diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 5300ed797d..f5000c123a 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -391,6 +391,11 @@
"redirect_document_id": true
},
{
+"source_path": "windows/configuration/stop-employees-from-using-the-windows-store.md",
+"redirect_url": "/windows/configuration/stop-employees-from-using-microsoft-store",
+"redirect_document_id": true
+},
+{
"source_path": "windows/manage/configure-devices-without-mdm.md",
"redirect_url": "/windows/configuration/provisioning-packages/provisioning-packages",
"redirect_document_id": false
@@ -636,6 +641,11 @@
"redirect_document_id": true
},
{
+"source_path": "store-for-business/app-inventory-management-windows-store-for-business.md",
+"redirect_url": "/microsoft-store/app-inventory-management-microsoft-store-for-business",
+"redirect_document_id": true
+},
+{
"source_path": "windows/manage/application-development-for-windows-as-a-service.md",
"redirect_url": "https://msdn.microsoft.com/windows/uwp/get-started/application-development-for-windows-as-a-service",
"redirect_document_id": true
@@ -696,6 +706,11 @@
"redirect_document_id": true
},
{
+"source_path": "store-for-business/app-inventory-managemement-windows-store-for-business.md",
+"redirect_url": "/microsoft-store/app-inventory-managemement-microsoft-store-for-business",
+"redirect_document_id": true
+},
+{
"source_path": "windows/manage/uev-accessibility.md",
"redirect_url": "/windows/configuration/ue-v/uev-for-windows",
"redirect_document_id": true
@@ -1171,6 +1186,11 @@
"redirect_document_id": true
},
{
+"source_path": "store-for-business/windows-store-for-business-overview.md",
+"redirect_url": "/microsoft-store/microsoft-store-for-business-overview",
+"redirect_document_id": true
+},
+{
"source_path": "windows/whats-new/windows-update-for-business.md",
"redirect_url": "/windows/whats-new/whats-new-windows-10-version-1507-and-1511",
"redirect_document_id": false
@@ -7071,6 +7091,11 @@
"redirect_document_id": true
},
{
+"source_path": "store-for-business/acquire-apps-windows-store-for-business.md",
+"redirect_url": "/microsoft-store/acquire-apps-microsoft-store-for-business",
+"redirect_document_id": true
+},
+{
"source_path": "windows/manage/add-unsigned-app-to-code-integrity-policy.md",
"redirect_url": "/microsoft-store/add-unsigned-app-to-code-integrity-policy",
"redirect_document_id": true
@@ -7091,6 +7116,11 @@
"redirect_document_id": true
},
{
+"source_path": "store-for-business/apps-in-windows-store-for-business.md",
+"redirect_url": "/microsoft-store/apps-in-microsoft-store-for-business",
+"redirect_document_id": true
+},
+{
"source_path": "windows/manage/appv-about-appv.md",
"redirect_url": "/windows/application-management/app-v/appv-about-appv",
"redirect_document_id": true
@@ -7601,6 +7631,11 @@
"redirect_document_id": true
},
{
+"source_path": "store-for-business/configure-mdm-provider-windows-store-for-business.md",
+"redirect_url": "/microsoft-store/configure-mdm-provider-microsoft-store-for-business",
+"redirect_document_id": true
+},
+{
"source_path": "windows/manage/connect-to-remote-aadj-pc.md",
"redirect_url": "/windows/client-management/connect-to-remote-aadj-pc",
"redirect_document_id": true
@@ -7621,6 +7656,11 @@
"redirect_document_id": true
},
{
+"source_path": "store-for-business/distribute-apps-to-your-employees-windows-store-for-business.md",
+"redirect_url": "/microsoft-store/distribute-apps-to-your-employees-microsoft-store-for-business",
+"redirect_document_id": true
+},
+{
"source_path": "windows/manage/distribute-apps-with-management-tool.md",
"redirect_url": "/microsoft-store/distribute-apps-with-management-tool",
"redirect_document_id": true
@@ -7656,6 +7696,11 @@
"redirect_document_id": true
},
{
+"source_path": "store-for-business/manage-apps-windows-store-for-business-overview.md",
+"redirect_url": "/microsoft-store/manage-apps-microsoft-store-for-business-overview",
+"redirect_document_id": true
+},
+{
"source_path": "windows/manage/manage-corporate-devices.md",
"redirect_url": "/windows/client-management/index",
"redirect_document_id": true
@@ -7666,6 +7711,11 @@
"redirect_document_id": true
},
{
+"source_path": "store-for-business/manage-orders-windows-store-for-business.md",
+"redirect_url": "/microsoft-store/manage-orders-microsoft-store-for-business",
+"redirect_document_id": true
+},
+{
"source_path": "windows/manage/manage-private-store-settings.md",
"redirect_url": "/microsoft-store/manage-private-store-settings",
"redirect_document_id": true
@@ -7676,11 +7726,21 @@
"redirect_document_id": true
},
{
+"source_path": "store-for-business/manage-settings-windows-store-for-business.md",
+"redirect_url": "/microsoft-store/manage-settings-microsoft-store-for-business",
+"redirect_document_id": true
+},
+{
"source_path": "windows/manage/manage-users-and-groups-windows-store-for-business.md",
"redirect_url": "/microsoft-store/manage-users-and-groups-windows-store-for-business",
"redirect_document_id": true
},
{
+"source_path": "store-for-business/manage-users-and-groups-windows-store-for-business.md",
+"redirect_url": "/microsoft-store/manage-users-and-groups-microsoft-store-for-business",
+"redirect_document_id": true
+},
+{
"source_path": "windows/manage/manage-windows-10-in-your-organization-modern-management.md",
"redirect_url": "/windows/client-management/manage-windows-10-in-your-organization-modern-management",
"redirect_document_id": true
@@ -7701,6 +7761,11 @@
"redirect_document_id": true
},
{
+"source_path": "store-for-business/prerequisites-windows-store-for-business.md",
+"redirect_url": "/microsoft-store/prerequisites-microsoft-store-for-business",
+"redirect_document_id": true
+},
+{
"source_path": "windows/manage/reset-a-windows-10-mobile-device.md",
"redirect_url": "/windows/client-management/reset-a-windows-10-mobile-device",
"redirect_document_id": true
@@ -7711,11 +7776,21 @@
"redirect_document_id": true
},
{
+"source_path": "store-for-business/roles-and-permissions-windows-store-for-business.md",
+"redirect_url": "/microsoft-store/roles-and-permissions-microsoft-store-for-business",
+"redirect_document_id": true
+},
+{
"source_path": "windows/manage/settings-reference-windows-store-for-business.md",
"redirect_url": "/microsoft-store/settings-reference-windows-store-for-business",
"redirect_document_id": true
},
{
+"source_path": "store-for-business/settings-reference-windows-store-for-business.md",
+"redirect_url": "/microsoft-store/settings-reference-microsoft-store-for-business",
+"redirect_document_id": true
+},
+{
"source_path": "windows/manage/sign-code-integrity-policy-with-device-guard-signing.md",
"redirect_url": "/microsoft-store/sign-code-integrity-policy-with-device-guard-signing",
"redirect_document_id": true
@@ -7726,16 +7801,31 @@
"redirect_document_id": true
},
{
+"source_path": "store-for-business/sign-up-windows-store-for-business-overview.md",
+"redirect_url": "/microsoft-store/sign-up-microsoft-store-for-business-overview",
+"redirect_document_id": true
+},
+{
"source_path": "windows/manage/sign-up-windows-store-for-business.md",
"redirect_url": "/microsoft-store/sign-up-windows-store-for-business",
"redirect_document_id": true
},
{
+"source_path": "store-for-business/sign-up-windows-store-for-business.md",
+"redirect_url": "/microsoft-store/sign-up-microsoft-store-for-business",
+"redirect_document_id": true
+},
+{
"source_path": "windows/manage/troubleshoot-windows-store-for-business.md",
"redirect_url": "/microsoft-store/troubleshoot-windows-store-for-business",
"redirect_document_id": true
},
{
+"source_path": "store-for-business/troubleshoot-windows-store-for-business.md",
+"redirect_url": "/microsoft-store/troubleshoot-microsoft-store-for-business",
+"redirect_document_id": true
+},
+{
"source_path": "windows/manage/uev-administering-uev-with-windows-powershell-and-wmi.md",
"redirect_url": "/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi",
"redirect_document_id": true
@@ -7876,6 +7966,11 @@
"redirect_document_id": true
},
{
+"source_path": "store-for-business/update-windows-store-for-business-account-settings.md",
+"redirect_url": "/microsoft-store/update-microsoft-store-for-business-account-settings",
+"redirect_document_id": true
+},
+{
"source_path": "windows/manage/windows-10-mobile-and-mdm.md",
"redirect_url": "/windows/client-management/windows-10-mobile-and-mdm",
"redirect_document_id": true
diff --git a/browsers/edge/Index.md b/browsers/edge/Index.md
index 5893fdf819..11310e783a 100644
--- a/browsers/edge/Index.md
+++ b/browsers/edge/Index.md
@@ -20,7 +20,7 @@ ms.localizationpriority: high
Microsoft Edge is the new, default web browser for Windows 10, helping you to experience modern web standards, better performance, improved security, and increased reliability. Microsoft Edge also introduces new features like Web Note, Reading View, and Cortana that you can use along with your normal web browsing abilities.
