deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-16 15:27:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into rs4

Browse Source
This commit is contained in:
Jeanie Decker 2018-02-26 08:03:21 -08:00
commit 8f012d7951
12 changed files with 767 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
devices/surface/change-history-for-surface.md
View File

@ -16,6 +16,7 @@ This topic lists new and updated topics in the Surface documentation library.
|New or changed topic | Description |
| --- | --- |
|[Surface Dock Updater](surface-dock-updater.md) | Added version 2.12.136.0 information |
|[Microsoft Surface Data Eraser](microsoft-surface-data-eraser.md) | Added version 3.2.46.0 information |
## January 2018

18
devices/surface/surface-dock-updater.md
View File

@ -9,7 +9,7 @@ ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
author: brecords
ms.date: 11/03/2017
ms.date: 02/23/2018
ms.author: jdecker
---
@ -116,6 +116,22 @@ Microsoft periodically updates Surface Dock Updater. To learn more about the app
>[!Note]
>Each update to Surface Dock firmware is included in a new version of Surface Dock Updater. To update a Surface Dock to the latest firmware, you must use the latest version of Surface Dock Updater.
### Version 2.12.136.0
*Release Date: 29 January 2018*
This version of Surface Dock Updater adds support for the following:
* Update for Surface Dock Main Chipset Firmware
* Update for Surface Dock DisplayPort Firmware
* Improved display stability for external displays when used with Surface Book or Surface Book 2
Additionally, installation of this version of Surface Dock Updater on Surface Book devices includes the following:
* Update for Surface Book Base Firmware
* Added support for Surface Dock firmware updates with improvements targeted to Surface Book devices
>[!Note]
>Before the Surface Dock firmware update applied by Surface Dock Updater v2.12.136.0 will take effect on a Surface Book device, a firmware update for the Surface Book Base is required. If you install Surface Dock Updater v2.12.136.0 on a Surface Book and update an attached Surface Dock from that same device, the firmware of the Surface Book Base will automatically be updated when installing the Surface Dock Updater. However, if you update a Surface Dock using Surface Dock Updater v2.12.136.0 on different device, and then connect that Surface Dock to a Surface Book where Surface Dock Updater v2.12.136.0 has not been installed, the benefits of the updated Surface Dock will not be enabled. To enable the benefits of the updated Surface Dock on a Surface Book device, Surface Book Base firmware must also be updated by installing Surface Dock Updater v2.12.136.0 on the Surface Book device. Surface Book Base firmware update is not required on a Surface Book 2 device.
### Version 2.9.136.0
*Release date: November 3, 2017*

2
windows/client-management/mandatory-user-profile.md
View File

@ -89,7 +89,7 @@ First, you create a default user profile with the customizations that you want,
>![Microsoft Bing Translator package](images/sysprep-error.png)
>Use the [Remove-AppxProvisionedPackage](https://technet.microsoft.com/library/dn376476%28v=wps.620%29.aspx) cmdlet in Windows PowerShell to uninstall the app that is listed in the log.
>Use the [Remove-AppxProvisionedPackage](https://technet.microsoft.com/library/dn376476%28v=wps.620%29.aspx) and [Remove-AppxPackage -AllUsers](https://docs.microsoft.com/en-us/powershell/module/appx/remove-appxpackage?view=win10-ps) cmdlet in Windows PowerShell to uninstall the app that is listed in the log.
5. The sysprep process reboots the PC and starts at the first-run experience screen. Complete the set up, and then sign in to the computer using an account that has local administrator privileges.

