendUDHNLSS |Set the 7 bit GSM shift table encoding.|
|Encodings > UseASCII |Set the 7 bit ASCII encoding. Used only for CDMA carriers that use 7-bit ASCII encoding instead of GSM 7-bit encoding.|

4
windows/configuration/wcd/wcd-cellular.md
View File

@ -56,7 +56,6 @@ Enter a customized string for the appropriate [data class](/windows/desktop/api/
Enter a comma-separated list of mobile country code (MCC) and mobile network code (MCC) pairs (MCC:MNC).
### SignalBarMappingTable
>[!NOTE]
@ -65,13 +64,12 @@ Enter a comma-separated list of mobile country code (MCC) and mobile network cod
Use the **SignalBarMappingTable** settings to customize the number of bars displayed based on signal strength. Set a signal strength minimum for each bar number.
1. Expand **SignalBarMappingTable**, select a bar number in **SignalForBars**, and select **Add**.
2. Select the signal bar number in **Available customizations**, and enter a minimum signal strength value, between 0 and 31.
1. Select the signal bar number in **Available customizations**, and enter a minimum signal strength value, between 0 and 31.
### SIMBlockList
Enter a comma-separated list of mobile country code (MCC) and mobile network code (MCC) pairs (MCC:MNC).
### UseBrandingNameOnRoaming
Select an option for displaying the BrandingName when the device is roaming.

22
windows/configuration/wcd/wcd-certificates.md
View File

@ -24,19 +24,17 @@ Use to deploy Root Certificate Authority (CA) certificates to devices. The follo
| --- | :---: | :---: | :---: | :---: |
| All setting groups | ✅ | ✅ | ✅ | ✅ |
## CACertificates
1. In **Available customizations**, select **CACertificates**, enter a friendly name for the certificate, and then click **Add**.
2. In **Available customizations**, select the name that you created.
3. In **CertificatePath**, browse to or enter the path to the certificate.
1. In **Available customizations**, select the name that you created.
1. In **CertificatePath**, browse to or enter the path to the certificate.
## ClientCertificates
1. In **Available customizations**, select **ClientCertificates**, enter a friendly name for the certificate, and then click **Add**.
2. In **Available customizations**, select the name that you created. The following table describes the settings you can configure. Settings in **bold** are required.
1. In **Available customizations**, select the name that you created. The following table describes the settings you can configure. Settings in **bold** are required.
| Setting | Value | Description |
| --- | --- | ---- |
@ -48,25 +46,23 @@ Use to deploy Root Certificate Authority (CA) certificates to devices. The follo
## RootCertificates
1. In **Available customizations**, select **RootCertificates**, enter a friendly name for the certificate, and then click **Add**.
2. In **Available customizations**, select the name that you created.
3. In **CertificatePath**, browse to or enter the path to the certificate.
1. In **Available customizations**, select the name that you created.
1. In **CertificatePath**, browse to or enter the path to the certificate.
## TrustedPeopleCertificates
1. In **Available customizations**, select **TrustedPeopleCertificates**, enter a friendly name for the certificate, and then click **Add**.
2. In **Available customizations**, select the name that you created.
3. In **TrustedCertificate**, browse to or enter the path to the certificate.
1. In **Available customizations**, select the name that you created.
1. In **TrustedCertificate**, browse to or enter the path to the certificate.
## TrustedProvisioners
1. In **Available customizations**, select **TrustedPprovisioners**, enter a CertificateHash, and then click **Add**.
2. In **Available customizations**, select the name that you created.
1. In **Available customizations**, select the name that you created.
3. In **TrustedProvisioner**, browse to or enter the path to the certificate.
1. In **TrustedProvisioner**, browse to or enter the path to the certificate.
## Related topics
- [RootCATrustedCertficates configuration service provider (CSP)](/windows/client-management/mdm/rootcacertificates-csp)

