mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-15 10:23:37 +00:00
Acro-updates
This commit is contained in:
Vinay Pamnani
@ -62,6 +62,6 @@ These tools were included in previous versions of Windows. The associated docume
|
||||
> [!TIP]
|
||||
> If the linked content in this list doesn't provide the information you need to use that tool, send feedback with the **This page** link in the **Feedback** section at the bottom of this article.
|
||||
|
||||
## Related topics
|
||||
## Related articles
|
||||
|
||||
[Diagnostic data viewer](/windows/privacy/diagnostic-data-viewer-overview)
|
||||
|
||||
@ -16,7 +16,7 @@ You can change the policy setting for each external device, and the policy that
|
||||
|
||||
You can use the storage device policy setting to change the manner in which Windows manages storage devices to better meet your needs. The policy settings have the following effects:
|
||||
|
||||
- **Quick removal**: This policy manages storage operations in a manner that keeps the device ready to remove at any time. You can remove the device without using the Safely Remove Hardware process. However, to do this, Windows cannot cache disk write operations. This may degrade system performance.
|
||||
- **Quick removal**: This policy manages storage operations in a manner that keeps the device ready to remove at any time. You can remove the device without using the Safely Remove Hardware process. However, to do this, Windows can't cache disk write operations. This may degrade system performance.
|
||||
- **Better performance**: This policy manages storage operations in a manner that improves system performance. When this policy is in effect, Windows can cache write operations to the external device. However, you must use the Safely Remove Hardware process to remove the external drive. The Safely Remove Hardware process protects the integrity of data on the device by making sure that all cached operations finish.
|
||||
|
||||
> [!IMPORTANT]
|
||||
|
||||
@ -56,9 +56,9 @@ The scenarios presented in this guide illustrate how you can control device inst
|
||||
|--|--|
|
||||
| Scenario #1: Prevent installation of all printers | In this scenario, the administrator wants to prevent users from installing any printers. Thus is a basic scenario to introduce you to the 'prevent/allow' functionality of Device Installation policies in Group Policy. |
|
||||
| Scenario #2: Prevent installation of a specific printer | In this scenario, the administrator allows standard users to install all printers while but preventing them from installing a specific one. |
|
||||
| Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed | In this scenario, you'll combine what you learned from both scenario #1 and scenario #2. The administrator wants to allow standard users to install only a specific printer while preventing the installation of all other printers. This scenario is a more realistic one and brings you a step farther in understanding of the Device Installation Restrictions policies. |
|
||||
| Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed | In this scenario, you combine what you learned from both scenario #1 and scenario #2. The administrator wants to allow standard users to install only a specific printer while preventing the installation of all other printers. This scenario is a more realistic one and brings you a step farther in understanding of the Device Installation Restrictions policies. |
|
||||
| Scenario #4: Prevent installation of a specific USB device | This scenario, although similar to scenario #2, brings another layer of complexity-how does device connectivity work in the PnP tree. The administrator wants to prevent standard users from installing a specific USB device. By the end of the scenario, you should understand the way devices are nested in layers under the PnP device connectivity tree. |
|
||||
| Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb drive | In this scenario, combining all previous four scenarios, you'll learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the 'prevent' functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario. |
|
||||
| Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb drive | In this scenario, combining all previous four scenarios, you learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the 'prevent' functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario. |
|
||||
|
||||
## Technology Review
|
||||
|
||||
@ -95,7 +95,7 @@ Hardware IDs are the identifiers that provide the exact match between a device a
|
||||
|
||||
Windows uses these identifiers to select a driver if the operating system can't find a match with the device ID or any of the other hardware IDs. Compatible IDs are listed in the order of decreasing suitability. These strings are optional, and, when provided, they're generic, such as Disk. When a match is made using a compatible ID, you can typically use only the most basic functions of the device.