607
windows/client-management/mdm/assignedaccess-csp.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 11/03/2017
ms.date: 02/22/2018
---
# AssignedAccess CSP
@ -70,6 +70,53 @@ Supported operations are Add, Get, Delete, and Replace.
Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies back (e.g. Start Layout).
<a href="" id="assignedaccess-status"></a>**./Device/Vendor/MSFT/AssignedAccess/Status**
Added in Windows 10, version 1803. This read only polling node allows MDM server to query the current KioskModeAppRuntimeStatus as long as the StatusConfiguration node is set to “On” or “OnWithAlerts”. If the StatusConfiguration is “Off”, a node not found error will be reported to the MDM server. Click [link](#status-example) to see an example SyncML. [Here](#assignedaccessalert-xsd) is the schema for the Status payload.
In Windows 10, version 1803, Assigned Access runtime status only supports monitoring single app kiosk mode. Here are the possible status available for single app kiosk mode.
|Status |Description |
|---------|---------|---------|
| KioskModeAppRunning | This means the kiosk app is running normally. |
| KioskModeAppNotFound | This occurs when the kiosk app is not deployed to the machine. |
| KioskModeAppActivationFailure | This happens when the assigned access controller detects the process terminated unexpectedly after exceeding the max retry. |
Note that status codes available in the Status payload correspond to a specific KioskModeAppRuntimeStatus.
|Status code | KioskModeAppRuntimeStatus |
|---------|---------|
| 1 | KioskModeAppRunning |
| 2 | KioskModeAppNotFound |
| 3 | KioskModeAppActivationFailure |
Additionally, the status payload includes a profileId, which can be used by the MDM server to correlate which kiosk app caused the error.
Supported operation is Get.
<a href="" id="assignedaccess-shelllauncher"></a>**./Device/Vendor/MSFT/AssignedAccess/ShellLauncher**
Added in Windows 10,version 1803. This node accepts a ShellLauncherConfiguration xml as input. Click [link](#shelllauncherconfiguration-xsd) to see the schema.
<a href="" id="assignedaccess-statusconfiguration"></a>**./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration**
Added in Windows 10, version 1803. This node accepts a StatusConfiguration xml as input to configure the Kiosk App Health monitoring. There are three possible values for StatusEnabled node inside StatusConfiguration xml: On, OnWithAlerts, and Off. Click [link](#statusconfiguration-xsd) to see the StatusConfiguration schema.
By default the StatusConfiguration node does not exist, and it implies this feature is off. Once enabled via CSP, Assigned Access will check kiosk app status and wait for MDM server to query the latest status from the Status node.
Optionally, the MDM server can opt-in to the MDM alert so a MDM alert will be generated and sent immediately to the MDM server when the assigned access runtime status is changed. This MDM alert will contain the status payload that is available via the Status node.
This MDM alert header is defined as follows:
- MDMAlertMark: Critical
- MDMAlertType: "com.microsoft.mdm.assignedaccess.status"
- MDMAlertDataType: String
- Source: "./Vendor/MSFT/AssignedAccess"
- Target: N/A
> [!Note]
> MDM alert will only be sent for errors.
## KioskModeApp examples
KioskModeApp Add
@ -160,32 +207,29 @@ KioskModeApp Replace
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config"
targetNamespace="http://schemas.microsoft.com/AssignedAccess/2017/config"
>
<xs:complexType name="profile_list_t">
<xs:sequence minOccurs="1" >
<xs:element name="Profile" type="profile_t" minOccurs="1" maxOccurs="unbounded">
<xs:unique name="duplicateRolesForbidden">
<xs:selector xpath="Profile"/>
<xs:field xpath="@Id"/>
</xs:unique>
</xs:element>
<xs:element name="Profile" type="profile_t" minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="kioskmodeapp_t">
<xs:attribute name="AppUserModelId" type="xs:string"/>
</xs:complexType>
<xs:complexType name="profile_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="AllAppsList" type="allappslist_t" minOccurs="1" maxOccurs="1">
<xs:unique name="ForbidDupApps">
<xs:selector xpath="App"/>
<xs:field xpath="@AppUserModelId"/>
<xs:field xpath="@DesktopAppPath"/>
</xs:unique>
</xs:element>
<xs:element name="StartLayout" type="xs:string" minOccurs="1" maxOccurs="1"/>
<xs:element name="Taskbar" type="taskbar_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
<xs:choice>
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="AllAppsList" type="allappslist_t" minOccurs="1" maxOccurs="1"/>
<xs:element name="StartLayout" type="xs:string" minOccurs="1" maxOccurs="1"/>
<xs:element name="Taskbar" type="taskbar_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