90
windows/configuration/wcd/wcd-changes.md
View File

@ -1,9 +1,7 @@
---
title: Changes to settings in Windows Configuration Designer
description: This section describes the changes to settings in Windows Configuration Designer in Windows 10, version 1809.
ms.topic: reference
ms.date: 12/31/2017
---
@ -26,7 +24,6 @@ ms.date: 12/31/2017
## Settings added in Windows 10, version 1809
- [Browser > AllowPrelaunch](wcd-browser.md#allowprelaunch)
- [Browser > FavoriteBarItems](wcd-browser.md#favoritebaritems)
- [Cellular > SignalBarMappingTable](wcd-cellular.md#signalbarmappingtable)
@ -34,62 +31,59 @@ ms.date: 12/31/2017
- [Location](wcd-location.md)
- [Policies > ApplicationManagement > LaunchAppAfterLogOn](wcd-policies.md#applicationmanagement)
- [Policies > Authentication:](wcd-policies.md#authentication)
- EnableFastFirstSignin
- EnableWebSignin
- PreferredAadTenantDomainName
- EnableFastFirstSignin
- EnableWebSignin
- PreferredAadTenantDomainName
- [Policies > Browser:](wcd-policies.md#browser)
- AllowFullScreenMode
- AllowPrelaunch
- AllowPrinting
- AllowSavingHistory
- AllowSideloadingOfExtensions
- AllowTabPreloading
- AllowWebContentOnNewTabPage
- ConfigureFavoritesBar
- ConfigureHomeButton
- ConfigureKioskMode
- ConfigureKioskResetAfterIdleTimer
- ConfigureOpenMicrosoftEdgeWith
- ConfigureTelemetryForMicrosoft365
- FirstRunURL
- PreventCertErrorOverrides
- PreventTurningOffRequiredExtensions
- SetHomeButtonURL
- SetNewTabPageURL
- UnlockHomeButton
- AllowFullScreenMode
- AllowPrelaunch
- AllowPrinting
- AllowSavingHistory
- AllowSideloadingOfExtensions
- AllowTabPreloading
- AllowWebContentOnNewTabPage
- ConfigureFavoritesBar
- ConfigureHomeButton
- ConfigureKioskMode
- ConfigureKioskResetAfterIdleTimer
- ConfigureOpenMicrosoftEdgeWith
- ConfigureTelemetryForMicrosoft365
- FirstRunURL
- PreventCertErrorOverrides
- PreventTurningOffRequiredExtensions
- SetHomeButtonURL
- SetNewTabPageURL
- UnlockHomeButton
- [Policies > DeliveryOptimization:](wcd-policies.md#deliveryoptimization)
- DODelayBackgroundDownloadFromHttp
- DODelayForegroundDownloadFromHttp
- DOGroupIdSource
- DOPercentageMaxBackDownloadBandwidth
- DOPercentageMaxForeDownloadBandwidth
- DORestrictPeerSelectionsBy
- DOSetHoursToLimitBackgroundDownloadBandwidth
- DOSetHoursToLimitForegroundDownloadBandwidth
- DODelayBackgroundDownloadFromHttp
- DODelayForegroundDownloadFromHttp
- DOGroupIdSource
- DOPercentageMaxBackDownloadBandwidth
- DOPercentageMaxForeDownloadBandwidth
- DORestrictPeerSelectionsBy
- DOSetHoursToLimitBackgroundDownloadBandwidth
- DOSetHoursToLimitForegroundDownloadBandwidth
- [Policies > KioskBrowser](wcd-policies.md#kioskbrowser) > EnableEndSessionButton
- [Policies > Search](wcd-policies.md#search) > DoNotUseWebResults
- [Policies > System:](wcd-policies.md#system)
- DisableDeviceDelete
- DisableDiagnosticDataViewer
- DisableDeviceDelete
- DisableDiagnosticDataViewer
- [Policies > Update:](wcd-policies.md#update)
- AutoRestartDeadlinePeriodInDaysForFeatureUpdates
- EngagedRestartDeadlineForFeatureUpdates
- EngagedRestartSnoozeScheduleForFeatureUpdates
- EngagedRestartTransitionScheduleForFeatureUpdates
- ExcludeWUDriversInQualityUpdate
- SetDisablePauseUXAccess
- SetDisableUXWUAccess
- UpdateNotificationLevel
- AutoRestartDeadlinePeriodInDaysForFeatureUpdates
- EngagedRestartDeadlineForFeatureUpdates
- EngagedRestartSnoozeScheduleForFeatureUpdates
- EngagedRestartTransitionScheduleForFeatureUpdates
- ExcludeWUDriversInQualityUpdate
- SetDisablePauseUXAccess
- SetDisableUXWUAccess
- UpdateNotificationLevel
- [UnifiedWriteFilter > OverlayFlags](wcd-unifiedwritefilter.md#overlayflags)
- [UnifiedWriteFilter > ResetPersistentState](wcd-unifiedwritefilter.md#resetpersistentstate)
- [WindowsHelloForBusiness](wcd-windowshelloforbusiness.md)
## Settings removed in Windows 10, version 1809
- [CellCore](wcd-cellcore.md)
- [Policies > Browser:](wcd-policies.md#browser)
- AllowBrowser
- PreventTabReloading
- AllowBrowser
- PreventTabReloading

