See [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). | No | No | Yes | -| Specify Skype domain | InBoxApps/SkypeForBusiness/DomainName | Yes [Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | -| Auto launch Connect App when projection is initiated | InBoxApps/Connect/AutoLaunch | Yes [Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | -| Set default volume | Properties/DefaultVolume | Yes [Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | -| Set screen timeout | Properties/ScreenTimeout | Yes [Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | -| Set session timeout | Properties/SessionTimeout | Yes [Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | -| Set sleep timeout | Properties/SleepTimeout | Yes [Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | -| Allow session to resume after screen is idle | Properties/AllowSessionResume | Yes [Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | -| Allow device account to be used for proxy authentication | Properties/AllowAutoProxyAuth | Yes [Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | -| Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes [Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | -| Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes [Use a custom policy.](#example-intune)) | Yes
[Use a custom setting.] Yes | +| Specify Skype domain | InBoxApps/SkypeForBusiness/DomainName | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Auto launch Connect App when projection is initiated | InBoxApps/Connect/AutoLaunch | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Set default volume | Properties/DefaultVolume | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Set screen timeout | Properties/ScreenTimeout | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Set session timeout | Properties/SessionTimeout | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Set sleep timeout | Properties/SleepTimeout | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Allow session to resume after screen is idle | Properties/AllowSessionResume | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Allow device account to be used for proxy authentication | Properties/AllowAutoProxyAuth | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. ### Supported Windows 10 settings @@ -92,46 +92,46 @@ The following tables include info on Windows 10 settings that have been validate #### Security settings | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | | -------- | -------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- | -| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*`
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | +| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*`
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes.
. | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Browser settings | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | | -------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- | -| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Allow developer tools | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Allow SmartScreen | Keep this enabled to turn on SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Prevent ignoring SmartScreen Filter warnings for websites | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Prevent ignoring SmartScreen Filter warnings for files | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | +| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Allow developer tools | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Allow SmartScreen | Keep this enabled to turn on SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Prevent ignoring SmartScreen Filter warnings for websites | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Prevent ignoring SmartScreen Filter warnings for files | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Windows Update settings | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML*? | | ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- | -| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes | -| Defer feature updates| See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes| -| Configure device to use WSUS| Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*`
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | +| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Defer feature updates| See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes| +| Configure device to use WSUS| Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*`
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Windows Defender settings | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | | ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- | -| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*`
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | +| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*`
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | | Defender status | Use to initiate a Defender scan, force a signature update, query any threats detected. | [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/mt187856.aspx) | No. | No. | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. @@ -140,8 +140,8 @@ The following tables include info on Windows 10 settings that have been validate | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | | ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- | | Reboot the device immediately | Use in conjunction with OMS to minimize support costs – see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). | ./Vendor/MSFT/Reboot/RebootNow