|
||||
|
||||
When you install a device, such as a printer, a USB storage device, or a keyboard, Windows searches for driver packages that match the device you are attempting to install. During this search, Windows assigns a "rank" to each driver package it discovers with at least one match to a hardware or compatible ID. The rank indicates how well the driver matches the device. Lower rank numbers indicate better matches between the driver and the device. A rank of zero represents the best possible match. A match with the device ID to one in the driver package results in a lower (better) rank than a match to one of the other hardware IDs. Similarly, a match to a hardware ID results in a better rank than a match to any of the compatible IDs. After Windows ranks all of the driver packages, it installs the one with the lowest overall rank. For more information about the process of ranking and selecting driver packages, see [How Windows selects a driver package for a device](/windows-hardware/drivers/install/how-windows-selects-a-driver-for-a-device).
|
||||
When you install a device, such as a printer, a USB storage device, or a keyboard, Windows searches for driver packages that match the device you're attempting to install. During this search, Windows assigns a "rank" to each driver package it discovers with at least one match to a hardware or compatible ID. The rank indicates how well the driver matches the device. Lower rank numbers indicate better matches between the driver and the device. A rank of zero represents the best possible match. A match with the device ID to one in the driver package results in a lower (better) rank than a match to one of the other hardware IDs. Similarly, a match to a hardware ID results in a better rank than a match to any of the compatible IDs. After Windows ranks all of the driver packages, it installs the one with the lowest overall rank. For more information about the process of ranking and selecting driver packages, see [How Windows selects a driver package for a device](/windows-hardware/drivers/install/how-windows-selects-a-driver-for-a-device).
|
||||
|
||||
> [!NOTE]
|
||||
> For more information about the driver installation process, see the "Technology review" section of the Step-by-Step Guide to Driver Signing and Staging.
|
||||
@ -168,7 +168,7 @@ Note: This policy setting takes precedence over any other policy settings that a
|
||||
|
||||
### Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria
|
||||
|
||||
This policy setting will change the evaluation order in which Allow and Prevent policy settings are applied when more than one install policy setting is applicable for a given device. Enable this policy setting to ensure that overlapping device match criteria is applied based on an established hierarchy where more specific match criteria supersedes less specific match criteria. The hierarchical order of evaluation for policy settings that specify device match criteria is as follows:
|
||||
This policy setting changes the evaluation order in which Allow and Prevent policy settings are applied when more than one install policy setting is applicable for a given device. Enable this policy setting to ensure that overlapping device match criteria is applied based on an established hierarchy where more specific match criteria supersedes less specific match criteria. The hierarchical order of evaluation for policy settings that specify device match criteria is as follows:
|
||||
|
||||
> **Device instance IDs** > **Device IDs** > **Device setup class** > **Removable devices**
|
||||
|
||||
@ -177,7 +177,7 @@ This policy setting will change the evaluation order in which Allow and Prevent
|
||||
>
|
||||
> If you disable or don't configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device.
|
||||
|
||||
Some of these policies take precedence over other policies. The flowchart shown below illustrates how Windows processes them to determine whether a user can install a device or not, as shown in Figure below.
|
||||
Some of these policies take precedence over other policies. The following flowchart illustrates how Windows processes them to determine whether a user can install a device or not.
|
||||
|
||||
<br/>_Device Installation policies flow chart_
|
||||
|
||||
@ -216,7 +216,7 @@ To find device identification strings using Device Manager
|
||||
|
||||
1. Make sure your printer is plugged in and installed.
|
||||
|
||||
1. To open Device Manager, click the Start button, type mmc devmgmt.msc in the Start Search box, and then press ENTER; or search for Device Manager as application.
|
||||
1. To open Device Manager, select the Start button, type mmc devmgmt.msc in the Start Search box, and then press ENTER; or search for Device Manager as application.
|
||||
|
||||
1. Device Manager starts and displays a tree representing all of the devices detected on your computer. At the top of the tree is a node with your computers name next to it. Lower nodes represent the various categories of hardware into which your computers devices are grouped.
