refreshing build (3/11/16)
@ -1,4 +1,4 @@
|
||||
# [Manage and update Windows 10](index.md)
|
||||
# [Manage and update Windows 10]
|
||||
## [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)
|
||||
## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)
|
||||
## [Cortana integration in your business or enterprise](manage-cortana-in-your-enterprise.md)
|
||||
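Review bot: The top-level entry at the start of this hunk loses its destination: `# [Manage and update Windows 10](index.md)` becomes `# [Manage and update Windows 10]`, while every other entry in the hunk keeps a `(file.md)` target. If the node is meant to be unlinked, drop the square brackets as well; otherwise keep `(index.md)`.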
@ -17,7 +17,8 @@
|
||||
#### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
|
||||
#### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
|
||||
### [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md)
|
||||
### [Configure telemetry and other settings in your organization](manage-privacy-for-windows-10-in-your-company.md)
|
||||
### [Configure telemetry in your organization](configure-telemetry-in-your-organization.md)
|
||||
### [Disconnect from Microsoft and configure privacy settings in your organization](manage-privacy-for-windows-10-in-your-company.md)
|
||||
### [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md)
|
||||
### [Manage Wi-Fi Sense in your company](manage-wi-fi-sense-in-your-company.md)
|
||||
### [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)
|
||||
|
@ -21,16 +21,16 @@ When you want to add an unsigned app to a code integrity policy, you need to sta
|
||||
## In this section
|
||||
|
||||
|
||||
- [Create a code integrity policy based on a reference device](#create_ci_policy)
|
||||
- [Create catalog files for your unsigned app](#create_catalog_files)
|
||||
- [Catalog signing with Device Guard signing portal](#catalog_signing_device_guard_portal)
|
||||
- [Create a code integrity policy based on a reference device](#create-ci-policy)
|
||||
- [Create catalog files for your unsigned app](#create-catalog-files)
|
||||
- [Catalog signing with Device Guard signing portal](#catalog-signing-device-guard-portal)
|
||||
|
||||
## Create a code integrity policy based on a reference device
|
||||
## <a href="" id="create-ci-policy"></a>Create a code integrity policy based on a reference device
|
||||
|
||||
|
||||
To add an unsigned app to a code integrity policy, your code integrity policy must be created from golden image machine. For more information, see [Create a Device Guard code integrity policy based on a reference device](https://technet.microsoft.com/library/mt243445.aspx).
|
||||
|
||||
## Create catalog files for your unsigned app
|
||||
## <a href="" id="create-catalog-files"></a>Create catalog files for your unsigned app
|
||||
|
||||
|
||||
Creating catalog files starts the process for adding an unsigned app to a code integrity policy.
|
||||
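Review bot: The two heading anchors added in this hunk are written as `<a href="" id="create-ci-policy"></a>` and `<a href="" id="create-catalog-files"></a>`, and the empty `href` makes each one a link to the current page instead of a plain target. The `id` alone is enough for the `#create-ci-policy` and `#create-catalog-files` links in the "In this section" list, so drop `href=""`. While this paragraph is being touched, the context sentence "must be created from golden image machine" is missing an article ("a golden image machine").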
@ -47,7 +47,7 @@ Before you get started, be sure to review these best practices and requirements:
|
||||
|
||||
- **Naming convention** -- Using a naming convention makes it easier to find deployed catalog files. We'll use \*-Contoso.cat as the naming convention in this topic. For more information, see the section Inventorying catalog files by using Configuration Manager in the [Device Guard deployment guide](https://technet.microsoft.com/library/mt463091.aspx).
|
||||
|
||||
- **Where to deploy code integrity policy** -- The [code integrity policy that you created](#create_ci_policy) should be deployed to the system on which you are running Package Inspector. This will ensure that the code integrity policy binaries are trusted.
|
||||
- **Where to deploy code integrity policy** -- The [code integrity policy that you created](#create-ci-policy) should be deployed to the system on which you are running Package Inspector. This will ensure that the code integrity policy binaries are trusted.
|
||||
|
||||
Copy the commands for each step into an elevated Windows PowerShell session. You'll use Package Inspector to find and trust all binaries in the app.
|
||||
|
||||
@ -81,7 +81,7 @@ The Package Inspector scan catalogs the hash values for each binary file that is
|
||||
|
||||
After you're done, the files are saved to your desktop. You still need to sign the catalog file so that it will be trusted within the code integrity policy.
|
||||
|
||||
## Catalog signing with Device Guard signing portal
|
||||
## <a href="" id="catalog-signing-device-guard-portal"></a>Catalog signing with Device Guard signing portal
|
||||
|
||||
|
||||
To sign catalog files with the Device Guard signing portal, you need to be signed up with the Windows Store for Business. For more information, see [Sign up for the Windows Store for Business](sign-up-for-windows-store-for-business.md).
|
||||
@ -94,7 +94,7 @@ Catalog signing is a vital step to adding your unsigned apps to your code integr
|
||||
|
||||
2. Click **Settings**, and then choose **Device Guard signing**.
|
||||
|
||||
3. Click **Upload** to upload your unsigned catalog files. These are the catalog files you created earlier in [Create catalog files for your unsigned app](#create_catalog_files).
|
||||
3. Click **Upload** to upload your unsigned catalog files. These are the catalog files you created earlier in [Create catalog files for your unsigned app](#create-catalog-files).
|
||||
|
||||
4. After the files are uploaded, click **Sign** to sign the catalog files.
|
||||
|
||||
|
@ -44,7 +44,7 @@ There are a couple of ways to find specific apps, or groups of apps in your inve
|
||||
|
||||
**Refine** - Use **Refine** to scope your list of apps by one or more of these app attributes:
|
||||
|
||||
- **License** - Online or offline licenses. For more info, see [Apps in Windows Store for Business](apps-in-the-windows-store-for-business.md#licensing_model).
|
||||
- **License** - Online or offline licenses. For more info, see [Apps in Windows Store for Business](apps-in-the-windows-store-for-business.md#licensing-model).
|
||||
|
||||
- **Platforms** - Lists the devices that apps in your inventory were originally written to support. This list is cumulative for all apps in your inventory.
|
||||
|
||||
@ -54,7 +54,7 @@ There are a couple of ways to find specific apps, or groups of apps in your inve
|
||||
|
||||
### Manage apps in your inventory
|
||||
|
||||
Each app in the Store for Business has an online, or an offline license. For more information on Store for Business licensing model, see [Apps in the Windows Store for Business](apps-in-the-windows-store-for-business.md#licensing_model). There are different actions you can take depending on the app license type. They're summarized in this table.
|
||||
Each app in the Store for Business has an online, or an offline license. For more information on Store for Business licensing model, see [Apps in the Windows Store for Business](apps-in-the-windows-store-for-business.md#licensing-model). There are different actions you can take depending on the app license type. They're summarized in this table.
|
||||
|
||||
<table>
|
||||
<colgroup>
|
||||
@ -178,7 +178,7 @@ For each app in your inventory, you can view and manage license details. This gi
|
||||
|
||||
Store for Business updates the list of assigned licenses.
|
||||
|
||||
### Download offline-licensed app
|
||||
### <a href="" id="download-offline-licensed-apps"></a>Download offline-licensed app
|
||||
|
||||
Offline licensing is a new feature in Windows 10 and allows apps to be deployed to devices that are not connected to the Internet. This means organizations can deploy apps when users or devices do not have connectivity to the Store.
|
||||
|
||||
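Review bot: The id added to this heading is `download-offline-licensed-apps` (plural) but the heading text reads "Download offline-licensed app" (singular), whereas the other ids introduced in this change mirror their heading text word for word. Align the two so that a fragment derived from the heading text still resolves.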
@ -192,9 +192,9 @@ You can download offline-licensed apps from your inventory. You'll need to downl
|
||||
|
||||
- App framework
|
||||
|
||||
For more information about online and offline licenses, see [Apps in the Windows Store for Business](apps-in-the-windows-store-for-business.md#licensing_model).
|
||||
For more information about online and offline licenses, see [Apps in the Windows Store for Business](apps-in-the-windows-store-for-business.md#licensing-model).
|
||||
|
||||
For more information about downloading offline-licensed apps, see [Download offline apps](../p_ent_manage_Update/download-offline-licensed-app.md).
|
||||
For more information about downloading offline-licensed apps, see [Download offline apps](../manage/download-offline-licensed-app.md).
|
||||
|
||||
|
||||
|
||||
|
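Review bot: The last link in this hunk is repointed to `../manage/download-offline-licensed-app.md`, while the link directly above it reaches `apps-in-the-windows-store-for-business.md` with a bare filename. If both targets sit in the same folder as this topic, the `../manage/` prefix is redundant and will break again on the next folder rename; use the bare filename to match the neighbouring link.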
@ -18,7 +18,7 @@ author: jdeckerMS
|
||||
|
||||
Windows Store for Business has thousands of apps from many different categories.
|
||||
|
||||
##
|
||||
## <a href="" id="apps"></a>
|
||||
|
||||
|
||||
These app types are supported in Store for Business:
|
||||
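Review bot: The heading changed in this hunk still has no text: `##` becomes `## <a href="" id="apps"></a>`, which leaves an empty level-2 heading above "These app types are supported in Store for Business:". Give the heading a title, or remove it and attach the `apps` id to the paragraph that follows.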
@ -49,14 +49,14 @@ Apps that you acquire from the Store for Business only work on Windows 10-based
|
||||
|
||||
Line-of-business (LOB) apps are also supported using the Store for Business. Admins can invite IT devs and ISVs to be LOB publishers. Apps developed by your LOB publishers that are submitted to the Store are only available to your organization. Once an administrator accepts an app submitted by one of their LOB publishers, the app can be distributed just like any other app from Store for Business. For more information, see Working with Line-of-Business apps.
|
||||
|
||||
## In-app purchases
|
||||
## <a href="" id="iap"></a>In-app purchases
|
||||
|
||||
|
||||
Some apps offer you the option to make in-app purchases. In-app purchases are not currently supported for apps that are acquired through Store for Business and distributed to employees.
|
||||
|
||||
If an employee makes an in-app purchase, they'll make it with their personal Microsoft account and pay for it with a personal payment method. The employee will own the item purchased, and it cannot be transferred to your organization’s inventory.
|
||||
|
||||
## Licensing model: online and offline licenses
|
||||
## <a href="" id="licensing-model"></a>Licensing model: online and offline licenses
|
||||
|
||||
|
||||
Store for Business supports two options to license apps: online and offline.
|
||||
|
@ -11,7 +11,7 @@ author: jdeckerMS
|
||||
# Change history for Manage and update Windows 10
|
||||
|
||||
|
||||
This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
|
||||
This topic lists new and updated topics in the [Manage and update Windows 10] documentation for [Windows 10 and Windows 10 Mobile](../index.md).
|
||||
|
||||
## March 2016
|
||||
|
||||
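Review bot: In the introductory sentence the first link loses its target, `[Manage and update Windows 10](index.md)` becoming `[Manage and update Windows 10]`, while the second link in the same sentence keeps `(../index.md)`. With no reference definition in the visible lines, the bracketed text will show up literally; restore the target or remove the brackets.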
@ -59,7 +59,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left">[Customize and export Start layout](customize-and-export-start-layout.md)</td>
|
||||
<td align="left">Added a note to clarify that partial Start layout is only supported in Windows 10, Version 1511 and later</td>
|
||||
<td align="left">Added a note to clarify that partial Start layout is only supported in Windows 10, version 1511 and later</td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left">[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management--mdm-.md)</td>
|
||||
|
@ -18,9 +18,9 @@ author: jdeckerMS
|
||||
|
||||
**In this article**
|
||||
|
||||
- [Start policy settings supported for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education](#start_policy_settings_supported_for_windows_10_pro__windows_10_enterprise__and_windows_10_education)
|
||||
- [Deprecated Group Policy settings for Start](#deprecated_group_policy_settings_for_start_)
|
||||
- [Related topics](#related_topics)
|
||||
- [Start policy settings supported for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education](#start-policy-settings-supported-for-windows-10-pro--windows-10-enterprise--and-windows-10-education)
|
||||
- [Deprecated Group Policy settings for Start](#deprecated-group-policy-settings-for-start-)
|
||||
- [Related topics](#related-topics)
|
||||
|
||||
Windows 10 has a brand new Start experience. As a result, there are changes to the Group Policy settings that you can use to manage Start. Some policy settings are new or changed, and some old Start policy settings still apply. Other Start policy settings no longer apply and are deprecated.
|
||||
|
||||
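Review bot: The converted fragments in the "In this article" list carry leftovers of a mechanical underscore-to-hyphen swap: a double hyphen in `...windows-10-pro--windows-10-enterprise--and-windows-10-education` and a trailing hyphen in `#deprecated-group-policy-settings-for-start-`. These resolve only if each heading id is spelled with the same doubled and trailing hyphens, so either confirm every target id matches exactly or normalize both the ids and the links to single hyphens with no trailing hyphen.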
@ -117,7 +117,7 @@ These policy settings are available in **Administrative Templates\\Start Menu an
|
||||
|
||||
|
||||
|
||||
## Deprecated Group Policy settings for Start
|
||||
## <a href="" id="deprecated-group-policy-settings-for-start-"></a>Deprecated Group Policy settings for Start
|
||||
|
||||
|
||||
The Start policy settings listed below do not work on Windows 10. Most of them were deprecated in Windows 8 however a few more were deprecated in Windows 10. Deprecation in this case means that the policy setting will not work on Windows 10. The “Supported on” text for a policy setting will not list Windows 10. The policy settings are still in the Group Policy Management Console and can be used on the operating systems that they apply to.
|
||||
|
@ -20,11 +20,11 @@ author: jdeckerMS
|
||||
**In this article**
|
||||
|
||||
- [Advantages](#advantages)
|
||||
- [Typical use cases](#typical_use_cases)
|
||||
- [Create package](#create_package)
|
||||
- [Apply package](#apply_package)
|
||||
- [Manage a package](#manage_a_package)
|
||||
- [Learn more](#learn_more)
|
||||
- [Typical use cases](#typical-use-cases)
|
||||
- [Create package](#create-package)
|
||||
- [Apply package](#apply-package)
|
||||
- [Manage a package](#manage-a-package)
|
||||
- [Learn more](#learn-more)
|
||||
|
||||
Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise.
|
||||
|
||||
|
314
windows/manage/configure-telemetry-in-your-organization.md
Normal file
@ -0,0 +1,314 @@
|
||||
---
|
||||
title: Configure telemetry in your organization (Windows 10)
|
||||
description: Use this article to make informed decisions about how you can configure telemetry in your organization. We discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component.
|
||||
ms.assetid: 68D9BEAD-8ACE-4771-AF10-CCCD65EC7D98
|
||||
keywords: ["privacy", "telemetry"]
|
||||
ms.prod: W10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
author: jdeckerMS
|
||||
---
|
||||
|
||||
# Configure telemetry in your organization
|
||||
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10 Mobile
|
||||
- Windows Server 2016 Technical Preview
|
||||
|
||||
Use this article to make informed decisions about how you can configure telemetry in your organization. We discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component.
|
||||
|
||||
**Note**
|
||||
This article does not apply to System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager because those products use a different telemetry service than Windows and Windows Server
|
||||
|
||||
|
||||
|
||||
It describes the types of telemetry we collect and the ways you can manage its telemetry. This article also lists some examples of how telemetry can provide you with valuable insights into your enterprise deployments, and how Microsoft uses the data to quickly identify and address issues affecting its customers.
|
||||
|
||||
We understand that the privacy and security of our customers’ information is important and we have taken a thoughtful and comprehensive approach to customer privacy and the protection of their data with Windows 10, Windows Server 2016 Technical Preview, and System Center 2016.
|
||||
|
||||
## Overview
|
||||
|
||||
|
||||
*“In order to deliver the experiences our customers need for the mobile-first and cloud-first world, we will modernize our engineering processes to be customer-obsessed, data-driven, speed-oriented, and quality-focused. We will be more effective in predicting and understanding what our customers need and more nimble in adjusting to information we get from the market. We will streamline the engineering process and reduce the amount of time and energy it takes to get things done.” – Satya Nadella, July, 2014*
|
||||
|
||||
In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, whether Windows Update installations were successful, collect reliability information through the Reliability Analysis Component (RAC) on Windows Server, and collect reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016 Technical Preview , you can control telemetry streams by using **Settings** > **Privacy**, Group Policy, or MDM.
|
||||
|
||||
Microsoft is committed to improving customer experiences in a mobile-first and cloud-first world, and it all starts with our customers. Telemetry is one critical way Microsoft is using data to improve our products and services. Telemetry gives every enterprise customer a voice that helps us shape future versions of Windows, Windows Server and System Center, allowing us to respond quickly to your feedback and providing new features and improved quality to our customers.
|
||||
|
||||
Our goal is to leverage the data to drive changes in the product and ecosystem to improve our customer experiences. We are also partnering with enterprises to provide added value from the telemetry information shared by their devices. Some examples include identifying outdated patches and downloading the latest antimalware signatures to help keep their devices secure, identifying application compatibility issues prior to upgrades, gaining insights into driver reliability issues affecting other customers, and using usage data to tune some of their operations to reduce the total cost of ownership (TCO) and downtime.
|
||||
|
||||
For Windows 10, we invite IT pros to join the Windows Insider Program to give us feedback on what we can do to make Windows work better for your organization.
|
||||
|
||||
## How is telemetry information handled by Microsoft?
|
||||
|
||||
|
||||
### Collection
|
||||
|
||||
Information gathered by the Connected User Experience and Telemetry component complies with Microsoft’s [security and privacy policies](https://privacy.microsoft.com/privacystatement/), as well as international laws and regulations. The principle of least privilege guides access to telemetry data. Only those who can demonstrate a valid business need can access the telemetry info.
|
||||
|
||||
### Data transfer
|
||||
|
||||
All telemetry info is encrypted during transfer from the device to the Microsoft Data Management Service. Data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as gaming achievements, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
|
||||
|
||||
### Microsoft Data Management Service
|
||||
|
||||
The Microsoft Data Management Service routes information to internal cloud storage. Only people with a valid business justification are permitted access. The Connected User Experiences and Telemetry component connects to the Microsoft Data Management service at v10.vortex-win.data.microsoft.com. The Connected User Experience and Telemetry component also connects to settings-win.data.microsoft.com to download configuration information.
|
||||
|
||||
### Data usage
|
||||
|
||||
Microsoft does not share personal data of our customers with third parties, except at the customer’s direction or for the limited purposes described in the Privacy Statement. We do share business reports with OEMs and third party partners that includes aggregated, anonymized telemetry information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
|
||||
|
||||
### Retention
|
||||
|
||||
Microsoft believes in and practices information minimization, so we only gather the info we need, and we only store it for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows 10, Windows Server 2016 Technical Preview, and System Center are functioning is deleted within 30 days. Other info may be retained longer, particularly if there is a regulatory requirement to do so. Info is typically gathered at a fractional sampling rate, which for some client services, can be as low as 1%.
|
||||
|
||||
## How is the data gathered?
|
||||
|
||||
|
||||
Windows 10 and Windows 10 includes the Connected User Experience and Telemetry component, which uses Event Tracing for Windows (ETW) [tracelogging](http://msdn.microsoft.com/library/dn904632.aspx) technology to gather and store telemetry events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
|
||||
|
||||
1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces.
|
||||
|
||||
2. Events are collected using public operating system event logging and tracing APIs.
|
||||
|
||||
3. You can configure the telemetry level by using an MDM policy, Group Policy, or registry settings.
|
||||
|
||||
4. The Connected User Experience and Telemetry component transmits telemetry data over HTTPS to Microsoft. It uses certificate pinning to protect against man-in-the-middle attacks and moresecurely deliver the data.
|
||||
|
||||
## Telemetry levels
|
||||
|
||||
|
||||
This section explains the different telemetry levels in Windows 10, Windows Server 2016 Technical Preview, and System Center. These levels are available on all desktop and mobile editions of Windows 10, with the exception of the Security level which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016 Technical Preview.
|
||||
|
||||
The telemetry data is categorized into four levels:
|
||||
|
||||
- **Security**. Information that’s required to help keep Windows, Windows Server, and System Center secure, including info about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
|
||||
|
||||
- **Basic**. Basic device info, including: quality-related info, app compat, and info from the Security level.
|
||||
|
||||
- **Enhanced**. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability info, and info from both the Basic and the Security levels.
|
||||
|
||||
- **Full**. All info necessary to identify and help to fix problems, plus info from the Security, Basic, and Enhanced levels.
|
||||
|
||||
The levels are cumulative and are illustrated into the following diagram:
|
||||
|
||||

|
||||
|
||||
### Security level
|
||||
|
||||
The security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests secure with the latest security updates.
|
||||
|
||||
**Note**
|
||||
If your organization relies on Windows Update for updates, you shouldn’t use the Security level. Because no Windows Update information is gathered at this level, Microsoft can’t tell whether an update successfully installed.
|
||||
|
||||
Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is telemetry data about Windows Server features or System Center collected.
|
||||
|
||||
|
||||
|
||||
Security level info includes:
|
||||
|
||||
- **Connected User Experience and Telemetry component settings**. If data has been gathered and is queued to be sent, the Connected User Experience and Telemetry component downloads its settings file from Microsoft’s servers. The data collected by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
|
||||
|
||||
- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
|
||||
|
||||
**Note**
|
||||
You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users.
|
||||
|
||||
|
||||
|
||||
- **Windows Defender**. Windows Defender requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address.
|
||||
|
||||
**Note**
|
||||
This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off.
|
||||
|
||||
Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates.
|
||||
|
||||
|
||||
|
||||
For servers with default telemetry settings and no Internet connectivity, you should set the telemetry level to Security. This stops data collection for events that would not be uploaded due to the lack of Internet connectivity.
|
||||
|
||||
No user content, such as user files or communications, is collected at the Security telemetry level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time.
|
||||
|
||||
### Basic level
|
||||
|
||||
The Basic level gathers a limited set of info that’s critical for understanding the device and its configuration. This level also includes the Security level info. This level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. The Connected User Experience and Telemetry component does not gather telemetry data about System Center, but it can transmit telemetry for other non-Windows applications if they gained user consent.
|
||||
|
||||
The data collected at this level includes:
|
||||
|
||||
- **Basic device info**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 Technical Previewinstances in the ecosystem, including:
|
||||
|
||||
- Device attributes, such as camera resolution and display type
|
||||
|
||||
- Internet Explorer version
|
||||
|
||||
- Battery attributes, such as capacity and type
|
||||
|
||||
- Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number
|
||||
|
||||
- Processor and memory attributes, such as number of cores, arhcitecture, speed, memory size, and firmware
|
||||
|
||||
- o Virtualization attribute, such as SLAT support and guest operating system
|
||||
|
||||
- Operating system attributes, such as Windows edition and virtualization state
|
||||
|
||||
- Storage attributes, such as number of drives, type, and size
|
||||
|
||||
- **Connected User Experience and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experience and Telemetry component is functioning, including uploaded events, dropped events, and the last upload time.
|
||||
|
||||
- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the amount of time a connected standby device was able to fullsleep, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app.
|
||||
|
||||
- **App compat info**. Helps provide an understanding about which apps are installed on a device and to help identify potential compatibility problems.
|
||||
|
||||
- **General app info and app info for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade.This app info includes the app name, publisher, version, and basic details about which files have been blocked from usage.
|
||||
|
||||
- **Internet Explorer add-on info**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade.
|
||||
|
||||
- **System info**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as info about the processor and BIOS.
|
||||
|
||||
- **Accessory device info**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system.
|
||||
|
||||
- **Driver info**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This info can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements.
|
||||
|
||||
- **Store**. Provides info about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses.
|
||||
|
||||
Data collected at the Basic level helps to identify whether a problem occurs on a particular device hardware or software configuration. For example, it can help determine if a crash happens most frequently on devices with a certain memory type or a particular network driver version.
|
||||
|
||||
### Enhanced level
|
||||
|
||||
The Enhanced level collects info about how Windows and apps are used and how they perform. This level also includes info from both the Basic and Security levels. This level helps to improve experiences by analyzing user interaction with the operating system and apps. Info from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
|
||||
|
||||
This is the default level, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues. For example, in Windows Server 2016 Technical Preview 4, if the operating system or an application crashes or hangs, the memory contents of the faulting process at the time of the crash or hang is gathered in a heap dump. This data provides Microsoft with valuable information needed to analyze and fix the issues.
|
||||
|
||||
The data collected at this level includes:
|
||||
|
||||
- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components.
|
||||
|
||||
- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge.
|
||||
|
||||
- **Device-specific events**. Contains info about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events.
|
||||
|
||||
You can turn on or turn off System Center telemetry collection. The default is on and the data gathered at this level represents what is collected by default when System Center telemetry is turned on. However, setting the operating system telemetry level to Basic will turn off System Center telemetry, even if the System Center telemetry switch is turned on.
|
||||
|
||||
If the Connected User Experience and Telemetry component detects a problem on Windows 10 that requires collecting more detailed instrumentation, the Connected User Experience and Telemetry component will only collect info about the events associated with the specific issue. Also, if the operating system or an app crashes or hangs, Microsoft will collect the memory contents of the faulting process only at the time of the crash or hang.
|
||||
|
||||
### Full level
|
||||
|
||||
The Full level collect data necessary to identify and to help fix problems, following the approval process described below. This level also includes info from the Basic, Enhanced, and Security levels.
|
||||
|
||||
Additionally, at this level, devices opted in to the Windows Insider Program will send events that can show Microsoft how pre-release binaries and features are performing. All devices in the Windows Insider Program are automatically set to this level.
|
||||
|
||||
If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional info becomes necessary. This info can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the Full telemetry level and have exhibited the problem.
|
||||
|
||||
However, before more info is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information:
|
||||
|
||||
- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe.
|
||||
|
||||
- Ability to get registry keys.
|
||||
|
||||
- Ability to gather user content, such as documents, if they might have been the trigger for the issue.
|
||||
|
||||
### Manage your telemetry settings
|
||||
|
||||
We do not recommend that you turn off telemetry in your organization, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center.
|
||||
|
||||
**Important**
|
||||
These telemetry levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. App publishers must let people know about how they use their telemetry, ways to opt in or opt out, and they must separately document their privacy policies.
|
||||
|
||||
|
||||
|
||||
The lowest telemetry setting level supported through management policies is Security. The lowest telemetry setting supported through the Settings UI is Basic. The default telemetry setting for Windows Server 2016 Technical Preview is Enhanced.
|
||||
|
||||
### Configure the operating system telemetry level
|
||||
|
||||
You can configure your operating system telemetry settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your telemetry levels through a management policy overrides any device-level settings.
|
||||
|
||||
Use the appropriate value in the table below when you configure the management policy.
|
||||
|
||||
| Value | Level | Data collected |
|
||||
|-------|----------|---------------------------------------------------------------------------------------------------------------------------|
|
||||
| **0** | Security | Security data only. |
|
||||
| **1** | Basic | Security data, and basic system and quality data. |
|
||||
| **2** | Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. |
|
||||
| **3** | Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. |
|
||||
|
||||
|
||||
|
||||
### Use Group Policy to set the telemetry level
|
||||
|
||||
Use a Group Policy object to set your organization’s telemetry level.
|
||||
|
||||
1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**.
|
||||
|
||||
2. Double-click **Allow Telemetry**.
|
||||
|
||||
3. In the **Options** box, select the level that you want to configure, and then click **OK**.
|
||||
|
||||
### Use MDM to set the telemetry level
|
||||
|
||||
Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy.
|
||||
|
||||
### Use Registry Editor to set the telemetry level
|
||||
|
||||
Use Registry Editor to manually set the registry level on each device in your organization, or write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting.
|
||||
|
||||
1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection**.
|
||||
|
||||
2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**.
|
||||
|
||||
3. Type **AllowTelemetry**, and then press ENTER.
|
||||
|
||||
4. Double-click **AllowTelemetry**, set the desired value, and then click **OK.**
|
||||
|
||||
5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization.
|
||||
|
||||
### Configure System Center 2016 telemetry
|
||||
|
||||
For System Center 2016 Technical Preview, you can turn off System Center telemetry by following these steps:
|
||||
|
||||
- Turn off telemetry by using the System Center UI Console settings workspace.
|
||||
|
||||
- For information about turning off telemetry for Service Management Automation and Service Provider Foundation, see [How to disable telemetry for Service Management Automation and Service Provider Foundation](https://support.microsoft.com/kb/3096505).
|
||||
|
||||
### Additional telemetry controls
|
||||
|
||||
There are a few more settings that you can turn off that may send telemetry information:
|
||||
|
||||
- To turn off Windows Update telemetry, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](http://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/).
|
||||
|
||||
- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & securit**y > **Windows Defender**.
|
||||
|
||||
- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716.](http://support.microsoft.com/kb/891716)
|
||||
|
||||
- Turn off **Linguistic Data Collection** in **Settings** > **Privacy**. At telemetry levels Enhanced and Full, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary.
|
||||
|
||||
**Note**
|
||||
Microsoft doesn't intentionally gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
|
||||
|
||||
|
||||
|
||||
## Examples of how Microsoft uses the telemetry data
|
||||
|
||||
|
||||
### Drive higher apps and driver quality in the ecosystem
|
||||
|
||||
Telemetry plays an important role in quickly identifying and fixing critical reliability and security issues in our customers’ deployments and configurations. Insights into the telemetry data we collect help us to quickly identify crashes or hangs associated with a certain application or driver on a given configuration, like a particular storage type (for example, SCSI) or a memory size. For System Center, job usages and statuses can also help us enhance the job workload and the communication between System Center and its managed products. Microsoft’s ability to get this data from customers and drive improvements into the ecosystem helps raise the bar for the quality of System Center, Windows Server applications, Windows apps, and drivers. Real-time data about Windows installations reduces downtime and the cost associated with troubleshooting unreliable drivers or unstable applications
|
||||
|
||||
### Reduce your total cost of ownership and downtime
|
||||
|
||||
Telemetry provides a view of which features and services customers use most. For example, the telemetry info provides us with a heat map of the most commonly deployed Windows Server roles, most used Windows features, and which ones are used the least. This helps us make informed decisions on where we should invest our engineering resources to build a leaner operating system. For System Center, understanding the customer environment for management and monitoring will help drive the support compatibilities matrix, such as host and guest OS. This can help you use existing hardware to meet your business needs and reduce your total cost of ownership, as well as reducing downtime associated with security updates.
|
||||
|
||||
### <a href="" id="build-features-that-address-our-customers--needs"></a>Build features that address our customers’ needs
|
||||
|
||||
Telemetry also helps us better understand how customers deploy components, use features, and use services to achieve their business goals. Getting insights from that information helps us prioritize our engineering investments in areas that can directly affect our customers’ experiences and workloads. Some examples include customer usage patterns of containers, storage, and networking configurations associated with Windows Server roles like Clustering and Web. Another example could be to find out when is CPU hyper-threading turned off and the resulting impact. We use the insights to drive improvements and intelligence into some of our management and monitoring solutions, to help customers diagnose quality issues, and save money by making fewer help calls to Microsoft.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
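Review bot: In "Use Registry Editor to set the telemetry level", the intro says to "manually set the registry level on each device"; that should read "telemetry level", and step 4 ("set the desired value") should point back to the 0 to 3 table under "Configure the operating system telemetry level" so the reader knows which DWORD value maps to which level. The same new file has three smaller slips worth fixing before merge: "The Full level collect data" (collects), the misplaced bold in `**Update & securit**y`, and the missing period after "unstable applications".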
@ -22,10 +22,10 @@ author: jdeckerMS
|
||||
|
||||
**In this article**
|
||||
|
||||
- [Customize the Start screen on your test computer](#BKMKCustomizeStartScreen)
|
||||
- [Export the Start layout](#BMK_ExportStartScreenLayout)
|
||||
- [Configure a partial Start layout](#configure_a_partial_start_layout)
|
||||
- [Related topics](#related_topics)
|
||||
- [Customize the Start screen on your test computer](#bkmkcustomizestartscreen)
|
||||
- [Export the Start layout](#bmk-exportstartscreenlayout)
|
||||
- [Configure a partial Start layout](#configure-a-partial-start-layout)
|
||||
- [Related topics](#related-topics)
|
||||
|
||||
The easiest method for creating a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test computer and then export the layout.
|
||||
|
||||
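Review bot: The rewritten "In this article" links to `#bkmkcustomizestartscreen` and `#bmk-exportstartscreenlayout` resolve only because later hunks in this file add matching explicit ids to the headings, while `#configure-a-partial-start-layout` and `#related-topics` get no explicit id anywhere in the visible diff and so depend on the renderer's generated heading ids. Either add explicit ids for those two headings as well or confirm the build produces exactly these slugs. The list also keeps the inconsistent `bkmk` and `bmk-` prefixes, which would be worth normalizing while every anchor is being renamed.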
@ -33,9 +33,9 @@ After you export the layout, decide whether you want to apply a *full* Start lay
|
||||
|
||||
When a full Start layout is applied, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start.
|
||||
|
||||
When [a partial Start layout](#configure_a_partial_start_layout) is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups.
|
||||
When [a partial Start layout](#configure-a-partial-start-layout) is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups.
|
||||
|
||||
**Note** Partial Start layout is only supported on Windows 10, Version 1511 and later.
|
||||
**Note** Partial Start layout is only supported on Windows 10, version 1511 and later.
|
||||
|
||||
|
||||
|
||||
@ -47,7 +47,7 @@ You can deploy the resulting .xml file to devices using one of the following met
|
||||
|
||||
- [Mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management--mdm-.md)
|
||||
|
||||
## Customize the Start screen on your test computer
|
||||
## <a href="" id="bkmkcustomizestartscreen"></a>Customize the Start screen on your test computer
|
||||
|
||||
|
||||
To prepare a Start layout for export, you simply customize the Start layout on a test computer.
|
||||
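Review bot: The anchor added to the heading, `<a href="" id="bkmkcustomizestartscreen"></a>`, carries an empty `href`, which makes it a hyperlink to the current page rather than a pure jump target; the `id` alone is enough for `#bkmkcustomizestartscreen` to resolve. Suggest dropping `href=""` here and in the other anchors this commit adds in the same form.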
@ -63,7 +63,7 @@ To prepare a Start layout for export, you simply customize the Start layout on a
|
||||
|
||||
2. Create a new user account that you will use to customize the Start layout.
|
||||
|
||||
|
||||
<a href="" id="bmk-customize-start"></a>
|
||||
**To customize Start**
|
||||
|
||||
1. Sign in to your test computer with the user account that you created.
|
||||
@ -82,7 +82,7 @@ To prepare a Start layout for export, you simply customize the Start layout on a
|
||||
|
||||
- **Create your own app groups**. Drag the apps to an empty area. To name a group, click above the group of tiles and then type the name in the **Name group** field that appears above the group.
|
||||
|
||||
## Export the Start layout
|
||||
## <a href="" id="bmk-exportstartscreenlayout"></a>Export the Start layout
|
||||
|
||||
|
||||
When you have the Start layout that you want your users to see, use the [Export-StartLayout](http://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet in Windows PowerShell to export the Start layout to an .xml file.
|
||||
@ -114,9 +114,9 @@ If the Start layout is applied by Group Policy or MDM, and the policy is removed
|
||||
|
||||
**To configure a partial Start screen layout**
|
||||
|
||||
1. [Customize the Start layout](#BMK_customize_start).
|
||||
1. [Customize the Start layout](#bmk-customize-start).
|
||||
|
||||
2. [Export the Start layout](#BMK_ExportStartScreenLayout).
|
||||
2. [Export the Start layout](#bmk-exportstartscreenlayout).
|
||||
3. Open the layout .xml file. There is a `<DefaultLayoutOverride>` element. Add `LayoutCustomizationRestrictionType="OnlySpecifiedGroups"` to the **DefaultLayoutOverride** element as follows:
|
||||
|
||||
``` syntax
|
||||
|
@ -22,12 +22,12 @@ author: jdeckerMS
|
||||
|
||||
**In this article**
|
||||
|
||||
- [Operating system requirements](#operating_system_requirements)
|
||||
- [How Start layout control works](#BKMK_HowStartScreenControlWorks)
|
||||
- [Use Group Policy to apply a customized Start layout in a domain](#BKMK_DomainGPODeployment)
|
||||
- [Use Group Policy to apply a customized Start layout on the local computer](#BKMK_LocalGPImport)
|
||||
- [Update a customized Start layout](#BKMK_UpdateStartScreenLayout)
|
||||
- [Related topics](#related_topics)
|
||||
- [Operating system requirements](#operating-system-requirements)
|
||||
- [How Start layout control works](#bkmk-howstartscreencontrolworks)
|
||||
- [Use Group Policy to apply a customized Start layout in a domain](#bkmk-domaingpodeployment)
|
||||
- [Use Group Policy to apply a customized Start layout on the local computer](#bkmk-localgpimport)
|
||||
- [Update a customized Start layout](#bkmk-updatestartscreenlayout)
|
||||
- [Related topics](#related-topics)
|
||||
|
||||
In Windows 10 Enterprise and Windows 10 Education, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
|
||||
|
||||
@ -47,7 +47,7 @@ Start layout control using Group Policy is supported in Windows 10 Enterprise a
|
||||
|
||||
The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. In Group Policy, ADMX files are used to define Registry-based policy settings in the Administrative Templates category. To find out how to create a central store for Administrative Templates files, see [article 929841](http://go.microsoft.com/fwlink/p/?LinkId=691687) in the Microsoft Knowledge Base.
|
||||
|
||||
## How Start layout control works
|
||||
## <a href="" id="bkmk-howstartscreencontrolworks"></a>How Start layout control works
|
||||
|
||||
|
||||
Two features enable Start layout control:
|
||||
@ -66,7 +66,7 @@ To learn how customize Start to include your line-of-business apps when you depl
|
||||
|
||||
|
||||
|
||||
## Use Group Policy to apply a customized Start layout in a domain
|
||||
## <a href="" id="bkmk-domaingpodeployment"></a>Use Group Policy to apply a customized Start layout in a domain
|
||||
|
||||
|
||||
To apply the Start layout to users in a domain, use the Group Policy Management Console (GPMC) to configure a domain-based Group Policy Object (GPO) that sets **Start Layout** policy settings in the **Start Menu and Taskbar** administrative template for users in a domain.
|
||||
@ -79,13 +79,13 @@ The .xml file with the Start layout must be located on shared network storage th
|
||||
|
||||
For information about deploying GPOs in a domain, see [Working with Group Policy Objects](http://go.microsoft.com/fwlink/p/?LinkId=620889).
|
||||
|
||||
## Use Group Policy to apply a customized Start layout on the local computer
|
||||
## <a href="" id="bkmk-localgpimport"></a>Use Group Policy to apply a customized Start layout on the local computer
|
||||
|
||||
|
||||
You can use the Local Group Policy Editor to provide a customized Start layout for any user who signs in on the local computer. To display the customized Start layout for any user who signs in, configure **Start Layout** policy settings for the **Start Menu and Taskbar** administrative template. You can use the **Start Menu and Taskbar** administrative template in **User Configuration** or **Computer Configuration**.
|
||||
|
||||
**Note**
|
||||
This procedure applies the policy settings on the local computer only. For information about deploying the Start layout to users in a domain, see [Use Group Policy to deploy a customized Start layout in a domain](#BKMK_DomainGPODeployment), later in this topic.
|
||||
This procedure applies the policy settings on the local computer only. For information about deploying the Start layout to users in a domain, see [Use Group Policy to deploy a customized Start layout in a domain](#bkmk-domaingpodeployment), later in this topic.
|
||||
|
||||
This procedure creates a Local Group Policy that applies to all users on the computer. To configure Local Group Policy that applies to a specific user or group on the computer, see [Step-by-Step Guide to Managing Multiple Local Group Policy Objects](http://go.microsoft.com/fwlink/p/?LinkId=620881). The guide was written for Windows Vista and the procedures still apply to Windows 10.
|
||||
|
||||
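Review bot: The cross-reference in the note, now pointing at `#bkmk-domaingpodeployment`, still reads "Use Group Policy to deploy a customized Start layout in a domain ... later in this topic", but the target heading is titled "Use Group Policy to apply a customized Start layout in a domain" and, going by the hunk positions (line 66 versus line 79), sits before this section rather than after it. Since the line is being touched anyway, align the link text with the heading and change "later" to "earlier".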
@ -122,7 +122,7 @@ This procedure adds the customized Start layout to the user configuration, which
|
||||
|
||||
|
||||
|
||||
## Update a customized Start layout
|
||||
## <a href="" id="bkmk-updatestartscreenlayout"></a>Update a customized Start layout
|
||||
|
||||
|
||||
After you use Group Policy to apply a customized Start layout on a computer or in a domain, you can update the layout simply by replacing the .xml file that is specified in the Start Layout policy settings with a file with a newer timestamp.
|
||||
|
@ -29,7 +29,7 @@ When a full Start layout is applied with this method, the users cannot pin, unpi
|
||||
|
||||
|
||||
|
||||
## How Start layout control works
|
||||
## <a href="" id="bkmk-howstartscreencontrolworks"></a>How Start layout control works
|
||||
|
||||
|
||||
Two features enable Start layout control:
|
||||
@ -43,7 +43,7 @@ Two features enable Start layout control:
|
||||
|
||||
- In MDM, you set the path to the .xml file that defines the Start layout using an OMA-URI setting, which is based on the [Policy configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkID=623244).
|
||||
|
||||
## Create a policy for your customized Start layout
|
||||
## <a href="" id="bkmk-domaingpodeployment"></a>Create a policy for your customized Start layout
|
||||
|
||||
|
||||
This example uses Microsoft Intune to configure an MDM policy that applies a customized Start layout. See the documentation for your MDM solution for help in applying the policy.
|
||||
|
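Review bot: The id given to "Create a policy for your customized Start layout" is `bkmk-domaingpodeployment`, the same name this commit puts on the domain Group Policy heading in the Group Policy article; in this MDM article the section configures the policy through Microsoft Intune, so the anchor name misdescribes its target. Suggest an id derived from the heading text, with any links to it updated in the same change.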
@ -22,15 +22,15 @@ author: jdeckerMS
|
||||
|
||||
**In this article**
|
||||
|
||||
- [How Start layout control works](#BKMK_HowStartScreenControlWorks)
|
||||
- [Create a provisioning package that contains a customized Start layout](#BKMK_DomainGPODeployment)
|
||||
- [Related topics](#related_topics)
|
||||
- [How Start layout control works](#bkmk-howstartscreencontrolworks)
|
||||
- [Create a provisioning package that contains a customized Start layout](#bkmk-domaingpodeployment)
|
||||
- [Related topics](#related-topics)
|
||||
|
||||
In Windows 10 Enterprise and Windows 10 Education, you can use a provisioning package that you create with Windows Imaging and Configuration Designer (ICD) tool to deploy a customized Start layout to users. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
|
||||
|
||||
**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md)
|
||||
|
||||
## How Start layout control works
|
||||
## <a href="" id="bkmk-howstartscreencontrolworks"></a>How Start layout control works
|
||||
|
||||
|
||||
Two features enable Start layout control:
|
||||
@ -44,7 +44,7 @@ Two features enable Start layout control:
|
||||
|
||||
- In ICD, you use the **Start/StartLayout** setting to set the path to the .xml file that defines the Start layout.
|
||||
|
||||
## Create a provisioning package that contains a customized Start layout
|
||||
## <a href="" id="bkmk-domaingpodeployment"></a>Create a provisioning package that contains a customized Start layout
|
||||
|
||||
|
||||
Use the [Imaging and Configuration Designer (ICD) tool](http://go.microsoft.com/fwlink/p/?LinkID=525483) included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that applies a customized Start layout. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)
|
||||
|
@ -43,7 +43,7 @@ MDM tool requirements:
|
||||
## Distribute offline-licensed apps
|
||||
|
||||
|
||||
If your vendor doesn’t support the ability to synchronize applications from the management tool services or cannot connect to the management tool services, your vendor may support the ability to deploy offline licensed applications by downloading the application and license from the store and then deploying the app through your MDM. For more information on online and offline licensing with Store for Business, see [Apps in the Windows Store for Business.](apps-in-the-windows-store-for-business.md#licensing_model)
|
||||
If your vendor doesn’t support the ability to synchronize applications from the management tool services or cannot connect to the management tool services, your vendor may support the ability to deploy offline licensed applications by downloading the application and license from the store and then deploying the app through your MDM. For more information on online and offline licensing with Store for Business, see [Apps in the Windows Store for Business.](apps-in-the-windows-store-for-business.md#licensing-model)
|
||||
|
||||
This diagram shows how you can use a management tool to distribute offline-licensed app to employees in your organization. Once synchronized from Store for Business, management tools can use the Windows Management framework to distribute applications to devices.
|
||||
|
||||
|
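Review bot: The updated link target `apps-in-the-windows-store-for-business.md#licensing-model` lives in a file that does not appear in the visible hunks, so nothing here shows that a `licensing-model` id exists there; please confirm that file was updated in the same commit, otherwise the fragment will not resolve. The link text also keeps the sentence's period inside the brackets ("[Apps in the Windows Store for Business.]"); move it outside the link.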
@ -53,7 +53,7 @@ There are several items to download or create for offline-licensed apps. You'll
|
||||
|
||||
- **App frameworks** -- App frameworks are required for distributing offline apps, but you might not need to download one. If you already have the required framework, you don't need to download another copy. The Store for Business will select the app framework needed for the app platform and architecture that you selected.
|
||||
|
||||
|
||||
<a href="" id="download-offline-licensed-app"></a>
|
||||
**To download an offline-licensed app**
|
||||
|
||||
1. Sign in to the Store for Business
|
||||
|
@ -18,11 +18,11 @@ author: jdeckerMS
|
||||
|
||||
**In this article**
|
||||
|
||||
- [What is a CSP?](#what_is_a_csp_)
|
||||
- [Why should you learn about CSPs?](#why_should_you_learn_about_csps_)
|
||||
- [How do you use the CSP documentation?](#BKMK_CSP_Doc)
|
||||
- [CSP examples](#csp_examples)
|
||||
- [Related topics](#related_topics)
|
||||
- [What is a CSP?](#what-is-a-csp-)
|
||||
- [Why should you learn about CSPs?](#why-should-you-learn-about-csps-)
|
||||
- [How do you use the CSP documentation?](#bkmk-csp-doc)
|
||||
- [CSP examples](#csp-examples)
|
||||
- [Related topics](#related-topics)
|
||||
|
||||
Configuration service providers (CSPs) expose device configuration settings in Windows 10. This topic is written for people who have no experience with CSPs.
|
||||
|
||||
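Review bot: `#what-is-a-csp-` and `#why-should-you-learn-about-csps-` end in a hyphen that stands in for the heading's question mark, so they resolve only if the renderer builds its heading ids the same way; the diff adds an explicit id for `bkmk-csp-doc` but none is visible for these two headings. Add explicit anchors for them too, or verify the generated ids, since a slug generator that drops punctuation would produce `what-is-a-csp` and break both links.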
@ -51,7 +51,7 @@ CSPs are behind many of the management tasks and policies for Windows 10 in Mic
|
||||
|
||||
Generally, enterprises rely on Group Policy or MDM to configure and manage devices. For devices running Windows, MDM services use CSPs to configure your devices.
|
||||
|
||||
In addition, you may have unmanaged devices, or a large number of devices that you want to configure before enrolling them in management, or you want to apply custom settings that aren't available through your MDM service. The [CSP documentation](#BKMK_CSP_doc) can help you understand the settings that can be configured or queried.
|
||||
In addition, you may have unmanaged devices, or a large number of devices that you want to configure before enrolling them in management, or you want to apply custom settings that aren't available through your MDM service. The [CSP documentation](#bkmk-csp-doc) can help you understand the settings that can be configured or queried.
|
||||
|
||||
In addition, some of the topics in the [Windows 10 and Windows 10 Mobile](../index.md) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](manage-cortana-in-your-enterprise.md) which links to the [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkID=623244). In the CSP topics, you can learn about all of the available configuration settings.
|
||||
|
||||
@ -75,7 +75,7 @@ When a CSP is available but is not explicitly included in your MDM solution, you
|
||||
|
||||
Lockdown XML can be used to configure devices running Windows 10 Mobile. You can manually author a [Lockdown XML file](lockdown-xml.md) to make use of the configuration settings available through the [EnterpriseAssignedAccess configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkID=618601).
|
||||
|
||||
## How do you use the CSP documentation?
|
||||
## <a href="" id="bkmk-csp-doc"></a>How do you use the CSP documentation?
|
||||
|
||||
|
||||
All CSPs in Windows 10 are documented in the [Configuration service provider reference](http://go.microsoft.com/fwlink/p/?LinkId=717390).
|
||||
|
Before Width: | Height: | Size: 43 KiB After Width: | Height: | Size: 44 KiB |
BIN
windows/manage/images/aadjbrowser.jpg
Normal file
After Width: | Height: | Size: 66 KiB |
BIN
windows/manage/images/aadjonedrive.jpg
Normal file
After Width: | Height: | Size: 82 KiB |
BIN
windows/manage/images/aadjppt.jpg
Normal file
After Width: | Height: | Size: 42 KiB |
BIN
windows/manage/images/aadjword.jpg
Normal file
After Width: | Height: | Size: 61 KiB |
BIN
windows/manage/images/settings-table.png
Normal file
After Width: | Height: | Size: 14 KiB |
@ -21,12 +21,12 @@ author: jdeckerMS
|
||||
**In this article**
|
||||
|
||||
- [Introduction](#introduction)
|
||||
- [Streamlined product development and release cycles](#streamlined_product_development_and_release_cycles)
|
||||
- [New Windows 10 delivery and installation alternatives](#new_windows_10_delivery_and_installation_alternatives)
|
||||
- [Windows 10 servicing options](#windows_10_servicing_options)
|
||||
- [Plan for Windows 10 deployment](#plan_for_windows_10_deployment)
|
||||
- [Servicing options and servicing branch designations](#servicing_options_and_servicing_branch_designations)
|
||||
- [Related topics](#related_topics)
|
||||
- [Streamlined product development and release cycles](#streamlined-product-development-and-release-cycles)
|
||||
- [New Windows 10 delivery and installation alternatives](#new-windows-10-delivery-and-installation-alternatives)
|
||||
- [Windows 10 servicing options](#windows-10-servicing-options)
|
||||
- [Plan for Windows 10 deployment](#plan-for-windows-10-deployment)
|
||||
- [Servicing options and servicing branch designations](#servicing-options-and-servicing-branch-designations)
|
||||
- [Related topics](#related-topics)
|
||||
|
||||
This article describes the new servicing options available in Windows 10, Windows 10 Mobile, and IoT Core and how they enable enterprises to keep their devices current with the latest feature upgrades. It also covers related topics, such as how enterprises can make better use of Windows Update, and what the new servicing options mean for support lifecycles.
|
||||
|
||||
@ -125,11 +125,11 @@ Historically, because of the length of time between releases of new Windows vers
|
||||
|
||||
In fact, when planning to deploy Windows 10 on a device, one of the most important questions for IT administrators to ask is, “What should happen to this device when Microsoft publishes a new feature upgrade?” This is because Microsoft designed Windows 10 to provide businesses with multiple servicing options, centered on enabling different rates of feature upgrade adoption. In particular, IT administrators can configure Windows 10 devices to:
|
||||
|
||||
- Receive feature upgrades immediately after Microsoft makes them available publicly, so that users gain access to new features, experiences, and functionality as soon as possible. For more information, see [Immediate feature upgrade installation with Current Branch (CB) servicing](#immediate_upgrade_CB).
|
||||
- Receive feature upgrades immediately after Microsoft makes them available publicly, so that users gain access to new features, experiences, and functionality as soon as possible. For more information, see [Immediate feature upgrade installation with Current Branch (CB) servicing](#immediate-upgrade-cb).
|
||||
|
||||
- Defer receiving feature upgrades for a period of approximately four months after Microsoft makes them available publicly, to provide IT administrators with time to perform pre-deployment testing and provide feature upgrades releases with additional time-in-market to mature. For more information, see [Deferred feature upgrade installation with Current Branch for Business (CBB) servicing](#deferred_upgrade_CBB).
|
||||
- Defer receiving feature upgrades for a period of approximately four months after Microsoft makes them available publicly, to provide IT administrators with time to perform pre-deployment testing and provide feature upgrades releases with additional time-in-market to mature. For more information, see [Deferred feature upgrade installation with Current Branch for Business (CBB) servicing](#deferred-upgrade-cbb).
|
||||
|
||||
- Receive only servicing updates for the duration of their Windows 10 deployment in order to reduce the number of non-essential changes made to the device. For more information, see [Install servicing updates only by using Long-Term Servicing Branch (LTSB) servicing](#install_updates_LTSB).
|
||||
- Receive only servicing updates for the duration of their Windows 10 deployment in order to reduce the number of non-essential changes made to the device. For more information, see [Install servicing updates only by using Long-Term Servicing Branch (LTSB) servicing](#install-updates-ltsb).
|
||||
|
||||
The breakout of a company’s devices by the categories above is likely to vary significantly by industry and other factors. What is most important is that companies can decide what works best for them and can choose different options for different devices.
|
||||
|
||||
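Review bot: In the CBB bullet, "provide feature upgrades releases with additional time-in-market to mature" is carried over unchanged into the rewritten line; since the line is being touched for the anchor anyway, change it to "provide feature upgrade releases with additional time-in-market to mature". The three new fragments (`#immediate-upgrade-cb`, `#deferred-upgrade-cbb`, `#install-updates-ltsb`) depend on the `id` attributes added further down in this file, so those hunks need to land together with this one.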
@ -211,7 +211,7 @@ The same underlying figure will be used in subsequent figures to show all three
|
||||
|
||||
To simplify the servicing lifetime and feature upgrade behavior explanations that follow, this document refers to branch designations for a specific feature upgrade as the +0 versions, the designations for the feature upgrade after the +0 version as the +1 (or successor) versions, and the designation for the feature upgrade after the +1 version as the +2 (or second successor) versions.
|
||||
|
||||
###
|
||||
### <a href="" id="immediate-upgrade-cb"></a>
|
||||
|
||||
**Immediate feature upgrade installation with Current Branch (CB) servicing**
|
||||
|
||||
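Review bot: The replacement line `### <a href="" id="immediate-upgrade-cb"></a>` is still a heading with no text; the title stays on a separate bold line below it. Put the title in the heading itself, as the Azure AD topic in this same commit does (`## <a href="" id="bkmk-upgrade"></a>Are you upgrading current devices to Windows 10 Mobile?`), and drop the bold line. The same applies to the `deferred-upgrade-cbb`, `install-updates-ltsb` and `servicing-only` headings in the following hunks.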
@ -233,7 +233,7 @@ Windows 10 Home supports Windows Update for release deployment. Windows 10 edi
|
||||
|
||||
It is important to note that devices serviced from CBs must install two to three feature upgrades per year to remain current and continue to receive servicing updates.
|
||||
|
||||
###
|
||||
### <a href="" id="deferred-upgrade-cbb"></a>
|
||||
|
||||
**Deferred feature upgrade installation with Current Branch for Business (CBB) servicing**
|
||||
|
||||
@ -255,11 +255,11 @@ Windows 10 (Pro, Education, and Enterprise editions) support release deployment
|
||||
|
||||
Microsoft designed Windows 10 servicing lifetime policies so that CBBs will receive servicing updates for approximately twice as many months as CBs. This enables two CBBs to receive servicing support at the same time, which provides businesses with more flexibility when deploying new feature upgrades. That said, it is important to note that Microsoft will not produce servicing updates for a feature upgrade after its corresponding CBB reaches the end of its servicing lifetime. This means that feature upgrade deployments cannot be extended indefinitely and IT administrators should ensure that they deploy newer feature upgrades onto devices before CBBs end.
|
||||
|
||||
###
|
||||
### <a href="" id="install-updates-ltsb"></a>
|
||||
|
||||
**Install servicing updates only by using Long-Term Servicing Branch (LTSB) servicing**
|
||||
|
||||
As shown in Figure 7, the Long-Term Servicing Branch (LTSB) designation refers to Servicing Branch \#2 from beginning to end. LTSBs begin when a feature upgrade with long-term support is published by Microsoft and end after 10 years. It is important to note that only the Windows 10 Enterprise LTSB edition supports long-term servicing, and there are important differences between this edition and other Windows 10 editions regarding upgradability and feature set (described below in the [Considerations when configuring devices for servicing updates only](#servicing_only) section).
|
||||
As shown in Figure 7, the Long-Term Servicing Branch (LTSB) designation refers to Servicing Branch \#2 from beginning to end. LTSBs begin when a feature upgrade with long-term support is published by Microsoft and end after 10 years. It is important to note that only the Windows 10 Enterprise LTSB edition supports long-term servicing, and there are important differences between this edition and other Windows 10 editions regarding upgradability and feature set (described below in the [Considerations when configuring devices for servicing updates only](#servicing-only) section).
|
||||
|
||||

|
||||
|
||||
@ -280,7 +280,7 @@ It is important to note again that not all feature upgrades will have an LTSB. T
|
||||
|
||||
|
||||
|
||||
###
|
||||
### <a href="" id="servicing-only"></a>
|
||||
|
||||
**Considerations when configuring devices for servicing updates only**
|
||||
|
||||
|
@ -17,14 +17,14 @@ author: jdeckerMS
|
||||
|
||||
**In this article**
|
||||
|
||||
- [Why join Windows 10 Mobile to Azure AD](#why_join_windows_10_mobile_to_azure_ad)
|
||||
- [Are you upgrading current devices to Windows 10 Mobile?](#BKMK_upgrade)
|
||||
- [The difference between "add work account" and "join Azure AD"](#add_work_account)
|
||||
- [Preparing for Windows 10 Mobile](#preparing_for_windows_10_mobile)
|
||||
- [How to join Windows 10 Mobile to Azure AD](#how_to_join_windows_10_mobile_to_azure_ad)
|
||||
- [Set up mail and calendar](#set_up_mail_and_calendar)
|
||||
- [Use Office and OneDrive apps](#use_office_and_onedrive_apps)
|
||||
- [Use Windows Store for Business](#use_windows_store_for_business)
|
||||
- [Why join Windows 10 Mobile to Azure AD](#why-join-windows-10-mobile-to-azure-ad)
|
||||
- [Are you upgrading current devices to Windows 10 Mobile?](#bkmk-upgrade)
|
||||
- [The difference between "Add work account" and "Azure AD Join"](#add-work-account)
|
||||
- [Preparing for Windows 10 Mobile](#preparing-for-windows-10-mobile)
|
||||
- [How to join Windows 10 Mobile to Azure AD](#how-to-join-windows-10-mobile-to-azure-ad)
|
||||
- [Set up mail and calendar](#set-up-mail-and-calendar)
|
||||
- [Use Office and OneDrive apps](#use-office-and-onedrive-apps)
|
||||
- [Use Windows Store for Business](#use-windows-store-for-business)
|
||||
|
||||
Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE). This article describes the considerations and options for using Windows 10 Mobile with Azure AD in your organization.
|
||||
|
||||
@ -35,7 +35,7 @@ When a device running Windows 10 Mobile is joined to Azure AD, the device can e
|
||||
|
||||
- Single sign-on (SSO) in applications like Mail, Word, and OneDrive using resources backed by Azure AD.
|
||||
|
||||
- SSO in Edge browser to Azure AD-connected web applications like Office 365 Portal, Visual Studio, and more than [2500 non-Microsoft apps](http://go.microsoft.com/fwlink/p/?LinkID=746211).
|
||||
- SSO in Microsoft Edge browser to Azure AD-connected web applications like Office 365 Portal, Visual Studio, and more than [2500 non-Microsoft apps](http://go.microsoft.com/fwlink/p/?LinkID=746211).
|
||||
|
||||
- SSO to resources on-premises.
|
||||
|
||||
@ -45,7 +45,7 @@ When a device running Windows 10 Mobile is joined to Azure AD, the device can e
|
||||
|
||||
- Use Windows Store for Business to target applications to users.
|
||||
|
||||
## Are you upgrading current devices to Windows 10 Mobile?
|
||||
## <a href="" id="bkmk-upgrade"></a>Are you upgrading current devices to Windows 10 Mobile?
|
||||
|
||||
|
||||
Windows Phone 8.1 only supported the ability to connect the device to personal cloud services using a Microsoft account for authentication. This required creating Microsoft accounts to be used for work purposes. In Windows 10 Mobile, you have the ability to join devices directly to Azure AD without requiring a personal Microsoft account.
|
||||
@ -54,16 +54,22 @@ If you have existing Windows Phone 8.1 devices, the first thing to understand is
|
||||
|
||||
Before upgrading and joining devices to Azure AD, you will want to consider existing data usage. How users are using the existing devices and what data is stored locally will vary for every customer. Are text messages used for work purposes and need to be backed up and available after the upgrade? Are there photos stored locally or stored associated with an Microsoft account? Are there device and app settings that to be retained? Are there contacts stored in the SIM or associated with an Microsoft account? You will need to explore methods for capturing and storing the data that needs to be retained before you join the devices to Azure AD. Photos, music files, and documents stored locally on the device can be copied from the device using a USB connection to a PC.
|
||||
|
||||
To join upgraded mobile devices to Azure AD, [the devices must be reset](reset-a-windows-10-mobile-device.md) to start the out-of-box experience for device setup. When the device is joined to Azure AD, the account used for authentication changes from the Microsoft account to an Azure AD account and this is not a change that can be done while maintaining all existing user data. This is similar to changing a device from personally owned to organizationally owned. When a user joins an organization’s domain, the user is then required to log in as the domain user and start with a fresh user profile. A new user profile means there would not be any persisted settings, apps, or data from the previous personal profile.
|
||||
To join upgraded mobile devices to Azure AD, [the devices must be reset](reset-a-windows-10-mobile-device.md) to start the out-of-box experience for device setup. Joining a device to Azure AD is not a change that can be done while maintaining existing user data. This is similar to changing a device from personally owned to organizationally owned. When a user joins an organization’s domain, the user is then required to log in as the domain user and start with a fresh user profile. A new user profile means there would not be any persisted settings, apps, or data from the previous personal profile.
|
||||
|
||||
If you want to avoid the device reset process, consider [adding work accounts](#add_work_account) rather than joining the devices to Azure AD.
|
||||
If you want to avoid the device reset process, consider [adding work accounts](#add-work-account) rather than joining the devices to Azure AD.
|
||||
|
||||
## The difference between "add work account" and "join Azure AD"
|
||||
## <a href="" id="add-work-account"></a>The difference between "Add work account" and "Azure AD Join"
|
||||
|
||||
|
||||
You can add access to Azure AD-backed resources on the device without resetting the device. However, this method does not provide SSO in the Windows Store and does not provide the ability to roam settings based on the Azure AD account using enterprise roaming. [Learn about enterprise state roaming in Azure AD.](http://go.microsoft.com/fwlink/p/?LinkId=734996)
|
||||
Even though Azure AD Join on Windows 10 Mobile provides the best overall experience, there are two ways that you can use an added work account instead of joining the device to Azure AD due to organizational requirements.
|
||||
|
||||
Using **Settings** > **Accounts** > **Your email and accounts** > **Add work or school account**, users can add their Azure AD account to the device, keeping their Microsoft account as the primary account. If you [enable auto-enrollment in your MDM settings](http://go.microsoft.com/fwlink/p/?LinkID=691615), the device will automatically be enrolled in MDM.
|
||||
- You can complete OOBE using the **Sign in later** option. This lets you start using Windows 10 Mobile with any connected Azure AD account or Microsoft account.
|
||||
|
||||
- You can add access to Azure AD-backed resources on the device without resetting the device.
|
||||
|
||||
However, neither of these methods provides SSO in the Windows Store and does not provide the ability to roam settings based on the Azure AD account using enterprise roaming. [Learn about enterprise state roaming in Azure AD.](http://go.microsoft.com/fwlink/p/?LinkId=734996)
|
||||
|
||||
Using **Settings** > **Accounts** > **Your email and accounts** > **Add work or school account**, users can add their Azure AD account to the device. Alternatively, a work account can be added when the user signs in to an application like Mail, Word, etc. If you [enable auto-enrollment in your MDM settings](http://go.microsoft.com/fwlink/p/?LinkID=691615), the device will automatically be enrolled in MDM.
|
||||
|
||||
An added work account provides the same SSO experience in browser apps like Office 365 (Office portal, Outlook Web Access, Calendar, People, OneDrive), Azure AD profile and change password app, and Visual Studio. You get SSO to built-in applications like Mail, Calendar, People, OneDrive and files hosted on OneDrive without prompts for a password. In Office apps like Microsoft Word, Microsoft Excel, etc., you simply select the Azure AD account and you are able to open files without entering a password.
|
||||
|
||||
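Review bot: The new sentence after the two bullets, "However, neither of these methods provides SSO in the Windows Store and does not provide the ability to roam settings", mixes "neither" with "does not"; write "neither of these methods provides SSO in the Windows Store or the ability to roam settings based on the Azure AD account". The lead-in also promises "two ways that you can use an added work account", but the first bullet (completing OOBE with **Sign in later**) does not mention adding a work account, so either the lead-in or that bullet needs rewording. Separately, the rewritten reset paragraph drops the statement that the authenticating account changes from the Microsoft account to an Azure AD account; if that was intentional, the following "This is similar to changing a device from personally owned to organizationally owned" now has less to refer back to.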
@ -72,13 +78,13 @@ An added work account provides the same SSO experience in browser apps like Offi
|
||||
|
||||
- **Azure AD configuration**
|
||||
|
||||
Currently, Azure AD join only supports self-provisioning, meaning the credentials of the user of the device must be used during the initial setup of the device. If your mobile operator prepares devices on your behalf, this will impact your ability to join the device to Azure AD.
|
||||
Currently, Azure AD Join only supports self-provisioning, meaning the credentials of the user of the device must be used during the initial setup of the device. If your mobile operator prepares devices on your behalf, this will impact your ability to join the device to Azure AD. Many IT administrators may start with a desire to set up devices for their employees, but the Azure AD Join experience is optimized for end-users, including the option for automatic MDM enrollment.
|
||||
|
||||
By default, Azure AD is set up to allow devices to join and to allow users to use their corporate credentials on organizational-owned devices or personal devices. The blog post [Azure AD Join on Windows 10 devices](http://go.microsoft.com/fwlink/p/?LinkID=616791) has more information on where you can review your Azure AD settings. You can configure Azure AD to not allow anyone to join, to allow everyone in your organization to join, or you can select specific Azure AD groups which are allowed to join.
|
||||
|
||||
- **Device setup**
|
||||
|
||||
A device running Windows 10 Mobile can only join Azure AD during OOBE. New devices from mobile operators will be in this state when they are received. Windows Phone 8.1 devices that are [upgraded](#BKMK_upgrade) to Windows 10 Mobile will need to be reset to get back to OOBE for device setup.
|
||||
A device running Windows 10 Mobile can only join Azure AD during OOBE. New devices from mobile operators will be in this state when they are received. Windows Phone 8.1 devices that are [upgraded](#bkmk-upgrade) to Windows 10 Mobile will need to be reset to get back to OOBE for device setup.
|
||||
|
||||
- **Mobile device management**
|
||||
|
||||
@ -163,12 +169,22 @@ Return to **Settings** > **Accounts** > **Your email and accounts**, and y
|
||||
|
||||
Office applications like Microsoft Word and Microsoft PowerPoint will automatically sign you in with your Azure AD account. When you open an Office app, you see a screen that allows you to choose between a Microsoft account and Azure AD account. Office shows this screen while it is automatically signing you in, so just be patient for a couple seconds and Office will automatically sign you in using your Azure AD account.
|
||||
|
||||
Microsoft Word automatically shows the documents recently opened on other devices. Opening a document allows you to jump straight to the same section you were last editing on another device. Microsoft PowerPoint shows your recently opened slide decks.
|
||||
Microsoft Word automatically shows the documents recently opened on other devices. Opening a document allows you to jump straight to the same section you were last editing on another device.
|
||||
|
||||

|
||||
|
||||
Microsoft PowerPoint shows your recently opened slide decks.
|
||||
|
||||

|
||||
|
||||
The OneDrive application also uses SSO, showing you all your documents and enabling you to open them without any authentication experience.
|
||||
|
||||

|
||||
|
||||
In addition to application SSO, Azure AD joined devices also get SSO for browser applications which trust Azure AD, such as web applications, Visual Studio, Office 365 portal, and OneDrive for Business.
|
||||
|
||||

|
||||
|
||||
OneNote requires a Microsoft account, but you can use it with your Azure AD account as well.
|
||||
|
||||

|
||||
|
@ -18,10 +18,10 @@ author: jdeckerMS
|
||||
|
||||
**In this article**
|
||||
|
||||
- [Install apps](#install_apps)
|
||||
- [Use AppLocker to set rules for apps](#use_applocker_to_set_rules_for_apps)
|
||||
- [Other settings to lock down](#other_settings_to_lock_down)
|
||||
- [Customize Start screen layout for the device](#customize_start_screen_layout_for_the_device)
|
||||
- [Install apps](#install-apps)
|
||||
- [Use AppLocker to set rules for apps](#use-applocker-to-set-rules-for-apps)
|
||||
- [Other settings to lock down](#other-settings-to-lock-down)
|
||||
- [Customize Start screen layout for the device](#customize-start-screen-layout-for-the-device)
|
||||
|
||||
Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.
|
||||
|
||||
|
@ -43,23 +43,28 @@ Enterprises often need to manage how people use corporate devices. Windows 10 p
|
||||
<td align="left"><p>Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>[Configure telemetry and other settings in your organization](manage-privacy-for-windows-10-in-your-company.md)</p></td>
|
||||
<td align="left"><p>Learn about the telemetry that Microsoft gathers, the network connections that Windows components make to Microsoft, and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.</p></td>
|
||||
<td align="left"><p>[Configure telemetry in your organization](configure-telemetry-in-your-organization.md)</p></td>
|
||||
<td align="left"><p>Use this article to make informed decisions about how you can configure telemetry in your organization. We discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>[Disconnect from Microsoft and configure privacy settings in your organization](manage-privacy-for-windows-10-in-your-company.md)</p></td>
|
||||
<td align="left"><p>If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider.</p>
|
||||
<p>If you’re looking for content on what each telemetry level means and how to configure it in your organization, see [Configure telemetry in your organization](configure-telemetry-in-your-organization.md).</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>[Configure access to Windows Store](stop-employees-from-using-the-windows-store.md)</p></td>
|
||||
<td align="left"><p>IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store.</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<tr class="even">
|
||||
<td align="left"><p>[Manage Wi-Fi Sense in your company](manage-wi-fi-sense-in-your-company.md)</p></td>
|
||||
<td align="left"><p>Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense.</p>
|
||||
<p>The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<tr class="odd">
|
||||
<td align="left"><p>[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)</p></td>
|
||||
<td align="left"><p>Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device.</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<tr class="even">
|
||||
<td align="left"><p>[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)</p></td>
|
||||
<td align="left"><p>There are two methods for resetting a Windows 10 Mobile device: factory reset and "wipe and persist" reset.</p></td>
|
||||
</tr>
|
||||
|
@ -17,12 +17,12 @@ author: jdeckerMS
|
||||
|
||||
**In this article**
|
||||
|
||||
- [Order of lockdown settings](#order_of_lockdown_settings)
|
||||
- [Configuring multiple app packages](#BMK_map)
|
||||
- [Lockdown example to use in a lockdown XML file](#lockdown_example_to_use_in_a_lockdown_xml_file)
|
||||
- [Add lockdown XML to a provisioning package](#add_lockdown_xml_to_a_provisioning_package)
|
||||
- [Push lockdown XML using MDM](#push_lockdown_xml_using_mdm)
|
||||
- [Related topics](#related_topics)
|
||||
- [Order of lockdown settings](#order-of-lockdown-settings)
|
||||
- [Configuring multiple app packages](#bmk-map)
|
||||
- [Lockdown example to use in a lockdown XML file](#lockdown-example-to-use-in-a-lockdown-xml-file)
|
||||
- [Add lockdown XML to a provisioning package](#add-lockdown-xml-to-a-provisioning-package)
|
||||
- [Push lockdown XML using MDM](#push-lockdown-xml-using-mdm)
|
||||
- [Related topics](#related-topics)
|
||||
|
||||
Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available.
|
||||
|
||||
@ -41,7 +41,7 @@ The configuration items must be in the following order when you lock down settin
|
||||
- ActionCenter
|
||||
- Apps
|
||||
- Application product ID, as described in [Product IDs in Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkId=698449)
|
||||
- App User Model ID, as described in [Configuring Multiple App Packages](#BMK_map)
|
||||
- App User Model ID, as described in [Configuring Multiple App Packages](#bmk-map)
|
||||
- PinToStart
|
||||
- Size
|
||||
- Location
|
||||
@ -66,7 +66,7 @@ The configuration items must be in the following order when you lock down settin
|
||||
- ActionCenter
|
||||
- Apps
|
||||
- Application product ID, as described in [Product IDs in Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkId=698449)
|
||||
- App User Model ID (AUMID), as described in [Configuring Multiple App Packages](#BMK_map)
|
||||
- App User Model ID (AUMID), as described in [Configuring Multiple App Packages](#bmk-map)
|
||||
- PinToStart
|
||||
- Size
|
||||
- Location
|
||||
@ -87,7 +87,7 @@ The configuration items must be in the following order when you lock down settin
|
||||
- Enable tile manipulation
|
||||
- StartScreenSize
|
||||
|
||||
## Configuring multiple app packages
|
||||
## <a href="" id="bmk-map"></a>Configuring multiple app packages
|
||||
|
||||
|
||||
Multiple app packages enable multiple apps to exist inside the same package. Since product IDs identify packages and not applications, specifying a product ID is not enough to distinguish between individual apps inside a multiple app package. Trying to pin application tiles from a multiple app package with just a product ID can result in unexpected behavior.
|
||||
|
@ -21,7 +21,7 @@ The private store is a feature in Store for Business that organizations receive
|
||||
|
||||

|
||||
|
||||
Organizations using an MDM to manage apps can use a policy to show only the private store. When your MDM supports the Store for Business, the MDM can use the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#group_policy_table). More specifically, the **ApplicationManagement/RequirePrivateStoreOnly** policy.
|
||||
Organizations using an MDM to manage apps can use a policy to show only the private store. When your MDM supports the Store for Business, the MDM can use the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#group-policy-table). More specifically, the **ApplicationManagement/RequirePrivateStoreOnly** policy.
|
||||
|
||||
You can also prevent employees from using the Windows Store. For more information, see [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md).
|
||||
|
||||
|
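Review bot: The Policy CSP link's fragment was changed from `#group_policy_table` to `#group-policy-table`, but this URL points at msdn.microsoft.com, not at a topic in this repository. The underscore-to-hyphen conversion applied to the in-repo anchors should not be applied to external pages unless the target page's anchor was renamed as well; confirm the fragment still resolves on the MSDN page or revert this line.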
@ -19,11 +19,11 @@ author: jdeckerMS
|
||||
|
||||
**In this article**
|
||||
|
||||
- [Identity and management options](#identity_and_management_options)
|
||||
- [How setting conflicts are resolved](#how_setting_conflicts_are_resolved)
|
||||
- [MDM enrollment](#mdm_enrollment)
|
||||
- [Learn more](#learn_more)
|
||||
- [Related topics](#related_topics)
|
||||
- [Identity and management options](#identity-and-management-options)
|
||||
- [How setting conflicts are resolved](#how-setting-conflicts-are-resolved)
|
||||
- [MDM enrollment](#mdm-enrollment)
|
||||
- [Learn more](#learn-more)
|
||||
- [Related topics](#related-topics)
|
||||
|
||||
You can use the same management tools to manage all device types running Windows 10 : desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), Windows PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions.
|
||||
|
||||
|
@ -15,7 +15,7 @@ author: jdeckerMS
|
||||
|
||||
The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments.
|
||||
|
||||
## Cortana integration with Office 365
|
||||
## <a href="" id="cortana-integration-with-o365"></a>Cortana integration with Office 365
|
||||
|
||||
|
||||
Cortana in Windows 10 is already great at letting your employees quickly see what the day is going to look like, see where and when their meetings are going to be, get a sense of travel times to and from work, and even get updates from a calendar for upcoming trips.
|
||||
@ -28,7 +28,7 @@ But Cortana works even harder when she connects to Office 365, helping employees
|
||||
|
||||
- For a quick review of the frequently asked questions about Cortana and Office 365 integration, see the blog post, [An early look at Cortana integration with Office 365](http://go.microsoft.com/fwlink/p/?LinkId=717379).
|
||||
|
||||
## Set up Cortana using Group Policy and MDM policies
|
||||
## <a href="" id="set-up-cortana-using-gp-and-mdm"></a>Set up Cortana using Group Policy and MDM policies
|
||||
|
||||
|
||||
Set up and manage Cortana by using the following Group Policy and mobile device management (MDM) policies.
|
||||
@ -169,7 +169,7 @@ Set up and manage Cortana by using the following Group Policy and mobile device
|
||||
|
||||
- For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkId=717380) topic, located in the configuration service provider reference topics. For specific info about how to set, manage, and use each of these Group Policies to configure Cortana in your enterprise, see the [Group Policy TechCenter](http://go.microsoft.com/fwlink/p/?LinkId=717381).
|
||||
|
||||
## Cortana and Power BI
|
||||
## <a href="" id="cortana-and-bi-power"></a>Cortana and Power BI
|
||||
|
||||
|
||||
Integration between Cortana and Power BI shows how Cortana can work with custom business analytics solutions to enable you to get answers directly from your key business data, including introducing new features that let you create custom Cortana answers using the full capabilities of Power BI Desktop.
|
||||
@ -178,6 +178,19 @@ Integration between Cortana and Power BI shows how Cortana can work with custom
|
||||
|
||||
- For specific info about how to start using Power BI and Cortana integration, how to customize your data results, and how to use the “Hey Cortana” functionality, see the [Power BI: Announcing Power BI integration with Cortana and new ways to quickly find insights in your data](http://go.microsoft.com/fwlink/p/?LinkId=717382) blog.
|
||||
|
||||
## Cortana and Microsoft Dynamics CRM
|
||||
|
||||
|
||||
Cortana integration is a Preview feature that's available for your test or dev environment, starting with the CRM Online 2016 Update. If you decide to use this Preview feature, you'll need to turn in on and accept the license terms. After that, salespeople will get proactive insights from Cortana on important CRM activities, including sales leads, accounts, and opportunities; presenting the most relevant info at any given time.
|
||||
|
||||
**More info:**
|
||||
|
||||
- For more info about Preview features, see [What are Preview features and how do I enable them?](http://go.microsoft.com/fwlink/p/?LinkId=746817).
|
||||
|
||||
- For more info about Cortana, see [What is Cortana?](http://go.microsoft.com/fwlink/p/?LinkId=746818).
|
||||
|
||||
- For more info about CRM integration, how to turn on Cortana, and how to provide feedback, see [Preview feature: Set up Cortana integration](http://go.microsoft.com/fwlink/?LinkId=746819).
|
||||
|
||||
## Cortana and privacy
|
||||
|
||||
|
||||
|
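Review bot: In the new Microsoft Dynamics CRM paragraph, "you'll need to turn in on and accept the license terms" should read "turn it on". The new `## Cortana and Microsoft Dynamics CRM` heading also has no explicit `<a href="" id="..."></a>` anchor, while the neighbouring headings in this file are given one in this commit; add one if this section is meant to be linkable in the same way. The third "More info" link uses `go.microsoft.com/fwlink/?LinkId=746819` where the two above it use the `fwlink/p/?LinkId=` form, so check that this is the intended URL.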
@ -1,142 +1,139 @@
|
||||
---
|
||||
title: Configure telemetry and other settings in your organization (Windows 10)
|
||||
description: Learn about the telemetry that Microsoft gathers, the network connections that Windows components make to Microsoft, and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.
|
||||
title: Disconnect from Microsoft and configure privacy settings in your organization (Windows 10)
|
||||
description: If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider.If you’re looking for content on what each telemetry level means and how to configure it in your organization, see Configure telemetry in your organization.
|
||||
ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9
|
||||
keywords: ["privacy"]
|
||||
ms.prod: W10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
author: jdeckerMS
|
||||
---
|
||||
|
||||
# Configure telemetry and other settings in your organization
|
||||
# Disconnect from Microsoft and configure privacy settings in your organization
|
||||
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
|
||||
Learn about the telemetry that Microsoft gathers, the network connections that Windows components make to Microsoft, and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.
|
||||
If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider.
|
||||
|
||||
If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure telemetry at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
|
||||
If you’re looking for content on what each telemetry level means and how to configure it in your organization, see [Configure telemetry in your organization](configure-telemetry-in-your-organization.md).
|
||||
|
||||
**Note** Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to keep Windows devices secure, and to help Microsoft improve the quality of Windows and Microsoft services. We discuss separately the network connections that Windows features and components make directly to Microsoft Services. It is used to provide a service to the user as part of Windows.
|
||||
Some of the network connections discussed in this article can be managed in Windows 10 Mobile, Windows 10 Mobile Enterprise, and the July release of Windows 10. However, you must use Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511 to manage them all.
|
||||
|
||||
|
||||
In Windows 10 Enterprise, version 1511 or Windows 10 Education, version 1511, you can configure telemetry at the [Security level](configure-telemetry-in-your-organization.md#security-level), turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience.
|
||||
|
||||
Some of the network connections discussed in this article can be managed in Windows 10 Mobile, Windows 10 Mobile Enterprise, and the July release of Windows 10. However, you must use Windows 10 Enterprise, Version 1511 or Windows 10 Education, Version 1511 to manage them all.
|
||||
|
||||
In Windows 10 Enterprise, Version 1511 or Windows 10 Education, Version 1511, you can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience.
|
||||
The settings in this article assume you are using Windows 10, version 1511 (currently available in the Current Branch and Current Branch for Business). They will also be included in the next update for the Long Term Servicing Branch.
|
||||
|
||||
We are always working on improving Windows 10 for our customers. We invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows 10 work better for your organization.
|
||||
|
||||
Here's what's covered in this article:
|
||||
|
||||
- [Info management settings](#bkmk-othersettings)
|
||||
- [1. Cortana](#cortana)
|
||||
|
||||
- [1. Cortana](#1-cortana)
|
||||
- [1.1 Cortana Group Policies](#cortana-group-policies)
|
||||
|
||||
- [1.1 Cortana Group Policies](#bkmk-cortana-gp)
|
||||
- [1.2 Cortana MDM policies](#cortana-mdm-policies)
|
||||
|
||||
- [1.2 Cortana MDM policies](#bkmk-cortana-mdm)
|
||||
- [1.3 Cortana Windows Provisioning](#cortana-windows-provisioning)
|
||||
|
||||
- [1.3 Cortana Windows Provisioning](#bkmk-cortana-prov)
|
||||
- [2. Device metadata retrieval](#device-metadata-retrieval)
|
||||
|
||||
- [2. Device metadata retrieval](#bkmk-devinst)
|
||||
- [3. Insider Preview builds](#insider-preview-builds)
|
||||
|
||||
- [3. Insider Preview builds](#bkmk-previewbuilds)
|
||||
- [4. Internet Explorer](#internet-explorer)
|
||||
|
||||
- [4. Internet Explorer](#bkmk-ie)
|
||||
- [4.1 Internet Explorer Group Policies](#internet-explorer-group-policies)
|
||||
|
||||
- [4.1 Internet Explorer Group Policies](#bkmk-ie-gp)
|
||||
- [4.2 ActiveX control blocking](#internet-explorer-activex-control-blocking)
|
||||
|
||||
- [4.2 ActiveX control blocking](#bkmk-ie-activex)
|
||||
- [5. Mail synchronization](#mail-synchronization)
|
||||
|
||||
- [5. Mail synchronization](#bkmk-mailsync)
|
||||
- [6. Microsoft Edge](#microsoft-edge)
|
||||
|
||||
- [6. Microsoft Edge](#bkmk-edge)
|
||||
- [6.1 Microsoft Edge Group Policies](#microsoft-edge-group-policies)
|
||||
|
||||
- [6.1 Microsoft Edge Group Policies](#bkmk-edgegp)
|
||||
- [6.2 Microsoft Edge MDM policies](#microsoft-edge-mdm-policies)
|
||||
|
||||
- [6.2 Microsoft Edge MDM policies](#bkmk-edge-mdm)
|
||||
- [6.3 Microsoft Edge Windows Provisioning](#microsoft-edge-windows-provisioning)
|
||||
|
||||
- [6.3 Microsoft Edge Windows Provisioning](#bkmk-edge-prov)
|
||||
- [7. Network Connection Status Indicator](#network-connection-status-indicator)
|
||||
|
||||
- [7. Network Connection Status Indicator](#bkmk-ncsi)
|
||||
- [8. Offline maps](#offline-maps)
|
||||
|
||||
- [8. Offline maps](#bkmk-offlinemaps)
|
||||
- [9. OneDrive](#onedrive)
|
||||
|
||||
- [9. OneDrive](#bkmk-onedrive)
|
||||
- [10. Preinstalled apps](#preinstalled-apps)
|
||||
|
||||
- [10. Preinstalled apps](#bkmk-preinstalledapps)
|
||||
- [11. Settings > Privacy](#settings--privacy)
|
||||
|
||||
- [11. Settings > Privacy](#bkmk-settingssection)
|
||||
- [11.1 General](#general)
|
||||
|
||||
- [11.1 General](#bkmk-general)
|
||||
- [11.2 Location](#location)
|
||||
|
||||
- [11.2 Location](#bkmk-priv-location)
|
||||
- [11.3 Camera](#camera)
|
||||
|
||||
- [11.3 Camera](#bkmk-priv-camera)
|
||||
- [11.4 Microphone](#microphone)
|
||||
|
||||
- [11.4 Microphone](#bkmk-priv-microphone)
|
||||
- [11.5 Speech, inking, & typing](#speech-inking--typing)
|
||||
|
||||
- [11.5 Speech, inking, & typing](#bkmk-priv-speech)
|
||||
- [11.6 Account info](#account-info)
|
||||
|
||||
- [11.6 Account info](#bkmk-priv-accounts)
|
||||
- [11.7 Contacts](#contacts)
|
||||
|
||||
- [11.7 Contacts](#bkmk-priv-contacts)
|
||||
- [11.8 Calendar](#calendar)
|
||||
|
||||
- [11.8 Calendar](#bkmk-priv-calendar)
|
||||
- [11.9 Call history](#settings-call-history)
|
||||
|
||||
- [11.9 Call history](#bkmk-priv-callhistory)
|
||||
- [11.10 Email](#settings-email)
|
||||
|
||||
- [11.10 Email](#bkmk-priv-email)
|
||||
- [11.11 Messaging](#settings-messaging)
|
||||
|
||||
- [11.11 Messaging](#bkmk-priv-messaging)
|
||||
- [11.12 Radios](#settings-radios)
|
||||
|
||||
- [11.12 Radios](#bkmk-priv-radios)
|
||||
- [11.13 Other devices](#settings-other-devices)
|
||||
|
||||
- [11.13 Other devices](#bkmk-priv-other-devices)
|
||||
- [11.14 Feedback & diagnostics](#settings-feedback)
|
||||
|
||||
- [11.14 Feedback & diagnostics](#bkmk-priv-feedback)
|
||||
- [11.15 Background apps](#settings-background-apps)
|
||||
|
||||
- [11.15 Background apps](#bkmk-priv-background)
|
||||
- [12. Software Protection Platform](#software-protection-platform)
|
||||
|
||||
- [12. Software Protection Platform](#bkmk-spp)
|
||||
- [13. Sync your settings](#sync-your-settings)
|
||||
|
||||
- [13. Sync your settings](#bkmk-syncsettings)
|
||||
- [14. Teredo](#teredo)
|
||||
|
||||
- [14. Teredo](#bkmk-teredo)
|
||||
- [15. Wi-Fi Sense](#wi-fi-sense)
|
||||
|
||||
- [15. Wi-Fi Sense](#bkmk-wifisense)
|
||||
- [16. Windows Defender](#windows-defender)
|
||||
|
||||
- [16. Windows Defender](#bkmk-defender)
|
||||
- [17. Windows Media Player](#windows-media-player)
|
||||
|
||||
- [17. Windows Media Player](#bkmk-wmp)
|
||||
- [18. Windows spotlight](#windows-spotlight)
|
||||
|
||||
- [18. Windows spotlight](#bkmk-spotlight)
|
||||
- [19. Windows Store](#windows-store)
|
||||
|
||||
- [19. Windows Store](#bkmk-windowsstore)
|
||||
- [20. Windows Update Delivery Optimization](#windows-update-delivery-optimization)
|
||||
|
||||
- [20 Windows Update Delivery Optimization](#bkmk-updates)
|
||||
- [20.1 Settings > Update & security](#settings--update-security)
|
||||
|
||||
- [20.1 Settings > Update & security](#bkmk-wudo-ui)
|
||||
- [20.2 Delivery Optimization Group Policies](#delivery-optimization-group-policies)
|
||||
|
||||
- [20.2 Delivery Optimization Group Policies](#bkmk-wudo-gp)
|
||||
- [20.3 Delivery Optimization MDM policies](#delivery-optimization-mdm-policies)
|
||||
|
||||
- [20.3 Delivery Optimization MDM policies](#bkmk-wudo-mdm)
|
||||
- [20.4 Delivery Optimization Windows Provisioning](#delivery-optimization-windows-provisioning)
|
||||
|
||||
- [20.4 Delivery Optimization Windows Provisioning](#bkmk-wudo-prov)
|
||||
- [21. Windows Update](#windows-update)
|
||||
|
||||
- [21. Windows Update](#bkmk-wu)
|
||||
See the following table for a summary of the settings. For more info, see its corresponding section.
|
||||
|
||||
- [Manage your telemetry settings](#bkmk-utc)
|
||||

|
||||
|
||||
- [How telemetry works](#bkmk-moreutc)
|
||||
|
||||
## What's new in Windows 10, Version 1511
|
||||
## What's new in Windows 10, version 1511
|
||||
|
||||
|
||||
Here's a list of changes that were made to this article for Windows 10, Version 1511:
|
||||
Here's a list of changes that were made to this article for Windows 10, version 1511:
|
||||
|
||||
- Added the following new sections:
|
||||
|
||||
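Review bot: Seven of the rewritten table-of-contents anchors do not match the heading ids this same change introduces further down. The entries for 11.9 to 11.15 point at `#settings-call-history`, `#settings-email`, `#settings-messaging`, `#settings-radios`, `#settings-other-devices`, `#settings-feedback` and `#settings-background-apps`, while the headings carry `id="call-history"`, `id="email"`, `id="messaging"`, `id="radios"`, `id="other-devices"`, `id="feedback--diagnostics"` and `id="background-apps"`, so those in-page links will not resolve. The 11.1 to 11.8 entries (`#general`, `#location`, and so on) do match, so aligning the last seven to the same pattern is enough. Two smaller points in the same hunk: the front-matter description is missing a space in "could consider.If you're looking", and the sentence "If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider." opens two consecutive intro paragraphs; keep it once.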
@ -186,64 +183,12 @@ Here's a list of changes that were made to this article for Windows 10, Version
|
||||
|
||||
- Changed the Windows Update section to apply system-wide settings, and not just per user.
|
||||
|
||||
## <a href="" id="bkmk-othersettings"></a>Info management settings
|
||||
## <a href="" id="cortana"></a>1. Cortana
|
||||
|
||||
|
||||
This section lists the components that make network connections to Microsoft services automatically. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all of these connections. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience.
|
||||
|
||||
The settings in this section assume you are using Windows 10, Version 1511 (currently available in the Current Branch and Current Branch for Business). They will also be included in the next update for the Long Term Servicing Branch.
|
||||
|
||||
- [1. Cortana](#bkmk-cortana)
|
||||
|
||||
- [2. Device metadata retrieval](#bkmk-devinst)
|
||||
|
||||
- [3. Insider Preview builds](#bkmk-previewbuilds)
|
||||
|
||||
- [4. Internet Explorer](#bkmk-ie)
|
||||
|
||||
- [5. Mail synchronization](#bkmk-mailsync)
|
||||
|
||||
- [6. Microsoft Edge](#bkmk-edge)
|
||||
|
||||
- [7. Network Connection Status Indicator](#bkmk-ncsi)
|
||||
|
||||
- [8. Offline maps](#bkmk-offlinemaps)
|
||||
|
||||
- [9. OneDrive](#bkmk-onedrive)
|
||||
|
||||
- [10. Preinstalled apps](#bkmk-preinstalledapps)
|
||||
|
||||
- [11. Settings > Privacy](#bkmk-settingssection)
|
||||
|
||||
- [12. Software Protection Platform](#bkmk-spp)
|
||||
|
||||
- [13. Sync your settings](#bkmk-syncsettings)
|
||||
|
||||
- [14. Teredo](#bkmk-teredo)
|
||||
|
||||
- [15. Wi-Fi Sense](#bkmk-wifisense)
|
||||
|
||||
- [16. Windows Defender](#bkmk-defender)
|
||||
|
||||
- [17. Windows Media Player](#bkmk-wmp)
|
||||
|
||||
- [18. Windows spotlight](#bkmk-spotlight)
|
||||
|
||||
- [19. Windows Store](#bkmk-windowsstore)
|
||||
|
||||
- [20. Windows Update](#bkmk-wu)
|
||||
|
||||
- [21. Windows Update Delivery Optimization](#bkmk-updates)
|
||||
|
||||
See the following table for a summary of the management settings. For more info, see its corresponding section.
|
||||
|
||||

|
||||
|
||||
### 1. Cortana
|
||||
|
||||
Use either Group Policy or MDM policies to manage settings for Cortana. For more info, see [Cortana, Search, and privacy: FAQ]( http://go.microsoft.com/fwlink/p/?LinkId=730683).
|
||||
|
||||
### <a href="" id="bkmk-cortana-gp"></a>1.1 Cortana Group Policies
|
||||
### <a href="" id="cortana-group-policies"></a>1.1 Cortana Group Policies
|
||||
|
||||
Find the Cortana Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Search**.
|
||||
|
||||
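Review bot: The link in the Cortana intro line kept as context here has a space after the opening parenthesis, `[Cortana, Search, and privacy: FAQ]( http://go.microsoft.com/fwlink/p/?LinkId=730683)`, which some Markdown renderers will not treat as a link target. Since this hunk already touches the lines around it, remove the space in the same change.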
@ -319,7 +264,7 @@ If your organization tests network traffic, you should not use Fiddler to test W
|
||||
|
||||
|
||||
|
||||
### <a href="" id="bkmk-cortana-mdm"></a>1.2 Cortana MDM policies
|
||||
### <a href="" id="cortana-mdm-policies"></a>1.2 Cortana MDM policies
|
||||
|
||||
The following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
|
||||
|
||||
@ -350,15 +295,17 @@ The following Cortana MDM policies are available in the [Policy CSP](http://msdn
|
||||
|
||||
|
||||
|
||||
### <a href="" id="bkmk-cortana-prov"></a>1.3 Cortana Windows Provisioning
|
||||
### <a href="" id="cortana-windows-provisioning"></a>1.3 Cortana Windows Provisioning
|
||||
|
||||
To use Windows Imaging and Configuration Designer (ICD) to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies** to find **Experience** > **AllowCortana** and **Search** > **AllowSearchToUseLocation**.
|
||||
|
||||
### <a href="" id="bkmk-devinst"></a>2. Device metadata retrieval
|
||||
## <a href="" id="device-metadata-retrieval"></a>2. Device metadata retrieval
|
||||
|
||||
|
||||
To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**.
|
||||
|
||||
### <a href="" id="bkmk-previewbuilds"></a>3. Insider Preview builds
|
||||
## <a href="" id="insider-preview-builds"></a>3. Insider Preview builds
|
||||
|
||||
|
||||
To turn off Insider Preview builds if you're running a released version of Windows 10. If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds.
|
||||
|
||||
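Review bot: The opening line under the promoted "3. Insider Preview builds" heading, "To turn off Insider Preview builds if you're running a released version of Windows 10.", is a sentence fragment ending in a period. End it with a colon so that it introduces the steps that follow, or reword it as a full sentence, while the heading above it is being edited anyway.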
@ -388,11 +335,12 @@ To turn off Insider Preview builds if you're running a released version of Windo
|
||||
|
||||
- **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
|
||||
|
||||
### <a href="" id="bkmk-ie"></a>4. Internet Explorer
|
||||
## <a href="" id="internet-explorer"></a>4. Internet Explorer
|
||||
|
||||
|
||||
Use Group Policy to manage settings for Internet Explorer.
|
||||
|
||||
### <a href="" id="bkmk-ie-gp"></a>4.1 Internet Explorer Group Policies
|
||||
### <a href="" id="internet-explorer-group-policies"></a>4.1 Internet Explorer Group Policies
|
||||
|
||||
Find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**.
|
||||
|
||||
@ -440,13 +388,14 @@ Find the Internet Explorer Group Policy objects under **Computer Configuration**
|
||||
|
||||
|
||||
|
||||
### <a href="" id="bkmk-ie-activex"></a>4.2 ActiveX control blocking
|
||||
### <a href="" id="internet-explorer-activex-control-blocking"></a>4.2 ActiveX control blocking
|
||||
|
||||
ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero).
|
||||
|
||||
For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx).
|
||||
|
||||
### <a href="" id="bkmk-mailsync"></a>5. Mail synchronization
|
||||
## <a href="" id="mail-synchronization"></a>5. Mail synchronization
|
||||
|
||||
|
||||
To turn off mail synchronization for Microsoft Accounts that are configured on a device:
|
||||
|
||||
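Review bot: The ActiveX control blocking paragraph under the renamed 4.2 heading is missing two pieces of guidance an administrator needs. The value it names lives under HKEY_CURRENT_USER, but the text does not say that it has to be set for each user account, as section 11 does for its per-user settings. It also does not state the trade-off: with DownloadVersionList set to 0, the list of out-of-date ActiveX controls that should be blocked is no longer refreshed. Suggest adding one sentence for each.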
@ -464,16 +413,17 @@ To turn off the Windows Mail app:
|
||||
|
||||
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application**
|
||||
|
||||
### <a href="" id="bkmk-edge"></a>6. Microsoft Edge
|
||||
## <a href="" id="microsoft-edge"></a>6. Microsoft Edge
|
||||
|
||||
|
||||
Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730682).
|
||||
|
||||
### <a href="" id="bkmk-edgegp"></a>6.1 Microsoft Edge Group Policies
|
||||
### <a href="" id="microsoft-edge-group-policies"></a>6.1 Microsoft Edge Group Policies
|
||||
|
||||
Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**.
|
||||
|
||||
**Note**
|
||||
The Microsoft Edge Group Policy names were changed in Windows 10, Version 1511. The table below reflects those changes.
|
||||
The Microsoft Edge Group Policy names were changed in Windows 10, version 1511. The table below reflects those changes.
|
||||
|
||||
|
||||
|
||||
@ -529,7 +479,7 @@ The Microsoft Edge Group Policy names were changed in Windows 10, Version 1511.
|
||||
|
||||
|
||||
|
||||
### <a href="" id="bkmk-edge-mdm"></a>6.2 Microsoft Edge MDM policies
|
||||
### <a href="" id="microsoft-edge-mdm-policies"></a>6.2 Microsoft Edge MDM policies
|
||||
|
||||
The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
|
||||
|
||||
@ -575,13 +525,14 @@ The following Microsoft Edge MDM policies are available in the [Policy CSP](http
|
||||
|
||||
|
||||
|
||||
### <a href="" id="bkmk-edge-prov"></a>6.3 Microsoft Edge Windows Provisioning
|
||||
### <a href="" id="microsoft-edge-windows-provisioning"></a>6.3 Microsoft Edge Windows Provisioning
|
||||
|
||||
Use Windows ICD to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies**.
|
||||
|
||||
For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx).
|
||||
|
||||
### <a href="" id="bkmk-ncsi"></a>7. Network Connection Status Indicator
|
||||
## <a href="" id="network-connection-status-indicator"></a>7. Network Connection Status Indicator
|
||||
|
||||
|
||||
Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftncsi.com to determine if the device can communicate with the Internet. For more info about NCIS, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx).
|
||||
|
||||
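Review bot: In the NCSI paragraph, "For more info about NCIS" transposes the acronym; it should be NCSI, as in the heading and the rest of the paragraph. In the 6.3 paragraph above it, "Use Windows ICD to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies**." is a comma splice; the wording used in 1.3 ("To use Windows Imaging and Configuration Designer (ICD) to create a provisioning package ..., go to ...") reads correctly and could be reused here.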
@ -589,7 +540,8 @@ You can turn off NCSI through Group Policy:
|
||||
|
||||
- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests**
|
||||
|
||||
### <a href="" id="bkmk-offlinemaps"></a>8. Offline maps
|
||||
## <a href="" id="offline-maps"></a>8. Offline maps
|
||||
|
||||
|
||||
You can turn off the ability to download and update offline maps.
|
||||
|
||||
@ -599,13 +551,15 @@ You can turn off the ability to download and update offline maps.
|
||||
|
||||
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data**
|
||||
|
||||
### <a href="" id="bkmk-onedrive"></a>9. OneDrive
|
||||
## <a href="" id="onedrive"></a>9. OneDrive
|
||||
|
||||
|
||||
To turn off OneDrive in your organization:
|
||||
|
||||
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage**
|
||||
|
||||
### <a href="" id="bkmk-preinstalledapps"></a>10. Preinstalled apps
|
||||
## <a href="" id="preinstalled-apps"></a>10. Preinstalled apps
|
||||
|
||||
|
||||
Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section.
|
||||
|
||||
@ -717,41 +671,12 @@ To remove the Get Skype app:
|
||||
|
||||
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage**
|
||||
|
||||
### <a href="" id="bkmk-settingssection"></a>11. Settings > Privacy
|
||||
## <a href="" id="settings--privacy"></a>11. Settings > Privacy
|
||||
|
||||
|
||||
Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC.
|
||||
|
||||
- [11.1 General](#bkmk-general)
|
||||
|
||||
- [11.2 Location](#bkmk-priv-location)
|
||||
|
||||
- [11.3 Camera](#bkmk-priv-camera)
|
||||
|
||||
- [11.4 Microphone](#bkmk-priv-microphone)
|
||||
|
||||
- [11.5 Speech, inking, & typing](#bkmk-priv-speech)
|
||||
|
||||
- [11.6 Account info](#bkmk-priv-accounts)
|
||||
|
||||
- [11.7 Contacts](#bkmk-priv-contacts)
|
||||
|
||||
- [11.8 Calendar](#bkmk-priv-calendar)
|
||||
|
||||
- [11.9 Call history](#bkmk-priv-callhistory)
|
||||
|
||||
- [11.10 Email](#bkmk-priv-email)
|
||||
|
||||
- [11.11 Messaging](#bkmk-priv-messaging)
|
||||
|
||||
- [11.12 Radios](#bkmk-priv-radios)
|
||||
|
||||
- [11.13 Other devices](#bkmk-priv-other-devices)
|
||||
|
||||
- [11.14 Feedback & diagnostics](#bkmk-priv-feedback)
|
||||
|
||||
- [11.15 Background apps](#bkmk-priv-background)
|
||||
|
||||
### <a href="" id="bkmk-priv-general"></a>11.1 General
|
||||
### <a href="" id="general"></a>11.1 General
|
||||
|
||||
**General** includes options that don't fall into other areas.
|
||||
|
||||
@ -823,7 +748,7 @@ To turn off **Let websites provide locally relevant content by accessing my lang
|
||||
|
||||
- Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1.
|
||||
|
||||
### <a href="" id="bkmk-priv-location"></a>11.2 Location
|
||||
### <a href="" id="location"></a>11.2 Location
|
||||
|
||||
In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location.
|
||||
|
||||
@ -876,7 +801,7 @@ To turn off **Choose apps that can use your location**:
|
||||
|
||||
- Turn off each app using the UI.
|
||||
|
||||
### <a href="" id="bkmk-priv-camera"></a>11.3 Camera
|
||||
### <a href="" id="camera"></a>11.3 Camera
|
||||
|
||||
In the **Camera** area, you can choose which apps can access a device's camera.
|
||||
|
||||
@ -915,7 +840,7 @@ To turn off **Choose apps that can use your camera**:
|
||||
|
||||
- Turn off the feature in the UI for each app.
|
||||
|
||||
### <a href="" id="bkmk-priv-microphone"></a>11.4 Microphone
|
||||
### <a href="" id="microphone"></a>11.4 Microphone
|
||||
|
||||
In the **Microphone** area, you can choose which apps can access a device's microphone.
|
||||
|
||||
@ -933,7 +858,7 @@ To turn off **Choose apps that can use your microphone**:
|
||||
|
||||
- Turn off the feature in the UI for each app.
|
||||
|
||||
### <a href="" id="bkmk-priv-speech"></a>11.5 Speech, inking, & typing
|
||||
### <a href="" id="speech-inking--typing"></a>11.5 Speech, inking, & typing
|
||||
|
||||
In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees.
|
||||
|
||||
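Review bot: The Speech, inking, & typing description has "calendar entrees", which should be "calendar entries". It also says "your employee's voice and written input" and then "their voice and writing"; use "employees'" or keep the singular throughout.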
@ -958,7 +883,7 @@ To turn off the functionality:
|
||||
|
||||
Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero).
|
||||
|
||||
### <a href="" id="bkmk-priv-accounts"></a>11.6 Account info
|
||||
### <a href="" id="account-info"></a>11.6 Account info
|
||||
|
||||
In the **Account Info** area, you can choose which apps can access your name, picture, and other account info.
|
||||
|
||||
@ -976,7 +901,7 @@ To turn off **Choose the apps that can access your account info**:
|
||||
|
||||
- Turn off the feature in the UI for each app.
|
||||
|
||||
### <a href="" id="bkmk-priv-contacts"></a>11.7 Contacts
|
||||
### <a href="" id="contacts"></a>11.7 Contacts
|
||||
|
||||
In the **Contacts** area, you can choose which apps can access an employee's contacts list.
|
||||
|
||||
@ -990,7 +915,7 @@ To turn off **Choose apps that can access contacts**:
|
||||
|
||||
- Set the **Select a setting** box to **Force Deny**.
|
||||
|
||||
### <a href="" id="bkmk-priv-calendar"></a>11.8 Calendar
|
||||
### <a href="" id="calendar"></a>11.8 Calendar
|
||||
|
||||
In the **Calendar** area, you can choose which apps have access to an employee's calendar.
|
||||
|
||||
@ -1008,7 +933,7 @@ To turn off **Choose apps that can access calendar**:
|
||||
|
||||
- Turn off the feature in the UI for each app.
|
||||
|
||||
### <a href="" id="bkmk-priv-callhistory"></a>11.9 Call history
|
||||
### <a href="" id="call-history"></a>11.9 Call history
|
||||
|
||||
In the **Call history** area, you can choose which apps have access to an employee's call history.
|
||||
|
||||
@ -1022,7 +947,7 @@ To turn off **Let apps access my call history**:
|
||||
|
||||
- Set the **Select a setting** box to **Force Deny**.
|
||||
|
||||
### <a href="" id="bkmk-priv-email"></a>11.10 Email
|
||||
### <a href="" id="email"></a>11.10 Email
|
||||
|
||||
In the **Email** area, you can choose which apps have can access and send email.
|
||||
|
||||
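Review bot: The Email description reads "you can choose which apps have can access and send email"; drop the stray "have" so that it matches the neighbouring sections ("which apps can read or send messages").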
@ -1036,7 +961,7 @@ To turn off **Let apps access and send email**:
|
||||
|
||||
- Set the **Select a setting** box to **Force Deny**.
|
||||
|
||||
### <a href="" id="bkmk-priv-messaging"></a>11.11 Messaging
|
||||
### <a href="" id="messaging"></a>11.11 Messaging
|
||||
|
||||
In the **Messaging** area, you can choose which apps can read or send messages.
|
||||
|
||||
@ -1054,7 +979,7 @@ To turn off **Choose apps that can read or send messages**:
|
||||
|
||||
- Turn off the feature in the UI for each app.
|
||||
|
||||
### <a href="" id="bkmk-priv-radios"></a>11.12 Radios
|
||||
### <a href="" id="radios"></a>11.12 Radios
|
||||
|
||||
In the **Radios** area, you can choose which apps can turn a device's radio on or off.
|
||||
|
||||
@ -1072,7 +997,7 @@ To turn off **Choose apps that can control radios**:
|
||||
|
||||
- Turn off the feature in the UI for each app.
|
||||
|
||||
### <a href="" id="bkmk-priv-other-devices"></a>11.13 Other devices
|
||||
### <a href="" id="other-devices"></a>11.13 Other devices
|
||||
|
||||
In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info.
|
||||
|
||||
@ -1090,7 +1015,7 @@ To turn off **Let your apps use your trusted devices (hardware you've already co
|
||||
|
||||
- Set the **Select a setting** box to **Force Deny**.
|
||||
|
||||
### <a href="" id="bkmk-priv-feedback"></a>11.14 Feedback & diagnostics
|
||||
### <a href="" id="feedback--diagnostics"></a>11.14 Feedback & diagnostics
|
||||
|
||||
In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft.
|
||||
|
||||
@ -1164,7 +1089,7 @@ To change the level of diagnostic and usage data sent when you **Send your devic
|
||||
|
||||
- **3**. Maps to the [Full](#bkmk-utc-full) level.
|
||||
|
||||
### <a href="" id="bkmk-priv-background"></a>11.15 Background apps
|
||||
### <a href="" id="background-apps"></a>11.15 Background apps
|
||||
|
||||
In the **Background Apps** area, you can choose which apps can run in the background.
|
||||
|
||||
@ -1172,7 +1097,8 @@ To turn off **Let apps run in the background**:
|
||||
|
||||
- Turn off the feature in the UI for each app.
|
||||
|
||||
### <a href="" id="bkmk-spp"></a>12. Software Protection Platform
|
||||
## <a href="" id="software-protection-platform"></a>12. Software Protection Platform
|
||||
|
||||
|
||||
Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by applying the following Group Policy:
|
||||
|
||||
@ -1180,7 +1106,8 @@ Enterprise customers can manage their Windows activation status with volume lice
|
||||
|
||||
The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
|
||||
|
||||
### <a href="" id="bkmk-syncsettings"></a>13. Sync your settings
|
||||
## <a href="" id="sync-your-settings"></a>13. Sync your settings
|
||||
|
||||
|
||||
You can control if your settings are synchronized:
|
||||
|
||||
@ -1206,13 +1133,15 @@ To turn off Messaging cloud sync:
|
||||
|
||||
- Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero).
|
||||
|
||||
### <a href="" id="bkmk-teredo"></a>14. Teredo
|
||||
## <a href="" id="teredo"></a>14. Teredo
|
||||
|
||||
|
||||
You can disable Teredo by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx).
|
||||
|
||||
- From an elevated command prompt, run **netsh interface teredo set state disabled**
|
||||
|
||||
### <a href="" id="bkmk-wifisense"></a>15. Wi-Fi Sense
|
||||
## <a href="" id="wi-fi-sense"></a>15. Wi-Fi Sense
|
||||
|
||||
|
||||
Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them.
|
||||
|
||||
@ -1238,7 +1167,8 @@ To turn off **Connect to suggested open hotspots** and **Connect to networks sha
|
||||
|
||||
When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee.
|
||||
|
||||
### <a href="" id="bkmk-defender"></a>16. Windows Defender
|
||||
## <a href="" id="windows-defender"></a>16. Windows Defender
|
||||
|
||||
|
||||
You can opt of the Microsoft Antimalware Protection Service.
|
||||
|
||||
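Review bot: The unchanged sentence directly under the renamed section 16 heading reads "You can opt of the Microsoft Antimalware Protection Service", which is missing "out". This hunk already touches the heading above it, so fix the sentence in the same change so that the opt-out instruction reads correctly.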
@ -1274,7 +1204,8 @@ You can stop sending file samples back to Microsoft.
|
||||
|
||||
You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1.
|
||||
|
||||
### <a href="" id="bkmk-wmp"></a>17. Windows Media Player
|
||||
## <a href="" id="windows-media-player"></a>17. Windows Media Player
|
||||
|
||||
|
||||
To remove Windows Media Player:
|
||||
|
||||
@ -1284,7 +1215,8 @@ To remove Windows Media Player:
|
||||
|
||||
- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer**
|
||||
|
||||
### <a href="" id="bkmk-spotlight"></a>18. Windows spotlight
|
||||
## <a href="" id="windows-spotlight"></a>18. Windows spotlight
|
||||
|
||||
|
||||
Windows spotlight provides different background images and text on the lock screen. You can control it by using the user interface or through Group Policy.
|
||||
|
||||
@ -1315,13 +1247,15 @@ Windows spotlight provides different background images and text on the lock scre
|
||||
|
||||
For more info, see [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md).
|
||||
|
||||
### <a href="" id="bkmk-windowsstore"></a>19. Windows Store
|
||||
## <a href="" id="windows-store"></a>19. Windows Store
|
||||
|
||||
|
||||
You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled.
|
||||
|
||||
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**.
|
||||
|
||||
### <a href="" id="bkmk-updates"></a>20. Windows Update Delivery Optimization
|
||||
## <a href="" id="windows-update-delivery-optmization"></a>20. Windows Update Delivery Optimization
|
||||
|
||||
|
||||
Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization’s PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet.
|
||||
|
||||
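Review bot: The new id on the section 20 heading is misspelled: `windows-update-delivery-optmization` is missing the "i" in "optimization". Anchor ids end up in published URLs, so correct it to `windows-update-delivery-optimization` now, before anything links to the misspelled form.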
@ -1329,13 +1263,13 @@ By default, PCs running Windows 10 Enterprise and Windows 10 Education will on
|
||||
|
||||
Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delivery Optimization.
|
||||
|
||||
### <a href="" id="bkmk-wudo-ui"></a>20.1 Settings > Update & security
|
||||
### <a href="" id="settings--update--security"></a>20.1 Settings > Update & security
|
||||
|
||||
You can set up Delivery Optimization from the **Settings** UI.
|
||||
|
||||
- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**.
|
||||
|
||||
### <a href="" id="bkmk-wudo-gp"></a>20.2 Delivery Optimization Group Policies
|
||||
### <a href="" id="delivery-optimization-group-policies"></a>20.2 Delivery Optimization Group Policies
|
||||
|
||||
You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**.
|
||||
|
||||
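Review bot: The new id for heading 20.1, `settings--update--security`, carries doubled hyphens where `>` and `&` were stripped and no longer says the section belongs to Delivery Optimization, unlike its sibling `delivery-optimization-group-policies` on 20.2. It would also collide with any other heading whose text is "Settings > Update & security". Prefer an explicit id such as `delivery-optimization-settings-ui`.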
@ -1392,7 +1326,7 @@ You can find the Delivery Optimization Group Policy objects under **Computer Con
|
||||
|
||||
|
||||
|
||||
### <a href="" id="bkmk-wudo-mdm"></a>20.3 Delivery Optimization MDM policies
|
||||
### <a href="" id="delivery-optimization-mdm-policies"></a>20.3 Delivery Optimization MDM policies
|
||||
|
||||
The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
|
||||
|
||||
@ -1449,7 +1383,7 @@ The following Delivery Optimization MDM policies are available in the [Policy CS
|
||||
|
||||
|
||||
|
||||
### <a href="" id="bkmk-wudo-prov"></a>20.4 Delivery Optimization Windows Provisioning
|
||||
### <a href="" id="delivery-optimization-windows-provisioning"></a>20.4 Delivery Optimization Windows Provisioning
|
||||
|
||||
If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies
|
||||
|
||||
@ -1465,7 +1399,8 @@ Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windo
|
||||
|
||||
For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](http://go.microsoft.com/fwlink/p/?LinkId=730684).
|
||||
|
||||
### <a href="" id="bkmk-wu"></a>21. Windows Update
|
||||
## <a href="" id="windows-update"></a>21. Windows Update
|
||||
|
||||
|
||||
You can turn off Windows Update by setting the following registry entries:
|
||||
|
||||
@ -1497,275 +1432,6 @@ You can turn off automatic updates by doing one of the following. This is not re
|
||||
|
||||
To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx).
|
||||
|
||||
## <a href="" id="bkmk-utc"></a>Manage your telemetry settings
|
||||
|
||||
|
||||
You can manage your telemetry settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your telemetry levels through a management policy overrides any device-level settings.
|
||||
|
||||
You can set your organization’s devices to use 1 of 4 telemetry levels:
|
||||
|
||||
- [Security](#bkmk-utc-security) (only available on Windows 10 Enterprise, Windows 10 Education, and Windows 10 IoT Core (IoT Core) editions)
|
||||
|
||||
- [Basic](#bkmk-utc-basic)
|
||||
|
||||
- [Enhanced](#bkmk-utc-enhanced)
|
||||
|
||||
- [Full](#bkmk-utc-full)
|
||||
|
||||
For more info about these telemetry levels, see [Telemetry levels](#bkmk-telemetrylevels). In Windows 10 Enterprise, Windows 10 Education, and IoT Core, the default telemetry level is [Enhanced](#bkmk-utc-enhanced).
|
||||
|
||||
**Important**
|
||||
These telemetry levels only apply to Windows components and apps that use the Connected User Experience and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these telemetry levels. App publishers must let people know about how they use their telemetry, ways to opt in or opt out, and they must separately document their privacy policies.
|
||||
|
||||
|
||||
|
||||
### <a href="" id="use-group-policy-to-set-the-telemetry-level"></a>Use Group Policy to set the telemetry level
|
||||
|
||||
Use a Group Policy object to set your organization’s telemetry level.
|
||||
|
||||
1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**.
|
||||
|
||||
2. Double-click **Allow Telemetry**.
|
||||
|
||||
3. In the **Options** box, select the level that you want to configure, and then click **OK**.
|
||||
|
||||
### <a href="" id="use-mdm-to-set-the-telemetry-level"></a>Use MDM to set the telemetry level
|
||||
|
||||
Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy, using one of these telemetry values:
|
||||
|
||||
- **0**. Maps to the [Security](#bkmk-utc-security) level.
|
||||
|
||||
- **1**. Maps to the [Basic](#bkmk-utc-basic) level.
|
||||
|
||||
- **2**. Maps to the [Enhanced](#bkmk-utc-enhanced) level.
|
||||
|
||||
- **3**. Maps to the [Full](#bkmk-utc-full) level.
|
||||
|
||||
### <a href="" id="use-windows-provisioning-to-set-the-telemetry-level"></a>Use Windows Provisioning to set the telemetry level
|
||||
|
||||
Use Windows Provisioning and the Windows Imaging and Configuration Designer (Windows ICD) tool – part of the [Windows Assessment and Deployment Kit (Windows ADK) toolkit](http://go.microsoft.com/fwlink/p/?LinkId=526803) - to create a provisioning package and runtime setting that sets your organization’s telemetry level.
|
||||
|
||||
After you create the provisioning package, you can email it to your employees, put it on a network share, or integrate the package directly into a custom image using Windows ICD.
|
||||
|
||||
**To use Windows ICD to integrate your package into a custom image**
|
||||
|
||||
1. Open Windows ICD, and then click **New provisioning package**.
|
||||
|
||||
2. In the **Name** box, type a name for the provisioning package, and then click **Next**.
|
||||
|
||||
3. Click **Common to all Windows editions** > **Next** > **Finish**.
|
||||
|
||||
4. Go to **Runtime settings** > **Policies** > **System** > **AllowTelemetry** to configure the policies. You can set it to one of the following:
|
||||
|
||||
- **Disabled \[Enterprise SKU Only\]**. Maps to the [Security](#bkmk-utc-security) level.
|
||||
|
||||
- **Basic**. Maps to the [Basic](#bkmk-utc-basic) level.
|
||||
|
||||
- **Full**. Maps to the [Enhanced](#bkmk-utc-enhanced) level
|
||||
|
||||
- **Diagnostic**. Maps to the [Full](#bkmk-utc-full) level.
|
||||
|
||||
5. After you've added all of your settings to the provisioning package, click **Export** > **Provisioning package**.
|
||||
|
||||
6. On the **Describe the provisioning package** step, in the **Owner** box, click **IT Admin** > **Next**.
|
||||
|
||||
7. On the **Select security details for the provisioning package** step, if you want to protect the package with a password, select the **Encrypt package** check box. If you'd like to sign the package with a certificate, select the **Sign package** check box and select the certificate to use. Click **Next**.
|
||||
|
||||
8. On the **Select where to save the provisioning package** step, if you want to save it somewhere other than the Windows ICD project folder, choose a new location, and then click **Next**.
|
||||
|
||||
9. On the **Build the provisioning package** step, click **Build**.
|
||||
|
||||
### <a href="" id="use-registry-editor-to-set-the-telemetry-level"></a>Use Registry Editor to set the telemetry level
|
||||
|
||||
Use Registry Editor to manually set the registry level on each device in your organization, or write a script to edit the registry.
|
||||
|
||||
If a management policy already exists (from Group Policy, MDM, or Windows Provisioning), it will override this registry setting.
|
||||
|
||||
1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection**.
|
||||
|
||||
2. Right-click **DataCollection**, click **New**, and then click **DWORD (32-bit) Value**.
|
||||
|
||||
3. Type **AllowTelemetry**, and then press ENTER.
|
||||
|
||||
4. Double-click **AllowTelemetry** and set the value to one of the following levels, and the click **OK**.
|
||||
|
||||
- **0**. This setting maps to the [Security](#bkmk-utc-security) level.
|
||||
|
||||
- **1**. This setting maps to the [Basic](#bkmk-utc-basic) level.
|
||||
|
||||
- **2**. This setting maps to the [Enhanced](#bkmk-utc-enhanced) level
|
||||
|
||||
- **3**. This setting maps to the [Full](#bkmk-utc-full) level.
|
||||
|
||||
5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization.
|
||||
|
||||
### <a href="" id="additional-telemetry-controls"></a>Additional telemetry controls
|
||||
|
||||
There are a few more settings that you can turn off that may send telemetry information:
|
||||
|
||||
- To turn off Windows Update telemetry, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](http://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/).
|
||||
|
||||
- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**.
|
||||
|
||||
- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716).
|
||||
|
||||
- Turn off Linguistic Data Collection in **Settings** > **Privacy**. At telemetry levels Enhanced and Full, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary. For more info, see the **Get to know me** setting in the [Speech, inking, & typing](#bkmk-priv-speech) section of this article and the **Send Microsoft info about how I write to help us improve typing and writing in the future** setting in the [General](#bkmk-priv-general) section of this article.
|
||||
|
||||
**Note**
|
||||
Microsoft doesn't intentionally gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
|
||||
|
||||
|
||||
|
||||
## <a href="" id="bkmk-moreutc"></a>How telemetry works
|
||||
|
||||
|
||||
Windows uses telemetry information to analyze and fix software problems. It also helps Microsoft improve its software and provide updates that enhance the security and reliability of devices within your organization.
|
||||
|
||||
### <a href="" id="bkmk-telemetrylevels"></a>Telemetry levels
|
||||
|
||||
This section explains the different telemetry levels in Windows 10. These levels are available on all desktop and mobile editions of Windows 10, with the exception of the Security level which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core.
|
||||
|
||||
- **Security**. Information that’s required to help keep Windows secure, including info about theConnected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. This level is available only on Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core.
|
||||
|
||||
- **Basic**. Basic device info, including: quality-related info, app compat, and info from the Security level.
|
||||
|
||||
- **Enhanced** Additional insights, including: how Windows and Windows apps are used, how they perform, advanced reliability info, and info from both the Basic and the Security levels.
|
||||
|
||||
- **Full**. All info necessary to identify and help to fix problems, plus info from the Security, Basic, and Enhanced levels.
|
||||
|
||||
As a diagram:
|
||||
|
||||

|
||||
|
||||
### <a href="" id="bkmk-utc-security"></a>Security level
|
||||
|
||||
The Security level gathers only telemetry info that’s required to keep Windows devices secure. This level is only available on Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core editions.
|
||||
|
||||
**Note**
|
||||
If your organization relies on Windows Update for updates, you shouldn’t use the Security level. Because no Windows Update information is gathered at this level, Microsoft can’t tell whether an update successfully installed.
|
||||
|
||||
You can continue to use Windows Server Update Services and System Center Configuration Manager while using the Security level.
|
||||
|
||||
|
||||
|
||||
Security level info includes:
|
||||
|
||||
- **Connected User Experience and Telemetry component settings**. If data has been gathered and is queued to be sent, the Connected User Experience and Telemetry component downloads its settings file from Microsoft’s servers. The data collected by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
|
||||
|
||||
- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
|
||||
|
||||
**Note**
|
||||
You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users.
|
||||
|
||||
|
||||
|
||||
- **Windows Defender**. Windows Defender requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address. To configure this, see [Windows Defender](#bkmk-defender).
|
||||
|
||||
**Note**
|
||||
This reporting can be turned off and no information is included if a customer is using third party antimalware software, or if Windows Defender is turned off.
|
||||
|
||||
Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates; moreover, Window Defender requires updated anti-malware signatures in order to provide security functionality.
|
||||
|
||||
|
||||
|
||||
No user content, such as user files or communications, is gathered at the Security telemetry level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time.
|
||||
|
||||
To set the telemetry level to Security, use a management policy (Group Policy or MDM) or by manually changing the setting in the registry. For more info, see the [Manage your telemetry settings](#bkmk-utc) section of this article.
|
||||
|
||||
### <a href="" id="bkmk-utc-basic"></a>Basic level
|
||||
|
||||
The Basic level gathers a limited set of info that’s critical for understanding the device and its configuration. This level also includes the Security level info. This level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version.
|
||||
|
||||
Basic level info includes:
|
||||
|
||||
- **Basic device info**. Helps provide an understanding about the various types of devices in the Windows 10 ecosystem, including:
|
||||
|
||||
- Device attributes, such as camera resolution and display type
|
||||
|
||||
- Internet Explorer version
|
||||
|
||||
- Battery attributes, such as capacity and type
|
||||
|
||||
- Networking attributes, such as mobile operator network and IMEI number
|
||||
|
||||
- Processor and memory attributes, such as number of cores, speed, and firmware
|
||||
|
||||
- Operating system attributes, such as Windows edition and IsVirtualDevice
|
||||
|
||||
- Storage attributes, such as number of drives and memory size
|
||||
|
||||
- **Connected User Experience and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experience and Telemetry component is functioning, including uploaded events, dropped events, and the last upload time.
|
||||
|
||||
- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the amount of time a connected standby device was able to fullsleep, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app.
|
||||
|
||||
- **App compat info**. Helps provide understanding about which apps are installed on a device and to help identify potential compatibility problems.
|
||||
|
||||
- **General app info and app info for Internet Explorer add-ons**. Includes a list of apps and Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade. This app info includes the app name, publisher, version, and basic details about which files have been blocked from usage.
|
||||
|
||||
- **System info**. Helps provide understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as info about the processor and BIOS.
|
||||
|
||||
- **Accessory device info**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system.
|
||||
|
||||
- **Driver info**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This info can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements.
|
||||
|
||||
- **Store**. Provides info about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses.
|
||||
|
||||
### <a href="" id="bkmk-utc-enhanced"></a>Enhanced level
|
||||
|
||||
The Enhanced level gathers info about how Windows and apps are used and how they perform. This level also includes info from both the Basic and Security levels. This level helps to improve experiences by analyzing user interaction with the operating system and apps. Info from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
|
||||
|
||||
Enhanced level info includes:
|
||||
|
||||
- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, and other components.
|
||||
|
||||
- **Operating system app events**. A set of events resulting from Microsoft apps that were downloaded from the Store or pre-installed with Windows, including Photos, Mail, and Microsoft Edge.
|
||||
|
||||
- **Device-specific events**. Contains info about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events.
|
||||
|
||||
If the Connected User Experience and Telemetry component detects a problem that requires gathering more detailed instrumentation, then the Connected User Experience and Telemetry component will only gather info about the events associated with the specific issue, for no more than 2 weeks. Also, if the operating system or an app crashes or hangs, Microsoft will gather the memory contents of the faulting process only at the time of the crash or hang.
|
||||
|
||||
### <a href="" id="bkmk-utc-full"></a>Full level
|
||||
|
||||
The Full level gathers info necessary to identify and to help fix problems, following the approval process described below. This level also includes info from the Basic, Enhanced, and Security levels.
|
||||
|
||||
Additionally, at this level, devices opted in to the Windows Insider Program will send events that can show Microsoft how pre-release binaries and features are performing. All devices in the Windows Insider Program are automatically set to this level.
|
||||
|
||||
If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional info becomes necessary. This info can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the Full telemetry level and have exhibited the problem.
|
||||
|
||||
However, before more info is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information:
|
||||
|
||||
- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe.
|
||||
|
||||
- Ability to get registry keys.
|
||||
|
||||
- Ability to gather user content, such as documents, if they might have been the trigger for the issue.
|
||||
|
||||
### <a href="" id="how-is-telemetry-information-handled-by-microsoft-"></a>How is telemetry information handled by Microsoft?
|
||||
|
||||
### <a href="" id="collection"></a>Collection
|
||||
|
||||
Information gathered by the Connected User Experience and Telemetry component complies with Microsoft’s security and privacy policies, as well as international laws and regulations. Only those who can demonstrate a valid business need can access the telemetry info.
|
||||
|
||||
### <a href="" id="data-transfer"></a>Data Transfer
|
||||
|
||||
All telemetry info is encrypted during transfer from the device to the Microsoft Data Management Service. Data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as gaming achievements, are always sent immediately. Normal events are not uploaded on metered networks. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
|
||||
|
||||
### <a href="" id="microsoft-data-management-service"></a>Microsoft Data Management Service
|
||||
|
||||
The Microsoft Data Management Service routes information to internal cloud storage, where it's compiled into business reports for analysis and research. Sensitive info is stored in a separate data store that’s locked down to a small subset of Microsoft employees in the Windows Devices Group. The privacy governance team permits access only to people with a valid business justification. The Connected User Experiences and Telemetry component connects to the Microsoft Data Management service at v10.vortex-win.data.microsoft.com. The Connected User Experience and Telemetry component connects to settings-win.data.microsoft.com to collect its settings.
|
||||
|
||||
### <a href="" id="usage"></a>Usage
|
||||
|
||||
Information is used by teams within Microsoft to provide, improve, and personalize experiences, and for security, health, quality, and performance analysis.
|
||||
|
||||
An example of personalization is to create individually tailored in-product messages.
|
||||
|
||||
Microsoft doesn’t share organization-specific customer information with third parties, except at the customer’s direction or for the limited purposes described in the privacy statement. However, we do share business reports with partners that include aggregated, anonymous telemetry information. Decisions to share info are made by an internal team that includes privacy, legal, and data management professionals.
|
||||
|
||||
### <a href="" id="retention"></a>Retention
|
||||
|
||||
Microsoft believes in and practices information minimization, so we only gather the info we need, and we only store it for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, particularly if there is a regulatory requirement to do so. Info is typically gathered at a fractional sampling rate, which for some client services, can be as low as 1%.
|
||||
|
||||
|
||||
|
||||
|
||||
|
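Review bot: The telemetry text in this hunk links to in-page anchors such as `[Windows Defender](#bkmk-defender)`, `#bkmk-priv-speech`, `#bkmk-priv-general` and its own `#bkmk-utc-*` targets, and `bkmk-defender` is renamed to `windows-defender` elsewhere in this patch. The hunk header shrinks 275 lines to 6, so if this content is relocated to another topic, those links need the new ids and a file name in front of the fragment. Also confirm that the **AllowTelemetry** registry path and the two endpoint names (`v10.vortex-win.data.microsoft.com`, `settings-win.data.microsoft.com`) survive the move, since administrators need them for policy and firewall rules. Fix "theConnected" and "and the click **OK**" in the relocated copy.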
@ -26,7 +26,7 @@ Wi-Fi Sense isn’t available in all countries or regions.
|
||||
|
||||
|
||||
|
||||
## How does Wi-Fi Sense work?
|
||||
## <a href="" id="how-does-wifi-sense-work"></a>How does Wi-Fi Sense work?
|
||||
|
||||
|
||||
Wi-Fi Sense connects your employees to the available Wi-Fi networks, including:
|
||||
@ -42,7 +42,7 @@ Employees can't share network info with their contacts for any company network u
|
||||
|
||||
|
||||
|
||||
## How to manage Wi-Fi Sense in your company
|
||||
## <a href="" id="how-to-manage-wifi-sense-in-your-company"></a>How to manage Wi-Fi Sense in your company
|
||||
|
||||
|
||||
In a company environment, you will most likely deploy Windows 10 to your employees' PCs using your preferred deployment method and then manage their settings globally. With that in mind, you have a few options for managing how your employees will use Wi-Fi Sense.
|
||||
@ -52,7 +52,7 @@ Turning off Wi-Fi Sense also turns off all related features, including: connecti
|
||||
|
||||
|
||||
|
||||
### Using Group Policy (available starting with Windows 10, Version 1511)
|
||||
### Using Group Policy (available starting with Windows 10, version 1511)
|
||||
|
||||
You can manage your Wi-Fi Sense settings by using Group Policy and your Group Policy editor.
|
||||
|
||||
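Review bot: The "Using Group Policy" heading only gets the "Version" to "version" fix and no `<a href="" id="...">` anchor, while the other headings changed in this file (`how-does-wifi-sense-work`, `how-to-manage-wifi-sense-in-your-company`) gain one. Add an id here as well so that links to this section have an explicit target like its siblings.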
@ -88,7 +88,7 @@ You can manage your Wi-Fi Sense settings by changing the Windows provisioning se
|
||||
|
||||
Setting this value to **0** turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings** screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Windows Provisioning settings reference topic, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620909).
|
||||
|
||||
### Using Unattended Windows Setup settings
|
||||
### <a href="" id="using-the-unattended-windows-setup-settings"></a>Using Unattended Windows Setup settings
|
||||
|
||||
If your company still uses Unattend, you can manage your Wi-Fi Sense settings by changing the Unattended Windows Setup setting, **WiFiSenseAllowed**.
|
||||
|
||||
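Review bot: The id `using-the-unattended-windows-setup-settings` does not match the heading text "Using Unattended Windows Setup settings", which has no "the" after "Using". Align the two, for example with `using-unattended-windows-setup-settings`, so the anchor can be predicted from the heading.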
@ -98,7 +98,7 @@ If your company still uses Unattend, you can manage your Wi-Fi Sense settings by
|
||||
|
||||
Setting this value to **0** turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings** screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Unattended Windows Setup Reference topic, [WiFiSenseAllowed](http://go.microsoft.com/fwlink/p/?LinkId=620910).
|
||||
|
||||
### How employees can change their own Wi-Fi Sense settings
|
||||
### <a href="" id="how-emps-can-change-their-own-wifi-sense-settings"></a>How employees can change their own Wi-Fi Sense settings
|
||||
|
||||
If you don’t turn off the ability for your employees to use Wi-Fi Sense, they can turn the settings on locally by selecting **Settings > Network & Internet > Wi-Fi > Manage Wi-Fi settings**, and then changing one or both of these settings under **Wi-Fi Sense**:
|
||||
|
||||
|
@ -27,7 +27,7 @@ You'll need this software to work with Store for Business.
|
||||
|
||||
- IT Pros that are administering Store for Business need a browser compatible with Store for Business running on a PC or mobile device. Supported browsers include: Internet Explorer 10 or later, Microsoft Edge, or current versions of Chrome or Firefox.
|
||||
|
||||
- Employees using apps from Store for Business need Windows 10, Version 1511 running on a PC or mobile device.
|
||||
- Employees using apps from Store for Business need Windows 10, version 1511 running on a PC or mobile device.
|
||||
|
||||
Microsoft Azure Active Directory (AD) accounts for your employees:
|
||||
|
||||
|
@ -18,9 +18,9 @@ author: jdeckerMS
|
||||
|
||||
**In this article**
|
||||
|
||||
- [Apps included in Windows 10 Mobile](#apps_included_in_windows_10_mobile)
|
||||
- [Get product ID and AUMID for other apps](#get_product_id_and_aumid_for_other_apps)
|
||||
- [Related topics](#related_topics)
|
||||
- [Apps included in Windows 10 Mobile](#apps-included-in-windows-10-mobile)
|
||||
- [Get product ID and AUMID for other apps](#get-product-id-and-aumid-for-other-apps)
|
||||
- [Related topics](#related-topics)
|
||||
|
||||
You can use the product ID and Application User Model (AUMID) in Lockdown.xml to specify apps that will be available to the user.
|
||||
|
||||
|
@ -17,9 +17,9 @@ author: jdeckerMS
|
||||
|
||||
**In this article**
|
||||
|
||||
- [Reset using MDM](#reset_using_mdm)
|
||||
- [Reset using the UI](#_reset_using_the_ui)
|
||||
- [Reset using hardware buttons](#reset_using_hardware_buttons)
|
||||
- [Reset using MDM](#reset-using-mdm)
|
||||
- [Reset using the UI](#-reset-using-the-ui)
|
||||
- [Reset using hardware buttons](#reset-using-hardware-buttons)
|
||||
|
||||
There are two methods for resetting a Windows 10 Mobile device: factory reset and "wipe and persist" reset.
|
||||
|
||||
|
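Review bot: in the "In this article" list, `[Reset using the UI](#-reset-using-the-ui)` keeps a leading hyphen that exists only because the old fragment `#_reset_using_the_ui` began with an underscore. The target heading is not part of this hunk, so check that its id really is `-reset-using-the-ui`; if the id is being set explicitly anyway, `reset-using-the-ui` would match the other two entries.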
@ -22,12 +22,12 @@ author: jdeckerMS
|
||||
|
||||
**In this article**
|
||||
|
||||
- [Other settings to lock down](#other_settings_to_lock_down)
|
||||
- [Assigned access method for Universal Windows apps](#assigned_access_method)
|
||||
- [Shell Launcher for Classic Windows applications](#local_user_policy)
|
||||
- [Related topics](#related_topics)
|
||||
- [Other settings to lock down](#other-settings-to-lock-down)
|
||||
- [Assigned access method for Universal Windows apps](#assigned-access-method)
|
||||
- [Shell Launcher for Classic Windows applications](#local-user-policy)
|
||||
- [Related topics](#related-topics)
|
||||
|
||||
A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the **assigned access** feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use **Shell Launcher** to set a custom user interface as the shell. To return the device to the regular shell, see [Sign out of assigned access](#sign_out_of_assigned_access).
|
||||
A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the **assigned access** feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use **Shell Launcher** to set a custom user interface as the shell. To return the device to the regular shell, see [Sign out of assigned access](#sign-out-of-assigned-access).
|
||||
|
||||
**Note**
|
||||
A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file.
|
||||
@ -68,18 +68,18 @@ For a more secure kiosk experience, we recommend that you make the following con
|
||||
|
||||
|
||||
|
||||
## Assigned access method for Universal Windows apps
|
||||
## <a href="" id="assigned-access-method"></a>Assigned access method for Universal Windows apps
|
||||
|
||||
|
||||
Using assigned access, Windows 10 runs the designated Universal Windows app above the lockscreen, so that the assigned access account has no access to any other functionality on the device. You have these choices for setting up assigned access:
|
||||
|
||||
- [Use Settings on the PC](#set_up_assigned_access_in_pc_settings) - Windows 10 Pro, Enterprise, and Education
|
||||
- [Use Settings on the PC](#set-up-assigned-access-in-pc-settings) - Windows 10 Pro, Enterprise, and Education
|
||||
|
||||
- [Apply a mobile device management (MDM) policy](#set_up_assigned_access_in_mdm) - Windows 10 Enterprise and Education
|
||||
- [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) - Windows 10 Enterprise and Education
|
||||
|
||||
- [Create a provisioning package using Windows Imaging and Configuration Designer (ICD)](#icd) - Windows 10 Enterprise and Education
|
||||
|
||||
- [Run a PowerShell script](#set_up_assigned_access_using_windows_powershell) - Windows 10 Pro, Enterprise, and Education
|
||||
- [Run a PowerShell script](#set-up-assigned-access-using-windows-powershell) - Windows 10 Pro, Enterprise, and Education
|
||||
|
||||
### Requirements
|
||||
|
||||
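Review bot: the setup-choice links are renamed to `#set-up-assigned-access-in-pc-settings`, `#set-up-assigned-access-in-mdm` and `#set-up-assigned-access-using-windows-powershell`, but the hunks shown for this file add explicit ids only for `assigned-access-method`, `icd` and `local-user-policy`. Confirm that the three target headings resolve to the new fragments, and make the same check for `#sign-out-of-assigned-access` in the introduction, since none of those targets is visible in this change.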
@ -120,7 +120,7 @@ Assigned Access has one setting, KioskModeApp. In the KioskModeApp setting, you
|
||||
|
||||
[See the technical reference for the Assigned Access configuration service provider.](http://go.microsoft.com/fwlink/p/?LinkId=626608)
|
||||
|
||||
### Set up assigned access using Windows Imaging and Configuration Designer (ICD)
|
||||
### <a href="" id="icd"></a>Set up assigned access using Windows Imaging and Configuration Designer (ICD)
|
||||
|
||||
Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device as a kiosk. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)
|
||||
|
||||
@ -249,7 +249,7 @@ If you press **Ctrl + Alt + Del** and do not sign in to another account, after a
|
||||
|
||||
To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
|
||||
|
||||
## Shell Launcher for Classic Windows applications
|
||||
## <a href="" id="local-user-policy"></a>Shell Launcher for Classic Windows applications
|
||||
|
||||
|
||||
Using Shell Launcher, you can configure a kiosk device that runs a Classic Windows application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on.
|
||||
@ -380,7 +380,7 @@ Alternatively, you can turn on Shell Launcher using the Deployment Image Servici
|
||||
|
||||
[Set up a kiosk for Windows 10 for mobile edition](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
|
||||
|
||||
[Manage and update Windows 10](index.md)
|
||||
[Manage and update Windows 10]
|
||||
|
||||
|
||||
|
||||
|
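Review bot: the last related-topics entry goes from `[Manage and update Windows 10](index.md)` to `[Manage and update Windows 10]`, which removes the link target and leaves bracketed text that no longer links anywhere. If the link is meant to go away, drop the brackets too; otherwise restore `(index.md)` or supply the intended target.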
@ -18,9 +18,9 @@ author: jdeckerMS
|
||||
|
||||
**In this article**
|
||||
|
||||
- [Apps Corner](#apps_corner)
|
||||
- [Enterprise Assigned Access](#enterprise_assigned_access)
|
||||
- [Related topics](#related_topics)
|
||||
- [Apps Corner](#apps-corner)
|
||||
- [Enterprise Assigned Access](#enterprise-assigned-access)
|
||||
- [Related topics](#related-topics)
|
||||
|
||||
A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise for kiosk mode by using the Apps Corner feature. You can also use the Enterprise Assigned Access configuration service provider (CSP) to configure a kiosk experience.
|
||||
|
||||
|
@ -27,17 +27,17 @@ Before signing up for the Store for Business, make sure you're the global admini
|
||||
|
||||
1. Go to [https://www.microsoft.com/business-store](http://go.microsoft.com/fwlink/p/?LinkId=691845), and click **Sign up**.
|
||||
|
||||
- If you start the Store for Business sign up process, and don't have an Azure AD directory for your organization, we'll help you create one. For more info, see [Sign up for Azure AD accounts](#o365_welcome).
|
||||
- If you start the Store for Business sign up process, and don't have an Azure AD directory for your organization, we'll help you create one. For more info, see [Sign up for Azure AD accounts](#o365-welcome).
|
||||
|
||||
<!-- -->
|
||||
|
||||
- If you already have an Azure AD directory, you'll [sign in to Store for Business](#sign_in), and then accept Store for Business terms.
|
||||
- If you already have an Azure AD directory, you'll [sign in to Store for Business](#sign-in), and then accept Store for Business terms.
|
||||
|
||||

|
||||
|
||||
**To sign up for Azure AD accounts through Office 365 for Business**
|
||||
|
||||
- Signing up for Store for Business will create an Azure AD directory and global administrator account for you. There are just a few steps.
|
||||
- <a href="" id="o365-welcome"></a>Signing up for Store for Business will create an Azure AD directory and global administrator account for you. There are just a few steps.
|
||||
|
||||
Step 1: About you.
|
||||
|
||||
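Review bot: `id="o365-welcome"` is attached to the first bullet under **To sign up for Azure AD accounts through Office 365 for Business** rather than to that title line, so following `#o365-welcome` from step 1 lands below the title of the procedure it points to. Moving the anchor onto the bold title line would put the reader at the start of the section.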
@ -71,11 +71,11 @@ Before signing up for the Store for Business, make sure you're the global admini
|
||||
|
||||
- At this point, you'll have an Azure AD directory created with one user account. That user account is the global administrator. You can use that account to sign in to Store for Business.
|
||||
|
||||
2. Sign in with your Azure AD account.
|
||||
2. <a href="" id="sign-in"></a>Sign in with your Azure AD account.
|
||||
|
||||

|
||||
|
||||
3. Read through and accept Store for Business terms.
|
||||
3. <a href="" id="accept-terms"></a>Read through and accept Store for Business terms.
|
||||
|
||||
4. Welcome to the Store for Business. Click **Next** to continue.
|
||||
|
||||
|
@ -23,7 +23,7 @@ IT Pros can configure access to Windows Store for client computers in their orga
|
||||
|
||||
You can use these tools to configure access to Windows Store: AppLocker or Group Policy. For Windows 10, this is only supported on Windows 10 Enterprise edition.
|
||||
|
||||
## Block Windows Store using AppLocker
|
||||
## <a href="" id="block-store-applocker"></a>Block Windows Store using AppLocker
|
||||
|
||||
|
||||
Applies to: Windows 10 Enterprise, Windows 10 Mobile
|
||||
@ -52,10 +52,10 @@ For more information on AppLocker, see [What is AppLocker?](../keep-secure/what-
|
||||
|
||||
8. Optional: On **Exceptions**, specify conditions by which to exclude files from being affected by the rule. This allows you to add exceptions based on the same rule reference and rule scope as you set before. Click **Next**.
|
||||
|
||||
## Block Windows Store using Group Policy
|
||||
## <a href="" id="block-store-group-policy"></a>Block Windows Store using Group Policy
|
||||
|
||||
|
||||
Applies to: Windows 10 Enterprise, Version 1511
|
||||
Applies to: Windows 10 Enterprise, version 1511
|
||||
|
||||
You can also use Group Policy to manage access to Windows Store.
|
||||
|
||||
@ -69,12 +69,12 @@ You can also use Group Policy to manage access to Windows Store.
|
||||
|
||||
4. On the **Turn off Store application** setting page, click **Enabled**, and then click **OK**.
|
||||
|
||||
## Block Windows Store using management tool
|
||||
## <a href="" id="block-store-mdm"></a>Block Windows Store using management tool
|
||||
|
||||
|
||||
Applies to: Windows 10 Mobile
|
||||
|
||||
If you have mobile devices in your organization that you upgraded from earlier versions of Windows Phone 8 to Windows 10 Mobile, existing policies created using the Windows Phone 8.1 configuration service providers (CSP) with your MDM tool will continue to work on Windows 10 Mobile. If you are starting with Windows 10 Mobile, we recommend using [AppLocker](#block_store_applocker) to manage access to Windows Store app.
|
||||
If you have mobile devices in your organization that you upgraded from earlier versions of Windows Phone 8 to Windows 10 Mobile, existing policies created using the Windows Phone 8.1 configuration service providers (CSP) with your MDM tool will continue to work on Windows 10 Mobile. If you are starting with Windows 10 Mobile, we recommend using [AppLocker](#block-store-applocker) to manage access to Windows Store app.
|
||||
|
||||
When your MDM tool supports Windows Store for Business, the MDM can use these CSPs to block Windows Store app:
|
||||
|
||||
|
@ -19,12 +19,12 @@ author: jdeckerMS
|
||||
**In this article**
|
||||
|
||||
- [Overview](#overview)
|
||||
- [Device deployment](#device_deployment__)
|
||||
- [Device configuration](#device_configuration)
|
||||
- [App management](#__app_management)
|
||||
- [Device operations](#device_operations)
|
||||
- [Device retirement](#device_retirement)
|
||||
- [Related topics](#related_topics)
|
||||
- [Device deployment](#device-deployment--)
|
||||
- [Device configuration](#device-configuration)
|
||||
- [App management](#--app-management)
|
||||
- [Device operations](#device-operations)
|
||||
- [Device retirement](#device-retirement)
|
||||
- [Related topics](#related-topics)
|
||||
|
||||
This guide provides an overview of the mobile device and app management technologies in the Windows 10 Mobile operating system. It describes how mobile device management (MDM) systems use the built-in device management client to deploy, configure, maintain, and support phones and small tablets running Windows 10 Mobile.
|
||||
|
||||
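Review bot: two of the renamed links in the "In this article" list, `#device-deployment--` and `#--app-management`, keep stray double hyphens carried over from the old `#device_deployment__` and `#__app_management` fragments. This commit rewrites both the links and the heading ids, so this is the place to normalize them to `#device-deployment` and `#app-management` in both spots.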
@ -37,7 +37,7 @@ Windows 10 Mobile not only delivers more comprehensive, restrictive configurati
|
||||
|
||||
Organizations’ users increasingly depend on their mobile devices, but phones and tablets bring new and unfamiliar challenges for IT departments. IT must be able to deploy and manage mobile devices and apps quickly to support the business while balancing the growing need to protect corporate data because of evolving laws, regulations, and cybercrime. IT must ensure that the apps and data on those mobile devices are safe, especially on personal devices. Windows 10 Mobile helps organizations address these challenges by providing a robust, flexible, built-in MDM client. IT departments can use the MDM system of their choice to manage this client.
|
||||
|
||||
### Built-in MDM client
|
||||
### <a href="" id="built-in-mdm-client--"></a>Built-in MDM client
|
||||
|
||||
The built-in MDM client is common to all editions of the Windows 10 operating system, including desktop, mobile, and Internet of Things (IoT). The client provides a single interface through which you can manage any device that runs Windows 10. The client has two important roles: device enrollment in an MDM system and device management.
|
||||
|
||||
@ -47,7 +47,7 @@ The built-in MDM client is common to all editions of the Windows 10 operating s
|
||||
|
||||
The MDM client is an integral part of Windows 10 Mobile. As a result, there is no need for an additional, custom MDM app to enroll the device or to allow an MDM system to manage it. All MDM systems have equal access to Windows 10 Mobile MDM application programming interfaces (APIs), so you can choose Microsoft Intune or a third-party MDM product to manage Windows 10 Mobile devices. For more information about Windows 10 Mobile device management APIs, see [Mobile device management](http://go.microsoft.com/fwlink/p/?LinkId=734050).
|
||||
|
||||
### Windows 10 Mobile editions
|
||||
### <a href="" id="mobile-edition"></a>Windows 10 Mobile editions
|
||||
|
||||
Every device that runs Windows 10 Mobile includes all the enterprise mobile device security and management capabilities the MDM client provides. Microsoft also offers an Enterprise edition of Windows 10 Mobile, which includes three additional capabilities. To enable these capabilities, you can provision a license file without reinstalling the operating system:
|
||||
|
||||
@ -64,7 +64,7 @@ Your organization can opt to purchase a code signing certificate from Verisign t
|
||||
|
||||
To activate Windows 10 Mobile Enterprise on any Windows 10 Mobile device, use your company’s MDM system or a provisioning package to inject a license onto the device. You can download a Windows 10 Mobile Enterprise license from the Business Support Portal.
|
||||
|
||||
### Lifecycle management
|
||||
### <a href="" id="lifecycle-management--"></a>Lifecycle management
|
||||
|
||||
Windows 10 Mobile supports end-to-end lifecycle device management to give companies control of their devices, data, and apps. Comprehensive MDM systems use the built-in MDM client to manage devices throughout their lifecycle, as Figure 1 illustrates. The remainder of this guide describes the operating system’s mobile device and app management capabilities through each phase of the lifecycle, showing how MDM systems use specific features.
|
||||
|
||||
@ -72,7 +72,7 @@ Windows 10 Mobile supports end-to-end lifecycle device management to give compa
|
||||
|
||||
Figure 1. Device management lifecycle
|
||||
|
||||
## Device deployment
|
||||
## <a href="" id="device-deployment--"></a>Device deployment
|
||||
|
||||
|
||||
Device deployment includes the initial registration and configuration of the device, including its enrollment with an MDM system. Sometimes, companies preinstall apps. The major factors in how you deploy devices and which controls you put in place are device ownership and how the user will use the device. This guide covers two scenarios:
|
||||
@ -85,7 +85,7 @@ Often, employees can choose devices from a list of supported models, or companie
|
||||
|
||||
Microsoft recommends Azure AD Join and MDM enrollment and management for corporate devices and Azure AD Registration and MDM enrollment and management for personal devices.
|
||||
|
||||
### Deployment scenarios
|
||||
### <a href="" id="deployment-scenarios--"></a>Deployment scenarios
|
||||
|
||||
Most organizations support both personal and corporate device scenarios. The infrastructure for these scenarios is similar, but the deployment process and configuration policies differ. Table 1 describes characteristics of the personal and corporate device scenarios. Activation of a device with an organizational identity is unique to Windows 10 Mobile.
|
||||
|
||||
@ -123,7 +123,7 @@ Table 1. Characteristics of personal and corporate device scenarios
|
||||
|
||||
|
||||
|
||||
### Identity management
|
||||
### <a href="" id="identity-management--"></a>Identity management
|
||||
|
||||
People can use only one account to activate a device, so it’s imperative that your organization control which account you enable first. The account you choose will determine who controls the device and influence your management capabilities. The following list describes the impact that users’ identities have on management (Table 2 summarizes these considerations):
|
||||
|
||||
@ -182,7 +182,7 @@ Table 2. Personal vs. organizational identity
|
||||
|
||||
|
||||
|
||||
### Infrastructure requirements
|
||||
### <a href="" id="infrastructure-requirements--"></a>Infrastructure requirements
|
||||
|
||||
For both device scenarios, the essential infrastructure and tools required to deploy and manage Windows 10 Mobile devices include an Azure AD subscription and an MDM system.
|
||||
|
||||
@ -210,7 +210,7 @@ In addition, Microsoft recently added MDM capabilities powered by Intune to Offi
|
||||
|
||||
|
||||
|
||||
### Provisioning
|
||||
### <a href="" id="provisioning--"></a>Provisioning
|
||||
|
||||
Provisioning is new to Windows 10 and uses the MDM client in Windows 10 Mobile. You can create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10.
|
||||
|
||||
@ -241,7 +241,7 @@ The following sections describe the device configuration capabilities of the bui
|
||||
|
||||
- [Account restrictions](#restrictions)
|
||||
|
||||
- [Device lock restrictions](#device_lock)
|
||||
- [Device lock restrictions](#device-lock)
|
||||
|
||||
- [Hardware restrictions](#hardware)
|
||||
|
||||
@ -264,7 +264,7 @@ Although all the MDM settings this section describes are available in Windows 1
|
||||
|
||||
|
||||
|
||||
### Email accounts
|
||||
### <a href="" id="email"></a>Email accounts
|
||||
|
||||
You can use your corporate MDM system to manage corporate email accounts. Define email account profiles in the MDM system, and then deploy them to devices. You would usually deploy these settings immediately after enrollment, regardless of scenario.
|
||||
|
||||
@ -329,7 +329,7 @@ Table 4. Windows 10 Mobile settings for other email profiles
|
||||
|
||||
|
||||
|
||||
### Account restrictions
|
||||
### <a href="" id="restrictions"></a>Account restrictions
|
||||
|
||||
On a corporate device registered with Azure AD and enrolled in the MDM system, you can control whether users can use a Microsoft account or add other consumer email accounts. Table 5 lists the settings that you can use to manage accounts on Windows 10 Mobile devices.
|
||||
|
||||
@ -343,7 +343,7 @@ Table 5. Windows 10 Mobile account management settings
|
||||
|
||||
|
||||
|
||||
### Device lock restrictions
|
||||
### <a href="" id="device-lock"></a>Device lock restrictions
|
||||
|
||||
It’s common sense to lock a device when it is not in use. Microsoft recommends that you secure Windows 10 Mobile devices and implement a device lock policy. A device password or PIN lock is a best practice for securing apps and data on devices. [Windows Hello](http://go.microsoft.com/fwlink/p/?LinkId=723994) is the name given to the new biometric sign-in option that allows users to use their face, iris, or fingerprints to unlock their compatible device, all of which Windows 10 supports.
|
||||
|
||||
@ -432,7 +432,7 @@ Table 6. Windows 10 Mobile device lock restrictions
|
||||
|
||||
|
||||
|
||||
### Hardware restrictions
|
||||
### <a href="" id="hardware"></a>Hardware restrictions
|
||||
|
||||
Windows 10 Mobile devices use state-of-the-art technology that includes popular hardware features such as cameras, global positioning system (GPS) sensors, microphones, speakers, near-field communication (NFC) radios, storage card slots, USB interfaces, Bluetooth interfaces, cellular radios, and Wi-Fi. You can also use hardware restrictions to control the availability of these features. Table 7 lists the MDM settings that Windows 10 Mobile supports to configure hardware restrictions.
|
||||
|
||||
@ -463,7 +463,7 @@ Table 7. Windows 10 Mobile hardware restrictions
|
||||
|
||||
|
||||
|
||||
### Certificate management
|
||||
### <a href="" id="certificate"></a>Certificate management
|
||||
|
||||
Managing certificates can be difficult for users, but certificates are pervasive for a variety of uses, including, account authentication, Wi-Fi authentication, VPN encryption, and SSL encryption of web content. Although users could manage certificates on devices manually, it’s a best practice to use your MDM system to manage those certificates for their entire life cycle, from enrollment through renewal to revocation. You can use the Simple Certificate Enrollment Protocol (SCEP) and Personal Information Exchange (PFX) certificates files to install certificates on Windows 10 Mobile. Certificate management through SCEP and MDM systems is fully transparent to users and requires no user intervention, so it helps improve user productivity and reduce support calls. Your MDM system can automatically deploy these certificates to the devices’ certificate stores after you enroll the device. Table 8 lists the SCEP settings that the MDM client in Windows 10 Mobile provides.
|
||||
|
||||
@ -526,7 +526,7 @@ To diagnose certificate-related issues on Windows 10 Mobile devices, use the fr
|
||||
|
||||
|
||||
|
||||
### Wi-Fi
|
||||
### <a href="" id="wifi"></a>Wi-Fi
|
||||
|
||||
People use Wi-Fi on their mobile devices as much as or more than cellular data. Most corporate Wi-Fi networks require certificates and other complex information to restrict and secure user access. This advanced Wi-Fi information is difficult for typical users to configure, but you can use your MDM system to fully configure Wi-Fi settings without user intervention.
|
||||
|
||||
@ -864,7 +864,7 @@ Table 14. Windows 10 Mobile VPN management settings
|
||||
|
||||
|
||||
|
||||
### APN profiles
|
||||
### <a href="" id="apn"></a>APN profiles
|
||||
|
||||
An APN defines network paths for cellular data connectivity. Typically, you define just one APN for a device in collaboration with a mobile operator, but you can define multiple APNs if your company uses multiple mobile operators.
|
||||
|
||||
@ -936,7 +936,7 @@ Table 15. Windows 10 Mobile APN profile settings
|
||||
|
||||
|
||||
|
||||
### Data leak protection
|
||||
### <a href="" id="data"></a>Data leak protection
|
||||
|
||||
Some user experiences can risk corporate data stored on corporate devices. For example, allowing users to copy and paste information out of the organization’s LOB app can put data at risk. To mitigate the risk, you can restrict the Windows 10 Mobile user experience to help protect corporate data and prevent data leaks. For example, you can prevent settings synchronization, copy-and-paste operations, and screen captures. Table 16 lists the MDM settings in Windows 10 Mobile that you can use to help prevent data leaks.
|
||||
|
||||
@ -957,7 +957,7 @@ Table 16. Windows 10 Mobile data leak protection settings
|
||||
|
||||
|
||||
|
||||
### Storage management
|
||||
### <a href="" id="storage"></a>Storage management
|
||||
|
||||
Protecting the apps and data stored on a device is critical to device security. One method for helping protect your apps and data is to encrypt internal device storage by using the device encryption in Windows 10 Mobile. This encryption helps protect corporate data against unauthorized access, even when an unauthorized user has physical possession of the device.
|
||||
|
||||
@ -1024,26 +1024,26 @@ Table 17. Windows 10 Mobile storage management settings
|
||||
|
||||
|
||||
|
||||
## App management
|
||||
## <a href="" id="--app-management"></a> App management
|
||||
|
||||
|
||||
Apps help improve user productivity on mobile devices. New to Windows 10 is the ability for organizations purchase apps from Windows Store for their employees and deploy those apps from Windows Store or an MDM system. App management is becoming a key capability of MDM systems, helping reduce the effort required to perform common app-related tasks, such as distributing apps, and protecting data through app policies. This section describes the app management features in Windows 10 Mobile and includes the following topics:
|
||||
|
||||
- [Universal Windows Platform (UWP)](#UWP)
|
||||
- [Universal Windows Platform (UWP)](#uwp)
|
||||
|
||||
- [Sourcing the right app](#sourcing)
|
||||
|
||||
- [Windows Store for Business](#store)
|
||||
|
||||
- [Mobile application management (MAM) policies](#MAM)
|
||||
- [Mobile application management (MAM) policies](#mam)
|
||||
|
||||
- [Microsoft Edge](#edge)
|
||||
|
||||
### Universal Windows Platform
|
||||
### <a href="" id="uwp"></a>Universal Windows Platform
|
||||
|
||||
Windows 10 introduces UWP, converging the application platform for all devices running some edition of Windows 10. UWP apps run without modification on all editions of Windows 10, and Windows Store now has apps that you can license and purchased for all your Windows 10 devices. Windows Phone 8.1 and Windows 8.1 apps still run on Windows 10 devices, but the MAM improvements in Windows 10 work only with UWP apps. See the [Guide to Universal Windows Platform (UWP) apps](http://go.microsoft.com/fwlink/p/?LinkId=734056) for additional information.
|
||||
|
||||
### Sourcing the right app
|
||||
### <a href="" id="sourcing"></a>Sourcing the right app
|
||||
|
||||
The first step in app management is to obtain the apps your users need, and you can now acquire apps from Windows Store. Developers can also create apps specific to an organization, known as *line-of-business (LOB) apps* (the developers of these apps are *LOB publishers*). An LOB developer (internal or external) can now publish these apps to Windows Store at your request, or you can obtain the app packages offline and distribute them through your MDM system.
|
||||
|
||||
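Review bot: the new heading `## <a href="" id="--app-management"></a> App management` leaves a space between `</a>` and the heading text, unlike the other heading anchors added in this commit, so the rendered heading starts with a space. In the same hunk, `#UWP` and `#MAM` become `#uwp` and `#mam`; fragment ids are case-sensitive, so search the other topics for links that still use the uppercase form before merging.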
@ -1051,11 +1051,11 @@ To install Windows Store or LOB apps, use the Windows Store cloud service or you
|
||||
|
||||
IT administrators can obtain apps through Store for Business. Most apps can be distributed online, meaning that the user must be logged in to the device with an Azure AD account and have Internet access at the time of installation. To distribute an app offline, the developer must opt in. If the app developer doesn’t allow download of the app from Windows Store, then you must obtain the files directly from the developer or use the online method. See [Windows Store for Business](windows-store-for-business.md) for additional information about apps obtained through Store for Business.
|
||||
|
||||
Windows Store apps are automatically trusted. For custom LOB apps developed internally or by a trusted software vendor, ensure that the device trusts the app signing certificate. There are two ways to establish this trust: use a signing certificate from a trusted source, or generate your own signing certificate and add your chain of trust to the trusted certificates on the device. You can install up to 20 self-signed apps on a Windows 10 Mobile device. When you purchase a signing certificate from a public CA, you can install more than 20 apps on a device, although you can install more than 20 self-signed apps per device with [Windows 10 Mobile Enterprise](#mobile_edition).
|
||||
Windows Store apps are automatically trusted. For custom LOB apps developed internally or by a trusted software vendor, ensure that the device trusts the app signing certificate. There are two ways to establish this trust: use a signing certificate from a trusted source, or generate your own signing certificate and add your chain of trust to the trusted certificates on the device. You can install up to 20 self-signed apps on a Windows 10 Mobile device. When you purchase a signing certificate from a public CA, you can install more than 20 apps on a device, although you can install more than 20 self-signed apps per device with [Windows 10 Mobile Enterprise](#mobile-edition).
|
||||
|
||||
Users can install apps from Windows Store that the organization purchases through the Store app on their device. If you allow your users to log in with a Microsoft account, the Store app on the device provides a unified method for installing personal and corporate apps.
|
||||
|
||||
### Store for Business
|
||||
### <a href="" id="store"></a>Store for Business
|
||||
|
||||
[Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=722910) is a web portal that IT pros and purchasers use to find, acquire, manage, and distribute apps to Windows 10 devices. This online portal gives Azure AD authenticated managers access to Store for Business functionality and settings. Store managers can create a private section of Windows Store in which organizations can manage apps specific and private to them. Store for Business allows organizations to make apps available to their users and purchase app licenses for them. They can also integrate their Store for Business subscriptions with their MDM systems, so the MDM system can deploy apps from their free Store for Business subscription.
|
||||
|
||||
@ -1073,7 +1073,7 @@ The process for using Store for Business is as follows:
|
||||
|
||||
For more information about Store for Business, see [Windows Store for Business](windows-store-for-business.md).
|
||||
|
||||
### Mobile application management (MAM) policies
|
||||
### <a href="" id="mam"></a>Mobile application management (MAM) policies
|
||||
|
||||
With MDM, you can manage Device Guard on Windows 10 Mobile and create an allow (whitelist) or deny (blacklist) list of apps. This capability extends to built-in apps, as well, such as phone, text messaging, email, and calendar. The ability to allow or deny apps helps to ensure that people use their mobile devices for their intended purposes.
|
||||
|
||||
@ -1099,7 +1099,7 @@ Table 18. Windows 10 Mobile app management settings
|
||||
|
||||
One potential security issue is that users can register as Windows 10 Mobile app developers and turn on developer features on their device, potentially installing apps from unknown sources and opening the device to malware threats. To prevent users from turning on developer features on their devices, set the **Disable development unlock (side loading)** policy, which you can configure through your MDM system.
|
||||
|
||||
### Microsoft Edge
|
||||
### <a href="" id="edge"></a>Microsoft Edge
|
||||
|
||||
MDM systems give you the ability to manage Microsoft Edge on mobile devices. Table 19 lists the Microsoft Edge settings for Windows 10 Mobile.
|
||||
|
||||
@ -1129,21 +1129,21 @@ Table 19. Microsoft Edge settings for Windows 10 Mobile
|
||||
|
||||
In this section, you learn how MDM settings in Windows 10 Mobile enable the following scenarios:
|
||||
|
||||
- [Device update](#device_update)
|
||||
- [Device update](#device-update)
|
||||
|
||||
- [Device compliance monitoring](#device_comp)
|
||||
- [Device compliance monitoring](#device-comp)
|
||||
|
||||
- [Device inventory](#data_inv)
|
||||
- [Device inventory](#data-inv)
|
||||
|
||||
- [Remote assistance](#remote_assist)
|
||||
- [Remote assistance](#remote-assist)
|
||||
|
||||
- [Cloud services](#cloud_serv)
|
||||
- [Cloud services](#cloud-serv)
|
||||
|
||||
### Device update
|
||||
|
||||
To help protect mobile devices and their data, you must keep those devices updated. Windows Update automatically installs updates and upgrades when they become available.
|
||||
|
||||
The device update features described in this section are available only in [Windows 10 Mobile Enterprise](#mobile_edition). You can use your MDM system to postpone system upgrades when you activate an Enterprise license on managed Windows 10 Mobile devices and control how updates and upgrades are applied. For example, you can disable updates altogether, defer updates and upgrades, and schedule the day and time to install updates, as you would with Windows Server Update Services (WSUS) on Windows 10 desktops running the [Current Branch for Business](introduction-to-windows-10-servicing.md). Table 20 lists the Windows 10 Mobile Enterprise settings that you can use to configure updates and upgrades.
|
||||
The device update features described in this section are available only in [Windows 10 Mobile Enterprise](#mobile-edition). You can use your MDM system to postpone system upgrades when you activate an Enterprise license on managed Windows 10 Mobile devices and control how updates and upgrades are applied. For example, you can disable updates altogether, defer updates and upgrades, and schedule the day and time to install updates, as you would with Windows Server Update Services (WSUS) on Windows 10 desktops running the [Current Branch for Business](introduction-to-windows-10-servicing.md). Table 20 lists the Windows 10 Mobile Enterprise settings that you can use to configure updates and upgrades.
|
||||
|
||||
Table 20. Windows 10 Mobile Enterprise update management settings
|
||||
|
||||
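Review bot: `### Device update` gets no explicit anchor in this hunk even though the list link changes to `#device-update`, so that link depends on the renderer generating the slug `device-update` from the heading text. The four sibling headings (`device-comp`, `data-inv`, `remote-assist`, `cloud-serv`) each get an explicit `id` in the following hunks. Suggest adding an explicit anchor here as well, or confirming that the generated slug matches. The `#mobile-edition` target referenced in the changed paragraph is not defined in the visible lines and should be checked the same way.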
@ -1282,7 +1282,7 @@ Table 21. Windows 10 Mobile Enterprise approved update information
|
||||
|
||||
|
||||
|
||||
### Device compliance monitoring
|
||||
### <a href="" id="device-comp"></a>Device compliance monitoring
|
||||
|
||||
You can use your MDM system to monitor compliance. Windows 10 Mobile provides audit information to track issues or perform remedial actions. This information helps you ensure that devices are configured to comply with organizational standards.
|
||||
|
||||
@ -1339,7 +1339,7 @@ Table 21. Windows 10 Mobile HAS data points
|
||||
|
||||
|
||||
|
||||
### Device inventory
|
||||
### <a href="" id="data-inv"></a>Device inventory
|
||||
|
||||
Device inventory helps organizations better manage devices because it provides in-depth information about those devices. MDM systems collect inventory information remotely, and you can use the system’s reporting capabilities to analyze device resources and information. With this information, you can determine the current hardware and software resources of the device (for example, installed updates).
|
||||
|
||||
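Review bot: the new id `data-inv` on the `Device inventory` heading does not match the heading text, unlike `device-comp` and `device-update`. The list link is already being renamed in this commit (`#data_inv` to `#data-inv`), so both could move to `device-inv` now at no extra cost. Separately, the hunk-header context shows two captions numbered Table 21 ("Windows 10 Mobile Enterprise approved update information" and "Windows 10 Mobile HAS data points"), so the table numbering after the first of them looks off by one and is worth fixing while the file is open.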
@ -1370,7 +1370,7 @@ Table 22. Windows 10 Mobile software and hardware inventory examples
|
||||
|
||||
|
||||
|
||||
### Remote assistance
|
||||
### <a href="" id="remote-assist"></a>Remote assistance
|
||||
|
||||
The remote assistance features in Windows 10 Mobile help resolve issues that users might encounter even when the help desk does not have physical access to the device. These features include:
|
||||
|
||||
@ -1394,7 +1394,7 @@ Table 23. Windows 10 Mobile remote find settings
|
||||
|
||||
|
||||
|
||||
### Cloud services
|
||||
### <a href="" id="cloud-serv"></a>Cloud services
|
||||
|
||||
On mobile devices that run Windows 10 Mobile, users can easily connect to apps and data. As a result, they frequently connect to cloud services that provide user notifications and collect telemetry (usage data). Windows 10 Mobile enables organizations to manage how devices consume these cloud services.
|
||||
|
||||
|
@ -22,7 +22,7 @@ Developers within your own company, or ISVs that you invite, can become LOB publ
|
||||
|
||||
One advantage of making apps available through Store for Business is that the app has been signed by the Store, and uses the standard Store policies. For companies that can’t submit their application through the Windows Dev Center (for example, those needing additional capabilities or due to compliance purposes), [Sideloading](http://go.microsoft.com/fwlink/p/?LinkId=623433) is also supported in Windows 10.
|
||||
|
||||
## Adding LOB apps to your private store
|
||||
## <a href="" id="adding-lob-apps"></a>Adding LOB apps to your private store
|
||||
|
||||
|
||||
Your Store for Business admin and ISV each own different parts of the process for getting LOB apps created, submitted, and deployed to your employees. They’ll use the Store for Business portal, and the Windows Dev center on MSDN. Here’s what’s involved:
|
||||
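Review bot: the context lines in this hunk spell the portal two ways, "Windows Dev Center" in the sideloading paragraph and "Windows Dev center on MSDN" in the paragraph under the new `adding-lob-apps` anchor. Suggest normalising to "Windows Dev Center" while this section is being touched.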
@ -41,7 +41,7 @@ What you'll have to set up:
|
||||
|
||||
- LOB publishers need to have an app in the Store, or have an app ready to submit to the Store.
|
||||
|
||||
### Add an LOB publisher (admin)
|
||||
### <a href="" id="add-lob-publisher"></a>Add an LOB publisher (admin)
|
||||
|
||||
For developers within your own organization, or ISVs you're working with to create LOB apps, you'll need to invite them to become a LOB publisher.
|
||||
|
||||
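Review bot: the article before "LOB" is inconsistent around the new `add-lob-publisher` anchor. The heading reads "Add an LOB publisher (admin)" while the paragraph below it says "invite them to become a LOB publisher". Suggest "an LOB publisher" in the paragraph to match the heading and the following section.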
@ -51,7 +51,7 @@ For developers within your own organization, or ISVs you're working with to crea
|
||||
2. Click **Settings**, and then choose **LOB publishers**.
|
||||
3. On the Line-of business publishers page, click **Add** to complete a form and send an email invitation to a developer.
|
||||
|
||||
### Submit apps (LOB publisher)
|
||||
### <a href="" id="submit-lob-app"></a>Submit apps (LOB publisher)
|
||||
|
||||
The developer receives an email invite to become an LOB publisher for your company. Once they accept the invite, they can log in to the Windows Dev Center to create an app submission for your company. The info here assumes that devs or ISVs have an active developer account.
|
||||
|
||||
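Review bot: step 3 just above the new `submit-lob-app` anchor reads "On the Line-of business publishers page", with the second hyphen missing. Suggest "Line-of-business publishers page", and bolding the page name if it is a UI label like **Settings** and **LOB publishers** in step 2.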
@ -79,7 +79,7 @@ After an app is published and available in the Store, ISVs publish an updated ve
|
||||
|
||||
For more information, see [Organizational licensing options]( http://go.microsoft.com/fwlink/p/?LinkId=708615) and [Distributing LOB apps to enterprises](http://go.microsoft.com/fwlink/p/?LinkId=627543).
|
||||
|
||||
### Add app to inventory (admin)
|
||||
### <a href="" id="add-lob-app-to-inventory"></a>Add app to inventory (admin)
|
||||
|
||||
After an ISV submits the LOB app for your company, the Store for Businessadmin needs to accept the app.
|
||||
|
||||
|
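Review bot: the paragraph under the new `add-lob-app-to-inventory` anchor has "Store for Businessadmin" with the space missing; it should read "Store for Business admin". In the context line above the heading, the first link is written `[Organizational licensing options]( http://go.microsoft.com/fwlink/p/?LinkId=708615)` with a space after the opening parenthesis, which is worth removing so the link is handled the same way as the second one on that line.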