3
windows/configuration/wcd/wcd-connections.md
View File

@ -18,10 +18,9 @@ Use to configure settings related to various types of phone connections.
| --- | :---: | :---: | :---: | :---: |
| All settings | ✅ | ✅ | | |
For each setting group:
1. In **Available customizations**, select the setting group (such as **Cellular**), enter a friendly name for the connection, and then click **Add**.
2. In **Available customizations**, select the name that you created.
1. In **Available customizations**, select the name that you created.
## Cellular

17
windows/configuration/wcd/wcd-connectivityprofiles.md
View File

@ -28,7 +28,7 @@ Use to configure profiles that a user will connect with, such as an email accoun
Specify an email account to be automatically set up on the device.
1. In **Available customizations**, select **Email**, enter a friendly name for the account, and then click **Add**.
2. In **Available customizations**, select the name that you created. The following table describes the settings you can configure for each account. Settings in **bold** are required.
1. In **Available customizations**, select the name that you created. The following table describes the settings you can configure for each account. Settings in **bold** are required.
| Setting | Description |
| --- | --- |
@ -57,7 +57,7 @@ Specify an email account to be automatically set up on the device.
Configure settings related to Exchange email server. These settings are related to the [ActiveSync configuration service provider (CSP)](/windows/client-management/mdm/activesync-csp).
1. In **Available customizations**, select **Exchange**, enter a name for the account, and then click **Add**. A globally unique identifier (GUID) is generated for the account.
2. In **Available customizations**, select the GUID that you created. The following table describes the settings you can configure. Settings in **bold** are required.
1. In **Available customizations**, select the GUID that you created. The following table describes the settings you can configure. Settings in **bold** are required.
| Setting | Description |
| --- | --- |
@ -103,10 +103,10 @@ Configure settings to change the default maximum transmission unit ([MTU](#mtu))
| ProtocolType | Select **VPNProtocolType** |
| TunnelMTU | Enter the desired MTU size, between **1** and **1500** |
### VPN
### VPN setting
1. In **Available customizations**, select **VPNSetting**, enter a friendly name for the account, and then click **Add**.
2. In **Available customizations**, select the name that you created. The following table describes the settings you can configure. Settings in **bold** are required.
1. In **Available customizations**, select the name that you created. The following table describes the settings you can configure. Settings in **bold** are required.
| Setting | Description |
| --- | --- |
@ -164,7 +164,7 @@ The **Config** settings are initial settings that can be overwritten when settin
### SystemCapabilities
You can use these settings to configure system capabilities for Wi-Fi adapters, which is a new functionality in Windows 10. These system capabilities are added at image time to ensure that the information is at its most accurate. The capabilities allow the OS to have a better understanding of the underlying hardware that it's running on. Diagnostic data is generated by the system to provide data that can be used to diagnose both software and hardware issues.
You can use these settings to configure system capabilities for Wi-Fi adapters, which is a new functionality in Windows 1. These system capabilities are added at image time to ensure that the information is at its most accurate. The capabilities allow the OS to have a better understanding of the underlying hardware that it's running on. Diagnostic data is generated by the system to provide data that can be used to diagnose both software and hardware issues.
| Setting | Description |
| --- | --- |
@ -174,18 +174,17 @@ You can use these settings to configure system capabilities for Wi-Fi adapters,
| WLANFunctionLevelDeviceResetSupported | Select whether the device supports functional level device reset (FLDR). The FLDR feature in the OS checks this system capability exclusively to determine if it can run. |
| WLANPlatformLevelDeviceResetSupported | Select whether the device supports platform level device reset (PLDR). The PLDR feature in the OS checks this system capability exclusively to determine if it can run. |
## WLAN
Configure settings for wireless connectivity.
### Profiles
**To add a profile**
To add a profile:
1. Create [the wireless profile XML](/windows/win32/nativewifi/wireless-profile-samples).
2. In **WLAN > Profiles**, browse to and select the profile XML file.
3. Click **Add**.
1. In **WLAN > Profiles**, browse to and select the profile XML file.
1. Click **Add**.
### WLANXmlSettings