-Microsoft Edge lets you stay up-to-date through the Windows Store and to manage your enterprise through Group Policy or your mobile device management (MDM) tools.
+Microsoft Edge lets you stay up-to-date through the Microsoft Store and to manage your enterprise through Group Policy or your mobile device management (MDM) tools.
>[!Note]
>For more info about the potential impact of using Microsoft Edge in a large organization, you can download an infographic from here: [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/download/details.aspx?id=55956). For a detailed report that provides you with a framework to evaluate the potential financial impact of adopting Microsoft Edge within your organization, you can download the full study here: [Total Economic Impact of Microsoft Edge: Forrester Study](https://www.microsoft.com/download/details.aspx?id=55847).
@@ -55,7 +55,7 @@ However, if you're running web apps that continue to use:
* legacy document modes
-You'll need to keep running them using IE11. If you don't have IE11 installed anymore, you can download it from the Windows Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). Alternatively, you can also use Enterprise Mode with Microsoft Edge to transition only the sites that need these technologies to load in IE11. For info about Enterprise Mode and Edge, see [Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md).
+You'll need to keep running them using IE11. If you don't have IE11 installed anymore, you can download it from the Microsoft Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). Alternatively, you can also use Enterprise Mode with Microsoft Edge to transition only the sites that need these technologies to load in IE11. For info about Enterprise Mode and Edge, see [Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md).
## Related topics
diff --git a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
index 8cb8912f67..23dcb3b5b5 100644
--- a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
+++ b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md
@@ -20,7 +20,7 @@ ms.localizationpriority: high
- Windows 10
## Enterprise guidance
-Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Windows Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956).
+Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Microsoft Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956).
We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10.
diff --git a/browsers/edge/security-enhancements-microsoft-edge.md b/browsers/edge/security-enhancements-microsoft-edge.md
index 3a25ecae1e..8f777c48c3 100644
--- a/browsers/edge/security-enhancements-microsoft-edge.md
+++ b/browsers/edge/security-enhancements-microsoft-edge.md
@@ -65,7 +65,7 @@ Internet Explorer 10 introduced Enhanced Protected Mode (EPM), based on the Wind
Microsoft Edge takes the sandbox even farther, running its content processes in app containers not just by default, but all of the time. Because Microsoft Edge doesn’t support 3rd party binary extensions, there’s no reason for it to run outside of the containers, ensuring that Microsoft Edge is more secure.
#### Microsoft Edge is now a 64-bit app
-The largest security change to Microsoft Edge is that it's designed like a Universal Windows app. By changing the browser to an app, it fundamentally changes the process model so that both the outer manager process and the assorted content processes all live within app container sandboxes; helping to provide the user and the platform with the [confidence](http://blogs.msdn.com/b/b8/archive/2012/05/17/delivering-reliable-and-trustworthy-metro-style-apps.aspx) provided by other Windows store apps.
+The largest security change to Microsoft Edge is that it's designed like a Universal Windows app. By changing the browser to an app, it fundamentally changes the process model so that both the outer manager process and the assorted content processes all live within app container sandboxes; helping to provide the user and the platform with the [confidence](http://blogs.msdn.com/b/b8/archive/2012/05/17/delivering-reliable-and-trustworthy-metro-style-apps.aspx) provided by other Microsoft Store apps.
##### 64-bit processes and Address Space Layout Randomization (ASLR)
Microsoft Edge runs in 64-bit not just by default, but anytime it’s running on a 64-bit operating system. Because Microsoft Edge doesn’t support legacy ActiveX controls or 3rd-party binary extensions, there’s no longer a reason to run 32-bit processes on a 64-bit system.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md
index b0262d2a24..8196de7ec4 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md
@@ -14,7 +14,7 @@ ms.sitesec: library
# Browser cache changes and roaming profiles
We’ve redesigned the browser cache to improve the performance, flexibility, reliability, and scalability of Internet Explorer and the apps that rely on the Windows Internet (WinINet) cache. Our new database design stops multiple clients from simultaneously accessing and using cached information, while also providing a higher level of data integrity.
-You won’t notice any changes to the management of your roaming profile data if you use our new database implementation in conjunction with the [roaming user profile guidelines](https://go.microsoft.com/fwlink/p/?LinkId=401544). This means that IE data that’s stored in the `AppData\Roaming` user profile folder is still be uploaded to your normal profile storage location after a user successfully logs off.
**Note** Cookies in a roaming profile can only be set by Internet Explorer for the desktop, with Enhanced Protected Mode turned off. Cookies set by the immersive version of IE or by Windows Store apps, can’t be part of a roaming profile. For more information about persistent cookies and roaming, see [Persistent cookies are not roamed in Internet Explorer](https://go.microsoft.com/fwlink/p/?LinkId=401545).
+You won’t notice any changes to the management of your roaming profile data if you use our new database implementation in conjunction with the [roaming user profile guidelines](https://go.microsoft.com/fwlink/p/?LinkId=401544). This means that IE data that’s stored in the `AppData\Roaming` user profile folder is still be uploaded to your normal profile storage location after a user successfully logs off.
**Note** Cookies in a roaming profile can only be set by Internet Explorer for the desktop, with Enhanced Protected Mode turned off. Cookies set by the immersive version of IE or by Microsoft Store apps, can’t be part of a roaming profile. For more information about persistent cookies and roaming, see [Persistent cookies are not roamed in Internet Explorer](https://go.microsoft.com/fwlink/p/?LinkId=401545).
To get the best results while using roaming profiles, we strongly recommend the following:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
index 9eb372320e..058f277137 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
@@ -59,7 +59,7 @@ After you turn each item back on, see if IE crashes or slows down. Doing it this
If the **Use software rendering instead of GPU rendering** option is greyed out, it means that your current video card or video driver doesn't support GPU hardware acceleration. For more information, see [Windows 10 Support](https://go.microsoft.com/fwlink/?LinkId=746588).
## Adaptive streaming and DRM playback don’t work with Windows Server 2012 R2
-IE11 in Windows Server 2012 R2 doesn’t include media features like adaptive streaming or Digital Rights Management (DRM) playback. To add these features, you’ll need to download and install the Media Feature Pack from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=320789), as well as an app that uses PlayReady DRM from the Windows Store, such as the Xbox Music app or Xbox Video app. The app must be installed to specifically turn on DRM features, while all other media features are installed with the Media Feature Pack.
+IE11 in Windows Server 2012 R2 doesn’t include media features like adaptive streaming or Digital Rights Management (DRM) playback. To add these features, you’ll need to download and install the Media Feature Pack from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=320789), as well as an app that uses PlayReady DRM from the Microsoft Store, such as the Xbox Music app or Xbox Video app. The app must be installed to specifically turn on DRM features, while all other media features are installed with the Media Feature Pack.
diff --git a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md
index 86092448c2..c403f68d94 100644
--- a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md
+++ b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md
@@ -140,7 +140,7 @@ Group Policy settings can be set to open either IE or Internet Explorer for the
|Setting |Result |
|--------|-------|
-|Let IE decide |Links open in the same type of experience from where they're launched. For example, clicking a link from a Windows Store app, opens IE. However, clicking a link from a desktop app, opens Internet Explorer for the desktop. |
+|Let IE decide |Links open in the same type of experience from where they're launched. For example, clicking a link from a Microsoft Store app, opens IE. However, clicking a link from a desktop app, opens Internet Explorer for the desktop. |
|Always in IE11 |Links always open in IE. |
|Always in Internet Explorer for the desktop |Links always open in Internet Explorer for the desktop. |
diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
index 84340e8542..ece11a95f1 100644
--- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md
+++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
@@ -37,15 +37,15 @@ You can also configure Surface Hub to receive updates from both Windows Update f
## Surface Hub servicing model
-Surface Hub uses the Windows 10 servicing model, referred to as Windows as a Service (WaaS). Traditionally, new features are added only in new versions of Windows that are released every few years. Each new version required lengthy and expensive processes to deploy in an organization. As a result, end users and organizations don't frequently enjoy the benefits of new innovation. The goal of Windows as a Service is to continually provide new capabilities while maintaining a high level of quality.