<xs:element name="KioskModeApp" type="kioskmodeapp_t" minOccurs="1" maxOccurs="1"/>
</xs:choice>
<xs:attribute name="Id" type="guid_t" use="required"/>
<xs:attribute name="Name" type="xs:string" use="optional"/>
</xs:complexType>
@ -193,6 +237,10 @@ KioskModeApp Replace
<xs:complexType name="allappslist_t">
<xs:sequence minOccurs="1" >
<xs:element name="AllowedApps" type="allowedapps_t" minOccurs="1" maxOccurs="1">
<xs:unique name="ForbidDupApps">
<xs:selector xpath="default:App"/>
<xs:field xpath="@AppUserModelId|@DesktopAppPath"/>
</xs:unique>
</xs:element>
</xs:sequence>
</xs:complexType>
@ -235,22 +283,64 @@ KioskModeApp Replace
<xs:complexType name="config_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="Account" type="xs:string" minOccurs="1" maxOccurs="1"/>
<xs:choice>
<xs:element name="Account" type="xs:string" minOccurs="1" maxOccurs="1"/>
<xs:element name="AutoLogonAccount" type="autologon_account_t" minOccurs="1" maxOccurs="1"/>
<xs:element name="UserGroup" type="group_t" minOccurs="1" maxOccurs="1"/>
<xs:element name="SpecialGroup" type="specialGroup_t" minOccurs="1" maxOccurs="1" />
</xs:choice>
<xs:element name="DefaultProfile" type="profileId_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="autologon_account_t">
<xs:attribute name="HiddenId" type="guid_t" fixed="{74331115-F68A-4DF9-8D2C-52BA2CE2ADB1}"/>
</xs:complexType>
<xs:complexType name="group_t">
<xs:attribute name="Name" type="xs:string" use="required"/>
<xs:attribute name="Type" type="groupType_t" use="required"/>
</xs:complexType>
<xs:complexType name="specialGroup_t">
<xs:attribute name="Name" type="specialGroupType_t" use="required"/>
</xs:complexType>
<xs:simpleType name="groupType_t">
<xs:restriction base="xs:string">
<xs:enumeration value="LocalGroup"/>
<xs:enumeration value="ActiveDirectoryGroup"/>
<xs:enumeration value="AzureActiveDirectoryGroup"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="specialGroupType_t">
<xs:restriction base="xs:string">
<xs:enumeration value="Visitor"/>
</xs:restriction>
</xs:simpleType>
<!--below is the definition of the config xml content-->
<xs:element name="AssignedAccessConfiguration">
<xs:complexType>
<xs:all minOccurs="1">
<xs:element name="Profiles" type="profile_list_t">
<xs:unique name="duplicateRolesForbidden">
<xs:selector xpath="default:Profile"/>
<xs:field xpath="@Id"/>
</xs:unique>
</xs:element>
<xs:element name="Configs" type="config_list_t">
<xs:unique name="duplicateAutoLogonAccountForbidden">
<xs:selector xpath=".//default:AutoLogonAccount"/>
<xs:field xpath="@HiddenId"/>
</xs:unique>
</xs:element>
<xs:element name="Configs" type="config_list_t"/>
</xs:all>
</xs:complexType>
</xs:element>
</xs:schema>
```
## Example AssignedAccessConfiguration XML
@ -560,3 +650,480 @@ Example of the Delete command.
</SyncBody>
</SyncML>
```
## StatusConfiguration XSD
``` syntax
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/AssignedAccess/2018/StatusConfiguration"
xmlns:default="http://schemas.microsoft.com/AssignedAccess/2018/StatusConfiguration"
targetNamespace="http://schemas.microsoft.com/AssignedAccess/2018/StatusConfiguration"
>
<xs:simpleType name="status_enabled_t">
<xs:restriction base="xs:string">
<xs:enumeration value="Off"/>
<xs:enumeration value="On"/>
<xs:enumeration value="OnWithAlerts"/>
</xs:restriction>
</xs:simpleType>
<!--below is the definition of the config xml content-->
<xs:element name="StatusConfiguration">
<xs:complexType>
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="StatusEnabled" type="status_enabled_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
```
## StatusConfiguration example
StatusConfiguration Add OnWithAlerts
``` syntax
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Add>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>
<![CDATA[
<?xml version="1.0" encoding="utf-8" ?>
<StatusConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2018/StatusConfiguration">
<StatusEnabled>OnWithAlerts</StatusEnabled>
</StatusConfiguration>
]]>
</Data>
</Item>
</Add>
<Final />
</SyncBody>
</SyncML>
```
StatusConfiguration Delete
``` syntax
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Delete>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration</LocURI>
</Target>
</Item>
</Delete>
<Final />
</SyncBody>
</SyncML>
```
StatusConfiguration Get
``` syntax
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration</LocURI>
</Target>
</Item>
</Get>
<Final />
</SyncBody>
</SyncML>
```
StatusConfiguration Replace On
```syntax
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>
<![CDATA[
<?xml version="1.0" encoding="utf-8" ?>
<StatusConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2018/StatusConfiguration">
<StatusEnabled>On</StatusEnabled>
</StatusConfiguration>
]]>
</Data>
</Item>
</Replace>
<Final />
