deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-05 17:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/rs5' into jd5kiosk

Browse Source
This commit is contained in:
Jeanie Decker 2018-08-27 07:07:06 -07:00
commit 9d79a6c29a
83 changed files with 1367 additions and 726 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
.openpublishing.redirection.json
View File

@ -1,6 +1,16 @@
{
"redirections": [
{
"source_path": "windows/security/threat-protection/intelligence/av-tests.md",
"redirect_url": "/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/intelligence/transparency-report.md",
"redirect_url": "/windows/security/threat-protection/intelligence/av-tests",
"redirect_document_id": true
},
{
"source_path": "windows/deployment/update/waas-windows-insider-for-business-aad.md",
"redirect_url": "https://docs.microsoft.com/en-us/windows-insider/at-work-pro/wip-4-biz-add",
"redirect_document_id": true
@ -5261,11 +5271,6 @@
"redirect_document_id": true
},
{
"source_path": "windows/configuration/basic-level-windows-diagnostic-events-and-fields-1803.md",
"redirect_url": "/windows/configuration/basic-level-windows-diagnostic-events-and-fields",
"redirect_document_id": true
},
{
"source_path": "windows/configuration/windows-diagnostic-data-1709.md",
"redirect_url": "/windows/configuration/windows-diagnostic-data",
"redirect_document_id": true
@ -13731,6 +13736,11 @@
"redirect_document_id": true
},
{
"source_path": "windows/privacy/basic-level-windows-diagnostic-events-and-fields.md",
"redirect_url": "/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803",
"redirect_document_id": true
},
{
"source_path": "windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703.md",
"redirect_url": "/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703",
"redirect_document_id": true

2
browsers/edge/includes/allow-config-updates-books-include.md
View File

@ -1,5 +1,5 @@
<!-- ## Allow configuration updates for the Books Library -->
>*Supported versions: Microsoft Edge on Windows 10, version 1802 or later*<br>
>*Supported versions: Microsoft Edge on Windows 10, version 1803 or later*<br>
>*Default setting: Enabled or not configured (Allowed)*
[!INCLUDE [allow-configuration-updates-for-books-library-shortdesc](../shortdesc/allow-configuration-updates-for-books-library-shortdesc.md)]

8
browsers/edge/includes/allow-ext-telemetry-books-tab-include.md
View File

@ -1,5 +1,5 @@
<!-- ## Allow extended telemetry for the Books tab -->
>*Supported versions: Microsoft Edge on Windows 10, version 1802 or later*<br>
>*Supported versions: Microsoft Edge on Windows 10, version 1803 or later*<br>
>*Default setting: Disabled or not configured (Gather and send only basic diagnostic data)*
[!INCLUDE [allow-extended-telemetry-for-books-tab-shortdesc](../shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md)]
@ -8,8 +8,8 @@
|Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:|
|Disabled or not configured<br>**(default)** |0 |0 |Microsofot gathers only basic diagnostic data. |![Most restricted value](../images/check-gn.png) |
|Enabled |1 |1 |Microsoft gathers all diagnostic data. For this policy to work correctly, you must set the diagnostic data in _Settings > Diagnostics & feedback_ to **Full**. | |
|Disabled or not configured<br>**(default)** |0 |0 |Gather and send only basic diagnostic data. |![Most restricted value](../images/check-gn.png) |
|Enabled |1 |1 |Gather all diagnostic data. For this policy to work correctly, you must set the diagnostic data in _Settings > Diagnostics & feedback_ to **Full**. | |
---
### ADMX info and settings
@ -32,4 +32,4 @@
- **Value type:** REG_DWORD
<hr>
<hr>

2
browsers/edge/includes/allow-saving-history-include.md
View File

@ -16,7 +16,7 @@
### ADMX info and settings
#### ADMX info
- **GP English name:** Allow saving history
- **GP English name:** Allow Saving History
- **GP name:** AllowSavingHistory
- **GP path:** Windows Components/Microsoft Edge
- **GP ADMX file name:** MicrosoftEdge.admx

2
browsers/edge/includes/configure-autofill-include.md
View File

@ -1,6 +1,6 @@
<!-- ## Configure Autofill -->
>*Supported versions: Microsoft Edge on Windows 10*<br>
>*Default setting: Not configured*
>*Default setting: Not configured (Blank)*
[!INCLUDE [configure-autofill-shortdesc](../shortdesc/configure-autofill-shortdesc.md)]

2
browsers/edge/includes/configure-do-not-track-include.md
View File

@ -9,7 +9,7 @@
|Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:|
|Not configured<br>**(default)** |Blank |Blank |Do not send tracking information but let users choose to send tracking information to sites they visit. | |
|Disabled |1 |1 |Never send tracking information. | |
|Disabled |0 |0 |Never send tracking information. | |
|Enabled |1 |1 |Send tracking information. |![Most restricted value](../images/check-gn.png) |
---

2
browsers/edge/includes/configure-home-button-include.md
View File

@ -1,5 +1,5 @@
<!-- ## Configure Home Button-->
>*Supported versions: Microsoft Edge on Windows 10*
>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
>*Default setting: Disabled or not configured (Show home button and load the Start page)*

5
browsers/edge/includes/configure-password-manager-include.md
View File

@ -14,9 +14,8 @@
---
Verify not allowed/disabled settings:
1. In the upper-right corner of Microsoft Edge or Microsoft Edge for Windows 10 Mobile, click or tap ellipses (…).
2. Click **Settings** and select **View Advanced settings**.
3. Verify the settings **Save Password** is toggled off or on and is greyed out.
1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**.
2. Verify the settings **Save Password** is toggled off or on and is greyed out.
### ADMX info and settings
#### ADMX info

2
browsers/edge/includes/configure-search-suggestions-address-bar-include.md
View File

@ -1,6 +1,6 @@
<!-- ## Configure search suggestions in Address bar -->
>*Supported versions: Microsoft Edge on Windows 10*<br>
>*Default setting: Not configured*
>*Default setting: Not configured (Blank)*
[!INCLUDE [configure-search-suggestions-in-address-bar-shortdesc](../shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md)]

9
browsers/edge/includes/configure-windows-defender-smartscreen-include.md
View File

@ -8,15 +8,14 @@
|Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:|
|Not configured |Blank |Blank |Users can choose to use Windows Defender SmartScreen or not. | |
|Not configured |Blank |Blank |Users can choose to use Windows Defender SmartScreen. | |
|Disabled |0 |0 |Turned off. Do not protect users from potential threats and prevent users from turning it on. | |
|Enabled |1 |1 |Turned on. Protect users from potential threats and prevent users from turning it off. |![Most restricted value](../images/check-gn.png) |
---
To verify Windows Defender SmartScreen is turned off (disabled):
1. In the upper-right corner of Microsoft Edge or Microsoft Edge for Windows 10 Mobile, click or tap the ellipses (**...**).
2. Click **Settings** and select **View Advanced Settings**.
3. At the bottom, verify that **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out.<p>![Verify that Windows Defender SmartScreen is turned off (disabled)](../images/allow-smart-screen-validation.PNG)
To verify Windows Defender SmartScreen is turned off (disabled):
1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**.
2. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is disabled.<p>![Verify that Windows Defender SmartScreen is turned off (disabled)](../images/allow-smart-screen-validation.PNG)
### ADMX info and settings

2
browsers/edge/includes/disable-lockdown-of-start-pages-include.md
View File

@ -8,7 +8,7 @@
|Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:|
|Not configured |0 |0 |Lockdown Start pages configured in either the Configure Open Microsoft Edge With policy and Configure Start Pages policy. |![Most restricted value](../images/check-gn.png) |
|Not configured |0 |0 |Lock down Start pages configured in either the Configure Open Microsoft Edge With policy and Configure Start Pages policy. |![Most restricted value](../images/check-gn.png) |
|Enabled |1 |1 |Unlocked. Users can make changes to all configured start pages.<p><p>When you enable this policy and define a set of URLs in the Configure Start Pages policy, Microsoft Edge uses the URLs defined in the Configure Open Microsoft Edge With policy. | |
---

4
browsers/edge/includes/do-not-sync-include.md
View File

@ -1,6 +1,6 @@
<!-- ## Do not sync -->
>*Supported versions: Microsoft Edge on Windows 10*<br>
>*Default setting: Disabled or not configured (Turned on)*
>*Default setting: Disabled or not configured (Allowed/turned on)*
[!INCLUDE [do-not-sync-shortdesc](../shortdesc/do-not-sync-shortdesc.md)]
@ -17,7 +17,7 @@
- **GP English name:** Do not sync
- **GP name:** AllowSyncMySettings
- **GP path:** Windows Components/Sync your settings
- **GP ADMX file name:** MicrosoftEdge.admx
- **GP ADMX file name:** SettingSync.admx
#### MDM settings
- **MDM name:** Experience/[AllowSyncMySettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings)

4
browsers/edge/includes/keep-fav-sync-ie-edge-include.md
View File

@ -8,8 +8,8 @@
|Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:|
|Disabled or not configured<br>**(default)** |0 |0 |Turned off/not syncing. | |
|Enabled |1 |1 |Turned on/syncing. |![Most restricted value](../images/check-gn.png) |
|Disabled or not configured<br>**(default)** |0 |0 |Turned off/not syncing | |
|Enabled |1 |1 |Turned on/syncing |![Most restricted value](../images/check-gn.png) |
---
### ADMX info and settings

2
browsers/edge/includes/prevent-access-about-flag-include.md
View File

@ -9,7 +9,7 @@
|Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:|
|Disabled or not configured<br>**(default)** |0 |0 |Allowed. | |
|Enabled |1 |1 |Prevents users from access the about:flags page. |![Most restricted value](../images/check-gn.png) |
|Enabled |1 |1 |Prevents users from accessing the about:flags page. |![Most restricted value](../images/check-gn.png) |
---
### ADMX info and settings

2
browsers/edge/includes/prevent-certificate-error-overrides-include.md
View File

@ -7,7 +7,7 @@
|Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:|
|Disabled or not configured<br>**(default)** |0 |0 |Allowed/turned on. Overrides the security warning to sites that have SSL errors. | |
|Disabled or not configured<br>**(default)** |0 |0 |Allowed/turned on. Override the security warning to sites that have SSL errors. | |
|Enabled |1 |1 |Prevented/turned on. |![Most restricted value](../images/check-gn.png) |
---

2
browsers/edge/includes/prevent-live-tile-pinning-start-include.md
View File

@ -9,7 +9,7 @@
|Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:|
|Disabled or not configured<br>**(default)** |0 |0 |Collect and send Live Tile metadata. | |
|Enabled |1 |1 |Do not collect. |![Most restricted value](../images/check-gn.png) |
|Enabled |1 |1 |No data collected. |![Most restricted value](../images/check-gn.png) |
---
### ADMX info and settings

4
browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md
View File

@ -20,8 +20,8 @@ For more details about configuring the browser syncing options, see [Sync browse
#### ADMX info
- **GP English name:** Prevent users from turning on browser syncing
- **GP name:** PreventUsersFromTurningOnBrowserSyncing
- **GP path:** Windows Components/Microsoft Edge
- **GP ADMX file name:** MicrosoftEdge.admx
- **GP path:** Windows Components/Sync your settings
- **GP ADMX file name:** SettingSync.admx
#### MDM settings
- **MDM name:** Experience/[PreventUsersFromTurningOnBrowserSyncing](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing)

2
browsers/edge/includes/provision-favorites-include.md
View File

@ -12,7 +12,7 @@
|Group Policy |Description |Most restricted |
|---|---|:---:|
|Disabled or not configured<br>**(default)** |Users can customize the favorites list, such as adding folders, or adding and removing favorites. | |
|Enabled |Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.<p>To define a default list of favorites, do the following:<ol><li>In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.</li><li>Click **Import from another browser**, click **Export to file**, and save the file.</li><li>In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as: <ul><li>HTTP location: "SiteList"=http://localhost:8080/URLs.html</li><li>Local network: "SiteList"="\network\shares\URLs.html"</li><li>Local file: "SiteList"=file:///c:\Users\\Documents\URLs.html</li></ul></li></ol> |![Most restricted value](../images/check-gn.png) |
|Enabled |Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.<p>To define a default list of favorites, do the following:<ol><li>In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.</li><li>Click **Import from another browser**, click **Export to file**, and save the file.</li><li>In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as: <ul><li>HTTP location: "SiteList"=http://localhost:8080/URLs.html</li><li>Local network: "SiteList"="\network\shares\URLs.html"</li><li>Local file: "SiteList"=file:///c:/Users/Documents/URLs.html</li></ul></li></ol> |![Most restricted value](../images/check-gn.png) |
---
### ADMX info and settings

2
browsers/edge/includes/set-default-search-engine-include.md
View File

@ -8,7 +8,7 @@
|Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:|
|Not configured<br>**(default)** |Blank |Blank |Microsoft Edge uses the default search engine specified in App settings. If you don't configure this policy and disable the [Allow search engine customization](#allow-search-engine-customization-include) policy, users cannot make changes. | |
|Not configured<br>**(default)** |Blank |Blank |Microsoft Edge uses the default search engine specified in App settings. If you don't configure this policy and disable the [Allow search engine customization](../available-policies.md#allow-search-engine-customization) policy, users cannot make changes. | |
|Disabled |0 |0 |Microsoft Edge removes the policy-set search engine and uses the Microsoft Edge specified engine for the market. | |
|Enabled |1 |1 |Microsoft Edge uses the policy-set search engine specified in the OpenSearch XML file. Users cannot change the default search engine.<p><p>Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.<p><p>If you want users to use the default Microsoft Edge settings for each market set the string to **EDGEDEFAULT**.<p><p>If you would like users to use Microsoft Bing as the default search engine set the string to **EDGEBING**. |![Most restricted value](../images/check-gn.png) |
---

2
browsers/edge/includes/unlock-home-button-include.md
View File

@ -8,7 +8,7 @@
|Group Policy |MDM |Registry |Description |
|---|:---:|:---:|---|
|Disabled or not configured<br>**(default)** |0 |0 |Lock down the home button to prevent users from making changes to the home button settings. |
|Disabled or not configured<br>**(default)** |0 |0 |Lock down and prevent users from making changes to the home button settings. |
|Enabled |1 |1 |Let users make changes. |
---

2
browsers/edge/shortdesc/configure-favorites-shortdesc.md
View File

@ -1 +1 @@
Use the **[Provision Favorites](../available-policies.md#provision-favorites)** in place of Configure Favorites.
Discontinued in Windows 10, version 1810. Use the **[Provision Favorites](../available-policies.md#provision-favorites)** policy instead.

