From 16f717dc93507bf7e796d4b40727032f1bd3de27 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 26 Sep 2017 09:34:46 -0700 Subject: [PATCH 1/8] set up new topic --- windows/application-management/TOC.md | 1 + ...ange-history-for-application-management.md | 14 +++++-- windows/application-management/index.md | 1 + .../manage-windows-mixed-reality.md | 37 +++++++++++++++++++ 4 files changed, 49 insertions(+), 4 deletions(-) create mode 100644 windows/application-management/manage-windows-mixed-reality.md diff --git a/windows/application-management/TOC.md b/windows/application-management/TOC.md index 35f3b14372..5adf6e1def 100644 --- a/windows/application-management/TOC.md +++ b/windows/application-management/TOC.md @@ -1,6 +1,7 @@ # [Manage applications in Windows 10](index.md) ## [Sideload apps](sideload-apps-in-windows-10.md) ## [Remove background task resource restrictions](enterprise-background-activity-controls.md) +## [Enable or block Windows Mixed Reality apps in the enterprise](manage-windows-mixed-reality.md) ## [Application Virtualization (App-V) for Windows](app-v/appv-for-windows.md) ### [Getting Started with App-V](app-v/appv-getting-started.md) #### [What's new in App-V for Windows 10, version 1703 and earlier](app-v/appv-about-appv.md) diff --git a/windows/application-management/change-history-for-application-management.md b/windows/application-management/change-history-for-application-management.md index 3aca385415..a8a4c9a073 100644 --- a/windows/application-management/change-history-for-application-management.md +++ b/windows/application-management/change-history-for-application-management.md @@ -1,20 +1,26 @@ --- -title: Change history for Configure Windows 10 (Windows 10) +title: Change history for Application management in Windows 10 (Windows 10) description: This topic lists changes to documentation for configuring Windows 10. keywords: ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -ms.localizationpriority: high +ms.localizationpriority: medium author: jdeckerms -ms.date: 09/15/2017 +ms.date: 10/17/2017 --- -# Change history for Configure Windows 10 +# Change history for Application management in Windows 10 This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. +## RELEASE: Windows 10, version 1709 + +The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update). The following new topic has been added: + +- [Enable or block Windows Mixed Reality apps in the enterprise](manage-windows-mixed-reality.md) + ## September 2017 | New or changed topic | Description | | --- | --- | diff --git a/windows/application-management/index.md b/windows/application-management/index.md index b42c674d12..e96291a634 100644 --- a/windows/application-management/index.md +++ b/windows/application-management/index.md @@ -21,6 +21,7 @@ Learn about managing applications in Windows 10 and Windows 10 Mobile clients. |---|---| |[Sideload apps in Windows 10](sideload-apps-in-windows-10.md)| Requirements and instructions for side-loading LOB applications on Windows 10 and Windows 10 Mobile clients| | [Remove background task resource restrictions](enterprise-background-activity-controls.md) | Windows provides controls to manage which experiences may run in the background. | +| [Enable or block Windows Mixed Reality apps in the enterprise](manage-windows-mixed-reality.md) | Learn how to enable or block Windows Mixed Reality apps. | |[App-V](app-v/appv-getting-started.md)| Microsoft Application Virtualization (App-V) for Windows 10 enables organizations to deliver Win32 applications to users as virtual applications| | [Service Host process refactoring](svchost-service-refactoring.md) | Changes to Service Host grouping in Windows 10 | |[Per User services in Windows 10](sideload-apps-in-windows-10.md)| Overview of per user services and instructions for viewing and disabling them in Windows 10 and Windows 2016| diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md new file mode 100644 index 0000000000..511bcad1fd --- /dev/null +++ b/windows/application-management/manage-windows-mixed-reality.md @@ -0,0 +1,37 @@ +--- +title: Enable or block Windows Mixed Reality apps in the enterprise (Windows 10) +description: Learn how to enable or block Windows Mixed Reality apps. +keyboards: ["mr", "mr portal", "mixed reality portal", "mixed reality"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: medium +author: jdeckerms +ms.author: jdecker +ms.date: 10/17/2017 +--- + +# Enable or block Windows Mixed Reality apps in the enterprise +**Applies to** + +- Windows 10 + +intro + +## enable + +Setting up Mixed Reality on Enterprise Network +To enable downloading Windows Mixed Reality software (feature on demand package), IT admin need to do the following. +Enterprises that are using Creator’s Update clients + WSUS can approve Windows Mixed Reality