</SyncBody>
</SyncML>
```
## Status example
Status Get
``` syntax
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/Status</LocURI>
</Target>
</Item>
</Get>
<Final />
</SyncBody>
</SyncML>
```
## ShellLauncherConfiguration XSD
``` syntax
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"
xmlns:default="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"
targetNamespace="http://schemas.microsoft.com/ShellLauncher/2018/Configuration"
>
<xs:complexType name="profile_list_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:choice minOccurs="1" maxOccurs="1">
<xs:element name="DefaultProfile" type="default_profile_t"/>
<xs:element name="Profile" type="profile_t"/>
</xs:choice>
<xs:element name="Profile" type="profile_t" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="default_profile_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="Shell" type="default_shell_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="default_shell_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="DefaultAction" type="default_action_t" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
<xs:attribute name="Shell" type="xs:string" use="required"/>
</xs:complexType>
<xs:complexType name="custom_shell_t">
<xs:all minOccurs="1" maxOccurs="1">
<xs:element name="ReturnCodeActions" type="return_code_action_list_t" minOccurs="0" maxOccurs="1">
<xs:unique name="ForbidDuplicatedReturnCodes">
<xs:selector xpath="default:ReturnCodeAction"/>
<xs:field xpath="@ReturnCode"/>
</xs:unique>
</xs:element>
<!--if "DefaultAction" is not supplied, pre-defined default action is "restart the shell"-->
<xs:element name="DefaultAction" type="default_action_t" minOccurs="0" maxOccurs="1"/>
</xs:all>
<xs:attribute name="Shell" type="xs:string" use="required"/>
</xs:complexType>
<xs:complexType name="default_action_t">
<xs:attribute name="Action" type="system_action_t" use="required"/>
</xs:complexType>
<xs:simpleType name="system_action_t">
<xs:restriction base="xs:string">
<xs:enumeration value="RestartShell" />
<xs:enumeration value="RestartDevice" />
<xs:enumeration value="ShutdownDevice" />
</xs:restriction>
</xs:simpleType>
<xs:complexType name="profile_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="Shell" type="custom_shell_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
<xs:attribute name="Id" type="guid_t" use="required"/>
<xs:attribute name="Name" type="xs:string" use="optional"/>
</xs:complexType>
<xs:simpleType name="guid_t">
<xs:restriction base="xs:string">
<xs:pattern value="\{[0-9a-fA-F]{8}\-([0-9a-fA-F]{4}\-){3}[0-9a-fA-F]{12}\}"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="return_code_action_list_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="ReturnCodeAction" type="return_code_action_t" minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="return_code_action_t">
<xs:attribute name="ReturnCode" type="xs:integer" use="required"/>
<xs:attribute name="Action" type="system_action_t" use="required"/>
</xs:complexType>
<xs:complexType name="config_list_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="Config" type="config_t" minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="config_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:choice minOccurs="1" maxOccurs="1">
<xs:element name="Account" type="account_t" minOccurs="1" maxOccurs="1">
<xs:key name="mutexNameOrSID">
<xs:selector xpath="."/>
<xs:field xpath="@Name|@Sid"/>
</xs:key>
</xs:element>
<xs:element name="AutoLogonAccount" type="autologon_account_t" minOccurs="1" maxOccurs="1"/>
</xs:choice>
<xs:element name="Profile" type="profile_id_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="account_t">
<xs:attribute name="Name" type="xs:string" use="optional"/>
<xs:attribute name="Sid" type="xs:string" use="optional"/>
</xs:complexType>
<xs:complexType name="autologon_account_t">
<xs:attribute name="HiddenId" type="guid_t" fixed="{50021E57-1CE4-49DF-99A9-8DB659E2C2DD}"/>
</xs:complexType>
<xs:complexType name="profile_id_t">
<xs:attribute name="Id" type="guid_t" use="required"/>
</xs:complexType>
<!--below is the definition of the config xml content-->
<xs:element name="ShellLauncherConfiguration">
<xs:complexType>
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="Profiles" type="profile_list_t" minOccurs="1" maxOccurs="1">
<xs:unique name="ForbidDuplicatedProfiles">
<xs:selector xpath="default:Profile"/>
<xs:field xpath="@Id"/>
</xs:unique>
</xs:element>
<xs:element name="Configs" type="config_list_t" minOccurs="0" maxOccurs="1">
<xs:unique name="ForbidDuplicatedConfigs_Name">
<xs:selector xpath="default:Config/default:Account"/>
<xs:field xpath="@Name"/>
</xs:unique>
<xs:unique name="ForbidDuplicatedConfigs_Sid">
<xs:selector xpath="default:Config/default:Account"/>
<xs:field xpath="@Sid"/>