2
education/get-started/inclusive-classroom-it-admin.md
View File

@ -29,7 +29,6 @@ You will also learn how to deploy apps using Microsoft Intune, turn on or off Ea
| Read aloud with simultaneous highlighting | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul> | <p style="text-align: center;">X</p> <p style="text-align: center;"><p style="text-align: center;">(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)</p> | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Outlook PC)</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps or Outlook PC)</p> |
| Adjustable text spacing and font size | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iPad</li><li>Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul> | <p style="text-align: center;">X</p> <p style="text-align: center;"><p style="text-align: center;">(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)</p> |<p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p> |
| Syllabification | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word Online</li><li>Outlook Web Access</li></ul> | | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word for iOS, Word Online, Outlook Web Access)</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word iOS)</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word iOS)</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps or Word iOS)</p> |
| Parts of speech identification | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word Online, Outlook Web Access)</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word Online, Outlook Web Access)</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p> |
| Line focus mode | <ul><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul> | | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word Online, Outlook Web Access)</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p> |
| Picture Dictionary | <ul><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul> | | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word Online, Outlook Web Access)</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p> |
@ -48,7 +47,6 @@ You will also learn how to deploy apps using Microsoft Intune, turn on or off Ea
| Creating accessible content features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) |
|---|---|---|---|---|---|---|
| Accessibility Checker | <ul><li>All Office 365 authoring applications on PC, Mac, Web</li></ul> | | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | | |
| Accessible Templates | <ul><li>Word for PCs, Mac</li><li>Excel for PCs, Mac</li><li>PowerPoint for PCs, Mac</li><li>Sway on iOS, Web, Windows 10</li></ul> | | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | | |
| Ability to add alt-text for images | <ul><li>Word for PCs (includes automatic suggestions for image descriptions)</li><li>SharePoint Online (includes automatic suggestions for image descriptions)</li><li>PowerPoint for PCs (includes automatic suggestions for image descriptions)</li><li>OneNote (includes automatic extraction of text in images)</li><li>All Office 365 authoring applications (include ability to add alt-text manually)</li></ul> | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | | |

34
mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md
View File

@ -7,12 +7,12 @@ ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
ms.prod: w10
ms.date: 07/18/2017
ms.date: 08/23/2018
ms.author: pashort
---
# High-Level Architecture of MBAM 2.5 with Configuration Manager Integration Topology
# High-level architecture of MBAM 2.5 with Configuration Manager Integration topology
This topic describes the recommended architecture for deploying Microsoft BitLocker Administration and Monitoring (MBAM) with the Configuration Manager Integration topology. This topology integrates MBAM with System Center Configuration Manager. To deploy MBAM with the Stand-alone topology, see [High-Level Architecture of MBAM 2.5 with Stand-alone Topology](high-level-architecture-of-mbam-25-with-stand-alone-topology.md).
@ -54,7 +54,7 @@ The recommended number of servers and supported number of clients in a productio
 
## Differences between Configuration Manager Integration and Stand-alone topologies
## Differences between Configuration Manager Integration and stand-alone topologies
The main differences between the topologies are:
@ -70,15 +70,15 @@ The following diagram and table describe the recommended high-level architecture
![mbam2\-5](images/mbam2-5-cmserver.png)
### Database Server
### Database server
#### Recovery Database
#### Recovery database
This feature is configured on a computer running Windows Server and supported SQL Server instance.
The **Recovery Database** stores recovery data that is collected from MBAM Client computers.
#### Audit Database
#### Audit database
This feature is configured on a computer running Windows Server and supported SQL Server instance.
@ -90,7 +90,7 @@ This feature is configured on a computer running Windows Server and supported SQ
The **Reports** provide recovery audit data for the client computers in your enterprise. You can view reports from the Configuration Manager console or directly from SQL Server Reporting Services.
### Configuration Manager Primary Site Server
### Configuration Manager primary site server
System Center Configuration Manager Integration feature
@ -102,19 +102,19 @@ System Center Configuration Manager Integration feature
- The **Configuration Manager console** must be installed on the same computer on which you install the MBAM Server software.
### Administration and Monitoring Server
### Administration and monitoring server
#### Administration and Monitoring Website
#### Administration and monitoring website
This feature is configured on a computer running Windows Server.
The **Administration and Monitoring Website** is used to:
The **Administration and monitoring website** is used to:
- Help end users regain access to their computers when they are locked out. (This area of the Website is commonly called the Help Desk.)
- View the Recovery Audit Report, which shows recovery activity for client computers. Other reports are viewed from the Configuration Manager console.
#### Self-Service Portal
#### Self-service portal
This feature is configured on a computer running Windows Server.
@ -126,21 +126,19 @@ This feature is installed on a computer running Windows Server.
The **monitoring web services** are used by the MBAM Client and the websites to communicate to the database.
**Important**  
The Monitoring Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since the MBAM Client and the websites communicate directly with the Recovery Database.
**Important**<br>The Monitoring Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since the MBAM websites communicate directly with the Recovery Database.
 
### Management Workstation
### Management workstation
#### MBAM Group Policy Templates
#### MBAM group policy templates
- The **MBAM Group Policy Templates** are Group Policy settings that define implementation settings for MBAM, which enable you to manage BitLocker drive encryption.
- Before you run MBAM, you must download the Group Policy Templates from [How to Get MDOP Group Policy (.admx) Templates](https://go.microsoft.com/fwlink/p/?LinkId=393941) and copy them to a server or workstation that is running a supported Windows Server or Windows operating system.
**Note**  
The workstation does not have to be a dedicated computer.
**NOTE**<br>The workstation does not have to be a dedicated computer.
 

2
mdop/mbam-v25/high-level-architecture-of-mbam-25-with-stand-alone-topology.md
View File

@ -109,7 +109,7 @@ This feature is configured on a computer running Windows Server.
The **monitoring web services** are used by the MBAM Client and the websites to communicate to the database.
**Important**  
The Monitoring Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since the MBAM Client and the websites communicate directly with the Recovery Database.
The Monitoring Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since the MBAM websites communicate directly with the Recovery Database.
 

218
windows/application-management/apps-in-windows-10.md
View File

@ -8,7 +8,7 @@ ms.pagetype: mobile
ms.author: elizapo
author: lizap
ms.localizationpriority: medium
ms.date: 07/10/2018
ms.date: 08/23/2018
---
# Understand the different apps included in Windows 10
@ -20,7 +20,7 @@ The following types of apps run on Windows 10:
Digging into the Windows apps, there are two categories:
- System apps - Apps that are installed in the c:\Windows\* directory. These apps are integral to the OS.
- Apps - All other apps, installed in c:\Program Files\WindowsApps. There are two classes of apps:
- Provisioned: Installed the first time you sign into Windows. You'll see a tile or Start menu item for these apps, but they aren't installed until the first sign-in.
- Provisioned: Installed in user account the first time you sign in with a new user account.
- Installed: Installed as part of the OS.
The following tables list the system apps, installed Windows apps, and provisioned Windows apps in a standard Windows 10 Enterprise installation. (If you have a custom image, your specific apps might differ.) The tables list the app, the full name, show the app's status in Windows 10 version 1607, 1703, and 1709, and indicate whether an app can be uninstalled through the UI.
@ -30,7 +30,7 @@ Some of the apps show up in multiple tables - that's because their status change
> [!TIP]
> Want to see a list of the apps installed on your specific image? You can run the following PowerShell cmdlet:
> ```powershell
> Get-AppxPackage |Select Name,PackageFamilyName
> Get-AppxPackage | select Name,PackageFamilyName
> Get-AppxProvisionedPackage -Online | select DisplayName,PackageName
> ```
@ -38,66 +38,116 @@ Some of the apps show up in multiple tables - that's because their status change
System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1703, 1709, and 1803.
| Name | Full name |1703 | 1709 | 1803 |Uninstall through UI? |
|------------------|-------------------------------------------|:------:|:------:|:------:|-------------------------------------------------------|
| Cortana UI | CortanaListenUIApp | x | | |No |
| | Desktop Learning | x | | |No |
| | DesktopView | x | | |No |
| | EnvironmentsApp | x | | |No |
| Mixed Reality + | HoloCamera | x | | |No |
| Mixed Reality + | HoloItemPlayerApp | x | | |No |
| Mixed Reality + | HoloShell | x | | |No |
| | InputApp | | x | x |No |
| | Microsoft.AAD.Broker.Plugin | x | x | x |No |
| | Microsoft.AccountsControl | x | x | x |No |
| Hello setup UI | Microsoft.BioEnrollment | x | x | x |No |
| | Microsoft.CredDialogHost | x | x | x |No |
| | Microsoft.ECApp | | x | x |No |
| | Microsoft.LockApp | x | x | x |No |
| Microsoft Edge | Microsoft.Microsoft.Edge | x | x | x |No |
| | Microsoft.PPIProjection | x | x | x |No |
| | Microsoft.Windows. Apprep.ChxApp | x | x | x |No |
| | Microsoft.Windows. AssignedAccessLockApp | x | x | x |No |
| | Microsoft.Windows. CloudExperienceHost | x | x | x |No |
| | Microsoft.Windows. ContentDeliveryManager | x | x | x |No |
| Cortana | Microsoft.Windows.Cortana | x | x | x |No |
| | Microsoft.Windows. Holographic.FirstRun | x | x | x |No |
| | Microsoft.Windows. ModalSharePickerHost | x | | |No |
| | Microsoft.Windows. OOBENetworkCaptivePort | x | x | x |No |
| | Microsoft.Windows. OOBENetworkConnectionFlow | x | x | x |No |
| | Microsoft.Windows. ParentalControls | x | x | x |No |
| People Hub | Microsoft.Windows. PeopleExperienceHost | | x | x |No |
| | Microsoft.Windows. PinningConfirmationDialog | | x | x |No |
| | Microsoft.Windows. SecHealthUI | x | x | x |No |
| | Microsoft.Windows. SecondaryTileExperience | x | x | |No |
| | Microsoft.Windows. SecureAssessmentBrowser | x | x | x |No |
| Start | Microsoft.Windows. ShellExperienceHost | x | x | x |No |
| Windows Feedback | Microsoft.WindowsFeedback | * | * | |No |
| | Microsoft.XboxGameCallableUI | x | x | x |No |
| Contact Support* | Windows.ContactSupport | x | * | |Through the Optional Features app |
| Settings | Windows.ImmersiveControlPanel | x | x | |No |
| Connect | Windows.MiracastView | x | | |No |
| Print 3D | Windows.Print3D | | x | |Yes |
| Print UI | Windows.PrintDialog | x | x | x |No |
| Purchase UI | Windows.PurchaseDialog | | | x |No |
| | Microsoft.AsyncTextService | | | x |No |
| | Microsoft.MicrosoftEdgeDevToolsClient | | | x |No |
| | Microsoft.Win32WebViewHost | | | x |No |
| | Microsoft.Windows.CapturePicker | | | x |No |
| | Windows.CBSPreview | | | x |No |
|File Picker | 1527c705-839a-4832-9118-54d4Bd6a0c89 | | | x |No |
|File Explorer | c5e2524a-ea46-4f67-841f-6a9465d9d515 | | | x |No |
|App Resolver | E2A4F912-2574-4A75-9BB0-0D023378592B | | | x |No |
|Add Suggested folder Dialog box| F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE|| | x |No |
| Name | Full name | 1703 | 1709 | 1803 |Uninstall through UI? |
|------------------|--------------------------------------------|:----:|:----:|:----:|:----------------------------------:|
| Cortana UI | CortanaListenUIApp | x | | |No |
| | Desktop Learning | x | | |No |
| | DesktopView | x | | |No |
| | EnvironmentsApp | x | | |No |
| Mixed Reality + | HoloCamera | x | | |No |
| Mixed Reality + | HoloItemPlayerApp | x | | |No |
| Mixed Reality + | HoloShell | x | | |No |
| | InputApp | | x | x |No |
| | Microsoft.AAD.BrokerPlugin | x | x | x |No |
| | Microsoft.AccountsControl | x | x | x |No |
| Hello setup UI | Microsoft.BioEnrollment | x | x | x |No |
| | Microsoft.CredDialogHost | x | x | x |No |
| | Microsoft.ECApp | | x | x |No |
| | Microsoft.LockApp | x | x | x |No |
| Microsoft Edge | Microsoft.MicrosoftEdge | x | x | x |No |
| | Microsoft.PPIProjection | x | x | x |No |
| | Microsoft.Windows.Apprep.ChxApp | x | x | x |No |
| | Microsoft.Windows.AssignedAccessLockApp | x | x | x |No |
| | Microsoft.Windows.CloudExperienceHost | x | x | x |No |
| | Microsoft.Windows.ContentDeliveryManager | x | x | x |No |
| Cortana | Microsoft.Windows.Cortana | x | x | x |No |
| | Microsoft.Windows.Holographic.FirstRun | x | x | x |No |
| | Microsoft.Windows.ModalSharePickerHost | x | | |No |
| | Microsoft.Windows.OOBENetworkCaptivePort | x | x | x |No |
| | Microsoft.Windows.OOBENetworkConnectionFlow| x | x | x |No |
| | Microsoft.Windows.ParentalControls | x | x | x |No |
| People Hub | Microsoft.Windows.PeopleExperienceHost | | x | x |No |
| | Microsoft.Windows.PinningConfirmationDialog| | x | x |No |
| | Microsoft.Windows.SecHealthUI | x | x | x |No |
| | Microsoft.Windows.SecondaryTileExperience | x | x | |No |
| | Microsoft.Windows.SecureAssessmentBrowser | x | x | x |No |
| Start | Microsoft.Windows.ShellExperienceHost | x | x | x |No |
| Windows Feedback | Microsoft.WindowsFeedback | * | * | |No |
| | Microsoft.XboxGameCallableUI | x | x | x |No |
| Contact Support\* | Windows.ContactSupport | x | * | |via Optional Features app |
| Settings | Windows.ImmersiveControlPanel | x | x | |No |
| Connect | Windows.MiracastView | x | | |No |
| Print 3D | Windows.Print3D | | x | |Yes |
| Print UI | Windows.PrintDialog | x | x | x |No |
| Purchase UI | Windows.PurchaseDialog | | | x |No |
| | Microsoft.AsyncTextService | | | x |No |
| | Microsoft.MicrosoftEdgeDevToolsClient | | | x |No |
| | Microsoft.Win32WebViewHost | | | x |No |
| | Microsoft.Windows.CapturePicker | | | x |No |
| | Windows.CBSPreview | | | x |No |
|File Picker | 1527c705-839a-4832-9118-54d4Bd6a0c89 | | | x |No |
|File Explorer | c5e2524a-ea46-4f67-841f-6a9465d9d515 | | | x |No |
|App Resolver | E2A4F912-2574-4A75-9BB0-0D023378592B | | | x |No |
|Add Suggested folder Dialog box| F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE|| | x |No |
>[!NOTE]
>\* The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support).
## Provisioned Windows apps
Here are the typical provisioned Windows apps in Windows 10 versions 1703, 1709, and 1803.
| App Name (Canonical) | Display Name | 1703 | 1709 | 1803 | Uninstall via UI? |
|--------------------------------|------------------------|:-----:|:----:|:----:|:-----------------:|
| 3D Builder | [Microsoft.3DBuilder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | x | | | Yes |
| App Installer | [Microsoft.DesktopAppInstaller](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | Via Settings App |
| Feedback Hub | [Microsoft.WindowsFeedbackHub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | Yes |
| Get Help | [Microsoft.GetHelp](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | | x | x | No |
| Get Office | [Microsoft.MicrosoftOfficeHub](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | Yes |
| Groove Music | [Microsoft.ZuneMusic](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | No |
| Mail and Calendar | [Microsoft.windowscommunicationsapps](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | No |
| Microsoft Messaging | [Microsoft.Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | No |
| Microsoft People | [Microsoft.People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | No |
| Microsoft Photos | [Microsoft.Windows.Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | No |
| Microsoft Solitaire Collection | [Microsoft.MicrosoftSolitaireCollection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | Yes |
| Microsoft Sticky Notes | [Microsoft.MicrosoftStickyNotes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | No |
| Microsoft Tips | [Microsoft.Getstarted](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | Yes |
| Mixed Reality Viewer | [Microsoft.Microsoft3DViewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | No |
| Movies & TV | [Microsoft.ZuneVideo](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | No |
| MSN Weather (BingWeather | [Microsoft.BingWeather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | Yes |
| One Note | [Microsoft.Office.OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | Yes |
| Paid Wi-Fi & Cellular | [Microsoft.OneConnect](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | Yes |
| Paint 3D | [Microsoft.MSPaint](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | No |
| Print 3D | [Microsoft.Print3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | | x | x | No |
| Skype | [Microsoft.SkypeApp](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | Yes |
| Store Purchase App\* | App not available in store | x | x | x | No |
| Wallet | App not available in store | x | x | x | No |
| Web Media Extensions | [Microsoft.WebMediaExtensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | | | x | No |
| Windows Alarms & Clock | [Microsoft.WindowsAlarms](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | No |
| Windows Calculator | [Microsoft.WindowsCalculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | No |
| Windows Camera | [Microsoft.WindowsCamera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | No |
| Windows Maps | [Microsoft.WindowsMaps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | No |
| Windows Store | [Microsoft.WindowsStore](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | No |
| Windows Voice Recorder | [Microsoft.SoundRecorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | No |
| Xbox | [Microsoft.XboxApp](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | No |
| Xbox Game Bar | [Microsoft.XboxGameOverlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | No |
| Xbox Gaming Overlay | [Microsoft.XboxGamingOverlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | | | x | No |
| Xbox Identity Provider | [Microsoft.XboxIdentityProvider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | No |
| Xbox Speech to Text Overlay | App not available in store | x | x | x | No |
| Xbox TCUI | [Microsoft.Xbox.TCUI](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | | x | x | No |
>[!NOTE]
>\* The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it.
> [!NOTE]
> - The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support).
## Installed Windows apps
Here are the typical installed Windows apps in Windows 10 versions 1703, 1709, and 1803.
| Name | Full name | 1703 | 1709 | 1803 |Uninstall through UI? |
|--------------------|------------------------------------------|:----:|:----:|:----:|----------------------|
| Name | DisplayName | 1703 | 1709 | 1803 |Uninstall through UI? |
|--------------------|------------------------------------------|:----:|:----:|:----:|:----------------------:|
| Remote Desktop | Microsoft.RemoteDesktop | x | x | | Yes |
| PowerBI | Microsoft.Microsoft PowerBIforWindows | x | | | Yes |
| Code Writer | ActiproSoftwareLLC.562882FEEB491 | x | x | x | Yes |
@ -106,7 +156,7 @@ Here are the typical installed Windows apps in Windows 10 versions 1703, 1709, a
| Photoshop Express | AdobeSystemIncorporated. AdobePhotoshop | x | x | x | Yes |
| Duolingo | D5EA27B7.Duolingo- LearnLanguagesforFree | x | x | x | Yes |
| Network Speed Test | Microsoft.NetworkSpeedTest | x | x | x | Yes |
| News | Microsoft.BingNews | x | x | x | Yes |
| News | Microsoft.BingNews | x | x | x | Yes |
| Flipboard | | | | | Yes |
| | Microsoft.Advertising.Xaml | x | x | x | Yes |
| | Microsoft.NET.Native.Framework.1.2 | x | x | x | Yes |
@ -126,52 +176,4 @@ Here are the typical installed Windows apps in Windows 10 versions 1703, 1709, a
| | Microsoft.VCLibs.120.00.Universal | | x | | Yes |
| | Microsoft.VCLibs.140.00.UWPDesktop | | | x | Yes |
| | Microsoft.WinJS.2.0 | x | | | Yes |
## Provisioned Windows apps
Here are the typical provisioned Windows apps in Windows 10 versions 1703, 1709, and 1803.
| Name | Full name | 1703 | 1709 | 1803 | Uninstall through UI? |
|---------------------------------|----------------------------------------|:------:|:------:|:------:|---------------------------|
| 3D Builder | Microsoft.3DBuilder | x | | | Yes |
| Alarms & Clock | Microsoft.WindowsAlarms | x | x | x | No |
| App Installer | Microsoft.DesktopAppInstaller | x | x | x | Via Settings App |
| Calculator | Microsoft.WindowsCalculator | x | x | x | No |
| Camera | Microsoft.WindowsCamera | x | x | x | No |
| Feedback Hub | Microsoft.WindowsFeedbackHub | x | x | x | Yes |
| Get Help | Microsoft.GetHelp | | x | x | No |
| Get Office/My Office | Microsoft.Microsoft OfficeHub | x | x | x | Yes |
| Get Skype/Skype (preview)/Skype | Microsoft.SkypeApp | x | x | x | Yes |
| Get Started/Tips | Microsoft.Getstarted | x | x | x | Yes |
| Groove | Microsoft.ZuneMusic | x | x | x | No |
| Mail and Calendar | Microsoft.windows communicationsapps | x | x | x | No |
| Maps | Microsoft.WindowsMaps | x | x | x | No |
| Messaging | Microsoft.Messaging | x | x | x | No |
| Microsoft 3D Viewer | Microsoft.Microsoft3DViewer | x | x | x | No |
| Movies & TV | Microsoft.ZuneVideo | x | x | x | No |
| OneNote | Microsoft.Office.OneNote | x | x | x | Yes |
| Paid Wi-FI | Microsoft.OneConnect | x | x | x | Yes |
| Paint 3D | Microsoft.MSPaint | x | x | x | No |
| People | Microsoft.People | x | x | x | No |
| Photos | Microsoft.Windows.Photos | x | x | x | No |
| Print 3D | Microsoft.Print3D | | x | x | No |
| Solitaire | Microsoft.Microsoft SolitaireCollection| x | x | x | Yes |
| Sticky Notes | Microsoft.MicrosoftStickyNotes | x | x | x | No |
| Store | Microsoft.WindowsStore | x | x | x | No |
| Sway | Microsoft.Office.Sway | * | x | x | Yes |
| Voice Recorder | Microsoft.SoundRecorder | x | x | x | No |
| Wallet | Microsoft.Wallet | x | x | x | No |
| Weather | Microsoft.BingWeather | x | x | x | Yes |
| Xbox | Microsoft.XboxApp | x | x | x | No |
| | Microsoft.OneConnect | x | x | x | No |
| | Microsoft.DesktopAppInstaller | | | x | No |
| | Microsoft.StorePurchaseApp | x | x | x | No |
| | Microsoft.WebMediaExtensions | | | x | No |
| | Microsoft.Xbox.TCUI | | x | x | No |
| | Microsoft.XboxGameOverlay | x | x | x | No |
| | Microsoft.XboxGamingOverlay | | | x | No |
| | Microsoft.XboxIdentityProvider | x | x | x | No |
| | Microsoft.XboxSpeech ToTextOverlay | x | x | x | No |
>[!NOTE]
>The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it.
---