package by unblocking the following KBs (I’m double checking with WSD to confirm the KB numbers) +4016509 +3180030 +3197985 + +Enterprises that use RS3 client will not be able to install FOD directly from WSUS. Instead, the enterprise IT admin/user will need to user one of the two options listed below to install Windows Mixed Reality software. +Have user manually install the Mixed Reality Software +IT admin can create Side by side feature store (shared folder) using instructions here: +https://technet.microsoft.com/en-us/library/jj127275(v=ws.11).aspx + +## block + +Since MRP is an app and blocking this app is sufficient for your scenario, via AppLocker should be sufficient for now. To make sure enterprise understand it, please file a doc bug to publish the instruction of leveraging AppLocker CSP to block Mixed Reality Portal and control Oasis. In the doc, AppLocker CSP doc is here: https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/applocker-csp it has a list of inbox app that could be controlled by this CSP, MRP/Oasis needs to be listed there as well. Provide the content and assign to Maricia – cpub writer for CSP. From f7ef92ddd0c51969eb7c98e20b8ff09563b2888d Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 27 Sep 2017 06:26:10 -0700 Subject: [PATCH 2/8] sync --- windows/application-management/manage-windows-mixed-reality.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index 511bcad1fd..6a7151bd3a 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md @@ -16,7 +16,7 @@ ms.date: 10/17/2017 - Windows 10 -intro +Windows 10, version 1709 (also known as the Fall Creators Update), introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/08/28/windows-mixed-reality-holiday-update/). ## enable From 463d37d65b5e2d3c4836087e898e8b4e32ea08a0 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 28 Sep 2017 07:24:16 -0700 Subject: [PATCH 3/8] sync --- .../manage-windows-mixed-reality.md | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index 6a7151bd3a..4c7ed498e8 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md @@ -16,12 +16,13 @@ ms.date: 10/17/2017 - Windows 10 -Windows 10, version 1709 (also known as the Fall Creators Update), introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/08/28/windows-mixed-reality-holiday-update/). +Windows 10, version 1709 (also known as the Fall Creators Update), introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/08/28/windows-mixed-reality-holiday-update/). Organizations that use Windows Server Update Services (WSUS) must take action to [enable Windows Mixed Reality](#enable). Any organization that wants to prohibit use of Windows Mixed Reality can [block the installation of the Mixed Reality Portal](#block). -## enable -Setting up Mixed Reality on Enterprise Network -To enable downloading Windows Mixed Reality software (feature on demand package), IT admin need to do the following. + +## Enable Windows Mixed Reality in WSUS + +To enable users to download Windows Mixed Reality software (feature on demand package), IT admin need to do the following. Enterprises that are using Creator’s Update clients + WSUS can approve Windows Mixed Reality package by unblocking the following KBs (I’m double checking with WSD to confirm the KB numbers) 4016509 3180030 @@ -31,7 +32,14 @@ Enterprises that use RS3 client will not be able to install FOD directly from WS Have user manually install the Mixed Reality Software IT admin can create Side by side feature store (shared folder) using instructions here: https://technet.microsoft.com/en-us/library/jj127275(v=ws.11).aspx - + + + ## block Since MRP is an app and blocking this app is sufficient for your scenario, via AppLocker should be sufficient for now. To make sure enterprise understand it, please file a doc bug to publish the instruction of leveraging AppLocker CSP to block Mixed Reality Portal and control Oasis. In the doc, AppLocker CSP doc is here: https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/applocker-csp it has a list of inbox app that could be controlled by this CSP, MRP/Oasis needs to be listed there as well. Provide the content and assign to Maricia – cpub writer for CSP. + + +## Related topics + +- [Mixed reality](https://developer.microsoft.com/windows/mixed-reality/mixed_reality) \ No newline at end of file From 9fbf3bdbe21d48224af63660b27458a75849d82b Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Mon, 2 Oct 2017 10:22:14 -0700 Subject: [PATCH 4/8] enable WMR w/WSUS --- .../manage-windows-mixed-reality.