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | No | No | Yes | -| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | +| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Install certificates diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index e11e0e6e42..9ae8f829c5 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md @@ -42,6 +42,20 @@ Microsoft collects telemetry to help improve your Surface Hub experience. Add th - Telemetry client endpoint: `https://vortex.data.microsoft.com/` - Telemetry settings endpoint: `https://settings.data.microsoft.com/` +### Proxy configuration + +If your organization restricts computers on your network from connecting to the Internet, there is a set of URLs that need to be available for devices to use Store for Business. Some of the Store for Business features use Windows Store app and Windows Store services. Devices using Store for Business – either to acquire, install, or update apps – will need access to these URLs. If you use a proxy server to block traffic, your configuration needs to allow these URLs: + +- login.live.com +- login.windows.net +- account.live.com +- clientconfig.passport.net +- windowsphone.com +- *.wns.windows.com +- *.microsoft.com +- www.msftncsi.com (prior to Windows 10, version 1607) +- www.msftconnecttest.com/connecttest.txt (replaces www.msftncsi.com starting with Windows 10, version 1607) + ## Work with other admins diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md index ff05c19f62..678d06e664 100644 --- a/devices/surface-hub/troubleshoot-surface-hub.md +++ b/devices/surface-hub/troubleshoot-surface-hub.md @@ -622,7 +622,9 @@ This section lists status codes, mapping, user messages, and actions an admin ca +## Related content +- [Troubleshooting Miracast connection to the Surface Hub](https://blogs.msdn.microsoft.com/surfacehub/2017/01/30/troubleshooting-miracast-connection-to-the-surface-hub/) diff --git a/windows/configure/how-it-pros-can-use-configuration-service-providers.md b/windows/configure/how-it-pros-can-use-configuration-service-providers.md index 98152602d5..4a4fc4883a 100644 --- a/windows/configure/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/configure/how-it-pros-can-use-configuration-service-providers.md @@ -21,8 +21,8 @@ Configuration service providers (CSPs) expose device configuration settings in W The CSPs are documented on the [Hardware Dev Center](https://go.microsoft.com/fwlink/p/?LinkId=717390) because CSPs are used by mobile device management (MDM) service providers. This topic explains how IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 and Windows 10 Mobile in their organizations. -**Note** -The explanation of CSPs and CSP documentation also apply to Windows Mobile 5, Windows Mobile 6, Windows Phone 7, and Windows Phone 8, but links to current CSPs are for Windows 10 and Windows 10 Mobile. +>[!NOTE] +>The explanation of CSPs and CSP documentation also apply to Windows Mobile 5, Windows Mobile 6, Windows Phone 7, and Windows Phone 8, but links to current CSPs are for Windows 10 and Windows 10 Mobile. [See what's new for CSPs in Windows 10, version 1607.](https://msdn.microsoft.com/library/windows/hardware/mt299056.aspx#whatsnew_1607) @@ -60,15 +60,15 @@ In addition, you may have unmanaged devices, or a large number of devices that y In addition, some of the topics in the [Windows 10 and Windows 10 Mobile](../index.md) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](cortana-at-work-overview.md) which links to the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244). In the CSP topics, you can learn about all of the available configuration settings. -### CSPs in Windows Imaging and Configuration Designer (ICD) +### CSPs in Windows Configuration Designer -You can use Windows Imaging and Configuration Designer (ICD) to create [provisioning packages](https://go.microsoft.com/fwlink/p/?LinkId=717466) to apply settings to devices during the out-of-box-experience (OOBE) and after devices are set up. You can use provisioning packages to configure a device's connectivity and enroll the device in MDM. Many of the runtime settings in Windows ICD are based on CSPs. +You can use Windows Configuration Designer to create [provisioning packages](https://go.microsoft.com/fwlink/p/?LinkId=717466) to apply settings to devices during the out-of-box-experience (OOBE) and after devices are set up. You can use provisioning packages to configure a device's connectivity and enroll the device in MDM. Many of the runtime settings in Windows Configuration Designer are based on CSPs. -Many settings in Windows ICD will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image. +Many settings in Windows Configuration Designer will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image.  -[Configure devices without MDM](../manage/configure-devices-without-mdm.md) explains how to use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package. +[Provisioning packages in Windows 10](provisioning-packages.md) explains how to use the Windows Configuration Designer tool to create a runtime provisioning package. ### CSPs in MDM @@ -78,7 +78,7 @@ When a CSP is available but is not explicitly included in your MDM solution, you ### CSPs in Lockdown XML -Lockdown XML can be used to configure devices running Windows 10 Mobile. You can manually author a [Lockdown XML file](lockdown-xml.md) to make use of the configuration settings available through the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601). +Lockdown XML can be used to configure devices running Windows 10 Mobile. You can manually author a [Lockdown XML file](lockdown-xml.md) to make use of the configuration settings available through the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601). In Windows 10, version 1703, you can also use the new [Lockdown Designer app](mobile-lockdown-designer.md) to configure your Lockdown XML. ## How do you use the CSP documentation? diff --git a/windows/configure/images/show-more-tiles.png