</xs:unique>
<xs:unique name="ForbidDuplicatedAutoLogonAccount">
<xs:selector xpath="default:Config/default:AutoLogonAccount"/>
<xs:field xpath="@HiddenId"/>
</xs:unique>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
```
## ShellLauncherConfiguration examples
ShellLauncherConfiguration Add
```
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Add>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/ShellLauncher</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>
<![CDATA[
<?xml version="1.0" encoding="utf-8"?>
<ShellLauncherConfiguration xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration">
<Profiles>
<!--default profile defines default shell and action for general purposes, should NOT be bound to any account-->
<DefaultProfile>
<Shell Shell="%SystemRoot%\explorer.exe">
<!--DefaultAction is optional; if not defined, the pre-defined default action is "restart shell"-->
<DefaultAction Action="RestartShell"/>
</Shell>
</DefaultProfile>
<Profile Id="{814B6409-8C51-4EE2-95F8-DB39B70F5F68}">
<Shell Shell="%ProgramFiles%\Internet Explorer\iexplore.exe -k www.bing.com">
<!--ReturnCodeActions is optional, when none is provided, will always execute default action-->
<ReturnCodeActions>
<ReturnCodeAction ReturnCode="0" Action="RestartShell"/>
<ReturnCodeAction ReturnCode="-1" Action="RestartDevice"/>
<ReturnCodeAction ReturnCode="255" Action="ShutdownDevice"/>
</ReturnCodeActions>
<!--restart device after shell exits, if its return code does not match any of the above-->
<DefaultAction Action="RestartDevice"/>
</Shell>
</Profile>
<Profile Id="{24A73092-4F3F-44CC-8375-53F13FE213F7}">
<Shell Shell="%SystemRoot%\System32\cmd.exe"/>
<!--DefaultAction is optional, if none is supplied, will use DefaultAction defined in DefaultProfile-->
</Profile>
</Profiles>
<Configs>
<Config>
<!--AutoLogon account-->
<AutoLogonAccount/>
<Profile Id="{814B6409-8C51-4EE2-95F8-DB39B70F5F68}"/>
</Config>
<Config>
<!--BUILTIN\Administrators SID-->
<Account Sid="S-1-5-32-544"/>
<Profile Id="{24A73092-4F3F-44CC-8375-53F13FE213F7}"/>
</Config>
<Config>
<!--local account-->
<Account Name="sluser1"/>
<Profile Id="{814B6409-8C51-4EE2-95F8-DB39B70F5F68}"/>
</Config>
</Configs>
</ShellLauncherConfiguration>
]]>
</Data>
</Item>
</Add>
<Final />
</SyncBody>
</SyncML>
```
ShellLauncherConfiguration Add AutoLogon
```
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Add>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/ShellLauncher</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>
<![CDATA[
<?xml version="1.0" encoding="utf-8"?>
<ShellLauncherConfiguration xmlns="http://schemas.microsoft.com/ShellLauncher/2018/Configuration">
<Profiles>
<DefaultProfile>
<Shell Shell="%SystemRoot%\explorer.exe"/>
</DefaultProfile>
<Profile Id="{814B6409-8C51-4EE2-95F8-DB39B70F5F68}">
<Shell Shell="%ProgramFiles%\Internet Explorer\iexplore.exe -k www.bing.com">
<ReturnCodeActions>
<ReturnCodeAction ReturnCode="0" Action="RestartShell"/>
<ReturnCodeAction ReturnCode="-1" Action="RestartDevice"/>
<ReturnCodeAction ReturnCode="255" Action="ShutdownDevice"/>
</ReturnCodeActions>
<DefaultAction Action="RestartDevice"/>
</Shell>
</Profile>
</Profiles>
<Configs>
<Config>
<AutoLogonAccount/>
<Profile Id="{814B6409-8C51-4EE2-95F8-DB39B70F5F68}"/>
</Config>
</Configs>
</ShellLauncherConfiguration>
]]>
</Data>
</Item>
</Add>
<Final />
</SyncBody>
</SyncML>
```
ShellLauncherConfiguration Get
```
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/ShellLauncher</LocURI>
</Target>
</Item>
</Get>
<Final />
</SyncBody>
</SyncML>
```
## AssignedAccessAlert XSD
```syntax
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/AssignedAccess/2018/AssignedAccessAlert"
xmlns:default="http://schemas.microsoft.com/AssignedAccess/2018/AssignedAccessAlert"
targetNamespace="http://schemas.microsoft.com/AssignedAccess/2018/AssignedAccessAlert"
>
<xs:simpleType name="status_t">
<xs:restriction base="xs:int">
<xs:enumeration value="0"/>
<xs:enumeration value="1"/>
<xs:enumeration value="2"/>
<xs:enumeration value="3"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="guid_t">
<xs:restriction base="xs:string">
<xs:pattern value="\{[0-9a-fA-F]{8}\-([0-9a-fA-F]{4}\-){3}[0-9a-fA-F]{12}\}"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="event_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="status" type="status_t" minOccurs="1" maxOccurs="1"/>
<xs:element name="profileId" type="guid_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
<xs:attribute name="Name" type="xs:string" fixed="KioskModeAppRuntimeStatus" use="required"/>
</xs:complexType>
<xs:element name="Events">
<xs:complexType>
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="Event" type="event_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
```