180
windows/application-management/msix-app-packaging-tool.md
View File

@ -23,14 +23,19 @@ The MSIX Packaging Tool (Preview) is now available to install from the Microsoft
- A valid MSA alias (to access the app from the Store)
## What's new
v1.2018.808.0
v1.2018.821.0
- Command Line Support
- Ability to use existing local virtual machines for packaging environment.
- Ability to cross check publisher information in the manifest with a signing certificate to avoid signing issues.
- Minor updates to the UI for added clarity.
v1.2018.807.0
- Ability to add/edit/remove file and registry exclusion items is now supported in Settings menu.
- Fixed an issue where signing in with password protected certificates would fail in the tool.
- Fixed an issue where signing with password protected certificates would fail in the tool.
- Fixed an issue where the tool was crashing when editing an existing MSIX package.
- Fixed an issue where the tool was injecting whitespaces programmatically to install location paths that was causing conversion failures.
- Minor UI tweaks to add clarity.
- Minor updates to the logs for added clarity.
- Minor updates to the logs to add clarity.
## Installing the MSIX Packaging Tool
@ -45,12 +50,169 @@ This is an early preview build and not all features are supported. Here is what
- Create a modification package for a newly created Application MSIX Package by launching the tool and selecting the **Modification package** icon.
- Open your MSIX package to view and edit its content/properties by navigating to the **Open package editor** tab. Browse to the MSIX package and select **Open package**.
Features not supported in the tool are currently greyed out. Here are some of the highlighted missing features:
## Creating an application package using the Command line interface
To create a new MSIX package for your application, run the MsixPackagingTool.exe create-package command in a Command prompt window.
- Package Support Framework integration. For more detail on how you can use Package Support Framework today, check out the article posted on the [MSIX blog](https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FMSIX-Blog%2FMSIX-Package-Support-Framework-is-now-available-on-GitHub%2Fba-p%2F214548&data=02%7C01%7Cpezan%40microsoft.com%7Cbe2761c174cd465136ce08d5f1252d8a%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636680064344941094&sdata=uW3oOOEYQxd0iVgsJkZXZTQwlvf%2FimVCaOdFUXcRoeY%3D&reserved=0).
- Packaging on existing virtual machines. You can still install the Tool on a fresh VM, but the tool cannot currently spawn off a conversion from a local machine to an existing VM.
- Command Line Interface support
- Conversion of App-V 4.x packages
Here are the parameters that can be passed as command line arguments:
|Parameter |Description |
|---------|---------|
|-? <br> --help | Show help information |
|--template | [required] path to the conversion template XML file containing package information and settings for this conversion |
|--virtualMachinePassword | [optional] The password for the Virtual Machine to be used for the conversion environment. Notes: The template file must contain a VirtualMachine element and the Settings::AllowPromptForPassword attribute must not be set to true. |
Examples:
- MsixPackagingTool.exe create-package --template c:\users\documents\ConversionTemplate.xml
- MSIXPackagingTool.exe create-package --template c:\users\documents\ConversionTemplate.xml --virtualMachinePassword pswd112893
## Conversion template file
```xml
<MsixPackagingToolTemplate
xmlns="http://schemas.microsoft.com/appx/msixpackagingtool/template/2018">
<Settings
AllowTelemetry="true"
ApplyAllPrepareComputerFixes="true"
GenerateCommandLineFile="true"
AllowPromptForPassword="false" >
<ExclusionItems>
<FileExclusion ExcludePath="[{CryptoKeys}]" />
<FileExclusion ExcludePath="[{Common AppData}]\Microsoft\Crypto" />
<FileExclusion ExcludePath="[{Common AppData}]\Microsoft\Search\Data" />
<FileExclusion ExcludePath="[{Cookies}]" />
<FileExclusion ExcludePath="[{History}]" />
<FileExclusion ExcludePath="[{Cache}]" />
<FileExclusion ExcludePath="[{Personal}]" />
<FileExclusion ExcludePath="[{Profile}]\Local Settings" />
<FileExclusion ExcludePath="[{Profile}]\NTUSER.DAT.LOG1" />
<FileExclusion ExcludePath="[{Profile}]\ NTUSER.DAT.LOG2" />
<FileExclusion ExcludePath="[{Recent}]" />
<FileExclusion ExcludePath="[{Windows}]\debug" />
<FileExclusion ExcludePath="[{Windows}]\Logs\CBS" />
<FileExclusion ExcludePath="[{Windows}]\Temp" />
<FileExclusion ExcludePath="[{Windows}]\WinSxS\ManifestCache" />
<FileExclusion ExcludePath="[{Windows}]\WindowsUpdate.log" />
<FileExclusion ExcludePath="[{AppVPackageDrive}]\$Recycle.Bin " />
<FileExclusion ExcludePath="[{AppVPackageDrive}]\System Volume Information" />
<FileExclusion ExcludePath="[{AppData}]\Microsoft\AppV" />
<FileExclusion ExcludePath="[{Common AppData}]\Microsoft\Microsoft Security Client" />
<FileExclusion ExcludePath="[{Common AppData}]\Microsoft\Microsoft Antimalware" />
<FileExclusion ExcludePath="[{Common AppData}]\Microsoft\Windows Defender" />
<FileExclusion ExcludePath="[{ProgramFiles}]\Microsoft Security Client" />
<FileExclusion ExcludePath="[{ProgramFiles}]\Windows Defender" />
<FileExclusion ExcludePath="[{Local AppData}]\Temp" />
<RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography" />
<RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography" />
<RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware" />
<RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup" />
<RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Security Client" />
<RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware" />
<RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" />
<RegistryExclusion ExcludePath= "REGISTRY\USER\[{AppVCurrentUserSID}]\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU" />
<RegistryExclusion ExcludePath= "REGISTRY\USER\[{AppVCurrentUserSID}]\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU" />
<RegistryExclusion ExcludePath= "REGISTRY\USER\[{AppVCurrentUserSID}]\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams" />
<RegistryExclusion ExcludePath= "REGISTRY\USER\[{AppVCurrentUserSID}]\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Streams" />
<RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Microsoft\AppV" />
<RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\AppV" />
<RegistryExclusion ExcludePath= "REGISTRY\USER\[{AppVCurrentUserSID}]\Software\Microsoft\AppV" />
<RegistryExclusion ExcludePath= "REGISTRY\USER\[{AppVCurrentUserSID}]\Software\Wow6432Node\Microsoft\AppV" />
</ExclusionItems>
</Settings>
<PrepareComputer
DisableDefragService="true"
DisableWindowsSearchService="true"
DisableSmsHostService="true"
DisableWindowsUpdateService ="true"/>
<!--Note: this section takes precedence over the Settings::ApplyAllPrepareComputerFixes attribute -->
<SaveLocation Path="C:\users\user\Desktop" />
<Installer
Path="C:\MyAppInstaller.msi"
Arguments="/quiet"
InstallLocation="C:\Program Files\MyAppInstallLocation" />
<VirtualMachine Name="vmname" Username="vmusername" />
<PackageInformation
PackageName="MyAppPackageName"
PackageDisplayName="MyApp Display Name"
PublisherName="CN=MyPublisher"
PublisherDisplayName="MyPublisher Display Name"
Version="1.1.0.0"
MainPackageNameForModificationPackage="MainPackageIdentityName">
<Applications>
<Application
Id="MyApp1"
Description="MyApp"
DisplayName="My App"
ExecutableName="MyApp.exe"/>
</Applications>
<Capabilities>
<Capability Name="runFullTrust" />
</Capabilities>
</PackageInformation>
</MsixPackagingToolTemplate>
```
## Conversion template parameter reference
Here is the complete list of parameters that you can use in the Conversion template file.
|ConversionSettings entries |Description |
|---------|---------|
|Settings:: AllowTelemetry |[optional] Enables telemetry logging for this invocation of the tool. |
|Settings:: ApplyAllPrepareComputerFixes |[optional] Applies all recommended prepare computer fixes. Cannot be set when other attributes are used. |
|Settings:: GenerateCommandLineFile |[optional] Copies the template file input to the SaveLocation directory for future use. |
|Settings:: AllowPromptForPassword |[optional] Instructs the tool to prompt the user to enter passwords for the Virtual Machine and for the signing certificate if it is required and not specified. |
|ExclusionItems |[optional] 0 or more FileExclusion or RegistryExclusion elements. All FileExclusion elements must appear before any RegistryExclusion elements. |
|ExclusionItems::FileExclusion |[optional] A file to exclude for packaging. |
|ExclusionItems::FileExclusion::ExcludePath |Path to file to exclude for packaging. |
|ExclusionItems::RegistryExclusion |[optional] A registry key to exclude for packaging. |
|ExclusionItems::RegistryExclusion:: ExcludePath |Path to registry to exclude for packaging. |
|PrepareComputer::DisableDefragService |[optional] Disables Windows Defragmenter while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes. |
|PrepareComputer:: DisableWindowsSearchService |[optional] Disables Windows Search while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes. |
|PrepareComputer:: DisableSmsHostService |[optional] Disables SMS Host while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes. |
|PrepareComputer:: DisableWindowsUpdateService |[optional] Disables Windows Update while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes. |
|SaveLocation |[optional] An element to specify the save location of the tool. If not specified, the package will be saved under the Desktop folder. |
|SaveLocation::Path |The path to the folder where the resulting MSIX package is saved. |
|Installer::Path |The path to the application installer. |
|Installer::Arguments |The arguments to pass to the installer. You must pass the arguments to force your installer to run unattended/silently. |
|Installer::InstallLocation |[optional] The full path to your application's root folder for the installed files if it were installed (e.g. "C:\Program Files (x86)\MyAppInstalllocation"). |
|VirtualMachine |[optional] An element to specify that the conversion will be run on a local Virtual Machine. |
|VrtualMachine::Name |The name of the Virtual Machine to be used for the conversion environment. |
|VirtualMachine::Username |[optional] The user name for the Virtual Machine to be used for the conversion environment. |
|PackageInformation::PackageName |The Package Name for your MSIX package. |
|PackageInformation::PackageDisplayName |The Package Display Name for your MSIX package. |
|PackageInformation::PublisherName |The Publisher for your MSIX package. |
|PackageInformation::PublisherDisplayName |The Publisher Display Name for your MSIX package. |
|PackageInformation::Version |The version number for your MSIX package. |
|PackageInformation:: MainPackageNameForModificationPackage |[optional] The Package identity name of the main package name. This is used when creating a modification package that takes a dependency on a main (parent) application. |
|Applications |[optional] 0 or more Application elements to configure the Application entries in your MSIX package. |
|Application::Id |The App ID for your MSIX application. This ID will be used for the Application entry detected that matches the specified ExecutableName. You can have multiple Application ID for executables in the package |
|Application::ExecutableName |The executable name for the MSIX application that will be added to the package manifest. The corresponding application entry will be ignored if no application with this name is detected. |
|Application::Description |[optional] The App Description for your MSIX application. If not used, the Application DisplayName will be used. This description will be used for the application entry detected that matches the specified ExecutableName |
|Application::DisplayName |The App Display Name for your MSIX package. This Display Name will be used for the application entry detected that matches the specified ExecutableName |
|Capabilities |[optional] 0 or more Capability elements to add custom capabilities to your MSIX package. “runFullTrust” capability is added by default during conversion. |
|Capability::Name |The capability to add to your MSIX package. |
## Delete temporary conversion files using Command line interface
To delete all the temporary package files, logs, and artifacts created by the tool, run the MsixPackagingTool.exe cleanup command in the Command line window.
Example:
- MsixPackagingTool.exe cleanup
## How to file feedback