b/windows/configure/images/show-more-tiles.png new file mode 100644 index 0000000000..6922edeb4c Binary files /dev/null and b/windows/configure/images/show-more-tiles.png differ diff --git a/windows/configure/images/start-screen-size.png b/windows/configure/images/start-screen-size.png new file mode 100644 index 0000000000..6c09d960ef Binary files /dev/null and b/windows/configure/images/start-screen-size.png differ diff --git a/windows/configure/images/wcd-app-commands.PNG b/windows/configure/images/wcd-app-commands.PNG new file mode 100644 index 0000000000..e52908960f Binary files /dev/null and b/windows/configure/images/wcd-app-commands.PNG differ diff --git a/windows/configure/images/wcd-app-name.PNG b/windows/configure/images/wcd-app-name.PNG new file mode 100644 index 0000000000..23ff06eada Binary files /dev/null and b/windows/configure/images/wcd-app-name.PNG differ diff --git a/windows/configure/lockdown-xml.md b/windows/configure/lockdown-xml.md index 9398934ee7..36fa6806f7 100644 --- a/windows/configure/lockdown-xml.md +++ b/windows/configure/lockdown-xml.md @@ -91,7 +91,7 @@ The following example is a complete lockdown XML file that disables Action Cente The Apps setting serves as an allow list and specifies the applications that will be available in the All apps list. Apps that are not included in this setting are hidden from the user and blocked from running. -You provide the product ID for each app in your file. The product ID identifies an app package, and an app package can contain multiple apps, so you should also provide the App User Model ID (AUMID) to differentiate the app. Optionally, you can set an app to run automatically. [Get product ID and AUMID for apps in Windows 10 Mobile.](product-ids-in-windows-10-mobile.md) +You provide the App User Model ID (AUMID) and product ID for each app in your file. The product ID identifies an app package, and an app package can contain multiple apps, so you also provide the ADUMID to differentiate the app. Optionally, you can set an app to run automatically. [Get product ID and AUMID for apps in Windows 10 Mobile.](product-ids-in-windows-10-mobile.md) The following example makes Outlook Calendar available on the device. diff --git a/windows/configure/mobile-lockdown-designer.md b/windows/configure/mobile-lockdown-designer.md index ee7d0aa8b6..bc580504e6 100644 --- a/windows/configure/mobile-lockdown-designer.md +++ b/windows/configure/mobile-lockdown-designer.md @@ -47,6 +47,11 @@ Perform these steps on the device running Windows 10 Mobile that you will use to 4. Enable **Device discovery**, and then turn on **Device Portal**. +>[!IMPORTANT] +>Check **Settings > Personalization > Start > Show more tiles** on the test mobile device. If **Show more tiles** is **On**, you must select **Large** on the [**Start screen** page](#start) in Lockdown Designer. If you want to apply a **Small** layout, set **Show more tiles** on the test mobile device to **Off**. +> +> + ## Prepare the PC [Install Lockdown Designer](https://www.microsoft.com/store/r/9nblggh40753) on the PC. @@ -130,7 +135,7 @@ The apps and settings available in the pages of Lockdown Designer should now be |  | On this page, you select the settings that you want visible to users. | |  | Each hardware button on a mobile device has different actions that can be disabled. In addition, the behavior for **Search** button can be changed to open an app other than **Search**.Some devices may have additional hardware buttons provided by the OEM. These are listed as Custom1, Custom2, and Custom3. If your device has custom hardware buttons, contact your equipment provider to identify how their custom buttons are defined. | |  | This page contains several settings that you can configure:- The context menu is displayed when a user presses and holds an application in the All Apps list. You can enable or disable the context menu.- Tile manipulation allows users to pin, unpin, move, and resize tiles on the Start screen. You can enable or disable tile manipulation.- The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both. | -|  | On this page, you can start a remote simulation session with the test mobile device. Click **Start remote simulation**. You will see a **Start screen remote simulation in progress** message on the PC. (If the **Start remote simulation** button is not active, [pair the mobile device with the PC again](#pair).)On the test mobile device, tiles for the apps that you allowed on the **Applications** page are displayed on the screen. You can move, resize, or unpin these tiles to achieve the desired layout.When you are done changing the layout on the test mobile device, click **Accept** on the PC. | +|  | On this page, you can start a remote simulation session with the test mobile device. Click **Start remote simulation**. You will see a **Start screen remote simulation in progress** message on the PC. (If the **Start remote simulation** button is not active, [pair the mobile device with the PC again](#pair).)On the test mobile device, tiles for the apps that you allowed on the **Applications** page are displayed on the screen. You can move, resize, or unpin these tiles to achieve the desired layout.When you are done changing the layout on the test mobile device, click **Accept** on the PC. | ## Validate and export diff --git a/windows/configure/product-ids-in-windows-10-mobile.md b/windows/configure/product-ids-in-windows-10-mobile.md index 6fd085952b..f2a3295ba9 100644 --- a/windows/configure/product-ids-in-windows-10-mobile.md +++ b/windows/configure/product-ids-in-windows-10-mobile.md @@ -230,21 +230,8 @@ The following table lists the product ID and AUMID for each app that is included -## Get product ID and AUMID for other apps -To get the product ID and AUMID for