|
||||
|
||||
@ -317,9 +317,9 @@ Creating the policy to prevent all printers from being installed:
|
||||
|
||||
1. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the 'Enable' radio button.
|
||||
|
||||
1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the class identifier to block.
|
||||
1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option takes you to a table where you can enter the class identifier to block.
|
||||
|
||||
1. Enter the printer class GUID you found above with the curly braces: `{4d36e979-e325-11ce-bfc1-08002be10318}`.
|
||||
1. Enter the printer class GUID you found with the curly braces: `{4d36e979-e325-11ce-bfc1-08002be10318}`.
|
||||
|
||||
<br/>_List of prevent Class GUIDs_
|
||||
|
||||
|
||||
@ -10,17 +10,17 @@ ms.collection:
|
||||
|
||||
# Create mandatory user profiles
|
||||
|
||||
A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to) icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned.
|
||||
A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but aren't limited to) icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile aren't saved when a mandatory user profile is assigned.
|
||||
|
||||
Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles.
|
||||
|
||||
When the server that stores the mandatory profile is unavailable, such as when the user is not connected to the corporate network, users with mandatory profiles can sign in with the locally cached copy of the mandatory profile, if one exists. Otherwise, the user will be signed in with a temporary profile.
|
||||
When the server that stores the mandatory profile is unavailable, such as when the user isn't connected to the corporate network, users with mandatory profiles can sign in with the locally cached copy of the mandatory profile, if one exists. Otherwise, the user is signed in with a temporary profile.
|
||||
|
||||
User profiles become mandatory profiles when the administrator renames the `NTuser.dat` file (the registry hive) of each user's profile in the file system of the profile server from `NTuser.dat` to `NTuser.man`. The `.man` extension causes the user profile to be a read-only profile.
|
||||
|
||||
## Profile extension for each Windows version
|
||||
|
||||
The name of the folder in which you store the mandatory profile must use the correct extension for the operating system it will be applied to. The following table lists the correct extension for each operating system version.
|
||||
The name of the folder in which you store the mandatory profile must use the correct extension for the operating system it applies to. The following table lists the correct extension for each operating system version.
|
||||
|
||||
| Client operating system version | Server operating system version | Profile extension |
|
||||
|-------------------------------------|-------------------------------------------------|-------------------|
|
||||
@ -39,7 +39,7 @@ First, you create a default user profile with the customizations that you want,
|
||||
|
||||
### How to create a default user profile
|
||||
|
||||
1. Sign in to a computer running Windows as a member of the local Administrator group. Do not use a domain account.
|
||||
1. Sign in to a computer running Windows as a member of the local Administrator group. Don't use a domain account.
|
||||
|
||||
> [!NOTE]
|
||||
> Use a lab or extra computer running a clean installation of Windows to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders.
|
||||
@ -51,7 +51,7 @@ First, you create a default user profile with the customizations that you want,
|
||||
|
||||
1. [Create an answer file (Unattend.xml)](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user's profile folder to the default user profile. You can use [Windows System Image Manager](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.
|
||||
|
||||
1. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true). For a list of uninstallable applications, see [Understand the different apps included in Windows](/windows/application-management/apps-in-windows-10).
|
||||
1. Uninstall any application you don't need or want from the PC. For examples on how to uninstall Windows Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true). For a list of uninstallable applications, see [Understand the different apps included in Windows](/windows/application-management/apps-in-windows-10).
|
||||
|
||||
> [!NOTE]
|
||||
> It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times.
|
||||
@ -73,27 +73,27 @@ First, you create a default user profile with the customizations that you want,
|
||||
|
||||
1. The sysprep process reboots the PC and starts at the first-run experience screen. Complete the setup, and then sign in to the computer using an account that has local administrator privileges.
|
||||
|
||||
1. Right-click Start, go to **Control Panel** (view by large or small icons) > **System** > **Advanced system settings**, and click **Settings** in the **User Profiles** section.