87
windows/client-management/mdm/assignedaccess-ddf.md
View File

@ -7,12 +7,15 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 11/01/2017
ms.date: 02/22/2018
---
# AssignedAccess DDF
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **AssignedAccess** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
@ -20,7 +23,7 @@ You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is for Windows 10, version 1709.
The XML below is for Windows 10, version 1803.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
@ -48,7 +51,7 @@ The XML below is for Windows 10, version 1709.
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.1/MDM/AssignedAccess</MIME>
<MIME>com.microsoft/2.0/MDM/AssignedAccess</MIME>
</DFType>
</DFProperties>
<Node>
@ -111,6 +114,84 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This read only node contains kiosk health event xml</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ShellLauncher</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>This node accepts a ShellLauncherConfiguration xml as input. Please check out samples and required xsd on MSDN.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>StatusConfiguration</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>This node accepts a StatusConfiguration xml as input. Please check out samples and required xsd on MSDN.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</MgmtTree>
```

BIN
windows/client-management/mdm/images/provisioning-csp-assignedaccess.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 9.6 KiB

22
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -1416,6 +1416,16 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<td style="vertical-align:top">[VPNv2 ProfileXML XSD](vpnv2-profile-xsd.md)</td>
<td style="vertical-align:top"><p>Updated the XSD and Plug-in profile example for VPNv2 CSP.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[AssignedAccess CSP](assignedaccess-csp.md)</td>
<td style="vertical-align:top"><p>Added the following nodes in Windows 10, version 1803:</p>
<ul>
<li>Status</li>
<li>ShellLauncher</li>
<li>StatusConfiguration</li>
</ul>
<p>Updated the AssigneAccessConfiguration schema.</p>
</td></tr>
</tbody>
</table>
@ -1435,7 +1445,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<tbody>
<tr>
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, next major update:</p>
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1803:</p>
<ul>
<li>AccountPoliciesAccountLockoutPolicy/AccountLockoutDuration</li>
<li>AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold</li>
@ -1548,11 +1558,11 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
</tr>
<tr class="odd">
<td style="vertical-align:top">[BitLocker CSP](bitlocker-csp.md)</td>
<td style="vertical-align:top"><p>Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, next major update.</p>
<td style="vertical-align:top"><p>Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[DMClient CSP](dmclient-csp.md)</td>
<td style="vertical-align:top"><p>Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, next major update:</p>
<td style="vertical-align:top"><p>Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:</p>
<ul>
<li>AADSendDeviceToken</li>
<li>BlockInStatusPage</li>
@ -1564,7 +1574,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[RemoteWipe CSP](remotewipe-csp.md)</td>
<td style="vertical-align:top"><p>Added the following nodes in Windows 10, next major update:</p>
<td style="vertical-align:top"><p>Added the following nodes in Windows 10, version 1803:</p>
<ul>
<li>AutomaticRedeployment</li>
<li>doAutomaticRedeployment</li>
@ -1574,11 +1584,11 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Defender CSP](defender-csp.md)</td>
<td style="vertical-align:top"><p>Added new node (OfflineScan) in Windows 10, next major update.</p>
<td style="vertical-align:top"><p>Added new node (OfflineScan) in Windows 10, version 1803.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[UEFI CSP](uefi-csp.md)</td>
<td style="vertical-align:top"><p>Added a new CSP in Windows 10, next major update.</p>
<td style="vertical-align:top"><p>Added a new CSP in Windows 10, version 1803.</p>
</td></tr>
</tbody>
</table>

2
windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
View File

@ -442,7 +442,7 @@ For that reason, add only a minimal set of rules to Bootstrap.ini, such as which
3. Click **Edit Bootstrap.ini** and modify using the following information:
``` syntax
Settings]
[Settings]
Priority=Default
[Default]
DeployRoot=\\MDT01\MDTBuildLab$