2
windows/client-management/mdm/enterprisemodernappmanagement-csp.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 07/24/2018
ms.date: 08/21/2018
---
# EnterpriseModernAppManagement CSP

4
windows/client-management/mdm/firewall-csp.md
View File

@ -266,9 +266,9 @@ Sample syncxml to provision the firewall settings to evaluate
<li>"DNS"</li>
<li>"WINS"</li>
<li>"Intranet"</li>
<li>"RemoteCorpNetwork"</li>
<li>"RmtIntranet"</li>
<li>"Internet"</li>
<li>"PlayToRenderers"</li>
<li>"Ply2Renders"</li>
<li>"LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive.</li>
<li>A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.</li>
<li>A valid IPv6 address.</li>

BIN
windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 128 KiB

After

Width:  |  Height:  |  Size: 132 KiB

BIN
windows/client-management/mdm/images/provisioning-csp-office.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 9.4 KiB

After

Width:  |  Height:  |  Size: 11 KiB

11
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -1414,6 +1414,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>Experience/AllowClipboardHistory</li>
<li>Experience/DoNotSyncBrowserSettings</li>
<li>Experience/PreventUsersFromTurningOnBrowserSyncing</li>
<li>Kerberos/UPNNameHints</li>
<li>Privacy/AllowCrossDeviceClipboard</li>
<li>Privacy/DisablePrivacyExperience</li>
<li>Privacy/UploadUserActivities</li>
@ -1478,6 +1479,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<td style="vertical-align:top">[TenantLockdown CSP](\tenantlockdown--csp.md)</td>
<td style="vertical-align:top"><p>Added new CSP in Windows 10, next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[Office CSP](office-csp.md)</td>
<td style="vertical-align:top"><p>Added FinalStatus setting in Windows 10, next major version.</p>
</td></tr>
</tbody>
</table>
@ -1763,6 +1768,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
</thead>
<tbody>
<tr>
<td style="vertical-align:top">[Office CSP](office-csp.md)</td>
<td style="vertical-align:top"><p>Added FinalStatus setting in Windows 10, next major version.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[RemoteWipe CSP](remotewipe-csp.md)</td>
<td style="vertical-align:top"><p>Added new settings in Windows 10, next major version.</p>
</td></tr>
@ -1801,12 +1810,14 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>Browser/UnlockHomeButton</li>
<li>Experience/DoNotSyncBrowserSettings</li>
<li>Experience/PreventUsersFromTurningOnBrowserSyncing</li>
<li>Kerberos/UPNNameHints</li>
<li>Privacy/AllowCrossDeviceClipboard</li>
<li>Privacy/DisablePrivacyExperience</li>
<li>Privacy/UploadUserActivities</li>
<li>Update/UpdateNotificationLevel</li>
</ul>
<p>Start/DisableContextMenus - added in Windows 10, version 1803.</p>
<p>RestrictedGroups/ConfigureGroupMembership - added new schema to apply and retrieve the policy.</p>
</td></tr>
</tbody>
</table>

48
windows/client-management/mdm/office-csp.md
View File

@ -6,13 +6,16 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 04/25/2018
ms.date: 08/15/2018
---
# Office CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219426.aspx) and [How to assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/en-us/intune/apps-add-office365).
This CSP was added in Windows 10, version 1703.
For additional information, see [Office DDF](office-ddf.md).
@ -21,39 +24,44 @@ The following diagram shows the Office configuration service provider in tree fo
![Office CSP diagram](images/provisioning-csp-office.png)
<a href="" id="office"></a>**Office**
<p style="margin-left: 20px">The root node for the Office configuration service provider.</p>
<a href="" id="office"></a>**./Device/Vendor/MSFT/Office/ or ./User/Vendor/MSFT/Office**
The root node for the Office configuration service provider.</p>
<a href="" id="installation"></a>**Installation**
Specifies the options for the Microsoft Office installation.
<p style="margin-left: 20px">Specifies the options for the Microsoft Office installation.
The supported operations are Add, Delete, Get, and Replace.
<p style="margin-left: 20px">The supported operations are Add, Delete, Get, and Replace.
<a href="" id="id"></a>**Installation/_id_**
Specifies a unique identifier that represents the ID of the Microsoft Office product to install.
<a href="" id="id"></a>**id**
The supported operations are Add, Delete, Get, and Replace.
<p style="margin-left: 20px">Specifies a unique identifier that represents the ID of the Microsoft Office product to install.
<a href="" id="install"></a>**Installation/_id_/Install**
Installs Office by using the XML data specified in the configuration.xml file.
<p style="margin-left: 20px">The supported operations are Add, Delete, Get, and Replace.
The supported operations are Get and Execute.
<a href="" id="install"></a>**Install**
<a href="" id="status"></a>**Installation/_id_/Status**
The Microsoft Office installation status.
<p style="margin-left: 20px">Installs Office by using the XML data specified in the configuration.xml file.
The only supported operation is Get.
<p style="margin-left: 20px">The supported operations are Get and Execute.
<a href="" id="finalstatus"></a>**Installation/_id_/FinalStatus**
Added in Windows 10, next major version. Indicates the status of the Final Office 365 installation.
<a href="" id="status"></a>**Status**
The only supported operation is Get.
<p style="margin-left: 20px">The Microsoft Office installation status.
Behavior:
- When Office CSP is triggered to install, it will first check if the FinalStatus node exists or not. If the node exists, delete it.
- When Office installation reaches any terminal states (either success or failure), this node is created that contains the following values:
- When status = 0: 70 (succeeded)
- When status != 0: 60 (failed)
<p style="margin-left: 20px">The only supported operation is Get.
<a href="" id="currentstatus"></a>**Installation/CurrentStatus**
Returns an XML of current Office 365 installation status on the device.
<a href="" id="currentstatus"></a>**CurrentStatus**
<p style="margin-left: 20px">Returns an XML of current Office 365 installation status on the device.
<p style="margin-left: 20px">The only supported operation is Get.
The only supported operation is Get.
## Examples