1
windows/configuration/wcd/wcd-developersetup.md
View File

@ -19,7 +19,6 @@ Use to unlock developer mode on HoloLens devices and configure authentication to
| [EnableDeveloperMode](#developersetupsettings-enabledevelopermode) | | | ✅ | |
| [AuthenticationMode](#windowsdeviceportalsettings-authentication-mode) | | | ✅ | |
## DeveloperSetupSettings: EnableDeveloperMode
When this setting is configured as **True**, the device is unlocked for developer functionality.

8
windows/configuration/wcd/wcd-deviceformfactor.md
View File

@ -18,7 +18,7 @@ Use to identify the form factor of the device.
| --- | :---: | :---: | :---: | :---: |
| DeviceForm | ✅ | ✅ | | |
Specifies the device form factor running Windows 10. Generally, the device form is set by the original equipment manufacturer (OEM), however you might want to change the device form based on its usage in your organization.
Specifies the device form factor running Windows 1. Generally, the device form is set by the original equipment manufacturer (OEM), however you might want to change the device form based on its usage in your organization.
DeviceForm supports the following features or components:
@ -58,9 +58,3 @@ Select the appropriate form from the dropdown menu.
| AIO | An All-in-One (AIO) device is an evolution of the traditional desktop with an attached display. |
| Stick | A device that turns your TV into a Windows computer. Plug the stick into the HDMI slot on the TV and connect a USB or Bluetooth keyboard or mouse. |
| Puck | A small-size PC that users can use to plug in a monitor and keyboard. |