+Surface Hub uses the Windows 10 servicing model, referred to as [Windows as a Service (WaaS)](https://docs.microsoft.com/windows/deployment/update/waas-overview). Traditionally, new features were added only in new versions of Windows that were released every few years. Each new version required lengthy and expensive processes to deploy in an organization. As a result, end users and organizations don't frequently enjoy the benefits of new innovation. The goal of Windows as a Service is to continually provide new capabilities while maintaining a high level of quality.
Microsoft publishes two types of Surface Hub releases broadly on an ongoing basis:
-- **Feature updates** - Updates that install the latest new features, experiences, and capabilities. Microsoft expects to publish an average of two to three new feature upgrades per year.
+- **Feature updates** - Updates that install the latest new features, experiences, and capabilities. Microsoft expects to publish two tnew feature updates per year.
- **Quality updates** - Updates that focus on the installation of security fixes, drivers, and other servicing updates. Microsoft expects to publish one cumulative quality update per month.
In order to improve release quality and simplify deployments, all new releases that Microsoft publishes for Windows 10, including Surface Hub, will be cumulative. This means new feature updates and quality updates will contain the payloads of all previous releases (in an optimized form to reduce storage and networking requirements), and installing the release on a device will bring it completely up to date. Also, unlike earlier versions of Windows, you cannot install a subset of the contents of a Windows 10 quality update. For example, if a quality update contains fixes for three security vulnerabilities and one reliability issue, deploying the update will result in the installation of all four fixes.
-The Surface Hub operating system is available on **Current Branch (CB)** and **Current Branch for Business (CBB)**. Like other editions of Windows 10, the servicing lifetime of CB or CBB is finite. You must install new feature updates on machines running these branches in order to continue receiving quality updates.
+The Surface Hub operating system receives updates on the [Semi-Annual Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes). Like other editions of Windows 10, the servicing lifetime ois finite. You must install new feature updates on machines running these branches in order to continue receiving quality updates.
For more information on Windows as a Service, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview).
@@ -55,11 +55,9 @@ Surface Hubs, like all Windows 10 devices, include **Windows Update for Business
**To set up Windows Update for Business:**
1. [Group Surface Hub into deployment rings](#group-surface-hub-into-deployment-rings)
-2. [Configure Surface Hub to use Current Branch or Current Branch for Business](#configure-surface-hub-to-use-current-branch-or-current-branch-for-business).
2. [Configure when Surface Hub receives updates](#configure-when-surface-hub-receives-updates).
> [!NOTE]
-
> You can use Microsoft Intune, System Center Configuration Manager, or a supported third-party MDM provider to set up WUfB. [Walkthrough: use Microsoft Intune to configure Windows Update for Business.](https://technet.microsoft.com/itpro/windows/manage/waas-wufb-intune)
@@ -70,29 +68,22 @@ This table gives examples of deployment rings.
| Deployment ring | Ring size | Servicing branch | Deferral for feature updates | Deferral for quality updates (security fixes, drivers, and other updates) | Validation step |
| --------- | --------- | --------- | --------- | --------- | --------- |
-| Preview (e.g. non-critical or test devices) | Small | Current Branch (CB) | None. Devices receive feature updates immediately after CB is released. | None. Devices receive quality updates immediately after CB is released. | Manually test and evaluate new functionality. Pause updates if there are issues. |
-| Release (e.g. devices used by select teams) | Medium | Current Branch for Business (CBB) | None. Devices receive feature updates immediately once CBB is released. | None. Devices receive quality updates immediately after CBB is released. | Monitor device usage and user feedback. Pause updates if there are issues. |
-| Broad deployment (e.g. most of the devices in your organization) | Large | Current Branch for Business (CBB) | 120 days after CBB is released. | 7-14 days after CBB is released. | Monitor device usage and user feedback. Pause updates if there are issues. |
-| Mission critical (e.g. devices in executive boardrooms) | Small | Current Branch for Business (CBB) | 180 days after CBB is released (maximum deferral for feature updates). | 30 days after CBB is released (maximum deferral for quality updates). | Monitor device usage and user feedback. |
+| Preview (e.g. non-critical or test devices) | Small | Semi-annual channel (Targeted) | None. | None. | Manually test and evaluate new functionality. Pause updates if there are issues. |
+| Release (e.g. devices used by select teams) | Medium | Semi-annual channel | None. | None. | Monitor device usage and user feedback. Pause updates if there are issues. |
+| Broad deployment (e.g. most of the devices in your organization) | Large | Semi-annual channel | 120 days after release. | 7-14 days after release. | Monitor device usage and user feedback. Pause updates if there are issues. |
+| Mission critical (e.g. devices in executive boardrooms) | Small | Semi-annual channel | 180 days after release (maximum deferral for feature updates). | 30 days after release (maximum deferral for quality updates). | Monitor device usage and user feedback. |
-### Configure Surface Hub to use Current Branch or Current Branch for Business
-By default, Surface Hubs are configured to receive updates from Current Branch (CB). CB receives feature updates as soon as they are released by Microsoft. Current Branch for Business (CBB), on the other hand, receives feature updates at least four months after they have been initially offered to CB devices, and includes all of the quality updates that have been released in the interim. For more information on the differences between CB and CBB, see [Servicing branches](https://technet.microsoft.com/itpro/windows/manage/waas-overview#servicing-branches).
-**To manually configure Surface Hub to use CB or CBB:**
-1. Open **Settings** > **Update & Security** > **Windows Update**, and then select **Advanced Options**.
-2. Select **Defer feature updates**.
-
-To configure Surface Hub to use CB or CBB remotely using MDM, set an appropriate [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) policy.
### Configure when Surface Hub receives updates
Once you've determined deployment rings for your Surface Hubs, configure update deferral policies for each ring:
-- To defer feature updates, set an appropriate [Update/DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) policy for each ring.
-- To defer quality updates, set an appropriate [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) policy for each ring.
+- To defer feature updates, set an appropriate [Update/DeferFeatureUpdatesPeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays) policy for each ring.
+- To defer quality updates, set an appropriate [Update/DeferQualityUpdatesPeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-deferqualityupdatesperiodindays) policy for each ring.
> [!NOTE]
-> If you encounter issues during the update rollout, you can pause updates using [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) and [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates).
+> If you encounter issues during the update rollout, you can pause updates using [Update/PauseFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-pausefeatureupdates) and [Update/PauseQualityUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-pausequalityupdates).
## Use Windows Server Update Services
diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
index 7346763936..ef48bfdc1a 100644
--- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md
+++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
@@ -46,7 +46,7 @@ Microsoft collects telemetry to help improve your Surface Hub experience. Add th
### Proxy configuration
-If your organization restricts computers on your network from connecting to the Internet, there is a set of URLs that need to be available for devices to use Store for Business. Some of the Store for Business features use Windows Store app and Windows Store services. Devices using Store for Business – either to acquire, install, or update apps – will need access to these URLs. If you use a proxy server to block traffic, your configuration needs to allow these URLs:
+If your organization restricts computers on your network from connecting to the Internet, there is a set of URLs that need to be available for devices to use Microsoft Store for Business. Some of the Store for Business features use Microsoft Store app and Microsoft Store services. Devices using Store for Business – either to acquire, install, or update apps – will need access to these URLs. If you use a proxy server to block traffic, your configuration needs to allow these URLs:
- login.live.com
- login.windows.net
diff --git a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
index e118798d48..542ff44ce7 100644
--- a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
+++ b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
@@ -47,7 +47,7 @@ For versions of Windows prior to Windows 10, version 1511 (including Windows 10
## Deploy Surface app with Configuration Manager
-With the release of Windows Store for Business, Surface app is no longer available as a driver and firmware download. Organizations that want to deploy Surface app to managed Surface devices or during deployment with the use of Configuration Manager, must acquire Surface app through Windows Store for Business and then deploy Surface app with PowerShell. You can find the PowerShell commands for deployment of Surface app, instructions to download Surface app, and prerequisite frameworks from Windows Store for Business in the [Deploy Surface app with Windows Store for Business](https://technet.microsoft.com/itpro/surface/deploy-surface-app-with-windows-store-for-business) article in the TechNet Library.