68
windows/client-management/mdm/office-ddf.md
View File

@ -7,17 +7,19 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 12/05/2017
ms.date: 08/15/2018
---
# Office DDF
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **Office** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is for Windows 10, version 1709.
The XML below is for Windows 10, next major version.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
@ -33,7 +35,7 @@ The XML below is for Windows 10, version 1709.
<AccessType>
<Get />
</AccessType>
<Description>Root of the Office CSP.</Description>
<Description>Root of the office CSP.</Description>
<DFFormat>
<node />
</DFFormat>
@ -44,7 +46,7 @@ The XML below is for Windows 10, version 1709.
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.3/MDM/Office</MIME>
<MIME>com.microsoft/1.5/MDM/Office</MIME>
</DFType>
</DFProperties>
<Node>
@ -53,7 +55,7 @@ The XML below is for Windows 10, version 1709.
<AccessType>
<Get />
</AccessType>
<Description>Installation options for the Office CSP.</Description>
<Description>Installation options for the office CSP.</Description>
<DFFormat>
<node />
</DFFormat>
@ -98,7 +100,7 @@ The XML below is for Windows 10, version 1709.
<Exec />
<Get />
</AccessType>
<Description>The install action will install Office given the configuration in the data. The string data is the xml configuration to use in order to install Office.</Description>
<Description>The install action will install office given the configuration in the data. The string data is the xml configuration to use in order to install office.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -134,6 +136,27 @@ The XML below is for Windows 10, version 1709.
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FinalStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Final Office 365 installation status.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>CurrentStatus</NodeName>
@ -175,7 +198,7 @@ The XML below is for Windows 10, version 1709.
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.3/MDM/Office</MIME>
<MIME>com.microsoft/1.5/MDM/Office</MIME>
</DFType>
</DFProperties>
<Node>
@ -261,6 +284,27 @@ The XML below is for Windows 10, version 1709.
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FinalStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Final Office 365 installation status.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>CurrentStatus</NodeName>
@ -287,13 +331,3 @@ The XML below is for Windows 10, version 1709.
</Node>
</MgmtTree>
```
 
 

3
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -2060,6 +2060,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize" id="kerberos-setmaximumcontexttokensize">Kerberos/SetMaximumContextTokenSize</a>
</dd>
<dd>
<a href="./policy-csp-kerberos.md#kerberos-upnnamehints" id="kerberos-upnnamehints">Kerberos/UPNNameHints</a>
</dd>
</dl>
### KioskBrowser policies

160
windows/client-management/mdm/policy-csp-browser.md
View File

@ -425,7 +425,16 @@ Most restricted value: 0
[!INCLUDE [allow-configuration-updates-for-books-library-shortdesc](../../../browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md)]
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow configuration updates for the Books Library*
- GP name: *AllowConfigurationUpdateForBooksLibrary*
- GP path: *Windows Components/Microsoft Edge*
- GP ADMX file name: *MicrosoftEdge.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values:
@ -476,9 +485,6 @@ Supported values:
<!--Description-->
[!INCLUDE [configure-cookies-shortdesc](../../../browsers/edge/shortdesc/configure-cookies-shortdesc.md)]
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
@ -504,7 +510,7 @@ To verify AllowCookies is set to 0 (not allowed):
1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
2. In the upper-right corner of the browser, click **…**.
3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
4. Verify the setting **Cookies** is greyed out.
4. Verify the setting **Cookies** is disabled.
<!--/Validation-->
<!--/Policy-->
@ -697,8 +703,8 @@ ADMX Info:
<!--SupportedValues-->
Supported values:
- 0 Prevented/not allowed.
- 1 (default) Allowed.
- 0 Prevented/not allowed
- 1 (default) Allowed
<!--/SupportedValues-->
<!--/Policy-->
@ -758,8 +764,8 @@ ADMX Info:
<!--SupportedValues-->
Supported values:
- 0 Prevented/not allowed.
- 1 (default) Allowed.
- 0 Prevented/not allowed
- 1 (default) Allowed
<!--/SupportedValues-->
<!--/Policy-->
@ -803,7 +809,7 @@ Supported values:
<!--/Scope-->
<!--Description-->
>*Supported versions: Microsoft Edge on Windows 10, version 1703*
>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
[!INCLUDE [configure-adobe-flash-click-to-run-setting-shortdesc](../../../browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md)]
@ -821,9 +827,10 @@ ADMX Info:
Supported values:
- 0 Load and run Adobe Flash content automatically.
- 1 (default) Do not load or run Adobe Flash content automatically. Requires user action.
- 1 (default) Does not load or run Adobe Flash content automatically. Requires action from the user.
Most restricted value: 1
<!--/SupportedValues-->
<!--/Policy-->
@ -882,10 +889,12 @@ ADMX Info:
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values:
- 0 - Prevented/not allowed
- 1 (default) - Allowed
Most restricted value: 0
<!--/SupportedValues-->
<!--Example-->
@ -936,8 +945,6 @@ Most restricted value: 0
<!--Description-->
[!INCLUDE [allow-inprivate-browsing-shortdesc](../../../browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md)]
Most restricted value: 0
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
@ -953,6 +960,8 @@ Supported values:
- 0 Prevented/not allowed
- 1 (default) Allowed
Most restricted value: 0
<!--/SupportedValues-->
<!--/Policy-->
@ -995,12 +1004,11 @@ Supported values:
<!--/Scope-->
<!--Description-->
>*Supported versions: Microsoft Edge on Windows 10, version 1703*
>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
[!INCLUDE [allow-microsoft-compatibility-list-shortdesc](../../../browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md)]
Most restricted value: 0
<!--/Description-->
<!--ADMXMapped-->
@ -1017,6 +1025,8 @@ Supported values:
- 0 Prevented/not allowed
- 1 (default) Allowed
Most restricted value: 0
<!--/SupportedValues-->
<!--/Policy-->
@ -1074,7 +1084,7 @@ ADMX Info:
<!--SupportedValues-->
Supported values:
- Blank - Users can shoose to save and manage passwords locally.
- Blank - Users can choose to save and manage passwords locally.
- 0 Not allowed.
- 1 (default) Allowed.
@ -1084,10 +1094,8 @@ Most restricted value: 0
<!--Validation-->
To verify AllowPasswordManager is set to 0 (not allowed):
1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
2. In the upper-right corner of the browser, click **…**.
3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
4. Verify the settings **Offer to save password** and **Manage my saved passwords** are greyed out.
1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**.
2. Verify the settings **Save Password** is disabled.
<!--/Validation-->
<!--/Policy-->
@ -1151,14 +1159,13 @@ Supported values:
- 1 Turn on Pop-up Blocker stopping pop-up windows from opening.
Most restricted value: 1
<!--/SupportedValues-->
<!--Validation-->
To verify AllowPopups is set to 0 (not allowed):
1. Open Microsoft Edge.
2. In the upper-right corner of the browser, click **…**.
3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
4. Verify the setting **Block pop-ups** is greyed out.
1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**.
2. Verify the setting **Block pop-ups** is disabled.
<!--/Validation-->
<!--/Policy-->
@ -1219,10 +1226,12 @@ ADMX Info:
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values:
- 0 - Prevented/not allowed
- 1 (default) - Allowed
Most restricted value: 0
<!--/SupportedValues-->
<!--Example-->
@ -1287,10 +1296,12 @@ ADMX Info:
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values:
- 0 - Prevented/not allowed
- 1 (default) - Allowed
Most restricted value: 0
<!--/SupportedValues-->
<!--Example-->
@ -1355,10 +1366,12 @@ ADMX Info:
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values:
- 0 - Prevented/not allowed
- 1 (default) - Allowed
Most restricted value: 0
<!--/SupportedValues-->
<!--Example-->
@ -1408,7 +1421,7 @@ Most restricted value: 0
<!--/Scope-->
<!--Description-->
>*Supported versions: Microsoft Edge on Windows 10, version 1703*
>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
[!INCLUDE [allow-search-engine-customization-shortdesc](../../../browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md)]
@ -1493,6 +1506,7 @@ Supported values:
- 1 Allowed. Show the search suggestions.
Most restricted value: 0
<!--/SupportedValues-->
<!--/Policy-->
@ -1543,7 +1557,7 @@ Most restricted value: 0
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow Sideloading of extension*
- GP English name: *Allow sideloading of Extensions*
- GP name: *AllowSideloadingOfExtensions*
- GP path: *Windows Components/Microsoft Edge*
- GP ADMX file name: *MicrosoftEdge.admx*
@ -1552,10 +1566,11 @@ ADMX Info:
<!--SupportedValues-->
Supported values:
- 0 - Prevented, but does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled).
- 0 - Prevented/not allowed. Disabling does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled).
- 1 (default) - Allowed.
Most restricted value: 0
<!--/SupportedValues-->
<!--Example-->
@ -1618,19 +1633,18 @@ ADMX Info:
<!--SupportedValues-->
Supported values:
- Blank - Users can choose to use Windows Defender SmartScreen or not.
- Blank - Users can choose to use Windows Defender SmartScreen.
- 0 Turned off. Do not protect users from potential threats and prevent users from turning it on.
- 1 (default) Turned on. Protect users from potential threats and prevent users from turning it off.
Most restricted value: 1
<!--/SupportedValues-->
<!--Validation-->
To verify AllowSmartScreen is set to 0 (not allowed):
1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
2. In the upper-right corner of the browser, click **…**.
3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
4. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out.
1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**.
2. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is disabled.
<!--/Validation-->
<!--/Policy-->
@ -1691,8 +1705,8 @@ ADMX Info:
<!--SupportedValues-->
Supported values:
- 0 (default) - Allowed. Preload Start and New tab pages.
- 1 - Prevented/not allowed.
- 0 - Prevented/not allowed.
- 1 (default) - Allowed. Preload Start and New tab pages.
Most restricted value: 1
<!--/SupportedValues-->
@ -1747,6 +1761,7 @@ Most restricted value: 1
[!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../../../browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)]
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
@ -1832,6 +1847,7 @@ Supported values:
- 1 - Show the Books Library, regardless of the devices country or region.
Most restricted value: 0
<!--/SupportedValues-->
<!--/Policy-->
@ -1874,7 +1890,7 @@ Most restricted value: 0
<!--/Scope-->
<!--Description-->
>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
[!INCLUDE [allow-clearing-browsing-data-on-exit-shortdesc](../../../browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md)]
@ -1894,6 +1910,7 @@ Supported values:
- 1 Allowed. Clear the browsing data upon exit automatically.
Most restricted value: 1
<!--/SupportedValues-->
<!--Validation-->
To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set to 1):
@ -1945,12 +1962,12 @@ To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set
<!--/Scope-->
<!--Description-->
>*Supported versions: Microsoft Edge on Windows 10, version 1703*
>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
[!INCLUDE [configure-additional-search-engines-shortdesc](../../../browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md)]
> [!IMPORTANT]
> Due to Protected Settings (aka.ms/browserpolicy), this setting will apply only on domain-joined machines or when the device is MDM-enrolled. 
> Due to Protected Settings (aka.ms/browserpolicy), this setting applies only on domain-joined machines or when the device is MDM-enrolled. 
<!--/Description-->
@ -2106,7 +2123,7 @@ Supported values:
- 3 - Hide home button.
>[!TIP]
>If you want to make changes to this policy:<ol><li>Set the **Unlock Home Button** policy to 1 (enabled).</li><li>Make changes to the **Configure Home Button** policy or **Set Home Button URL** policy.</li><li>Set the **Unlock Home Button** policy to 0 (disabled).</li></ol>
>If you want to make changes to this policy:<ol><li>Set **UnlockHomeButton** to 1 (enabled).</li><li>Make changes to **ConfigureHomeButton** or **SetHomeButtonURL** policy.</li><li>Set **UnlockHomeButton** 0 (disabled).</li></ol>
<!--/SupportedValues-->
@ -2179,13 +2196,14 @@ ADMX Info:
<!--SupportedValues-->
Supported values:
**0 (Default or not configured)**:
**0 (Default or not configured)**:
- If its a single app, it runs InPrivate full screen for digital signage or interactive displays.
- If its one of many apps, Microsoft Edge runs as normal.
**1**:
**1**:
- • If its a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users cant minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. _**For single-app public browsing:**_ If you do not configure the Configure kiosk reset after idle timeout policy and you enable this policy, Microsoft Edge kiosk resets after 5 minutes of idle time.
- If its one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they cant customize Microsoft Edge.
<!--/SupportedValues-->
<!--Example-->
@ -2239,7 +2257,7 @@ Supported values:
[!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../../../browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)]
You must set the Configure kiosk mode policy to enabled (1 - InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access for this policy to take effect; otherwise, Microsoft Edge ignores this setting. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc).
You must set ConfigureKioskMode to enabled (1 - InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access for this policy to take effect; otherwise, Microsoft Edge ignores this setting. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc).
<!--/Description-->
<!--ADMXMapped-->
@ -2253,9 +2271,11 @@ ADMX Info:
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values:
- **Any integer from 1-1440 (5 minutes is the default)** The time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration. A confirmation dialog displays for the user to cancel or continue and automatically continues after 30 seconds.
- **0** No idle timer.
<!--/SupportedValues-->
<!--Example-->
@ -2313,8 +2333,8 @@ Supported values:
If you don't want to send traffic to Microsoft, use the \<about:blank\> value, which honors both domain and non domain-joined devices when it's the only configured URL.
**Version 1810**:<br>
When you enable this policy and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy.
**Next major version**:<br>
When you enable this policy and select an option, and also enter the URLs of the pages you want in HomePages, Microsoft Edge ignores HomePages.
<!--/Description-->
<!--ADMXMapped-->
@ -2329,14 +2349,14 @@ ADMX Info:
<!--SupportedValues-->
Supported values:
- Blank - If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page.
- Blank - If you don't configure this policy and you set DisableLockdownOfStartPages to 1 (enabled), users can change or customize the Start page.
- 0 - Load the Start page.
- 1 - Load the New tab page.
- 2 - Load the previous pages.
- 3 (default) - Load a specific page or pages.
>[!TIP]
>If you want to make changes to this policy:<ol><li>Set the Disabled Lockdown of Start Pages policy to 0 (not configured).</li><li>Make changes to the Configure Open Microsoft With policy.</li><li>Set the Disabled Lockdown of Start Pages policy to 1 (enabled).</li></ol>
>If you want to make changes to this policy:<ol><li>Set DisableLockdownOfStartPages to 0 (not configured).</li><li>Make changes to ConfigureOpenEdgeWith.</li><li>Set DisableLockdownOfStartPages to 1 (enabled).</li></ol>
<!--/SupportedValues-->
@ -2459,7 +2479,7 @@ Most restricted value: 0
<!--/Scope-->
<!--Description-->
>*Supported versions: Microsoft Edge on Windows 10, version 1703*
>*Supported versions: Microsoft Edge on Windows 10*
[!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../../../browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md)]
 
@ -2483,8 +2503,8 @@ ADMX Info:
<!--SupportedValues-->
Supported values:
- 0 Locked. Lockdown the Start pages configured in either the Configure Open Microsoft Edge With policy or Configure Start Pages policy. 
- 1 (default) Unlocked. Users can make changes to all configured start pages.<p><p>When you enable this policy and define a set of URLs in the Configure Start Pages policy, Microsoft Edge uses the URLs defined in the Configure Open Microsoft Edge With policy.
- 0 Lock down Start pages configured in either the ConfigureOpenEdgeWith policy and HomePages policy.
- 1 (default) Unlocked. Users can make changes to all configured start pages.<p><p>When you enable this policy and define a set of URLs in the HomePages policy, Microsoft Edge uses the URLs defined in the ConfigureOpenEdgeWith policy.
Most restricted value: 0
<!--/SupportedValues-->
@ -2544,8 +2564,8 @@ ADMX Info:
<!--SupportedValues-->
Supported values:
- 0 (default) - Gather and send only basic diagnotic data, depending on the device configuration.
- 1 - Gather both basic and additional data, such as usage data.
- 0 (default) - Gather and send only basic diagnostic data, depending on the device configuration.
- 1 - Gather all diagnostic data.
Most restricted value: 0
<!--/SupportedValues-->
@ -2598,7 +2618,6 @@ Most restricted value: 0
 
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
@ -2613,7 +2632,8 @@ ADMX Info:
Supported values:
- 0 (default) - Turned off. Microsoft Edge does not check the Enterprise Mode Site List, and in this case, users might experience problems while using legacy apps.
- Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 second, but uses the existing file. To add the location to your site list, enter it in the {URI} box.
- Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 second, but uses the existing file. To add the location to your site list, enter it in the {URI} box.<p>For details on how to configure the Enterprise Mode Site List, see [Interoperability and enterprise guidance](https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp).
<!--/SupportedValues-->
<!--/Policy-->
@ -2658,7 +2678,7 @@ Supported values:
<!--/Scope-->
<!--Description-->
> [!IMPORTANT]
> We discontinued this policy in Windows 10, version 1511. Use the [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist) policy instead.
> Discontinued in Windows 10, version 1511. Use the [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist) policy instead.
<!--/Description-->
<!--/Policy-->
@ -2707,8 +2727,6 @@ Supported values:
Enter a URL in string format for the site you want to load when Microsoft Edge for Windows 10 Mobile opens for the first time, for example, contoso.com.
Data type = String
<!--/Description-->
<!--/Policy-->
@ -2892,7 +2910,7 @@ Most restricted value: 1
<!--/Scope-->
<!--Description-->
[!INCLUDE [prevent-changes-to-favorites-shortdesc](../../../browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md)]
[!INCLUDE [prevent-access-to-about-flags-page-shortdesc](../../../browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md)]
<!--/Description-->
<!--ADMXMapped-->
@ -2907,7 +2925,7 @@ ADMX Info:
Supported values:
- 0 (default) Allowed.
- 1 Prevented/not allowed. Users cannot access the about:flags page.
- 1 Prevents users from accessing the about:flags page.
Most restricted value: 1
<!--/SupportedValues-->
@ -3036,7 +3054,7 @@ ADMX Info:
<!--SupportedValues-->
Supported values:
- 0 (default) Allowed. Microsoft Edge loads the First Run webpage.
- 0 (default) Allowed. Load the First Run webpage.
- 1 Prevented/not allowed.
Most restricted value: 1
@ -3082,7 +3100,7 @@ Most restricted value: 1
<!--/Scope-->
<!--Description-->
>*Supported versions: Microsoft Edge on Windows 10, version 1703*
>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
[!INCLUDE [prevent-edge-from-gathering-live-tile-info-shortdesc](../../../browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md)]
@ -3098,7 +3116,7 @@ ADMX Info:
<!--SupportedValues-->
Supported values:
- 0 (default) Collect and send Live Tile metadata to Microsoft.
- 0 (default) Collect and send Live Tile metadata.
- 1 No data collected.
Most restricted value: 1
@ -3395,9 +3413,9 @@ Most restricted value: 1
<!--/Scope-->
<!--Description-->
>*Supported versions: Microsoft Edge on Windows 10, version 1709*
>*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
[!INCLUDE [prevent-using-localhost-ip-address-for-webrtc-shortdesc](../../../browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md)]
[!INCLUDE [provision-favorites-shortdesc](../../../browsers/edge/shortdesc/provision-favorites-shortdesc.md)]
 
Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.
@ -3405,14 +3423,14 @@ Define a default list of favorites in Microsoft Edge. In this case, the Save a F
To define a default list of favorites:
1. In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.
2. Click **Import from another browser**, click **Export to file** and save the file.
3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. <p><p>Specify the URL as:<ul><li>HTTP location: "SiteList"="http://localhost:8080/URLs.html"</li><li>Local network: "SiteList"="\\network\\shares\\URLs.html"</li><li>Local file: "SiteList"="file:///c:\\Users\\<user\>\\Documents\\URLs.html"</li></ul>
3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. <p><p>Specify the URL as:<ul><li>HTTP location: "SiteList"=http://localhost:8080/URLs.html</li><li>Local network: "SiteList"="\network\shares\URLs.html"</li><li>Local file: "SiteList"=file:///c:/Users/Documents/URLs.html</li></ul>
> [!Important]
> Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers.
>[!IMPORTANT]
>Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers.
Data type = string
<!--/Description-->
<!--ADMXMapped-->
@ -3424,6 +3442,7 @@ ADMX Info:
- GP ADMX file name: *MicrosoftEdge.admx*
<!--/ADMXMapped-->
<!--/Policy-->
<hr/>
@ -3485,9 +3504,10 @@ ADMX Info:
Supported values:
- 0 (default) - All sites, including intranet sites, open in Microsoft Edge automatically.
- 1 - Only intranet sites open in Internet Explorer 11 automatically. Enabling this policy opens all intranet sites in IE11 automatically, even if the users have Microsoft Edge as their default browser.
- 1 - Only intranet sites open in Internet Explorer 11 automatically.<p><p>Enabling this policy automatically opens all intranet sites in IE11, even if the users have Microsoft Edge as their default browser.<ol><li>In Group Policy Editor, navigate to:<br><br>**Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** and click **Enable**.<p></li><li>Refresh the policy and then view the affected sites in Microsoft Edge.<p><p>A message displays saying that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.</li></ol>
Most restricted value: 0
<!--/SupportedValues-->
<!--/Policy-->
@ -3553,7 +3573,7 @@ ADMX Info:
<!--SupportedValues-->
Supported values:
- Blank (default) - Microsoft Edge uses the default search engine specified in App settings. If you don't configure this policy and disable the AllowSearchEngineCustomization policy, users cannot make changes.
- Blank (default) - Microsoft Edge uses the default search engine specified in App settings. If you don't configure this policy and disable the [AllowSearchEngineCustomization](https://review.docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser?branch=microsoft-edge-preview#browser-allowsearchenginecustomization) policy, users cannot make changes.
- 0 - Microsoft Edge removes the policy-set search engine and uses the Microsoft Edge specified engine for the market.
- 1 - Microsoft Edge uses the policy-set search engine specified in the OpenSearch XML file. Users cannot change the default search engine.<p><p>Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.<p><p>If you want users to use the default Microsoft Edge settings for each market, set the string to **EDGEDEFAULT**.<p><p>If you want users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**.
@ -3802,7 +3822,7 @@ Most restricted value: 0
<!--/Scope-->
<!--Description-->
>*Supported versions: Microsoft Edge on Windows 10, version 1703*
>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
[!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../../../browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)]
@ -3894,7 +3914,7 @@ ADMX Info:
<!--SupportedValues-->
Supported values:
- 0 (default) - Lock down the home button to prevent users from making changes to the settings.
- 0 (default) - Lock down and prevent users from making changes to the settings.
- 1 - Let users make changes.
<!--/SupportedValues-->
@ -3961,7 +3981,7 @@ ADMX Info:
Supported values:
- 0 - Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user.
- 1 - Allowed. Microsoft Edge downloads book files into a shared folder.
- 1 - Allowed. Microsoft Edge downloads book files to a shared folder. For this policy to work correctly, you must also enable the Allow a Windows app to share application data between users group policy. Also, the users must be signed in with a school or work account.
Most restricted value: 0
<!--/SupportedValues-->

55
windows/client-management/mdm/policy-csp-experience.md
View File

@ -1454,7 +1454,25 @@ Supported values:
- 0 (default) - Allowed/turned on. The "browser" group syncs automatically between users devices and lets users to make changes.
- 2 - Prevented/turned off. The "browser" group does not use the _Sync your Settings_ option.
Value type: integer
_**Sync the browser settings automatically**_
Set both **DoNotSyncBrowserSettings** and **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on).
_**Prevent syncing of browser settings and prevent users from turning it on**_
1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off).
2. Set **PreventUsersFromTurningOnBrowserSyncing** to 1 (Prevented/turned off).
_**Prevent syncing of browser settings and let users turn on syncing**_
1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off).
2. Set **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on).
_**Turn syncing off by default but dont disable**_
Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off) and select the _Allow users to turn “browser” syncing_ option.
<!--/SupportedValues-->
<!--Example-->
@ -1508,21 +1526,11 @@ Related policy:
[DoNotSyncBrowserSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting)
If you want to prevent syncing of browser settings and prevent users from turning it on:
1. Set DoNotSyncBrowserSettings to 2 (enabled).
1. Set this policy (PreventUsersFromTurningOnBrowserSyncing) to 1 (enabled or not configured).
If you want to prevent syncing of browser settings but give users a choice to turn on syncing:
1. Set DoNotSyncBrowserSettings to 2 (enabled).
2. Set this policy (PreventUsersFromTurningOnBrowserSyncing) to 0 (disabled).
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Do not sync browser settings*
- GP name: *DisableWebBrowserSettingSync*
- GP element: *CheckBox_UserOverride*
- GP English name: *Prevent users from turning on browser syncing*
- GP name: *PreventUsersFromTurningOnBrowserSyncing*
- GP path: *Windows Components/Sync your settings*
- GP ADMX file name: *SettingSync.admx*
@ -1533,17 +1541,30 @@ Supported values:
- 0 - Allowed/turned on. Users can sync the browser settings.
- 1 (default) - Prevented/turned off.
Value type is integer.
_**Sync the browser settings automatically**_
Set both **DoNotSyncBrowserSettings** and **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on).
_**Prevent syncing of browser settings and prevent users from turning it on**_
1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off).
2. Set **PreventUsersFromTurningOnBrowserSyncing** to 1 (Prevented/turned off).
_**Prevent syncing of browser settings and let users turn on syncing**_
1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off).
2. Set **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on).
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
**Validation procedure:**
Validation procedure:
Microsoft Edge on your PC:
1. Select **More > Settings**.
1. See if the setting is enabled or disabled based on your setting.
1. See if the setting is enabled or disabled based on your selection.
<!--/Validation-->
<!--/Policy-->

792
windows/client-management/mdm/policy-csp-kerberos.md
View File

@ -1,366 +1,426 @@
---
title: Policy CSP - Kerberos
description: Policy CSP - Kerberos
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 03/12/2018
---
# Policy CSP - Kerberos
<hr/>
<!--Policies-->
## Kerberos policies
<dl>
<dd>
<a href="#kerberos-allowforestsearchorder">Kerberos/AllowForestSearchOrder</a>
</dd>
<dd>
<a href="#kerberos-kerberosclientsupportsclaimscompoundarmor">Kerberos/KerberosClientSupportsClaimsCompoundArmor</a>
</dd>
<dd>
<a href="#kerberos-requirekerberosarmoring">Kerberos/RequireKerberosArmoring</a>
</dd>
<dd>
<a href="#kerberos-requirestrictkdcvalidation">Kerberos/RequireStrictKDCValidation</a>
</dd>
<dd>
<a href="#kerberos-setmaximumcontexttokensize">Kerberos/SetMaximumContextTokenSize</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="kerberos-allowforestsearchorder"></a>**Kerberos/AllowForestSearchOrder**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).
If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain.
If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Use forest search order*
- GP name: *ForestSearch*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="kerberos-kerberosclientsupportsclaimscompoundarmor"></a>**Kerberos/KerberosClientSupportsClaimsCompoundArmor**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features.
If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring.
If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Kerberos client support for claims, compound authentication and Kerberos armoring*
- GP name: *EnableCbacAndArmor*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="kerberos-requirekerberosarmoring"></a>**Kerberos/RequireKerberosArmoring**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller.
Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.
If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers.
Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring.
If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Fail authentication requests when Kerberos armoring is not available*
- GP name: *ClientRequireFast*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="kerberos-requirestrictkdcvalidation"></a>**Kerberos/RequireStrictKDCValidation**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.
If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.
If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Require strict KDC validation*
- GP name: *ValidateKDC*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="kerberos-setmaximumcontexttokensize"></a>**Kerberos/SetMaximumContextTokenSize**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size.
The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token.
If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller.
If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.
Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Set maximum Kerberos SSPI context token buffer size*
- GP name: *MaxTokenSize*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
<!--/Policies-->
---
title: Policy CSP - Kerberos
description: Policy CSP - Kerberos
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 08/08/2018
---
# Policy CSP - Kerberos
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>
<!--Policies-->
## Kerberos policies
<dl>
<dd>
<a href="#kerberos-allowforestsearchorder">Kerberos/AllowForestSearchOrder</a>
</dd>
<dd>
<a href="#kerberos-kerberosclientsupportsclaimscompoundarmor">Kerberos/KerberosClientSupportsClaimsCompoundArmor</a>
</dd>
<dd>
<a href="#kerberos-requirekerberosarmoring">Kerberos/RequireKerberosArmoring</a>
</dd>
<dd>
<a href="#kerberos-requirestrictkdcvalidation">Kerberos/RequireStrictKDCValidation</a>
</dd>
<dd>
<a href="#kerberos-setmaximumcontexttokensize">Kerberos/SetMaximumContextTokenSize</a>
</dd>
<dd>
<a href="#kerberos-upnnamehints">Kerberos/UPNNameHints</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="kerberos-allowforestsearchorder"></a>**Kerberos/AllowForestSearchOrder**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).
If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain.
If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Use forest search order*
- GP name: *ForestSearch*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="kerberos-kerberosclientsupportsclaimscompoundarmor"></a>**Kerberos/KerberosClientSupportsClaimsCompoundArmor**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features.
If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring.
If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Kerberos client support for claims, compound authentication and Kerberos armoring*
- GP name: *EnableCbacAndArmor*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="kerberos-requirekerberosarmoring"></a>**Kerberos/RequireKerberosArmoring**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller.
Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.
If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers.
Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring.
If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Fail authentication requests when Kerberos armoring is not available*
- GP name: *ClientRequireFast*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="kerberos-requirestrictkdcvalidation"></a>**Kerberos/RequireStrictKDCValidation**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.
If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.
If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Require strict KDC validation*
- GP name: *ValidateKDC*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="kerberos-setmaximumcontexttokensize"></a>**Kerberos/SetMaximumContextTokenSize**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size.
The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token.
If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller.
If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.
Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Set maximum Kerberos SSPI context token buffer size*
- GP name: *MaxTokenSize*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="kerberos-upnnamehints"></a>**Kerberos/UPNNameHints**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Adds a list of domains that an Azure Active Directory joined device can attempt to contact when it cannot resolve a UPN to a principal.
Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an Azure Active Directory UPN into an Active Directory Principal. You can use this policy to avoid those failures.
<!--/Description-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in the next major release of Windows 10.
<!--/Policies-->

47
windows/client-management/mdm/policy-csp-restrictedgroups.md
View File

@ -66,12 +66,59 @@ This security setting allows an administrator to define the members of a securit
Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members.
Starting in Windows 10, next major version, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution.
``` syntax
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" version="1.0">
<xs:simpleType name="member_name">
<xs:restriction base="xs:string">
<xs:maxLength value="255" />
</xs:restriction>
</xs:simpleType>
<xs:element name="accessgroup">
<xs:complexType>
<xs:sequence>
<xs:element name="member" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Restricted Group Member</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="name" type="member_name" use="required"/>
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:attribute name="desc" type="member_name" use="required"/>
</xs:complexType>
</xs:element>
<xs:element name="groupmembership">
<xs:complexType>
<xs:sequence>
<xs:element name="accessgroup" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Restricted Group</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
```
<!--/Description-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
Here is an example:
```
<groupmembership>
<accessgroup desc="Administrators">
<member name="Contoso\Alice" />
<member name = "S-188-5-5666-5-688" / >
</accessgroup>
</groupmembership>
```
<!--/Example-->
<!--Validation-->

55
windows/client-management/mdm/policy-csp-userrights.md
View File

@ -12,6 +12,61 @@ ms.date: 03/12/2018
# Policy CSP - UserRights
<hr/>
User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as SIDs or strings. Here is a list for reference, [Well-Known SID Structures](https://msdn.microsoft.com/en-us/library/cc980032.aspx). Even though strings are supported for well-known accounts and groups, it is better to use SIDs because strings are localized for different languages. Some user rights allow things, like AccessFromNetwork, while others disallow things, like DenyAccessFromNetwork.
Here is an example syncml for setting the user right BackupFilesAndDirectories for Administrators and Authenticated Users groups.
```syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/UserRights/BackupFilesAndDirectories</LocURI>
</Target>
<Data>Authenticated Users&#xF000;Administrators</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
Here are examples of data fields. The encoded 0xF000 is the standard delimiter/separator
- Grant an user right to Administrators group via SID:
```
<Data>*S-1-5-32-544</Data>
```
- Grant an user right to multiple groups (Administrators, Authenticated Users) via SID
```
<Data>*S-1-5-32-544&#xF000;*S-1-5-11</Data>
```
- Grant an user right to multiple groups (Administrators, Authenticated Users) via a mix of SID and Strings
```
<Data>*S-1-5-32-544&#xF000;Authenticated Users</Data>
```
- Grant an user right to multiple groups (Authenticated Users, Administrators) via strings
```
<Data>Authenticated Users&#xF000;Administrators</Data>
```
- Empty input indicates that there are no users configured to have that user right
```
<Data></Data>
```
<hr/>
<!--Policies-->