10
windows/configuration/wcd/wcd-devicemanagement.md
View File

@ -24,14 +24,14 @@ Use to configure device management settings.
## Accounts
1. In **Available customizations**, select **Accounts**, enter a friendly name for the account, and then click **Add**.
2. In **Available customizations**, select the account that you created. The following table describes the settings you can configure. Settings in **bold** are required.
1. In **Available customizations**, select the account that you created. The following table describes the settings you can configure. Settings in **bold** are required.
| Setting | Description |
| --- | --- |
| **Address** | Enter the OMA DM server address |
| **AddressType** | Choose between **IPv4** and **URI** for the type of OMA DM server address. The default value of **URI** specifies that the OMA DM account address is a URI address. A value of **IPv4** specifies that the OMA DM account address is an IP address. |
| **AppID** | Select **w7** |
| Authentication > Credentials | 1. Select a credentials level (CLCRED or SRVCRED). A value of **CLCRED** indicates that the credentials client will authenticate itself to the OMA DM server at the OMA DM protocol level. A value of **SRVCRED** indicates that the credentials server will authenticate itself to the OMA DM Client at the OMA DM protocol level. </br>2. In **Available customizations**, select the level.</br>3. For **Data**, enter the authentication nonce as a Base64 encoded string.</br>4. For **Level**, select **CLCRED** or **SRVCRED**.</br>5. For **Name**, enter the authentication name.</br>6. For **Secret**, enter the password or secret used for authentication.</br>7. For **Type**, select between **Basic**, **Digest**, and **HMAC**. For **CLCRED**, the supported values are **BASIC** and **DIGEST**. For **SRVCRED**, the supported value is **DIGEST**. |
| Authentication > Credentials | 1. Select a credentials level (CLCRED or SRVCRED). A value of **CLCRED** indicates that the credentials client will authenticate itself to the OMA DM server at the OMA DM protocol level. A value of **SRVCRED** indicates that the credentials server will authenticate itself to the OMA DM Client at the OMA DM protocol level. </br>1. In **Available customizations**, select the level.</br>1. For **Data**, enter the authentication nonce as a Base64 encoded string.</br>1. For **Level**, select **CLCRED** or **SRVCRED**.</br>1. For **Name**, enter the authentication name.</br>1. For **Secret**, enter the password or secret used for authentication.</br>1. For **Type**, select between **Basic**, **Digest**, and **HMAC**. For **CLCRED**, the supported values are **BASIC** and **DIGEST**. For **SRVCRED**, the supported value is **DIGEST**. |
| AuthenticationPreference | Select between **Basic**, **Digest**, and **HMAC** |
| BackCompatRetryDisabled | Specify whether to retry resending a package with an older protocol version (for example, 1.1) in the SyncHdr on subsequent attempts (not including the first time). The default value of "FALSE" indicates that backward-compatible retries are enabled. A value of "TRUE" indicates that backward-compatible retries are disabled. |
| ConnectionRetries | Enter a number to specify how many retries the DM client performs when there are Connection Manager-level or wininet-level errors. The default value is `3`. |
@ -51,12 +51,11 @@ Use to configure device management settings.
| UseHardwareDeviceID | Specify whether to use the hardware ID for the ./DevInfo/DevID parameter in the DM account to identify the device |
| UseNonceResync | Specify whether the OMA DM client should use the nonce resynchronization procedure if the server trigger notification fails authentication |
## PGList
1. In **Available customizations**, select **PGList**, enter a LogicalProxyName, and then click **Add**.
2. In **Available customizations**, select the LogicalProxyName that you created, and then select **PhysicalProxies**.
3. Enter a PhysicalProxyName, and then click **Add**. The following table describes the settings you can configure for the physical proxy and for **Trust**.
1. In **Available customizations**, select the LogicalProxyName that you created, and then select **PhysicalProxies**.
1. Enter a PhysicalProxyName, and then click **Add**. The following table describes the settings you can configure for the physical proxy and for **Trust**.
| Setting | Description |
| --- | --- |
@ -66,7 +65,6 @@ Use to configure device management settings.
| PushEnabled | Select whether push operations are enabled |
| Trust | Specify whether or not the physical proxies in this logical proxy are privileged |
## Policies
The following table describes the settings you can configure for **Policies**.

3
windows/configuration/wcd/wcd-editionupgrade.md
View File

@ -20,7 +20,6 @@ Use to upgrade the edition of Windows 10 on the device. [Learn about Windows 10
| [UpgradeEditionWithLicense](#upgradeeditionwithlicense) | ✅ | | ✅ | |
| [UpgradeEditionWithProductKey](#upgradeeditionwithproductkey) | ✅ | | | |
## ChangeProductKey
Enter a product key, which will be used to update the existing product key on the device.
@ -29,7 +28,6 @@ Enter a product key, which will be used to update the existing product key on th
Browse to and select a license XML file for the edition upgrade.
## UpgradeEditionWithProductKey
Enter a product key for an edition upgrade of Windows 10 devices.
@ -38,7 +36,6 @@ If a product key is entered in a provisioning package and the user begins instal
After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade.
## Related topics
- [WindowsLicensing configuration service provider (CSP)](/windows/client-management/mdm/windowslicensing-csp)

10
windows/configuration/wcd/wcd-kioskbrowser.md
View File

@ -35,10 +35,10 @@ Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh stat
>
> 1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer.
> 2. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18).
> 1. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18).
> 3. Insert the null character string in between each URL (e.g www.bing.com`&#xF000;`www.contoso.com).
> 1. Insert the null character string in between each URL (e.g www.bing.com`&#xF000;`www.contoso.com).
> 4. Save the XML file.
> 5. Open the project again in Windows Configuration Designer.
> 6. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed.
> 1. Save the XML file.
> 1. Open the project again in Windows Configuration Designer.
> 1. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed.