3
windows/deployment/update/waas-manage-updates-wufb.md
View File

@ -25,7 +25,7 @@ ms.date: 10/13/2017
>
>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined machines.
Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined machines. Windows Update for Business leverages diagnostic data to provide reporting and insights into an organization's Windows 10 devices.
Specifically, Windows Update for Business allows for:
@ -33,6 +33,7 @@ Specifically, Windows Update for Business allows for:
- Selectively including or excluding drivers as part of Microsoft-provided updates
- Integration with existing management tools such as Windows Server Update Services (WSUS), System Center Configuration Manager, and Microsoft Intune.
- Peer-to-peer delivery for Microsoft updates, which optimizes bandwidth efficiency and reduces the need for an on-site server caching solution.
- Control over diagnostic data level to provide reporting and insights in Windows Analytics.
Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro Education, and Education.

37
windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.date: 01/26/2018
ms.date: 02/22/2018
ms.localizationpriority: high
---
@ -657,7 +657,7 @@ For more information, see [How to perform a clean boot in Windows](https://suppo
<br>Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly.
<br>See the following general troubleshooting procedures associated with a result code of 0x800xxxxx:
<br>See the following general troubleshooting procedures associated with a result code of 0x800xxxxx:<br>
<br><table border="1" cellspacing="0" cellpadding="0">
@ -694,6 +694,39 @@ This error has more than one possible cause. Attempt [quick fixes](#quick-fixes)
<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Code</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
0x80073BC3 - 0x20009<br>
0x8007002 - 0x20009<br>
0x80073B92 - 0x20009
</table>
<br><table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Cause</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
The requested system device cannot be found, there is a sharing violation, or there are multiple devices matching the identification criteria.
</table>
</td>
<td align="left" valign="top" style='border:solid #000000 1.0pt;'>
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><b>Mitigation</b>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>
These errors occur during partition analysis and validation, and can be caused by the presence of multiple system partitions. For example, if you installed a new system drive but left the previous system drive connected, this can cause a conflict. To resolve the errors, disconnect or temporarily disable drives that contain the unused system partition. You can reconnect the drive after the upgrade has completed. Alternatively, you can delete the unused system partition.
</table>
</td>
</tr>
<tr><td align="left" valign="top" style='border:solid #000000 1.0pt;'>
<table cellspacing="0" cellpadding="0">
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'><B>Code</B>
<tr><td style='padding:0in 4pt 0in 4pt;border:dotted #FFFFFF 0.0pt;'>

2
windows/deployment/upgrade/upgrade-readiness-requirements.md
View File

@ -82,7 +82,7 @@ Before you get started configuring Upgrade Anatlyics, review the following tips
**Upgrade Readiness does not support on-premises Windows deployments.** Upgrade Readiness is built as a cloud service, which allows Upgrade Readiness to provide you with insights based on the data from user computers and other Microsoft compatibility services. Cloud services are easy to get up and running and are cost-effective because there is no requirement to physically implement and maintain services on-premises.
**In-region data storage requirements.** Windows diagnostic data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Readiness solution in the Microsoft Operations Management Suite (OMS) portal. At the time this topic is being published, only OMS workspaces created in the East US and West Europe are supported. Were adding support for additional regions and well update this information when new international regions are supported.
**In-region data storage requirements.** Windows diagnostic data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Readiness solution in the Microsoft Operations Management Suite (OMS) portal. Upgrade Readiness is supported in all OMS regions; however, selecting an international OMS region does not prevent diagnostic data from being sent to and processed in Microsoft's secure data centers in the US.
### Tips