17
windows/configuration/kiosk-single-app.md
View File

@ -50,6 +50,14 @@ Method | Description
You can use **Settings** to quickly configure one or a few devices as a kiosk.
When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts.
- If you want the kiosk account signed in automatically and the kiosk app launched when the device restarts, there is nothing you need to do.
- If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device.
![Screenshot of automatic sign-in setting](images/auto-signin.png)
### Instructions for Windows 10, version 1809
When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10, version 1809, you create the kiosk user account at the same time.
@ -73,6 +81,9 @@ When you set up a kiosk (also known as *assigned access*) in **Settings** for Wi
5. Select **Close**.
To remove assigned access, select the account tile on the **Set up a kiosk** page, and then select **Remove kiosk**.
### Instructions for Windows 10, version 1803 and earlier
When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10, version 1803 and earlier, you must select an existing local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10)
@ -93,13 +104,7 @@ When you set up a kiosk (also known as *assigned access*) in **Settings** for Wi
To remove assigned access, choose **Turn off assigned access and sign out of the selected account**.
When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts.
- If you want the kiosk account signed in automatically and the kiosk app launched when the device restarts, there is nothing you need to do.
- If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device.
![Screenshot of automatic sign-in setting](images/auto-signin.png)

26
windows/configuration/kiosk-xml.md
View File

@ -30,7 +30,7 @@ ms.topic: article
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
xmlns:Windows10October2018Update="http://schemas.microsoft.com/AssignedAccess/201810/config"
>
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
@ -47,9 +47,9 @@ ms.topic: article
<App DesktopAppPath="%SystemDrive%\LOB\MyLOB.exe" />
</AllowedApps>
</AllAppsList>
<rs5:FileExplorerNamespaceRestrictions>
<rs5:AllowedNamespace Name="Downloads"/>
</rs5:FileExplorerNamespaceRestrictions>
<Windows10October2018Update:FileExplorerNamespaceRestrictions>
<Windows10October2018Update:AllowedNamespace Name="Downloads"/>
</Windows10October2018Update:FileExplorerNamespaceRestrictions>
<StartLayout>
<![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="6" />
@ -86,7 +86,7 @@ ms.topic: article
<App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!F12" />
<App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
<App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!PdfReader" />
<App DesktopAppPath="%SystemRoot%\system32\notepad.exe" rs5:AutoLaunch="true" rs5:AutoLaunchArguments="123.txt"/>
<App DesktopAppPath="%SystemRoot%\system32\notepad.exe" Windows10October2018Update:AutoLaunch="true" Windows10October2018Update:AutoLaunchArguments="123.txt"/>
</AllowedApps>
</AllAppsList>
<StartLayout>
@ -123,7 +123,7 @@ ms.topic: article
<DefaultProfile Id="{5B328104-BD89-4863-AB27-4ED6EE355485}"/>
</Config>
<Config>
<AutoLogonAccount rs5:DisplayName="Hello World"/>
<AutoLogonAccount Windows10October2018Update:DisplayName="Hello World"/>
<DefaultProfile Id="{5B328104-BD89-4863-AB27-4ED6EE355485}"/>
</Config>
<Config>
@ -147,7 +147,7 @@ ms.topic: article
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
xmlns:Windows10October2018Update="http://schemas.microsoft.com/AssignedAccess/201810/config"
>
<Profiles>
<Profile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}">
@ -176,7 +176,7 @@ ms.topic: article
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
xmlns:Windows10October2018Update="http://schemas.microsoft.com/AssignedAccess/201810/config"
targetNamespace="http://schemas.microsoft.com/AssignedAccess/2017/config"
>
@ -196,7 +196,7 @@ ms.topic: article
<xs:choice>
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="AllAppsList" type="allappslist_t" minOccurs="1" maxOccurs="1"/>
<xs:element ref="rs5:FileExplorerNamespaceRestrictions" minOccurs="0" maxOccurs="1"/>
<xs:element ref="Windows10October2018Update:FileExplorerNamespaceRestrictions" minOccurs="0" maxOccurs="1"/>
<xs:element name="StartLayout" type="xs:string" minOccurs="1" maxOccurs="1"/>
<xs:element name="Taskbar" type="taskbar_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
@ -215,7 +215,7 @@ ms.topic: article
</xs:unique>
<xs:unique name="OnlyOneAppCanHaveAutoLaunch">
<xs:selector xpath="default:App"/>
<xs:field xpath="@rs5:AutoLaunch"/>
<xs:field xpath="@Windows10October2018Update:AutoLaunch"/>
</xs:unique>
</xs:element>
</xs:sequence>
@ -239,8 +239,8 @@ ms.topic: article
</xs:complexType>
<xs:attributeGroup name="autoLaunch_attributeGroup">
<xs:attribute ref="rs5:AutoLaunch"/>
<xs:attribute ref="rs5:AutoLaunchArguments" use="optional"/>
<xs:attribute ref="Windows10October2018Update:AutoLaunch"/>
<xs:attribute ref="Windows10October2018Update:AutoLaunchArguments" use="optional"/>
</xs:attributeGroup>
<xs:complexType name="taskbar_t">
@ -277,7 +277,7 @@ ms.topic: article
<xs:complexType name="autologon_account_t">
<xs:attribute name="HiddenId" type="guid_t" fixed="{74331115-F68A-4DF9-8D2C-52BA2CE2ADB1}"/>
<xs:attribute ref="rs5:DisplayName" use="optional" />
<xs:attribute ref="Windows10October2018Update:DisplayName" use="optional" />
</xs:complexType>
<xs:complexType name="group_t">