apps that are installed from Windows Store or installed locally ([side-loaded](https://go.microsoft.com/fwlink/p/?LinkID=623433)), use the following steps. - -**Prerequisites**: a device with an SD card inserted and all apps installed that you want to get IDs for - -1. On Start , swipe over to the App list, then tap **Settings**  > **Accounts** > **Apps Corner**. - -2. Tap **Apps**, tap to select the app that you want to get IDs for, and then tap done  - -3. Tap **advanced**, and then **tap export to SD card**. - -4. Connect the device to a PC using USB, and then open the WEHLockdown.xml file on the SD card of the device to view the product ID and AUMID for each app. - ## Related topics diff --git a/windows/configure/provision-pcs-with-apps.md b/windows/configure/provision-pcs-with-apps.md index 2314c30c16..26703f40c9 100644 --- a/windows/configure/provision-pcs-with-apps.md +++ b/windows/configure/provision-pcs-with-apps.md @@ -40,7 +40,7 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate - **Restart required**: Optionally, specify if you want to initiate a reboot after a successful install of this app -- **Required win32 app dependencies**: Optionally, specify additional files that are required for the installation of the app. +- **Required win32 app dependencies**: Optionally, specify additional files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract). ### Exe or other installer @@ -52,22 +52,22 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate - **Restart required**: Optionally, specify if you want to initiate a reboot after a successful install of this app -- **Required win32 app dependencies**: Optionally, specify additional files that are required for the installation of the app. +- **Required win32 app dependencies**: Optionally, specify additional files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract). -## Add an app using advanced editor in Windows Configuration Designer +## Add a Classic Windows app using advanced editor in Windows Configuration Designer -1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandFiles**. +1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **PrimaryContext** > **Command**. -2. Add all the files required for the app install, including the data files and the installer. +2. Enter a name for the first app, and then click **Add**. -3. Go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandLine** and specify the command line that needs to be executed to install the app. This is a single command line (such as a script, executable, or msi) that triggers a silent install of your CommandFiles. Note that the install must execute silently (without displaying any UI). For MSI installers use, the `msiexec /quiet` option. +  -> [!NOTE] -> If you are installing more than one app, then use `CommandLine` to invoke the script or batch file that orchestrates installation of the files. For more information, see [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md). +3. [Configure the settings for the appropriate installer type.](#settings-for-classic-windows-apps) +  ### Add a universal app to your package @@ -87,7 +87,7 @@ Universal apps that you can distribute in the provisioning package can be line-o 5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. - - In Windows Store for Business, generate the unencoded license for the app on the app's download page, and change the extension of the license file from **.xml** to **.ms-windows-store-license**. + - In Windows Store for Business, generate the unencoded license for the app on the app's download page.  diff --git a/windows/configure/provisioning-apply-package.md b/windows/configure/provisioning-apply-package.md index 2fa9efb09a..2725bb140c 100644 --- a/windows/configure/provisioning-apply-package.md +++ b/windows/configure/provisioning-apply-package.md @@ -46,7 +46,7 @@ Provisioning packages can be applied to a device during the first-run experience ### After setup, from a USB drive, network folder, or SharePoint site -On a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. +Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. For a provisioning package stored on a network forlder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation.  diff --git a/windows/configure/provisioning-script-to-install-app.md b/windows/configure/provisioning-script-to-install-app.md index 20ada61de8..639ca1ea2f 100644 --- a/windows/configure/provisioning-script-to-install-app.md +++ b/windows/configure/provisioning-script-to-install-app.md @@ -29,6 +29,7 @@ This walkthrough describes how to leverage the ability to include scripts in a W 2. If you need to include a directory structure of files, you will need to cab the assets for easy inclusion in the provisioning packages. + ## Cab the application assets 1. Create a .DDF file as below, replacing *file1* and *file2* with the files you want to package, and adding the name of file/directory. @@ -89,7 +90,9 @@ This walkthrough describes how to leverage the ability to include scripts in a W ## Create the script to install the application -Create a script to perform whatever work is needed to install the application(s). The following examples are provided to help get started authoring the orchestrator script that will execute the required installers. In practice, the orchestrator script may reference many more assets than those in these examples. +In Windows 10, version 1607 and earlier, create a script to perform whatever work is needed to install the application(s). The following examples are provided to help get started authoring the orchestrator script that will execute the required installers. In practice, the orchestrator script may reference many more assets than those in these examples. + +In Windows 10, version 1703, you don’t need to create an