23
windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md
View File

@ -147,6 +147,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
<Deny ID="ID_DENY_WSLHOST" FriendlyName="wslhost.exe" FileName="wslhost.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_INFINSTALL" FriendlyName="infdefaultinstall.exe" FileName="infdefaultinstall.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_LXRUN" FriendlyName="lxrun.exe" FileName="lxrun.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_PWRSHLCUSTOMHOST" FriendlyName="powershellcustomhost.exe" FileName="powershellcustomhost.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_D_1" FriendlyName="Powershell 1" Hash="02BE82F63EE962BCD4B8303E60F806F6613759C6" />
<Deny ID="ID_DENY_D_2" FriendlyName="Powershell 2" Hash="13765D9A16CC46B2113766822627F026A68431DF" />
@ -437,7 +438,18 @@ Microsoft recommends that you block the following Microsoft-signed applications
<!--rs3 x86fre-->
<Deny ID="ID_DENY_D_273" FriendlyName="PubPrn 273" Hash="47CBE201ED224BF3F5C322F7A49EF64469AF2E1A" />
<Deny ID="ID_DENY_D_274" FriendlyName="PubPrn 274" Hash="24855B9CC420719D5AB93F4F1589CE09E4063E4FC98681BD91A1D18A3C8ACB43" />
<!--rs3 sxs amd64-->
<Deny ID="ID_DENY_D_275" FriendlyName="PubPrn 275" Hash="663D8E25BAE20510A882F6692BE2620FBABFB94E" />
<Deny ID="ID_DENY_D_276" FriendlyName="PubPrn 276" Hash="649A9E5A4867A28C7D0934793F33B545F9441EA23872715C84826D80CC8EC576" />
<!--rs3 sxs arm64-->
<Deny ID="ID_DENY_D_277" FriendlyName="PubPrn 277" Hash="226ABB2FBAEFC5A7E2A819D9D708F826C00FD215" />
<Deny ID="ID_DENY_D_278" FriendlyName="PubPrn 278" Hash="AC6B35C904D388FD12C07C2F6A1A07F337D31895713BF01DCCE7A7F187D7F4D9" />
<!--rs3 sxs woa-->
<Deny ID="ID_DENY_D_279" FriendlyName="PubPrn 279" Hash="071D7849941E43144839988971255FE34690A747" />
<Deny ID="ID_DENY_D_280" FriendlyName="PubPrn 280" Hash="5AF75895BDC11A6B68C816A8677D7CF9692BF25A95C4378A43FBDE740B18EEB1" />
<!--rs3 sxs x86-->
<Deny ID="ID_DENY_D_281" FriendlyName="PubPrn 281" Hash="9FBFF074C201BFEBE37710CB453EFF9A14AE3BFF" />
<Deny ID="ID_DENY_D_282" FriendlyName="PubPrn 282" Hash="A0C71A925850D2D481C7E520F5D5A83305EC169EEA4C5B8DC20C8D8AFCD8A512" />
</FileRules>
<!--Signers-->
<Signers />
@ -480,6 +492,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
<FileRuleRef RuleID="ID_DENY_WSLHOST"/>
<FileRuleRef RuleID="ID_DENY_INFINSTALL"/>
<FileRuleRef RuleID="ID_DENY_LXRUN"/>
<FileRuleRef RuleID="ID_DENY_PWRSHLCUSTOMHOST"/>
<FileRuleRef RuleID="ID_DENY_D_1" />
<FileRuleRef RuleID="ID_DENY_D_2" />
<FileRuleRef RuleID="ID_DENY_D_3" />
@ -754,6 +767,14 @@ Microsoft recommends that you block the following Microsoft-signed applications
<FileRuleRef RuleID="ID_DENY_D_272"/>
<FileRuleRef RuleID="ID_DENY_D_273"/>
<FileRuleRef RuleID="ID_DENY_D_274"/>
<FileRuleRef RuleID="ID_DENY_D_275"/>
<FileRuleRef RuleID="ID_DENY_D_276"/>
<FileRuleRef RuleID="ID_DENY_D_277"/>
<FileRuleRef RuleID="ID_DENY_D_278"/>
<FileRuleRef RuleID="ID_DENY_D_279"/>
<FileRuleRef RuleID="ID_DENY_D_280"/>
<FileRuleRef RuleID="ID_DENY_D_281"/>
<FileRuleRef RuleID="ID_DENY_D_282"/>
</FileRulesRef>
</ProductSigners>
</SigningScenario>