+With the release of Microsoft Store for Business, Surface app is no longer available as a driver and firmware download. Organizations that want to deploy Surface app to managed Surface devices or during deployment with the use of Configuration Manager, must acquire Surface app through Microsoft Store for Business and then deploy Surface app with PowerShell. You can find the PowerShell commands for deployment of Surface app, instructions to download Surface app, and prerequisite frameworks from Microsoft Store for Business in the [Deploy Surface app with Microsoft Store for Business](https://technet.microsoft.com/itpro/surface/deploy-surface-app-with-windows-store-for-business) article in the TechNet Library.
## Use prestaged media with Surface clients
diff --git a/devices/surface/deploy-surface-app-with-windows-store-for-business.md b/devices/surface/deploy-surface-app-with-windows-store-for-business.md
index 52626b026e..a9d29612a7 100644
--- a/devices/surface/deploy-surface-app-with-windows-store-for-business.md
+++ b/devices/surface/deploy-surface-app-with-windows-store-for-business.md
@@ -19,7 +19,7 @@ author: miladCA
>[!NOTE]
>The Surface app ships in Surface Studio.
-The Surface app is a lightweight Windows Store app that provides control of many Surface-specific settings and options, including:
+The Surface app is a lightweight Microsoft Store app that provides control of many Surface-specific settings and options, including:
* Enable or disable the Windows button on the Surface device
@@ -31,11 +31,11 @@ The Surface app is a lightweight Windows Store app that provides control of many
* Quick access to support documentation and information for your device
-If your organization is preparing images that will be deployed to your Surface devices, you may want to include the Surface app (formerly called the Surface Hub) in your imaging and deployment process instead of requiring users of each individual device to download and install the app from the Windows Store or your Microsoft Store for Business.
+If your organization is preparing images that will be deployed to your Surface devices, you may want to include the Surface app (formerly called the Surface Hub) in your imaging and deployment process instead of requiring users of each individual device to download and install the app from the Microsoft Store or your Microsoft Store for Business.
##Surface app overview
-The Surface app is available as a free download from the [Windows Store](https://www.microsoft.com/store/apps/Surface/9WZDNCRFJB8P). Users can download and install it from the Windows Store, but if your organization uses Microsoft Store for Business instead, you will need to add it to your store’s inventory and possibly include the app as part of your Windows deployment process. These processes are discussed throughout this article. For more information about Microsoft Store for Business, see [Microsoft Store for Business](https://technet.microsoft.com/windows/store-for-business) in the Windows TechCenter.
+The Surface app is available as a free download from the [Microsoft Store](https://www.microsoft.com/store/apps/Surface/9WZDNCRFJB8P). Users can download and install it from the Microsoft Store, but if your organization uses Microsoft Store for Business instead, you will need to add it to your store’s inventory and possibly include the app as part of your Windows deployment process. These processes are discussed throughout this article. For more information about Microsoft Store for Business, see [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/) in the Windows TechCenter.
##Add Surface app to a Microsoft Store for Business account
@@ -45,7 +45,7 @@ Before users can install or deploy an app from a company’s Microsoft Store for
2. Log on to the portal.
-3. Enable offline licensing: click **Manage->Store settings**, and then select the **Show offline licensed apps to people shopping in the store** checkbox, as shown in Figure 1. For more information about Microsoft Store for Business app licensing models, see [Apps in Microsoft Store for Business](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing_model).
+3. Enable offline licensing: click **Manage->Store settings**, and then select the **Show offline licensed apps to people shopping in the store** checkbox, as shown in Figure 1. For more information about Microsoft Store for Business app licensing models, see [Apps in Microsoft Store for Business and Education](https://docs.microsoft.com/microsoft-store/).
*Figure 1. Enable apps for offline use*
@@ -113,7 +113,7 @@ The following procedure provisions the Surface app onto your computer and makes
Add-AppxProvisionedPackage –Online –PackagePath \ Microsoft.SurfaceHub_10.0.342.0_neutral_~_8wekyb3d8bbwe.AppxBundle –LicensePath \ Microsoft.SurfaceHub_8wekyb3d8bbwe_a53ef8ab-9dbd-dec1-46c5-7b664d4dd003.xml
```
- Where `` is the folder where you downloaded the AppxBundle and license file from the Windows Store for Business account.
+ Where `` is the folder where you downloaded the AppxBundle and license file from the Microsoft Store for Business account.
For example, if you downloaded the files to c:\Temp, the command you run is:
````
diff --git a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
index f3393feea4..f6b63353f6 100644
--- a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
+++ b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
@@ -530,9 +530,9 @@ Now that the installation and configuration files are prepared, the application
#### Import Surface app installer
-The Surface app is a Windows Store app that provides the user with greater control over specific Surface device functions and capabilities (for example, control over the sensitivity of the Surface Pen). It is a highly recommended app for Surface devices to provide end users with the best experience and greatest control over their device. Find out more about the Surface app at [Install and use the Surface app](https://www.microsoft.com/surface/support/apps-and-windows-store/surface-app?os=windows-10).
+The Surface app is a Microsoft Store app that provides the user with greater control over specific Surface device functions and capabilities (for example, control over the sensitivity of the Surface Pen). It is a highly recommended app for Surface devices to provide end users with the best experience and greatest control over their device. Find out more about the Surface app at [Install and use the Surface app](https://www.microsoft.com/surface/support/apps-and-windows-store/surface-app?os=windows-10).
-To perform a deployment of the Surface app, you will need to download the app files through Windows Store for Business. You can find detailed instructions on how to download the Surface app through Windows Store for Business at [Deploy Surface app with Windows Store for Business](https://technet.microsoft.com/itpro/surface/deploy-surface-app-with-windows-store-for-business).
+To perform a deployment of the Surface app, you will need to download the app files through Microsoft Store for Business. You can find detailed instructions on how to download the Surface app through Microsoft Store for Business at [Deploy Surface app with Microsoft Store for Business](https://technet.microsoft.com/itpro/surface/deploy-surface-app-with-windows-store-for-business).
After you have downloaded the installation files for Surface app, including the AppxBundle and license files, you can import these files into the deployment share through the same process as a desktop application like Microsoft Office. Both the AppxBundle and license files must be together in the same folder for the import process to complete successfully. Use the following command on the **Command Details** page to install the Surface app:
```
diff --git a/devices/surface/index.md b/devices/surface/index.md
index a1ac675f47..75d7f71807 100644
--- a/devices/surface/index.md
+++ b/devices/surface/index.md
@@ -24,7 +24,7 @@ For more information on planning for, deploying, and managing Surface devices in
| [Deploy Surface devices](deploy.md) | Get deployment guidance for your Surface devices including information about MDT, OOBE customization, Ethernet adaptors, and Surface Deployment Accelerator. |
| [Surface firmware and driver updates](update.md) | Find out how to download and manage the latest firmware and driver updates for your Surface device. |
| [Considerations for Surface and System Center Configuration Manager](considerations-for-surface-and-system-center-configuration-manager.md) | Get guidance on how to deploy and manage Surface devices with System Center Configuration Manager. |
-| [Deploy Surface app with Microsoft Store for Business](deploy-surface-app-with-windows-store-for-business.md) | Find out how to add and download Surface app with Windows Store for Business, as well as install Surface app with PowerShell and MDT. |
+| [Deploy Surface app with Microsoft Store for Business](deploy-surface-app-with-windows-store-for-business.md) | Find out how to add and download Surface app with Microsoft Store for Business, as well as install Surface app with PowerShell and MDT. |
| [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md) | Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device. |
| [Manage Surface UEFI settings](manage-surface-uefi-settings.md) | Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings. |
| [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) | See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization. |
diff --git a/devices/surface/surface-device-compatibility-with-windows-10-ltsb.md b/devices/surface/surface-device-compatibility-with-windows-10-ltsb.md
index f1f5afdf72..0048723f2f 100644
--- a/devices/surface/surface-device-compatibility-with-windows-10-ltsb.md
+++ b/devices/surface/surface-device-compatibility-with-windows-10-ltsb.md
@@ -38,7 +38,7 @@ The LTSB servicing option is designed for device types and scenarios where the k
* Devices that run productivity software such as Microsoft Office
-* Devices that use Windows Store applications
+* Devices that use Microsoft Store applications
* Devices that are used for general Internet browsing (for example, research or access to social media)
diff --git a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
index ea32d404cc..4e3fcf3fad 100644
--- a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
+++ b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
@@ -94,7 +94,7 @@ In the import process example shown in the [Deploy Windows 10 to Surface devices
Installation of applications in an upgrade deployment is not always necessary because the applications from the previous environment will remain on the device. (For example, in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) article, the deployment includes Office 365 which is not required in an upgrade deployment where the user is already using Office 365 on the device.)