orchestrator script. You can have one command line per app. If necessary, you can create a script that logs the output per app, as mentioned below (rather than one orchestrator script for the entire provisioning package). >[!NOTE] >All actions performed by the script must happen silently, showing no UI and requiring no user interaction. @@ -138,6 +141,7 @@ PsExec.exe -accepteula -i -s cmd.exe /c powershell.exe my_powershell_script.ps1' echo result: %ERRORLEVEL% >> %LOGFILE% ``` + ### Extract from a .CAB example This example script shows expansion of a .cab from the provisioning commands script, as well as installation of the expanded setup.exe @@ -154,7 +158,9 @@ echo result: %ERRORLEVEL% >> %LOGFILE% ### Calling multiple scripts in the package -You are currently allowed one CommandLine per PPKG. The batch files shown above are orchestrator scripts that manage the installation and calls any other scripts included in the PPKG. The orchestrator script is what should be invoked from the CommandLine specified in the package. +In Windows 10, version 1703, your provisioning package can include multiple CommandLines. + +In Windows 10, version 1607 and earlier, you are allowed one CommandLine per provisioning package. The batch files shown above are orchestrator scripts that manage the installation and call any other scripts included in the provisioning package. The orchestrator script is what should be invoked from the CommandLine specified in the package. Here’s a table describing this relationship, using the PowerShell example from above: @@ -166,7 +172,7 @@ Here’s a table describing this relationship, using the PowerShell example from | ProvisioningCommands/DeviceContext/CommandFiles | my_powershell_script.ps1 | Other assets referenced by the orchestrator script. In this example there is only one, but there could be many assets referenced here. One common use case is using the orchestrator to call a series of install.exe or setup.exe installers to install several applications. Each of those installers must be included as an asset here. | -### Add script to provisioning package +### Add script to provisioning package (Windows 10, version 1607) When you have the batch file written and the referenced assets ready to include, you can add them to a provisioning package in the Window Configuration Designer. @@ -197,10 +203,15 @@ When you are done, [build the package](provisioning-create-package.md#build-pack 2. When applied at first boot, provisioning runs early in the boot sequence and before a user context has been established; care must be taken to only include installers that can run at this time. Other installers can be provisioned via a management tool. 3. If the device is put into an unrecoverable state because of a bad script, you can reset it using [recovery options in Windows 10](https://support.microsoft.com/help/12415/windows-10-recovery-options). 4. The CommandFile assets are deployed on the device to a temporary folder unique to each package. - a. For packages added during the out of box experience, this is usually in `%WINDIR%\system32\config\systemprofile\appdata\local\Temp\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands` - b. For packages added by double-clicking on an already deployed device, this will be in the temp folder for the user executing the PPKG: `%TMP%\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands` + - For Windows 10, version 1607 and earlier: + a. For packages added during the out of box experience, this is usually in `%WINDIR%\system32\config\systemprofile\appdata\local\Temp\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands` + b. For packages added by double-clicking on an already deployed device, this will be in the temp folder for the user executing the PPKG: `%TMP%\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands` + - For Windows 10, version 1703: + a. For packages added during the out of box experience, this is usually in `%WINDIR%\system32\config\systemprofile\appdata\local\Temp\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands\0` + The `0` after `Commands\` refers to the installation order and indicates the first app to be installed. The number will increment for each app in the package. + b. For packages added by double-clicking on an already deployed device, this will be in the temp folder for the user executing the provisioning package: `%TMP%\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands\0` 5. The command line will be executed with the directory the CommandFiles were deployed to as the working directory. This means you do not need to specific the full path to assets in the command line or from within any script. -6. The runtime provisioning component will attempt to run the scripts from the PPKG at the earliest point possible, depending on the stage when the PPKG was added. For example, if the package was added during the Out-of-Box Experience, it will be run immediately after the package is applied, while the Out-of-Box Experience is still happening. This is before the user account configuration options are presented to the user. A spinning progress dialog will appear and “please wait” will be displayed on the screen. +6. The runtime provisioning component will attempt to run the scripts from the provisioning package at the earliest point possible, depending on the stage when the PPKG was added. For example, if the package was added during the Out-of-Box Experience, it will be run immediately after the package is applied, while the out of box experience is still happening. This is before the user account configuration options are presented to the user. A spinning progress dialog will appear and “please wait” will be displayed on the screen. >[!NOTE] >There is a timeout of 30 minutes for the provisioning process at