diff --git a/windows/application-management/media/user-service-flag.png b/windows/application-management/media/user-service-flag.png new file mode 100644 index 0000000000..310d4703ec Binary files /dev/null and b/windows/application-management/media/user-service-flag.png differ diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md index 6d2daad557..1d1cc91b2b 100644 --- a/windows/application-management/per-user-services-in-windows.md +++ b/windows/application-management/per-user-services-in-windows.md 
@@ -17,10 +17,16 @@ Per-user services are services that are created when a user signs into Windows o > [!NOTE] > Per-user services are only in available in Windows Server if you have installed the Desktop Experience. If you are running a Server Core or Nano Server installation, you won't see these services. -You can't prevent per-user services from being created, but you can configure the template service to create them in a stopped and disabled state. You do this by setting the template service's **Startup Type** to **Disabled**. +Beginning with Windows 10, version 1709 and Windows Server, version 1709, there are two ways to prevent per-user services from being created: -> [!IMPORTANT] -> If you change the template service's Startup Type, make sure you carefully test that change prior to rolling it out in your production environment. +- Configure the template service to create them in a stopped and disabled state. You do this by setting the template service's **Startup Type** to **Disabled**. + + > [!IMPORTANT] + > If you change the template service's Startup Type, make sure you carefully test that change prior to rolling it out in your production environment. + +- Create a new Registry entry named UserServiceFlags under the service configuration in the registry as a DWORD (32 bit) value set to 0, as shown in the following example: + + ![UserServiceFlags registry entry](media/user-service-flag.png) Use the following information to understand per-user services, change the template service Startup Type, and manage per-user services through Group Policy and security templates. diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 43db69d30f..2d1385d654 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md 
@@ -8,6 +8,8 @@ ms.sitesec: library ms.pagetype: devices author: jdeckerms ms.localizationpriority: medium +ms.author: jdecker +ms.date: 10/17/2017 --- # Connect to remote Azure Active Directory-joined PC @@ -33,7 +35,13 @@ From its release, Windows 10 has supported remote connections to PCs that are jo 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users to connect to the PC, you must allow remote connections for the local **Authenticated Users** group. Click **Select Users**. >[!NOTE] - >You cannot specify individual Azure AD accounts for remote connections. + >You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once and then running the following PowerShell cmdlet: + > + >`net localgroup "Remote Desktop Users" /add "AzureAD\FirstnameLastname"` + > + >In Windows 10, version 1709, the user does not have to sign in to the remote device first. + > + >In Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices. 4. Enter **Authenticated Users**, then click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC.
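Review bot: In per-user-services-in-windows.md (hunk @@ -17,10 +17,16 @@), the new lead-in promises "two ways to prevent per-user services from being created", but the first bullet still only creates them "in a stopped and disabled state". The removed sentence explicitly distinguished that from preventing creation ("You can't prevent per-user services from being created, but ..."). Reword the lead-in so it does not claim the template-service option prevents creation, and say what applies to releases before version 1709, since the old sentence covered them and the new one is scoped to 1709 and later. The UserServiceFlags bullet gives the location only as "under the service configuration in the registry" and otherwise relies on the screenshot. Spell out the key location in text and format the value name as code, so the step can be followed and audited without the image.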
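Review bot: In connect-to-remote-aadj-pc.md (hunk @@ -33,7 +35,13 @@), the rewritten note introduces `net localgroup "Remote Desktop Users" /add ...` as a "PowerShell cmdlet". It is a net.exe command, not a cmdlet, so change the wording to "running the following command" and mention that it needs an elevated prompt. The note also now conflicts with the unchanged step 3 text, which still says you "must allow remote connections for the local Authenticated Users group". Adding named accounts to Remote Desktop Users is the narrower grant, so step 3 should present it as an alternative rather than leaving Authenticated Users as the only stated path. The sign-in-first requirement should name the versions it applies to, given that the next sentence exempts version 1709. The troubleshooting sentence about Azure AD join and TPM reads as part of the Administrators paragraph and would be clearer as its own paragraph.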