-There are still some circumstances where you will want to deploy an application, even during an upgrade deployment. For example, you may have Surface Pro 3 devices on which you would like to add the Surface app. To deploy the Surface app in an upgrade scenario use the same process as you would for a traditional deployment. See the [Deploy Surface app with Windows Store for Business](https://technet.microsoft.com/itpro/surface/deploy-surface-app-with-windows-store-for-business) article for instructions on how to add the Surface app to an MDT task sequence.
+There are still some circumstances where you will want to deploy an application, even during an upgrade deployment. For example, you may have Surface Pro 3 devices on which you would like to add the Surface app. To deploy the Surface app in an upgrade scenario use the same process as you would for a traditional deployment. See the [Deploy Surface app with Microsoft Store for Business](https://technet.microsoft.com/itpro/surface/deploy-surface-app-with-windows-store-for-business) article for instructions on how to add the Surface app to an MDT task sequence.
### Create the upgrade task sequence
diff --git a/devices/surface/using-the-sda-deployment-share.md b/devices/surface/using-the-sda-deployment-share.md
index 1cd440c9aa..8c118e635e 100644
--- a/devices/surface/using-the-sda-deployment-share.md
+++ b/devices/surface/using-the-sda-deployment-share.md
@@ -29,7 +29,7 @@ One of the primary scenarios for use of SDA is as a Proof of Concept. A *Proof o
Using SDA to prepare a PoC of Surface devices enables you to very quickly prepare a demonstration of Surface device or devices, which gives you more time for customization or preparation. The flexibility of SDA even lets you import resources, like applications and drivers, from existing MDT deployment infrastructure. See the [Work with existing deployment shares](#work-with-existing-deployment-shares) section later in this article for more information.
-SDA is also an excellent PoC of the capabilities of MDT. SDA demonstrates just how quickly an MDT deployment environment can be prepared and made ready for deployment to devices. It also shows just how flexible and customizable the MDT solution can be, with support for Windows 10 and Windows 8.1, for Windows Store and desktop applications, and several models of Surface devices.
+SDA is also an excellent PoC of the capabilities of MDT. SDA demonstrates just how quickly an MDT deployment environment can be prepared and made ready for deployment to devices. It also shows just how flexible and customizable the MDT solution can be, with support for Windows 10 and Windows 8.1, for Microsoft Store and desktop applications, and several models of Surface devices.
Some recommendations for a successful PoC with SDA are:
diff --git a/devices/surface/wake-on-lan-for-surface-devices.md b/devices/surface/wake-on-lan-for-surface-devices.md
index cee0c58856..c264f50a22 100644
--- a/devices/surface/wake-on-lan-for-surface-devices.md
+++ b/devices/surface/wake-on-lan-for-surface-devices.md
@@ -50,7 +50,7 @@ The Surface WOL driver conforms to the WOL standard, whereby the device is woken
>[!NOTE]
>To send a magic packet and wake up a device by using WOL, you must know the MAC address of the target device and Ethernet adapter. Because the magic packet does not use the IP network protocol, it is not possible to use the IP address or DNS name of the device.
-Many management solutions, such as System Center Configuration Manager, provide built-in support for WOL. There are also many solutions, including Windows Store apps, PowerShell modules, third-party applications, and third-party management solutions that allow you to send a magic packet to wake up a device. For example, you can use the [Wake On LAN PowerShell module](https://gallery.technet.microsoft.com/scriptcenter/Wake-On-Lan-815424c4) from the TechNet Script Center.
+Many management solutions, such as System Center Configuration Manager, provide built-in support for WOL. There are also many solutions, including Microsoft Store apps, PowerShell modules, third-party applications, and third-party management solutions that allow you to send a magic packet to wake up a device. For example, you can use the [Wake On LAN PowerShell module](https://gallery.technet.microsoft.com/scriptcenter/Wake-On-Lan-815424c4) from the TechNet Script Center.
>[!NOTE]
>After a device has been woken up with a magic packet, the device will return to sleep if an application is not actively preventing sleep on the system or if the AllowSystemRequiredPowerRequests registry key is not configured to 1, which allows applications to prevent sleep. See the [WOL driver](#wol-driver) section of this article for more information about this registry key.
diff --git a/education/windows/TOC.md b/education/windows/TOC.md
index 30aa3f0ba5..a5adbaef71 100644
--- a/education/windows/TOC.md
+++ b/education/windows/TOC.md
@@ -11,6 +11,7 @@
### [Set up Take a Test on a single PC](take-a-test-single-pc.md)
### [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md)
### [Take a Test app technical reference](take-a-test-app-technical.md)
+## [Reset devices with Windows Automatic Redeployment](windows-automatic-redeployment.md)
## [Working with Microsoft Store for Education](education-scenarios-store-for-business.md)
## [Get Minecraft: Education Edition](get-minecraft-for-education.md)
### [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md)
diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md
index f5cf7d1f00..4d7afe9e0a 100644
--- a/education/windows/change-history-edu.md
+++ b/education/windows/change-history-edu.md
@@ -15,6 +15,13 @@ ms.date: 08/01/2017
This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation.
+## RELEASE: Windows 10, version 1709 (Fall Creators Update)
+
+| New or changed topic | Description |
+| --- | ---- |
+| [Reset devices with Windows Automatic Redeployment](windows-automatic-redeployment.md) | New. Learn how you can use this new feature to quickly reset student PCs from the lock screen and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use and returned to a fully configured or known IT-approved state. |
+| [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md) | Updated the *Go back to your previous edition of Windows 10* section with new information on how to work around cases where Win32 apps are blocked after switching from Windows 10 S back to your previous Windows edition. |
+
## September 2017
| New or changed topic | Description |
@@ -74,13 +81,13 @@ This topic lists new and updated topics in the [Windows 10 for Education](index.
| New or changed topic | Description |
| --- | --- |
-| [Upgrade Windows 10 Pro to Pro Education from Windows Store for Business] | New. Learn how to opt-in to a free upgrade to Windows 10 Pro Education. As of May 2017, this topic has been replaced with [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md). |
+| [Upgrade Windows 10 Pro to Pro Education from Microsoft Store for Business] | New. Learn how to opt-in to a free upgrade to Windows 10 Pro Education. As of May 2017, this topic has been replaced with [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md). |
## November 2016
| New or changed topic | Description|
| --- | --- |
-| [Working with Windows Store for Business – education scenarios](education-scenarios-store-for-business.md) | New. Learn about education scenarios for Windows Store for Business. |
+| [Working with Microsoft Store for Business – education scenarios](education-scenarios-store-for-business.md) | New. Learn about education scenarios for Microsoft Store for Business. |
| [For teachers - get Minecraft: Education Edition](teacher-get-minecraft.md) | Updates. Subscription support for Minecraft: Education Edition. |
| [For IT administrators - get Minecraft: Education Edition](school-get-minecraft.md) | Updates. Subscription support for Minecraft: Education Edition. |
diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md
index 94d98ad536..a70112829b 100644
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@@ -84,11 +84,11 @@ Table 1. Google App replacements
It may be that you will decide to replace Google Apps after you deploy Windows devices. For more information on making this decision, see the [Select cloud services migration strategy](#select-cs-migrationstrat) section of this guide.
-**Find the same or similar apps in the Windows Store**
+**Find the same or similar apps in the Microsoft Store**
-In many instances, software vendors will create a version of their app for multiple platforms. You can search the Windows Store to find the same or similar apps to any apps not identified in the [Select Google Apps replacements](#select-googleapps) section.
+In many instances, software vendors will create a version of their app for multiple platforms. You can search the Microsoft Store to find the same or similar apps to any apps not identified in the [Select Google Apps replacements](#select-googleapps) section.
-In other instances, the offline app does not have a version written for the Windows Store or is not a web app. In these cases, look for an app that provides similar functions. For example, you might have a graphing calculator offline Android app published on the Chrome OS, but the software publisher does not have a version for Windows devices. Search the Windows Store for a graphing calculator app that provides similar features and functionality. Use that Windows Store app as a replacement for the graphing calculator offline Android app published on the Chrome OS.
+In other instances, the offline app does not have a version written for the Microsoft Store or is not a web app. In these cases, look for an app that provides similar functions. For example, you might have a graphing calculator offline Android app published on the Chrome OS, but the software publisher does not have a version for Windows devices. Search the Microsoft Store for a graphing calculator app that provides similar features and functionality. Use that Microsoft Store app as a replacement for the graphing calculator offline Android app published on the Chrome OS.