this point. All scripts and installs need to complete within this time. diff --git a/windows/deploy/upgrade-readiness-deployment-script.md b/windows/deploy/upgrade-readiness-deployment-script.md index 0206b5764e..f8d311cd6b 100644 --- a/windows/deploy/upgrade-readiness-deployment-script.md +++ b/windows/deploy/upgrade-readiness-deployment-script.md @@ -42,9 +42,9 @@ To run the Upgrade Readiness deployment script: 3. By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options: > *logMode = 0 log to console only* -> + > > *logMode = 1 log to file and console* -> + > > *logMode = 2 log to file only* 3. To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. Then use one of the following options to determine what Internet Explorer data can be collected: @@ -57,7 +57,16 @@ To run the Upgrade Readiness deployment script: > > *IEOptInLevel = 3 Data collection is enabled for all sites* -4. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system. +4. The latest version (03.02.17) of the deployment script is configured to collect and send diagnostic and debugging data to Microsoft. If you wish to disable sending diagnostic and debugging data to Microsoft, set **AppInsightsOptIn = false**. By default, **AppInsightsOptIn** is set to **true**. + + The data that is sent is the same data that is collected in the text log file that captures the events and error codes while running the script. This file is named in the following format: **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. Log files are created in the drive that is specified in the RunConfig.bat file. By default this is set to: **%SystemDrive%\UADiagnostics**. + + This data gives us the ability to determine the status of your machines and to help troubleshoot issues. If you choose to opt-in to and send this data to Microsoft, you must also allow https traffic to be sent to the following wildcard endpoints: + + \*vortex\*.data.microsoft.com
+ \*settings\*.data.microsoft.com + +5. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system. The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered. diff --git a/windows/deploy/upgrade-readiness-get-started.md b/windows/deploy/upgrade-readiness-get-started.md index 4829baa632..7cb98c4cf2 100644 --- a/windows/deploy/upgrade-readiness-get-started.md +++ b/windows/deploy/upgrade-readiness-get-started.md @@ -79,7 +79,7 @@ For Upgrade Readiness to receive and display upgrade readiness data from Microso To enable data sharing, whitelist the following endpoints. Note that you may need to get approval from your security group to do this. -Note: The compatibility update KB runs under the computer’s system account. If you are using user authenticated proxies, read [this blog post](https://go.microsoft.com/fwlink/?linkid=838688) to learn what you need to do to run it under the logged on user account. +Note: The compatibility update KB runs under the computer’s system account. If you are using user authenticated proxies, read [this blog post](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) to learn what you need to do to run it under the logged on user account. | **Endpoint** | **Function** | |---------------------------------------------------------|-----------| diff --git a/windows/deploy/upgrade-readiness-requirements.md b/windows/deploy/upgrade-readiness-requirements.md index 5f706bab59..5593a4eb72 100644 --- a/windows/deploy/upgrade-readiness-requirements.md +++ b/windows/deploy/upgrade-readiness-requirements.md @@ -78,8 +78,6 @@ See [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields Before you get started configuring Upgrade Anatlyics, review the following tips and limitations about this release. -**User authenticated proxies are not supported in this release.** User computers communicate with Microsoft through Windows telemetry. The Windows telemetry client runs in System context and requires a connection to various Microsoft telemetry endpoints. User authenticated proxies are not supported at this time. Work with your Network Administrator to ensure that user computers can communicate with telemetry endpoints. - **Upgrade Readiness does not support on-premises Windows deployments.** Upgrade Readiness is built as a cloud service, which allows Upgrade Readiness to provide you with insights based on the data from user computers and other Microsoft compatibility services. Cloud services are easy to get up and running and are cost-effective because there is no requirement to physically implement and maintain services on-premises. **In-region data storage requirements.** Windows telemetry data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Readiness solution in the Microsoft Operations Management Suite (OMS) portal. At the time this topic is being published, only OMS workspaces created in the East US and West Europe are supported. We’re adding support for additional regions and we’ll update this information when new international regions are supported. diff --git a/windows/images/w10-evaluation.png b/windows/images/w10-evaluation.png new file mode 100644 index 0000000000..19d690b694 Binary files /dev/null and b/windows/images/w10-evaluation.png differ diff --git a/windows/images/w10-whatsnew-highlight.png b/windows/images/w10-whatsnew-highlight.png new file mode 100644 index 0000000000..b8534ef41d Binary files /dev/null and b/windows/images/w10-whatsnew-highlight.png differ diff --git a/windows/index.md b/windows/index.md index 1509edd168..32342a6b60 100644 --- a/windows/index.md +++ b/windows/index.md @@ -19,7 +19,7 @@ This library provides the core content that IT pros need to evaluate, plan, depl
+ 
What's New?
- +
Keep Secure @@ -67,7 +67,7 @@ This library provides the core content that IT pros need to evaluate, plan, depl
-
+ 
Try it
-# Get to know Windows as a Service (WaaS) -