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index 4c7ed498e8..bab211b8e7 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md @@ -12,6 +12,7 @@ ms.date: 10/17/2017 --- # Enable or block Windows Mixed Reality apps in the enterprise + **Applies to** - Windows 10 @@ -22,16 +23,16 @@ Windows 10, version 1709 (also known as the Fall Creators Update), introduces [W ## Enable Windows Mixed Reality in WSUS -To enable users to download Windows Mixed Reality software (feature on demand package), IT admin need to do the following. -Enterprises that are using Creator’s Update clients + WSUS can approve Windows Mixed Reality package by unblocking the following KBs (I’m double checking with WSD to confirm the KB numbers) -4016509 -3180030 -3197985 +To enable users to download the Windows Mixed Reality software, enterprises using WSUS can approve Windows Mixed Reality package by unblocking the following KBs: + +- KB4016509 +- KB3180030 +- KB3197985 -Enterprises that use RS3 client will not be able to install FOD directly from WSUS. Instead, the enterprise IT admin/user will need to user one of the two options listed below to install Windows Mixed Reality software. -Have user manually install the Mixed Reality Software -IT admin can create Side by side feature store (shared folder) using instructions here: -https://technet.microsoft.com/en-us/library/jj127275(v=ws.11).aspx +Enterprises will not be able to install Windows Mixed Reality Feature on Demand (FOD) directly from WSUS. Instead, use one of the following options to install Windows Mixed Reality software: + +- Manually install the Mixed Reality Software +- IT admin can create [Side by side feature store (shared folder)](https://technet.microsoft.com/library/jj127275.aspx) From 76f3adf608368e8089f2ff1899cea438b335ee87 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 5 Oct 2017 06:07:03 -0700 Subject: [PATCH 5/8] update link --- windows/application-management/manage-windows-mixed-reality.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index bab211b8e7..4a9f219c07 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md @@ -17,7 +17,7 @@ ms.date: 10/17/2017 - Windows 10 -Windows 10, version 1709 (also known as the Fall Creators Update), introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/08/28/windows-mixed-reality-holiday-update/). Organizations that use Windows Server Update Services (WSUS) must take action to [enable Windows Mixed Reality](#enable). Any organization that wants to prohibit use of Windows Mixed Reality can [block the installation of the Mixed Reality Portal](#block). +Windows 10, version 1709 (also known as the Fall Creators Update), introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/). Organizations that use Windows Server Update Services (WSUS) must take action to [enable Windows Mixed Reality](#enable). Any organization that wants to prohibit use of Windows Mixed Reality can [block the installation of the Mixed Reality Portal](#block). From 82f3d9d64be674ccb73d9a7984f018d46da92af8 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 10 Oct 2017 13:41:41 -0700 Subject: [PATCH 6/8] Mixed Reality Portal & AppLocker CSP --- .../manage-windows-mixed-reality.md | 45 +++++++++++++++++- .../client-management/mdm/applocker-csp.md | 47 ++++++++++++++++++- 2 files changed, 89 insertions(+), 3 deletions(-) diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index 4a9f219c07..8918fb6977 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md @@ -31,14 +31,55 @@ To enable users to download the Windows Mixed Reality software, enterprises usin Enterprises will not be able to install Windows Mixed Reality Feature on Demand (FOD) directly from WSUS. Instead, use one of the following options to install Windows Mixed Reality software: -- Manually install the Mixed Reality Software +- Manually install the Mixed Reality software - IT admin can create [Side by side feature store (shared folder)](https://technet.microsoft.com/library/jj127275.aspx) ## block -Since MRP is an app and blocking this app is sufficient for your scenario, via AppLocker should be sufficient for now. To make sure enterprise understand it, please file a doc bug to publish the instruction of leveraging AppLocker CSP to block Mixed Reality Portal and control Oasis. In the doc, AppLocker CSP doc is here: https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/applocker-csp it has a list of inbox app that could be controlled by this CSP, MRP/Oasis needs to be listed there as well. Provide the content and assign to Maricia – cpub writer for CSP. +You can use the [AppLocker configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) to block the Mixed Reality software. + +In the following example, the **Id** can be any generated GUID and the **Name** can be any name you choose. Note that `BinaryVersionRange="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app. + +```xml + + + + $CmdID$ + + + ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions + + + chr + text/plain + + + <RuleCollection