Record the Windows app that replaces the Chromebook app in your app portfolio.
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index 677ecadbb9..2a04a913e8 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -55,7 +55,7 @@ This district configuration has the following characteristics:
* The classrooms connect to each other through multiple subnets.
* All devices in each classroom connect to a single subnet.
* All devices have high-speed, persistent connections to each other and to the Internet.
-* All teachers and students have access to Windows Store or Windows Store for Business.
+* All teachers and students have access to Microsoft Store or Microsoft Store for Business.
* You install a 64-bit version of Windows 10 on the admin device.
* You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device.
* You install the 64-bit version of the Microsoft Deployment Toolkit (MDT) 2013 Update 2 on the admin device.
@@ -125,7 +125,7 @@ The high-level process for deploying and configuring devices within individual c
3. On the admin device, configure integration between on-premises AD DS and Azure AD (if you have an on premises AD DS configuration).
-4. On the admin device, create and configure a Windows Store for Business portal.
+4. On the admin device, create and configure a Microsoft Store for Business portal.
5. On the admin device, prepare for management of the Windows 10 devices after deployment.
@@ -149,7 +149,7 @@ In this district, you looked at the final configuration of your individual class
## Select deployment and management methods
-Now that you know what a typical district looks like and how to configure the devices in your district, you need to make a few decisions. You must select the methods you’ll use to deploy Windows 10 to the faculty and student devices in your district. Next, you must select the method you’ll use to manage configuration settings for your users and devices. Finally, you must select the method you’ll use to manage Windows desktop apps, Windows Store apps, and software updates.
+Now that you know what a typical district looks like and how to configure the devices in your district, you need to make a few decisions. You must select the methods you’ll use to deploy Windows 10 to the faculty and student devices in your district. Next, you must select the method you’ll use to manage configuration settings for your users and devices. Finally, you must select the method you’ll use to manage Windows desktop apps, Microsoft Store apps, and software updates.
### Typical deployment and management scenarios
@@ -196,7 +196,7 @@ To deploy Windows 10 and your apps, you can use MDT by itself or System Center C
MDT
-
MDT is an on-premises solution that supports initial operating system deployment and upgrade. You can use MDT to deploy and upgrade Windows 10. In addition, you can initially deploy Windows desktop and Windows Store apps and software updates.
+
MDT is an on-premises solution that supports initial operating system deployment and upgrade. You can use MDT to deploy and upgrade Windows 10. In addition, you can initially deploy Windows desktop and Microsoft Store apps and software updates.
Select this method when you:
Want to deploy Windows 10 to institution-owned and personal devices. (Devices need not be domain joined.)
@@ -229,7 +229,7 @@ Select this method when you:
System Center Configuration Manager
-
System Center Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle. You can use System Center Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Windows Store apps and software updates as well as provide antivirus and antimalware protection.
+
System Center Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle. You can use System Center Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection.
Select this method when you:
Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined).
@@ -240,7 +240,7 @@ Select this method when you:
The advantages of this method are that:
You can deploy Windows 10 operating systems.
-
You can manage (deploy) Windows desktop and Windows Store apps throughout entire application life cycle.
+
You can manage (deploy) Windows desktop and Microsoft Store apps throughout entire application life cycle.
You can manage software updates for Windows 10 and apps.
You can manage antivirus and malware protection.
It scales to large number of users and devices.
@@ -381,7 +381,7 @@ Use the information in Table 6 to determine which combination of app and update
System Center Configuration Manager
-
System Center Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.
System Center Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using System Center Configuration Manager. You can also manage Windows desktop and Windows Store applications.
Select this method when you:
+
System Center Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.
System Center Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using System Center Configuration Manager. You can also manage Windows desktop and Microsoft Store applications.
Select this method when you:
Selected System Center Configuration Manager to deploy Windows 10.
Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
@@ -441,7 +441,7 @@ Select this method when you:
System Center Configuration Manager and Intune (hybrid)
System Center Configuration Manager and Intune together extend System Center Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both System Center Configuration Manager and Intune.
-System Center Configuration Manager and Intune in the hybrid configuration allow you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using System Center Configuration Manager, and you can manage Windows desktop and Windows Store applications for both institution-owned and personal devices.
+System Center Configuration Manager and Intune in the hybrid configuration allow you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using System Center Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.
Select this method when you:
Selected System Center Configuration Manager to deploy Windows 10.
@@ -488,7 +488,7 @@ Record the app and update management methods that you selected in Table 7.
*Table 7. App and update management methods selected*
#### Summary
-In this section, you selected the methods that you will use to deploy Windows 10 to the faculty and student devices in your district. You selected the methods that you will use to manage configuration settings. Finally, you selected the methods that you will use to manage Windows desktop apps, Windows Store apps, and software updates.
+In this section, you selected the methods that you will use to deploy Windows 10 to the faculty and student devices in your district. You selected the methods that you will use to manage configuration settings. Finally, you selected the methods that you will use to manage Windows desktop apps, Microsoft Store apps, and software updates.
## Prepare the admin device
@@ -526,7 +526,7 @@ For more information about how to create a deployment share, see [Step 3-1: Crea
>**Note** If you selected System Center Configuration Manager to deploy Windows 10 or manage your devices (in the [Select the deployment methods](#select-the-deployment-methods) and [Select the configuration setting management methods](#select-the-configuration-setting-management-methods) sections, respectively), perform the steps in this section. Otherwise, skip this section and continue to the next.
-You can use System Center Configuration Manager to manage Windows 10 deployments, Windows desktop apps, Windows Store apps, and software updates. To manage System Center Configuration Manager, you use the Configuration Manager console. You must install the Configuration Manager console on every device you use to manage System Center Configuration Manager (specifically, the admin device). The Configuration Manager console is automatically installed when you install System Center Configuration Manager primary site servers.
+You can use System Center Configuration Manager to manage Windows 10 deployments, Windows desktop apps, Microsoft Store apps, and software updates. To manage System Center Configuration Manager, you use the Configuration Manager console. You must install the Configuration Manager console on every device you use to manage System Center Configuration Manager (specifically, the admin device). The Configuration Manager console is automatically installed when you install System Center Configuration Manager primary site servers.
For more information about how to install the Configuration Manager console, see [Install System Center Configuration Manager consoles](https://technet.microsoft.com/en-us/library/mt590197.aspx#bkmk_InstallConsole).
@@ -908,62 +908,62 @@ If you enabled Azure AD Premium in the [Enable Azure AD Premium](#enable-azure-a
For more information about assigning user licenses for Azure AD Premium, see [How to assign EMS/Azure AD Premium licenses to user accounts](https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/How-to-assign-Azure-AD-Premium-Licenses-to-user-accounts).
-## Create and configure a Windows Store for Business portal
+## Create and configure a Microsoft Store for Business portal
-Windows Store for Business allows you to create your own private portal to manage Windows Store apps in your institution. With Windows Store for Business, you can:
+Microsoft Store for Business allows you to create your own private portal to manage Microsoft Store apps in your institution. With Microsoft Store for Business, you can:
-* Find and acquire Windows Store apps.
+* Find and acquire Microsoft Store apps.
* Manage apps, app licenses, and updates.
* Distribute apps to your users.
-For more information about Windows Store for Business, see [Windows Store for Business overview](https://technet.microsoft.com/itpro/windows/whats-new/windows-store-for-business-overview).
+For more information about Microsoft Store for Business, see [Microsoft Store for Business overview](https://technet.microsoft.com/itpro/windows/whats-new/windows-store-for-business-overview).
-This section shows you how to create a Windows Store for Business portal and configure it for your school.
+This section shows you how to create a Microsoft Store for Business portal and configure it for your school.
-### Create and configure your Windows Store for Business portal
+### Create and configure your Microsoft Store for Business portal
-To create and configure your Windows Store for Business portal, simply use the administrative account for your Office 365 subscription to sign in to Windows Store for Business. Windows Store for Business automatically creates a portal for your institution and uses your account as its administrator.
+To create and configure your Microsoft Store for Business portal, simply use the administrative account for your Office 365 subscription to sign in to Microsoft Store for Business. Microsoft Store for Business automatically creates a portal for your institution and uses your account as its administrator.
-#### To create and configure a Windows Store for Business portal
+#### To create and configure a Microsoft Store for Business portal
1. In Microsoft Edge or Internet Explorer, type `http://microsoft.com/business-store` in the address bar.
-2. On the **Windows Store for Business** page, click **Sign in with an organizational account**.
+2. On the **Microsoft Store for Business** page, click **Sign in with an organizational account**.