16
windows/configuration/lock-down-windows-10-to-specific-apps.md
View File

@ -110,7 +110,7 @@ You can start your file by pasting the following XML (or any other examples in t
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
xmlns:Windows10October2018Update="http://schemas.microsoft.com/AssignedAccess/201810/config"
>
<Profiles>
<Profile Id="">
@ -175,7 +175,7 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can
- For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867), or [get the AUMID from the Start Layout XML](#startlayout).
- For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%).
- To configure the app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample).
- To configure the app to launch automatically when the user signs in, include `Windows10October2018Update:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample).
When the mult-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**:
@ -205,7 +205,7 @@ The following example allows Groove Music, Movies & TV, Photos, Weather, Calcula
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App DesktopAppPath="%windir%\system32\mspaint.exe" />
<App DesktopAppPath="C:\Windows\System32\notepad.exe" rs5:AutoLaunch="true" rs5:AutoLaunchArguments="123.txt"/>
<App DesktopAppPath="C:\Windows\System32\notepad.exe" Windows10October2018Update:AutoLaunch="true" Windows10October2018Update:AutoLaunchArguments="123.txt"/>
</AllowedApps>
</AllAppsList>
```
@ -220,7 +220,7 @@ The following example shows how to allow user access to the Downloads folder in
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
xmlns:Windows10October2018Update="http://schemas.microsoft.com/AssignedAccess/201810/config"
> <Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
@ -228,9 +228,9 @@ The following example shows how to allow user access to the Downloads folder in
...
</AllowedApps>
</AllAppsList>
<rs5:FileExplorerNamespaceRestrictions>
<rs5:AllowedNamespace Name="Downloads"/>
</rs5:FileExplorerNamespaceRestrictions>
<Windows10October2018Update:FileExplorerNamespaceRestrictions>
<Windows10October2018Update:AllowedNamespace Name="Downloads"/>
</Windows10October2018Update:FileExplorerNamespaceRestrictions>
<StartLayout>
...
</StartLayout>
@ -354,7 +354,7 @@ In Windows 10, version 1809, you can configure the display name that will be sho
```xml
<Configs>
<Config>
<AutoLogonAccount rs5:DisplayName="Hello World"/>
<AutoLogonAccount Windows10October2018Update:DisplayName="Hello World"/>
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>