|
||||
1. Right-click Start, go to **Control Panel** (view by large or small icons) > **System** > **Advanced system settings**, and select **Settings** in the **User Profiles** section.
|
||||
|
||||
1. In **User Profiles**, click **Default Profile**, and then click **Copy To**.
|
||||
1. In **User Profiles**, select **Default Profile**, and then select **Copy To**.
|
||||
|
||||
|
||||
|
||||
1. In **Copy To**, under **Permitted to use**, click **Change**.
|
||||
1. In **Copy To**, under **Permitted to use**, select **Change**.
|
||||
|
||||
|
||||
|
||||
1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**.
|
||||
1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, select **Check Names**, and then select **OK**.
|
||||
|
||||
1. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#profile-extension-for-each-windows-version) for the operating system version. For example, the folder name must end with `.v6` to identify it as a user profile folder for Windows 10, version 1607 or later.
|
||||
|
||||
- If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path.
|
||||
- If the device is joined to the domain and you're signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path.
|
||||
|
||||
|
||||
|
||||
- If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location.
|
||||
- If the device isn't joined to the domain, you can save the profile locally, and then copy it to the shared folder location.
|
||||
|
||||
1. Click **OK** to copy the default user profile.
|
||||
1. Select **OK** to copy the default user profile.
|
||||
|
||||
### How to make the user profile mandatory
|
||||
|
||||
@ -109,7 +109,7 @@ First, you create a default user profile with the customizations that you want,
|
||||
1. Open the properties of the "profile.v6" folder.
|
||||
1. Select the **Security** tab and then select **Advanced**.
|
||||
1. Verify the **Owner** of the folder. It must be the builtin **Administrators** group. To change the owner, you must be a member of the Administrators group on the file server, or have "Set owner" privilege on the server.
|
||||
1. When you set the owner, select **Replace owner on subcontainers and objects** before you click OK.
|
||||
1. When you set the owner, select **Replace owner on subcontainers and objects** before you select OK.
|
||||
|
||||
## Apply a mandatory user profile to users
|
||||
|
||||
@ -118,10 +118,10 @@ In a domain, you modify properties for the user account to point to the mandator
|
||||
### How to apply a mandatory user profile to users
|
||||
|
||||
1. Open **Active Directory Users and Computers** (dsa.msc).
|
||||
1. Navigate to the user account that you will assign the mandatory profile to.
|
||||
1. Navigate to the user account that you'll assign the mandatory profile to.
|
||||
1. Right-click the user name and open **Properties**.
|
||||
1. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is `\\server\share\profile.v6`, you would enter `\\server\share\profile`.
|
||||
1. Click **OK**.
|
||||
1. Select **OK**.
|
||||
|
||||
It may take some time for this change to replicate to all domain controllers.
|
||||
|
||||
@ -136,9 +136,9 @@ When a user is configured with a mandatory profile, Windows starts as though it
|
||||
| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled | ✅ | ❌ |
|
||||
|
||||
> [!NOTE]
|
||||
> The Group Policy settings above can be applied in Windows Professional edition.
|
||||
> These Group Policy settings can be applied in Windows Professional edition.
|
||||
|
||||
## Related topics
|
||||
## Related articles
|
||||
|
||||
- [Manage Windows 10 Start layout and taskbar options](/windows/configuration/windows-10-start-layout-options-and-policies)
|
||||
- [Lock down Windows 10 to specific apps](/windows/configuration/lock-down-windows-10-to-specific-apps)
|
||||
|
||||
@ -11,7 +11,7 @@ Libraries are virtual containers for users' content. A library can contain files
|
||||
|
||||
## Features for Users
|
||||
|
||||
Windows libraries are backed by full content search and rich metadata. Libraries offer the following advantages to users:
|
||||
Windows libraries provide full content search and rich metadata. Libraries offer the following advantages to users:
|
||||
|
||||
- Aggregate content from multiple storage locations into a single, unified presentation.