-3. On the Windows Store for Business sign-in page, use the administrative account for the Office 365 subscription you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section to sign in.
+3. On the Microsoft Store for Business sign-in page, use the administrative account for the Office 365 subscription you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section to sign in.
-4. On the **Windows Store for Business Services Agreement** page, review the agreement, select the **I accept this agreement and certify that I have the authority to bind my organization to its terms** check box, and then click **Accept**.
+4. On the **Microsoft Store for Business Services Agreement** page, review the agreement, select the **I accept this agreement and certify that I have the authority to bind my organization to its terms** check box, and then click **Accept**.
-5. In the **Welcome to the Windows Store for Business** dialog box, click **OK**.
+5. In the **Welcome to the Microsoft Store for Business** dialog box, click **OK**.
-After you create the Windows Store for Business portal, configure it by using the commands in the **Settings** menu listed in Table 14. Depending on your institution, you may (or may not) need to change these settings to further customize your portal.
+After you create the Microsoft Store for Business portal, configure it by using the commands in the **Settings** menu listed in Table 14. Depending on your institution, you may (or may not) need to change these settings to further customize your portal.
|Menu selection|What can you do in this menu|
|--------------|----------------------------|
-|Account information |Displays information about your Windows Store for Business account (no settings can be changed). You make changes to this information in Office 365 or the Azure Management Portal. For more information, see [Update Windows Store for Business account settings](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings).|
+|Account information |Displays information about your Microsoft Store for Business account (no settings can be changed). You make changes to this information in Office 365 or the Azure Management Portal. For more information, see [Update Microsoft Store for Business account settings](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings).|
|Device Guard signing |Allows you to upload and sign Device Guard catalog and policy files. For more information about Device Guard, see [Device Guard deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide).|
|LOB publishers |Allows you to add line-of-business (LOB) publishers that can then publish apps to your private store. LOB publishers are usually internal developers or software vendors that are working with your institution. For more information, see [Working with line-of-business apps](https://technet.microsoft.com/itpro/windows/manage/working-with-line-of-business-apps).|
|Management tools |Allows you to add tools that you can use to distribute (deploy) apps in your private store. For more information, see [Distribute apps with a management tool](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-with-management-tool).|
-|Offline licensing|Allows you to show (or not show) offline licensed apps to people shopping in your private store. For more information, see the “Licensing model: online and offline licenses” section in [Apps in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model).|
-|Permissions |Allows you to grant other users in your organization the ability to buy, manage, and administer your Windows Store for Business portal. You can also remove permissions you have previously granted. For more information, see [Roles and permissions in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business).|
-|Private store |Allows you to change the organization name used in your Windows Store for Business portal. When you create your portal, the private store uses the organization name that you used to create your Office 365 subscription. For more information, see [Distribute apps using your private store](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-from-your-private-store).|
+|Offline licensing|Allows you to show (or not show) offline licensed apps to people shopping in your private store. For more information, see the “Licensing model: online and offline licenses” section in [Apps in Microsoft Store for Business](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model).|
+|Permissions |Allows you to grant other users in your organization the ability to buy, manage, and administer your Microsoft Store for Business portal. You can also remove permissions you have previously granted. For more information, see [Roles and permissions in Microsoft Store for Business](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business).|
+|Private store |Allows you to change the organization name used in your Microsoft Store for Business portal. When you create your portal, the private store uses the organization name that you used to create your Office 365 subscription. For more information, see [Distribute apps using your private store](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-from-your-private-store).|
-*Table 14. Menu selections to configure Windows Store for Business settings*
+*Table 14. Menu selections to configure Microsoft Store for Business settings*
### Find, acquire, and distribute apps in the portal
-Now that you have created your Windows Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this from the **Inventory** page in Windows Store for Business.
+Now that you have created your Microsoft Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this from the **Inventory** page in Microsoft Store for Business.
->**Note** Your educational institution can now use a credit card or purchase order to pay for apps in Windows Store for Business.
+>**Note** Your educational institution can now use a credit card or purchase order to pay for apps in Microsoft Store for Business.
You can deploy apps to individual users or make apps available to users through your private store. Deploying apps to individual users restricts the app to those specified users. Making apps available through your private store allows all your users to install the apps.
-For more information about how to find, acquire, and distribute apps in the portal, see [App inventory management for Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/app-inventory-managemement-windows-store-for-business).
+For more information about how to find, acquire, and distribute apps in the portal, see [App inventory management for Microsoft Store for Business](https://technet.microsoft.com/itpro/windows/manage/app-inventory-managemement-windows-store-for-business).
#### Summary
-At the end of this section, you should have a properly configured Windows Store for Business portal. You have also found and acquired your apps from Windows Store. Finally, you should have deployed all your Windows Store apps to your users. Now, you’re ready to deploy Windows Store apps to your users.
+At the end of this section, you should have a properly configured Microsoft Store for Business portal. You have also found and acquired your apps from Microsoft Store. Finally, you should have deployed all your Microsoft Store apps to your users. Now, you’re ready to deploy Microsoft Store apps to your users.
## Plan for deployment
@@ -987,7 +987,7 @@ Depending on your school’s requirements, you may need any combination of the f
* Upgrade institution-owned devices to Windows 10 Education.
* Deploy new instances of Windows 10 Education so that new devices have a known configuration.
->**Note** Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Windows Store for Business—features not available in Windows 10 Home. For more information about how to upgrade Windows 10 Home to Windows 10 Pro or Windows 10 Education, see [Windows 10 edition upgrade](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades).
+>**Note** Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Microsoft Store for Business—features not available in Windows 10 Home. For more information about how to upgrade Windows 10 Home to Windows 10 Pro or Windows 10 Education, see [Windows 10 edition upgrade](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades).
For more information about the Windows 10 editions, see [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
@@ -1075,7 +1075,7 @@ At the end of this section, you should know the Windows 10 editions and processo
## Prepare for deployment
-Before you can deploy Windows 10 and your apps to devices, you need to prepare your MDT environment, Windows Deployment Services, and System Center Configuration Manager (if you selected it to do operating system deployment in the [Select the deployment methods](#select-the-deployment-methods) section). In this section, you ensure that the deployment methods you selected in the [Select the deployment methods](#select-the-deployment-methods) section have the necessary Windows 10 editions and versions, Windows desktop apps, Windows Store apps, and device drivers.
+Before you can deploy Windows 10 and your apps to devices, you need to prepare your MDT environment, Windows Deployment Services, and System Center Configuration Manager (if you selected it to do operating system deployment in the [Select the deployment methods](#select-the-deployment-methods) section). In this section, you ensure that the deployment methods you selected in the [Select the deployment methods](#select-the-deployment-methods) section have the necessary Windows 10 editions and versions, Windows desktop apps, Microsoft Store apps, and device drivers.
### Configure the MDT deployment share
@@ -1110,18 +1110,18 @@ Import device drivers for each device in your institution. For more information
-
3. Create MDT applications for Windows Store apps
-
Create an MDT application for each Windows Store app you want to deploy. You can deploy Windows Store apps by using sideloading, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called *provisioned apps*). Use this method to deploy up to 24 apps to Windows 10.
-
Prior to sideloading the .appx files, obtain the Windows Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Windows Store, you will need to obtain the .appx files by performing one of the following tasks:
+
3. Create MDT applications for Microsoft Store apps
+
Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called *provisioned apps*). Use this method to deploy up to 24 apps to Windows 10.
+
Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you will need to obtain the .appx files by performing one of the following tasks:
-
For offline-licensed apps, download the .appx files from the Windows Store for Business.
+
For offline-licensed apps, download the .appx files from the Microsoft Store for Business.
For apps that are not offline licensed, obtain the .appx files from the app software vendor directly.
- If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Windows Store or Windows Store for Business.
-If you have Intune or System Center Configuration Manager, you can deploy Windows Store apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) and [Deploy and manage apps by using System Center Configuration Manager](#deploy-and-manage-apps-by-using-system-center-configuration-manager) sections. This method provides granular deployment of Windows Store apps, and you can use it for ongoing management of Windows Store apps. This is the preferred method of deploying and managing Windows Store apps.
-In addition, you must prepare your environment for sideloading Windows Store apps. For more information about how to:
+ If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.
+If you have Intune or System Center Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) and [Deploy and manage apps by using System Center Configuration Manager](#deploy-and-manage-apps-by-using-system-center-configuration-manager) sections. This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.
+In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:
-
Prepare your environment for sideloading, see [Try it out: sideload Windows Store apps](https://technet.microsoft.com/en-us/windows/jj874388.aspx).