2
windows/configuration/set-up-shared-or-guest-pc.md
View File

@ -109,7 +109,7 @@ $sharedPC.KioskModeAUMID = ""
$sharedPC.KioskModeUserTileDisplayText = ""
$sharedPC.InactiveThreshold = 0
Set-CimInstance -CimInstance $sharedPC
Get-CimInstance -Namespace $namespaceName -ClassName $MDM_SharedPCClass
Get-CimInstance -Namespace $namespaceName -ClassName MDM_SharedPC
```
### Create a provisioning package for shared use

2
windows/configuration/start-layout-xml-desktop.md
View File

@ -55,7 +55,7 @@ The following table lists the supported elements and attributes for the LayoutMo
| [RequiredStartGroups](#requiredstartgroups)</br></br>Parent:</br>RequiredStartGroupsCollection | Region | Use to contain the AppendGroup tags, which represent groups that can be appended to the default Start layout |
| [AppendGroup](#appendgroup)</br></br>Parent:</br>RequiredStartGroups | Name | Use to specify the tiles that need to be appended to the default Start layout |
| [start:Tile](#specify-start-tiles)</br></br>Parent:</br>AppendGroup | AppUserModelID</br>Size</br>Row</br>Column | Use to specify any of the following:</br>- A Universal Windows app</br>- A Windows 8 or Windows 8.1 app</br></br>Note that AppUserModelID is case-sensitive. |
[start:Folder](#start-folder)<br><br>Parent:<br>start:Group | Name (in Windows 10, version 1809 and later only)<br>Size<br>Row<br>Column<br>LocalizedNameResourcetag | Use to specify a folder of icons; can include [Tile](#start-tile), [SecondaryTile](#start-secondarytile), and [DesktopApplicationTile](#start-desktopapplicationtile).
start:Folder<br><br>Parent:<br>start:Group | Name (in Windows 10, version 1809 and later only)<br>Size<br>Row<br>Column<br>LocalizedNameResourcetag | Use to specify a folder of icons; can include [Tile](#start-tile), [SecondaryTile](#start-secondarytile), and [DesktopApplicationTile](#start-desktopapplicationtile).
| start:DesktopApplicationTile</br></br>Parent:</br>AppendGroup | DesktopApplicationID</br>DesktopApplicationLinkPath</br>Size</br>Row</br>Column | Use to specify any of the following:</br>- A Windows desktop application with a known AppUserModelID</br>- An application in a known folder with a link in a legacy Start Menu folder</br>- A Windows desktop application link in a legacy Start Menu folder</br>- A Web link tile with an associated .url file that is in a legacy Start Menu folder |
| start:SecondaryTile</br></br>Parent:</br>AppendGroup | AppUserModelID</br>TileID</br>Arguments</br>DisplayName</br>Square150x150LogoUri</br>ShowNameOnSquare150x150Logo</br>ShowNameOnWide310x150Logo</br>Wide310x150LogoUri</br>BackgroundColor</br>ForegroundText</br>IsSuggestedApp</br>Size</br>Row</br>Column | Use to pin a Web link through a Microsoft Edge secondary tile. Note that AppUserModelID is case-sensitive. |
| TopMFUApps</br></br>Parent:</br>LayoutModificationTemplate | n/a | Use to add up to 3 default apps to the frequently used apps section in the system area.</br></br>**Note**: Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. |

1
windows/deployment/TOC.md
View File

@ -238,6 +238,7 @@
### [Change history for Update Windows 10](update/change-history-for-update-windows-10.md)
## [Windows Analytics](update/windows-analytics-overview.md)
### [Windows Analytics in the Azure Portal](update/windows-analytics-azure-portal.md)
### [Windows Analytics and privacy](update/windows-analytics-privacy.md)
### [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)
#### [Upgrade Readiness architecture](upgrade/upgrade-readiness-architecture.md)

4
windows/deployment/planning/act-technical-reference.md
View File

@ -39,7 +39,7 @@ Use Upgrade Analytics to get:
The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. For more information about Upgrade Analytics, see [Manage Windows upgrades with Upgrade Analytics](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics)
At the same time, we've kept the Standard User Analyzer tool, which helps you test your apps and to monitor API calls for potential compatibility issues, and the Compatiblility Administrator, which helps you to resolve potential compatibility issues.
At the same time, we've kept the Standard User Analyzer tool, which helps you test your apps and to monitor API calls for potential compatibility issues, and the Compatibility Administrator, which helps you to resolve potential compatibility issues.
## In this section
@ -47,4 +47,4 @@ At the same time, we've kept the Standard User Analyzer tool, which helps you te
|------|------------|
|[Standard User Analyzer (SUA) User's Guide](sua-users-guide.md) |The Standard User Analyzer (SUA) helps you test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows. |
|[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) |The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. |
|[Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) |You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. |
|[Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) |You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. |

5
windows/deployment/update/device-health-get-started.md
View File

@ -5,7 +5,7 @@ keywords: Device Health, oms, operations management suite, prerequisites, requir
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.date: 06/12/2018
ms.date: 08/21/2018
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
@ -14,6 +14,9 @@ ms.localizationpriority: medium
# Get started with Device Health
>[!IMPORTANT]
>**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences. See [Windows Analytics in the Azure Portal](windows-analytics-azure-portal.md) for steps to use Windows Analytics in the Azure portal. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition).
This topic explains the steps necessary to configure your environment for Windows Analytics: Device Health.
Steps are provided in sections that follow the recommended setup process:

1
windows/deployment/update/device-health-monitor.md
View File

@ -45,7 +45,6 @@ Use of Windows Analytics Device Health requires one of the following licenses:
- Windows 10 Enterprise E3 or E5 per-device or per-user subscription (including Microsoft 365 F1, E3, or E5)
- Windows 10 Education A3 or A5 (including Microsoft 365 Education A3 or A5)
- Windows VDA E3 or E5 per-device or per-user subscription
- Windows Server 2016 and on
You don't have to install Windows 10 Enterprise on a per-device basis--you just need enough of the above licenses for the number of devices using Device Health.

BIN
windows/deployment/update/images/azure-portal-LA-wkspcsumm.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 76 KiB

BIN
windows/deployment/update/images/azure-portal-LA-wkspcsumm_sterile.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 103 KiB

BIN
windows/deployment/update/images/azure-portal-LAfav.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 34 KiB

BIN
windows/deployment/update/images/azure-portal-LAfav1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 31 KiB

BIN
windows/deployment/update/images/azure-portal-LAmain-sterile.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 162 KiB

BIN
windows/deployment/update/images/azure-portal-LAmain-wkspc-subname-sterile.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 162 KiB

BIN
windows/deployment/update/images/azure-portal-LAmain.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 104 KiB

BIN
windows/deployment/update/images/azure-portal-LAsearch.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 13 KiB

BIN
windows/deployment/update/images/azure-portal-UR-settings.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 59 KiB

BIN
windows/deployment/update/images/azure-portal-create-resource-boxes.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 24 KiB

BIN
windows/deployment/update/images/azure-portal-create-resource.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 26 KiB

BIN
windows/deployment/update/images/azure-portal1.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 27 KiB

BIN
windows/deployment/update/images/azure-portal1_allserv.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 25 KiB

BIN
windows/deployment/update/images/temp-azure-portal-soltn-setting.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 101 KiB

6
windows/deployment/update/servicing-stack-updates.md
View File

@ -34,6 +34,6 @@ Typically, the improvements are reliability, security, and performance improveme
## Installation notes
Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system.
Installing servicing stack update does not require restarting the device, so installation should not be disruptive.
Servicing stack update releases are specific to the operating system version (build number), much like quality updates.
* Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system.
* Installing servicing stack update does not require restarting the device, so installation should not be disruptive.
* Servicing stack update releases are specific to the operating system version (build number), much like quality updates.

5
windows/deployment/update/update-compliance-get-started.md
View File

@ -8,12 +8,15 @@ ms.sitesec: library
ms.pagetype: deploy
author: Jaimeo
ms.author: jaimeo
ms.date: 03/15/2018
ms.date: 08/21/2018
ms.localizationpriority: medium
---
# Get started with Update Compliance
>[!IMPORTANT]
>**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences. See [Windows Analytics in the Azure Portal](windows-analytics-azure-portal.md) for steps to use Windows Analytics in the Azure portal. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition).
This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance.
Steps are provided in sections that follow the recommended setup process:

2
windows/deployment/update/waas-optimize-windows-10-updates.md
View File

@ -27,7 +27,7 @@ Two methods of peer-to-peer content distribution are available in Windows 10.
Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates.
- [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of the Windows Server 2016 Technical Preview and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7.
- [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of Windows Server 2016 and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7.
>[!NOTE]
>Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations.

5
windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
View File

@ -8,12 +8,15 @@ ms.sitesec: library
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
ms.date: 07/20/2018
ms.date: 08/21/2018
ms.localizationpriority: medium
---
# Frequently asked questions and troubleshooting Windows Analytics
>[!IMPORTANT]
>**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences. See [Windows Analytics in the Azure Portal](windows-analytics-azure-portal.md) for steps to use Windows Analytics in the Azure portal. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition).
This topic compiles the most common issues encountered with configuring and using Windows Analytics, as well as general questions. This FAQ, along with the [Windows Analytics Technical Community](https://techcommunity.microsoft.com/t5/Windows-Analytics/ct-p/WindowsAnalytics), are recommended resources to consult before contacting Microsoft support.
## Troubleshooting common problems

63
windows/deployment/update/windows-analytics-azure-portal.md Normal file
View File

@ -0,0 +1,63 @@
---
title: Windows Analytics in the Azure Portal
description: Use the Azure Portal to add and configure Windows Analytics solutions
keywords: Device Health, oms, Azure, portal, operations management suite, add, manage, configure, Upgrade Readiness, Update Compliance
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.date: 08/21/2018
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
ms.localizationpriority: medium
---
# Windows Analytics in the Azure portal
Windows Analytics uses Azure Log Analytics (formerly known as Operations Management Suite or OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments.
**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences, which this topic will explain. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition).
## Navigation and permissions in the Azure portal
Go to the [Azure portal](https://portal.azure.com), select **All services**, and search for *Log Analytics*. Once it appears, you can select the star to add it to your favorites for easy access in the future.
[![Azure portal all services page with Log Analytics found and selected as favorite](images/azure-portal-LAfav1.png)](images/azure-portal-LAfav1.png)
### Permissions
>[!IMPORTANT]
>Unlike the OMS portal, the Azure portal requires access to both an Azure Log Analytics subscription and a linked Azure subscription.
To check the Log Analytics workspaces you can access, select **Log Analytics**. You should see a grid control listing all workspaces, along with the Azure subscription each is linked to:
[![Log Analytics workspace page showing accessible workspaces and linked Azure subscriptions](images/azure-portal-LAmain-wkspc-subname-sterile.png)](images/azure-portal-LAmain-wkspc-subname-sterile.png)
If you do not see your workspace in this view, you do not have access to the underlying Azure subscription. To view and assign permissions for a workspace, select its name and then, in the flyout that opens, select **Access control (IAM)**. You can view and assign permissions for a subscription similarly by selecting the subscription name and selecting **Access control (IAM)**.
Both the workspace and Azure subscription require at least "read" permissions. To make changes (for example, to set app importantance in Upgrade Readiness), both the subscription and workspace require "contributor" permissions. You can view your current role and make changes in other roles by using the **Access control (IAM)** tab in Azure.
When permissions are configured, you can select the workspace and then select **Workspace summary** to see information similar to what was shown in the OMS overview page.
[![Log Analytics workspace page showing workspace summary](images/azure-portal-LA-wkspcsumm_sterile.png)](images/azure-portal-LA-wkspcsumm_sterile.png)
## Adding Windows Analytics solutions
In the Azure portal, the simplest way to add Windows Analytics solutions (Upgrade Readiness, Update Compliance, and Device Health) is to select **+ Create a resource** and then type the solution name in the search box. In this example, the search is for "Device Health":
[![Add WA solutions with "create a resource"](images/azure-portal-create-resource-boxes.png)](images/azure-portal-create-resource-boxes.png)
Select the solution from the list that is returned by the search, and then select **Create** to add the solution.
## Navigating to Windows Analytics solutions settings
To adjust settings for a Windows Analytics solution, first navigate to the **Solutions** tab for your workspace, and then select the solution to configure. In this example, Upgrade Readiness is being adjusted by selecting **CompatibilityAssessment**:
[![Select WA solution to adjust settings](images/temp-azure-portal-soltn-setting.png)](images/temp-azure-portal-soltn-setting.png)
From there, select the settings page to adjust specific settings:
[![Settings page for Upgrade Readiness in Azure portsl](images/azure-portal-UR-settings.png)](images/azure-portal-UR-settings.png)
>[!NOTE]
>To adjust these settings, both the subscription and workspace require "contributor" permissions. You can view your current role and make changes in other roles by using the **Access control (IAM)** tab in Azure.

5
windows/deployment/upgrade/upgrade-readiness-get-started.md
View File

@ -8,12 +8,15 @@ ms.sitesec: library
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
ms.date: 06/12/2018
ms.date: 08/21/2018
ms.localizationpriority: medium
---
# Get started with Upgrade Readiness
>[!IMPORTANT]
>**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences. See [Windows Analytics in the Azure Portal](../update/windows-analytics-azure-portal.md) for steps to use Windows Analytics in the Azure portal. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition).
This topic explains how to obtain and configure Upgrade Readiness for your organization.
You can use Upgrade Readiness to plan and manage your upgrade project end-to-end. Upgrade Readiness works by establishing communications between computers in your organization and Microsoft. Upgrade Readiness collects computer, application, and driver data for analysis. This data is used to identify compatibility issues that can block your upgrade and to suggest fixes that are known to Microsoft.

1
windows/deployment/windows-autopilot/TOC.md
View File

@ -17,7 +17,6 @@
### [Administering Autopilot via Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles)
### [Administering Autopilot via Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot)
### [Administering Autopilot via Microsoft 365 Business & Office 365 Admin portal](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa)
### [Administering Autopilot via Partner Center](https://msdn.microsoft.com/partner-center/autopilot)
## Getting started
### [Demonstrate Autopilot deployment on a VM](demonstrate-deployment-on-vm.md)
## [Troubleshooting](troubleshooting.md)

5
windows/deployment/windows-autopilot/windows-10-autopilot.md
View File

@ -1,7 +1,7 @@
---
title: Overview of Windows Autopilot
description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: deploy
author: coreyp-at-msft
ms.author: coreyp
ms.date: 05/09/2018
ms.date: 08/22/2018
---
# Overview of Windows Autopilot
@ -89,7 +89,6 @@ For guidance on how to register devices, configure and apply deployment profiles
* [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles)
* [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot)
* [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa)
* [Partner Center](https://msdn.microsoft.com/partner-center/autopilot)
##### Configure company branding for OOBE

2
windows/privacy/TOC.md
View File

@ -5,7 +5,7 @@
## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
## [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md)
## Basic level Windows diagnostic data events and fields
### [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)
### [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
### [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
### [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
## Enhanced level Windows diagnostic data events and fields

2
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
View File

@ -23,6 +23,8 @@ The Basic level gathers a limited set of information that is critical for unders
Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. You can learn more about Windows functional and diagnostic data through these articles:
- [Windows 10, version 1803 basic diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1803)
- [Windows 10, version 1709 basic diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1709)
- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)

1
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
View File

@ -30,6 +30,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
- [Windows 10, version 1803 basic diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1803)
- [Windows 10, version 1703 basic diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703)
- [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services)
- [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization)

0
windows/privacy/basic-level-windows-diagnostic-events-and-fields.md → windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
View File

6
windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
View File

@ -109,7 +109,6 @@ The following fields are available:
- **isSystemManagedAccount:** Indicates if the user's account is System Managed
- **isUnlockScenario:** Flag indicating whether the event is a Logon or an Unlock
- **PartA_UserSid:** The security identifier of the user
- **userType:** Indicates the user type: 0 = unknown; 1 = local; 2 = Active Directory domain user; 3 = Microsoft Account; 4 = Azure Active Directory user
## Microsoft.Windows.LogonController.SignInFailure
@ -251,3 +250,8 @@ The following fields are available:
- **WindowFlags:** Flags denoting runtime properties of an app window
- **WindowHeight:** Number of vertical pixels in the application window
- **WindowWidth:** Number of horizontal pixels in the application window
# Revisions to the diagnostic data events and fields
## PartA_UserSid removed
A previous revision of this list stated that a field named PartA_UserSid was a member of the event Microsoft.Windows.LogonController.LogonAndUnlockSubmit. This was incorrect. The list has been updated to reflect that no such field is present in the event. Note that you can use the Windows Diagnostic Data Viewer to review the contents of the event.

2
windows/security/identity-protection/vpn/vpn-profile-options.md
View File

@ -304,7 +304,7 @@ After you configure the settings that you want using ProfileXML, you can apply i
5. Choose **Windows 10 and later** as the platform.
6. Choose **Custom** as the profile type and click **Add**.
8. Enter a name and (optionally) a description.
9. Enter the OMA-URI **./user/vendor/MSFT/_VPN profile name_/ProfileXML**.
9. Enter the OMA-URI **./user/vendor/MSFT/VPNv2/_VPN profile name_/ProfileXML**.
10. Set Data type to **String (XML file)**.
11. Upload the profile XML file.
12. Click **OK**.

15
windows/security/information-protection/tpm/trusted-platform-module-overview.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: brianlic-msft
ms.date: 06/18/2018
ms.date: 08/21/2018
---
# Trusted Platform Module Technology Overview
@ -68,14 +68,15 @@ Some things that you can check on the device are:
- Is SecureBoot supported and enabled?
> [!NOTE]
> The device must be running Windows 10 and it must support at least TPM 2.0 in order to utilize Device Health Attestation.
> Windows 10 and Windows Server 2016 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1).
## Supported versions
## Supported versions for device health attestation
| TPM version | Windows 10 | Windows Server 2016 |
|-------------|-------------|---------------------|
| TPM 1.2 | >= ver 1607 | >= ver 1607 |
| TPM 2.0 | X | X |
| TPM version | Windows 10 | Windows Server 2016 |
|-------------|------------|---------------------|
| TPM 1.2 | X | X |
| TPM 2.0 | X | X |
## Related topics

8
windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
View File

@ -1,15 +1,15 @@
---
title: Windows Defender Application Control Configurable Code Integrity and Virtualization-based security (Windows 10)
description: Microsoft Windows 10 has a feature set that consists of both hardware and software system integrity hardening capabilites that revolutionize the Windows operating systems security.
title: Device Guard is the combination of Windows Defender Application Control and Virtualization-based security (Windows 10)
description: Device Guard consists of both hardware and software system integrity hardening capabilites that can be deployed separately or in combination.
keywords: virtualization, security, malware
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
author: mdsakibMSFT
ms.date: 04/19/2018
ms.date: 08/23/2018
---
# Windows Defender Application Control Configurable Code Integrity and Virtualization-based security (aka Windows Defender Device Guard)
# Device Guard: Windows Defender Application Control Configurable Code Integrity and Virtualization-based security
**Applies to**
- Windows 10

2
windows/security/threat-protection/intelligence/TOC.md
View File

@ -34,6 +34,8 @@
## [Safety Scanner download](safety-scanner-download.md)
## [Industry antivirus tests](top-scoring-industry-antivirus-tests.md)
## [Industry collaboration programs](cybersecurity-industry-partners.md)
### [Virus information alliance](virus-information-alliance-criteria.md)

89
windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md Normal file
View File

@ -0,0 +1,89 @@
---
title: Top scoring in industry antivirus tests
description: Industry antivirus tests landing page
keywords: security, malware, av-comparatives, av-test, av, antivirus
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
ms.date: 08/17/2018
---
# Top scoring in industry antivirus tests
[Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10?ocid=cx-docs-avreports) **consistently achieves high scores** from independent tests, displaying how it is a top choice in the antivirus market.
We want to be transparent and have gathered top industry reports that demonstrate our enterprise antivirus capabilities. Note that these tests only provide results for antivirus and do not test for additional security protections.
In the real world, millions of devices are protected from cyberattacks every day, sometimes [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign?ocid=cx-docs-avreports). In many cases, customers might not even know they were protected. That's because Windows Defender Advanced Threat Protection ([Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)) [next generation protection](https://www.youtube.com/watch?v=Xy3MOxkX_o4) detects and stops malware at first sight by using predictive technologies, [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering?ocid=cx-docs-avreports), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak?ocid=cx-docs-avreports), behavioral analysis, and other advanced technologies.
> [!TIP]
> Learn why [Windows Defender Antivirus is the most deployed in the enterprise](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise?ocid=cx-docs-avreports).
<br></br><br></br>
![AV-TEST logo](./images/av-test-logo.png)
## AV-TEST: Perfect protection score of 6.0/6.0 in the latest test
**[Analysis of the latest AV-TEST results](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I?ocid=cx-docs-avreports)**
The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The scores listed below are for the protection category which has two scores: real world testing and the AV-TEST reference set (known as "prevalent malware").
**Real-World testing** as defined by AV-TEST attempts to test protection against zero-day malware attacks, inclusive of web and email threats.
**Prevalent malware** as defined by AV-TEST attempts to test detection of widespread and prevalent malware discovered in the last four weeks.
The below scores are the results of AV-TEST's evaluations on **Windows Defender Antivirus**.
|Month (2018)|Real-World test score| Prevalent malware test score | AV-TEST report| Microsoft analysis|
|---|---|---|---|---|
|January| 100.00%| 99.92%| [Report (Jan-Feb)](https://www.av-test.org/en/antivirus/home-windows/windows-7/february-2018/kaspersky-lab-internet-security-18.0-180557/)| [Analysis (Jan-Feb)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE27O5A?ocid=cx-docs-avreports)|
|February| 100.00% | 100.00%|[Report (Jan-Feb)](https://www.av-test.org/en/antivirus/home-windows/windows-7/february-2018/kaspersky-lab-internet-security-18.0-180557/)| [Analysis (Jan-Feb)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE27O5A?ocid=cx-docs-avreports)|
March |98.00%| 100.00%|[Report (Mar-Apr)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2018/microsoft-windows-defender-antivirus-4.12-181574/)|[Analysis (Mar-Apr)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports)|
April|100.00%| 100.00%|[Report (Mar-Apr)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2018/microsoft-windows-defender-antivirus-4.12-181574/)|[Analysis (Mar-Apr)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports)|
May|100.00%| 100.00%| [Report (May-Jun)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2018/microsoft-windows-defender-antivirus-4.12-182374/) |[Analysis (May-Jun)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I?ocid=cx-docs-avreports) <sup>**Latest**</sup>|
June|100.00%| 100.00%| [Report (May-Jun)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2018/microsoft-windows-defender-antivirus-4.12-182374/)|[Analysis (May-Jun)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I?ocid=cx-docs-avreports) <sup>**Latest**</sup>|
|||
|---|---|
|![Graph describing Real-World detection rate](./images/RealWorld-67-percent.png)|![Graph describing Prevalent Malware](./images/PrevalentMalware-67-percent.png)|
<br></br>
![AV-Comparatives Logo](./images/av-comparatives-logo-3.png)
## AV-Comparatives: Perfect protection rating of 100% in the latest test
AV-Comparatives is an independent organization offering systematic testing for security software such as PC/Mac-based antivirus products and mobile security solutions.
The **Real-World Protection Test (Enterprise)** as defined by AV-Comparatives attempts to evaluate the “real-world” protection capabilities with default settings. The goal is to find out whether the security software protects the computer by either hindering the malware from changing any systems or remediating all changes if any were made.
The **Malware Protection Test Enterprise** as defined by AV-Comparatives attempts to assesses a security programs ability to protect a system against infection by malicious files before, during or after execution. It is only tested every six months.
The below scores are the results of AV-Comparatives tests on **Windows Defender Antivirus**. The scores represent the percentage of blocked malware.
|Month (2018)| Real-World test score| Malware test score (every 6 months)|
|---|---|---|
|February| 100.00%| N/A|
|March| 94.40%| 99.90%|
|April| 96.40%| N/A|
|May| 100.00%| N/A|
|June| 99.50%| N/A|
|July| 100.00%| N/A|
* [Real-World Protection Test (Enterprise) February - June 2018](https://www.av-comparatives.org/tests/real-world-protection-test-february-june-2018/)
* [Malware Protection Test Enterprise March 2018](https://www.av-comparatives.org/tests/malware-protection-test-enterprise-march-2018-testresult/)
* [Real-World Protection Test (Enterprise) July 2018](https://www.av-comparatives.org/tests/real-world-protection-test-july-2018-factsheet/) <sup>**Latest**</sup>
## To what extent are tests representative of protection in the real world?
It is important to remember that Microsoft sees a wider and broader set of threats beyond just whats tested in the AV evaluations highlighted above. The capabilities within [Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports) also provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses?ocid=cx-docs-avreports) that are not factored into AV tests. Using these tests, customer can view one aspect of their security suite but can't assess the complete protection of all the security features.
There are other technologies in nearly every endpoint security suite not represented in AV tests that address some of the latest and most sophisticated threats. For example, the capabilities such as attack surface reduction and endpoint detection & response help prevent malware from getting onto devices in the first place.
Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate Windows Defender Advanced Threat Protection in their own networks by signing up for a [90-day trial of Windows Defender ATP](https://www.microsoft.com/windowsforbusiness/windows-atp?ocid=cx-docs-avreports), or [enabling Preview features on existing tenants](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection?ocid=cx-docs-avreports).
![ATP](./images/wdatp-pillars2.png)

4
windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
View File

@ -29,6 +29,7 @@ ms.date: 04/30/2018
- System Center Configuration Manager
- PowerShell cmdlets
- Windows Management Instruction (WMI)
- Mobile Device Management (MDM)
<a id="protection-updates"></a>
<!-- this has been used as anchor in VDI content -->
@ -147,6 +148,9 @@ SignatureDefinitionUpdateFileSharesSouce
See the following for more information:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
**Use Mobile Device Management (MDM) to manage the update location:**
See [Policy CSP - Defender/SignatureUpdateFallbackOrder](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-signatureupdatefallbackorder) for details on configuring MDM.

1
windows/security/threat-protection/windows-defender-application-control/TOC.md
View File

@ -21,6 +21,7 @@
### [Deploy WDAC with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md)
### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md)
### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md)
### [Use WDAC with .NET hardening](use-windows-defender-application-control-with-dynamic-code-security.md)
### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md)
#### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md)
#### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md)

32
windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md Normal file
View File

@ -0,0 +1,32 @@
---
title: Windows Defender Application Control and .NET Hardening (Windows 10)
description: Dynamic Code Security is an application control feature that can verify code loaded by .NET at runtime.
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: morganbr
ms.date: 08/20/2018
---
# Windows Defender Application Control and .NET hardening
Historically, Windows Defender Application Control (WDAC) has restricted the set of applications, libraries, and scripts that are allowed to run to those approved by an organization.
Security researchers have found that some .NET applications may be used to circumvent those controls by using .NETs capabilities to load libraries from external sources or generate new code on the fly.
Beginning with Windows 10, version 1803, WDAC features a new capability, called *Dynamic Code Security* to verify code loaded by .NET at runtime.
When the Dynamic Code Security option is enabled, WDAC policy is applied to libraries that .NET loads from external sources.
Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that has been tampered with.
Dynamic Code Security is not enabled by default because existing policies may not account for externally loaded libraries.
Additionally, a small number of .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, are not currently supported with Dynamic Code Security enabled.
Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy.
To enable Dynamic Code Security, add the following option to the <Rules> section of your policy:
```xml
<Rule>
<Option>Enabled:Dynamic Code Security</Option>
</Rule>
```