1
windows/configuration/wcd/wcd-location.md
View File

@ -4,7 +4,6 @@ description: This section describes the Location settings that you can configure
ms.topic: reference
ms.date: 12/31/2017
---

3
windows/configuration/wcd/wcd-maps.md
View File

@ -4,7 +4,6 @@ description: This section describes the Maps settings that you can configure in
ms.topic: reference
ms.date: 12/31/2017
---
@ -20,14 +19,12 @@ Use for settings related to Maps.
| [UseExternalStorage](#useexternalstorage) | ✅ | ✅ | | |
| [UseSmallerCache](#usesmallercache) | ✅ | ✅ | | |
## ChinaVariantWin10
Use **ChinaVariantWin10** to specify that the Windows device is intended to ship in China. When set to **True**, maps approved by the State Bureau of Surveying and Mapping in China are used. These maps are obtained from a server located in China.
This customization may result in different maps, servers, or other configuration changes on the device.
## UseExternalStorage
Use to store map data on an SD card.

4
windows/configuration/wcd/wcd-networkproxy.md
View File

@ -4,7 +4,6 @@ description: This section describes the NetworkProxy settings that you can confi
ms.topic: reference
ms.date: 12/31/2017
---
@ -18,7 +17,6 @@ Use for settings related to NetworkProxy.
| --- | :---: | :---: | :---: | :---: |
| All settings | | ✅ | | |
## AutoDetect
Automatically detect network proxy settings.
@ -38,12 +36,10 @@ Node for configuring a static proxy for Ethernet and Wi-Fi connections. The same
| ProxyExceptions | Addresses that shouldn't use the proxy server. The system won't use the proxy server for addresses that begin with the values specified in this node. Use semicolons (;) to separate entries. |
| UseProxyForLocalAddresses | Whether the proxy server should be used for local (intranet) addresses.</br></br>- 0 = Disabled. Don't use the proxy server for local addresses.</br>- 1 = Enabled. Use the proxy server for local addresses. |
## SetupScriptUrl
Address to the PAC script you want to use.
## Related topics
- [NetworkProxy configuration service provider (CSP)](/windows/client-management/mdm/networkproxy-csp)

7
windows/configuration/wcd/wcd-networkqospolicy.md
View File

@ -4,7 +4,6 @@ description: This section describes the NetworkQoSPolicy settings that you can c
ms.topic: reference
ms.date: 12/31/2017
---
@ -19,15 +18,15 @@ Use to create network Quality of Service (QoS) policies. A QoS policy performs a
| All settings | | ✅ | | |
1. In **Available customizations**, select **NetworkQoSPolicy**, enter a friendly name for the account, and then click **Add**.
2. In **Available customizations**, select the name that you just created. The following table describes the settings you can configure.
1. In **Available customizations**, select the name that you just created. The following table describes the settings you can configure.
| Setting | Description |
| --- | --- |
| AppPathNameMatchCondition | Enter the name of an application to be sued to match the network traffic, such as application.exe or %ProgramFiles%\application.exe. |
| DestinationPortMatchCondition | Specify a port or a range of ports to be used to match the network traffic. Valid values are [first port number]-[last port number], or [port number]. |
| DSCPAction | Enter the differentiated services code point (DSCP) value to apply to match with network traffic. Valid values are 0-63. |
| DSCPAction | Enter the differentiated services code point (DSCP) value to apply to match with network traffic. Valid values are 0-61. |
| IPProtocolMatchCondition | Select between **Both TCP and UDP**, **TCP**, and **UDP** to specify the IP protocol used to match the network traffic. |
| PriorityValue8021Action | Specify the IEEE 802.1p value. Valid values are 0 through 7. |
| PriorityValue8021Action | Specify the IEEE 802.1p value. Valid values are 0 through 1. |
| SourcePortMatchCondition | Specify a single port or range of ports. Valid values are [first port number]-[last port number], or [port number]. |
## Related topics

Some files were not shown because too many files have changed in this diff Show More