Type="Appx" EnforcementMode="Enabled"> + <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow"> + <Conditions> + <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"> + <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + <FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> + <Conditions> + <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*"> + <BinaryVersionRange LowSection="*" HighSection="*" /> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + </RuleCollection>> + + + + + + + +``` ## Related topics diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index e0eb928b60..dce9633c00 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -33,7 +33,7 @@ Defines the root node for the AppLocker configuration service provider. **ApplicationLaunchRestrictions** Defines restrictions for applications. -> **Note**   +> [!NOTE]   > When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need. > > In Windows 10 Mobile, when you create a list of allowed apps, the [settings app that rely on splash apps](#settingssplashapps) are blocked. To unblock these apps, you must include them in your list of allowed apps. @@ -571,6 +571,10 @@ The following list shows the apps that may be included in the inbox. 906beeda-b7e6-4ddc-ba8d-ad5031223ef9 906beeda-b7e6-4ddc-ba8d-ad5031223ef9 + +Mixed Reality Portal + +Microsoft.Windows.HolographicFirstRun Money 1e0440f1-7abf-4b9a-863d-177970eefb5e @@ -856,6 +860,47 @@ The following example blocks the usage of the map application. ``` +The following example disables the Mixed Reality Portal. In the example, the **Id** can be any generated GUID and the **Name** can be any name you choose. Note that `BinaryVersionRange="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app. + +```xml + + + + $CmdID$ + + + ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions + + + chr + text/plain + + + <RuleCollection Type="Appx" EnforcementMode="Enabled"> + <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow"> + <Conditions> + <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"> + <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + <FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> + <Conditions> + <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*"> + <BinaryVersionRange LowSection="*" HighSection="*" /> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + </RuleCollection>> + + + + + + + +``` + The following example for Windows 10 Mobile denies all apps and allows the following apps: - [settings app that rely on splash apps](#settingssplashapps) From 4bfea5ae1990bffbec3509f1e6f85b8c8ce87526 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 10 Oct 2017 13:56:20 -0700 Subject: [PATCH 7/8] fix heading --- windows/application-management/manage-windows-mixed-reality.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index 8918fb6977..ea252bae8e 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md @@ -36,7 +36,7 @@ Enterprises will not be able to install Windows Mixed Reality Feature on Demand -## block +## Block the Mixed Reality Portal You can use the [AppLocker configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) to block the Mixed Reality software. From e9d8099e619fb432f8da435f74358a28d1d1bb51 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 11 Oct 2017 06:10:45 -0700 Subject: [PATCH 8/8] fix --- windows/application-management/manage-windows-mixed-reality.md | 2 +- windows/client-management/mdm/applocker-csp.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index ea252bae8e..69313ce229 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md @@ -40,7 +40,7 @@ Enterprises will not be able to install Windows Mixed Reality Feature on Demand You can use the [AppLocker configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) to block the Mixed Reality software. -In the following example, the **Id** can be any generated GUID and the **Name** can be any name you choose. Note that `BinaryVersionRange="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app. +In the following example, the **Id** can be any generated GUID and the **Name** can be any name you choose. Note that `BinaryName="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app. ```xml diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index dce9633c00..5ab0e0ff0b 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -860,7 +860,7 @@ The following example blocks the usage of the map application. ``` -The following example disables the Mixed Reality Portal. In the example, the **Id** can be any generated GUID and the **Name** can be any name you choose. Note that `BinaryVersionRange="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app. +The following example disables the Mixed Reality Portal. In the example, the **Id** can be any generated GUID and the **Name** can be any name you choose. Note that `BinaryName="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app. ```xml