|
||||
- Enable users to stack and group library contents based on metadata.
|
||||
@ -51,7 +51,7 @@ Libraries are built upon the legacy known folders (such as My Documents, My Pict
|
||||
|
||||
### Hiding Default Libraries
|
||||
|
||||
Users or administrators can hide or delete the default libraries, though the libraries node in the Navigation pane can't be hidden or deleted. Hiding a default library is preferable to deleting it, as applications like Windows Media Player rely on the default libraries and will re-create them if they don't exist on the computer. See [How to Hide Default Libraries](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)#BKMK_HideDefaultLibraries) for instructions.
|
||||
Users or administrators can hide or delete the default libraries, though the libraries node in the Navigation pane can't be hidden or deleted. Hiding a default library is preferable to deleting it, as applications like Windows Media Player rely on the default libraries and re-create them if they don't exist on the computer. See [How to Hide Default Libraries](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)#BKMK_HideDefaultLibraries) for instructions.
|
||||
|
||||
### Default Save Locations for Libraries
|
||||
|
||||
@ -105,9 +105,7 @@ The following library attributes can be modified within Windows Explorer, the Li
|
||||
- Order of library locations
|
||||
- Default save location
|
||||
|
||||
The library icon can be modified by the administrator or user by directly editing the Library Description schema file.
|
||||
|
||||
See [Library Description Schema](/windows/win32/shell/library-schema-entry) for information on creating Library Description files.
|
||||
The library icon can be modified by the administrator or user by directly editing the Library Description schema file. See [Library Description Schema](/windows/win32/shell/library-schema-entry) for information on creating Library Description files.
|
||||
|
||||
## See also
|
||||
|
||||
|
||||
@ -11,11 +11,11 @@ The [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servi
|
||||
|
||||
In the [General Availability Channel](/windows/deployment/update/waas-overview#servicing-channels), you can set feature updates as soon as Microsoft releases them. This servicing modal is ideal for pilot deployments and to test Windows feature updates and for users like developers who need to work with the latest features immediately. Once you've tested the latest release, you can choose when to roll it out broadly in your deployment.
|
||||
|
||||
To determine if your device is enrolled in the Long-Term Servicing Channel or the General Availability Channel, you'll need to know what version of Windows you're running. There are a few ways to figure this out. Each method provides a different set of details, so it's useful to learn about all of them.
|
||||
To determine if your device is enrolled in the Long-Term Servicing Channel or the General Availability Channel, you need to know what version of Windows you're running. There are a few ways to figure this out. Each method provides a different set of details, so it's useful to learn about all of them.
|
||||
|
||||
## System Properties
|
||||
|
||||
Select **Start** > **Settings** > **System**, then select **About**. You'll then see **Edition**, **Version**, and **OS Build** information.
|
||||
Select **Start** > **Settings** > **System**, then select **About**. You then see **Edition**, **Version**, and **OS Build** information.
|
||||
|
||||
:::image type="content" source="images/systemcollage.png" alt-text="screenshot of the system properties window for a device running Windows 10.":::
|
||||
|
||||
@ -40,6 +40,6 @@ You can type the following in the search bar and press **ENTER** to see version
|
||||
|
||||
:::image type="content" source="images/refcmd.png" alt-text="screenshot of system information display text.":::
|
||||
|
||||
- At the PowerShell or Command Prompt, type `slmgr /dlv`, and then press ENTER. The /dlv command displays the detailed licensing information. Notice the output displays "EnterpriseS" as seen in the image below:
|
||||
- At the PowerShell or Command Prompt, type `slmgr /dlv`, and then press ENTER. The /dlv command displays the detailed licensing information. Notice the output displays "EnterpriseS" as seen in the following image:
|
||||
|
||||
:::image type="content" source="images/slmgr-dlv.png" alt-text="screenshot of software licensing manager.":::
|
||||
|
||||
Reference in New Issue
Block a user