+
Prepare your environment for sideloading, see [Try it out: sideload Microsoft Store apps](https://technet.microsoft.com/en-us/windows/jj874388.aspx).
Create an MDT application, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench).
@@ -1198,9 +1198,9 @@ Deploying a new System Center Configuration Manager infrastructure is beyond the
Create a System Center Configuration Manager driver package for each device type in your district. For more information, see [Manage drivers in System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt627934.aspx).
4. Add Windows apps.
- Install the Windows apps (Windows desktop and Windows Store apps) that you want to deploy after the task sequence deploys your customized image (a thick, reference image that include Windows 10 and your core Windows desktop apps). These apps are in addition to the apps included in your reference image. You can only deploy Windows Store apps after you deploy Windows 10 because you cannot capture Windows Store apps in a reference image. Windows Store apps target users, not devices.
+ Install the Windows apps (Windows desktop and Microsoft Store apps) that you want to deploy after the task sequence deploys your customized image (a thick, reference image that include Windows 10 and your core Windows desktop apps). These apps are in addition to the apps included in your reference image. You can only deploy Microsoft Store apps after you deploy Windows 10 because you cannot capture Microsoft Store apps in a reference image. Microsoft Store apps target users, not devices.
- Create a System Center Configuration Manager application for each Windows desktop or Windows Store app that you want to deploy after you apply the reference image to a device. For more information, see [Deploy and manage applications with System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt627959.aspx).
+ Create a System Center Configuration Manager application for each Windows desktop or Microsoft Store app that you want to deploy after you apply the reference image to a device. For more information, see [Deploy and manage applications with System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt627959.aspx).
### Configure Window Deployment Services for MDT
@@ -1397,10 +1397,10 @@ Use the information in Table 17 to help you determine whether you need to config
-
Control Windows Store access
-
You can control access to Windows Store and whether existing Windows Store apps receive updates. You can only disable the Windows Store app in Windows 10 Education and Windows 10 Enterprise.
-**Group Policy.** To disable the Windows Store app, use the **Turn off the Store Application** group policy setting. To prevent Windows Store apps from receiving updates, use the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Windows Store in my enterprise environment?](https://technet.microsoft.com/en-us/library/hh832040.aspx#BKMK_UseGP).
-**Intune.** To enable or disable Windows Store access, use the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration policy**.
+
Control Microsoft Store access
+
You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.
+**Group Policy.** To disable the Microsoft Store app, use the **Turn off the Store Application** group policy setting. To prevent Microsoft Store apps from receiving updates, use the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Microsoft Store in my enterprise environment?](https://technet.microsoft.com/en-us/library/hh832040.aspx#BKMK_UseGP).
+**Intune.** To enable or disable Microsoft Store access, use the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration policy**.
@@ -1499,7 +1499,7 @@ For more information about Intune, see [Microsoft Intune Documentation](https://
If you selected to deploy and manage apps by using System Center Configuration Manager and Intune in a hybrid configuration, then skip this section and continue to the [Deploy and manage apps by using System Center Configuration Manager](#deploy-and-manage-apps-by-using-system-center-configuration-manager) section.
-You can use Intune to deploy Windows Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you to deploy apps to companion devices (such as Windows 10 Mobile, iOS, or Android devices). Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that are not enrolled in Intune or that another solution manages.
+You can use Intune to deploy Microsoft Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you to deploy apps to companion devices (such as Windows 10 Mobile, iOS, or Android devices). Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that are not enrolled in Intune or that another solution manages.
For more information about how to configure Intune to manage your apps, see the following resources:
@@ -1511,7 +1511,7 @@ For more information about how to configure Intune to manage your apps, see the
### Deploy and manage apps by using System Center Configuration Manager
-You can use System Center Configuration Manager to deploy Windows Store and Windows desktop apps. System Center Configuration Manager allows you to create a System Center Configuration Manager application that you can use to deploy apps to different devices (such as Windows 10 desktop, Windows 10 Mobile, iOS, or Android devices) by using *deployment types*. You can think of a System Center Configuration Manager application as a box. You can think of deployment types as one or more sets of installation files and installation instructions within that box.
+You can use System Center Configuration Manager to deploy Microsoft Store and Windows desktop apps. System Center Configuration Manager allows you to create a System Center Configuration Manager application that you can use to deploy apps to different devices (such as Windows 10 desktop, Windows 10 Mobile, iOS, or Android devices) by using *deployment types*. You can think of a System Center Configuration Manager application as a box. You can think of deployment types as one or more sets of installation files and installation instructions within that box.
For example, you could create a Skype application that contains a deployment type for Windows 10 desktop, Windows 10 Mobile, iOS, and Android. You can deploy the one application to multiple device types.
@@ -1560,7 +1560,7 @@ Prior to deployment of Windows 10, complete the tasks in Table 18. Most of these
|----|----|
|1. |Ensure that the target devices have sufficient system resources to run Windows 10.|
|2. |Identify the necessary devices drivers, and then import them into the MDT deployment share or System Center Configuration Manager.|
-|3. |For each Windows Store and Windows desktop app, create an MDT application or System Center Configuration Manager application.|
+|3. |For each Microsoft Store and Windows desktop app, create an MDT application or System Center Configuration Manager application.|
|4. |Notify the students and faculty about the deployment.|
*Table 18. Deployment preparation checklist*
@@ -1616,7 +1616,7 @@ As a final quality control step, verify the device configuration to ensure that
* Windows Update is active and current with software updates.
* Windows Defender is active and current with malware signatures.
* The SmartScreen Filter is active.
-* All Windows Store apps are properly installed and updated.
+* All Microsoft Store apps are properly installed and updated.
* All Windows desktop apps are properly installed and updated.
* Printers are properly configured.
@@ -1735,9 +1735,9 @@ For more information, see:
-
Install new or update existing Windows Store apps used in the curriculum.
-Windows Store apps are automatically updated from Windows Store. The menu bar in the Windows Store app shows whether any Windows Store app updates are available for download.
-You can also deploy Windows Store apps directly to devices by using Intune, System Center Configuration Manager, or both in a hybrid configuration. For more information, see:
+
Install new or update existing Microsoft Store apps used in the curriculum.
+Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.
+You can also deploy Microsoft Store apps directly to devices by using Intune, System Center Configuration Manager, or both in a hybrid configuration. For more information, see:
[Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
[Deploy and manage apps by using System Center Configuration Manager](#deploy-and-manage-apps-by-using-system-center-configuration-manager)
@@ -1853,4 +1853,4 @@ You have now identified the tasks you need to perform monthly, at the end of an
* [Manage Windows 10 updates and upgrades in a school environment (video)](https://technet.microsoft.com/en-us/windows/mt723347)
* [Reprovision devices at the end of the school year (video)](https://technet.microsoft.com/en-us/windows/mt723344)
* [Use MDT to deploy Windows 10 in a school (video)](https://technet.microsoft.com/en-us/windows/mt723343)
-* [Use Windows Store for Business in a school environment (video)](https://technet.microsoft.com/en-us/windows/mt723348)
+* [Use Microsoft Store for Business in a school environment (video)](https://technet.microsoft.com/en-us/windows/mt723348)
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md
index e83be61c46..f4a35bc19b 100644
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@@ -45,7 +45,7 @@ This school configuration has the following characteristics:
- The classrooms connect to each other through multiple subnets.
- All devices in each classroom connect to a single subnet.
- All devices have high-speed, persistent connections to each other and to the Internet.
-- All teachers and students have access to Windows Store or Windows Store for Business.
+- All teachers and students have access to Microsoft Store or Microsoft Store for Business.
- All devices receive software updates from Intune (or another device management system).
- You install a 64-bit version of Windows 10 on the admin device.
- You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device.
@@ -105,7 +105,7 @@ The high-level process for deploying and configuring devices within individual c
1. Prepare the admin device for use, which includes installing the Windows ADK and MDT.
2. On the admin device, create and configure the Office 365 Education subscription that you will use for each classroom in the school.
3. On the admin device, configure integration between on-premises AD DS and Azure AD (if you have an on premises AD DS configuration).
-4. On the admin device, create and configure a Windows Store for Business portal.
+4. On the admin device, create and configure a Microsoft Store for Business portal.
5. On the admin device, prepare for management of the Windows 10 devices after deployment.
6. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10.
7. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS and Azure AD integration.
@@ -525,57 +525,57 @@ For more information about:
- Azure AD editions, see [Azure Active Directory editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/).
- How to assign user licenses for Azure AD Premium, see [How to assign EMS/Azure AD Premium licenses to user accounts](https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/How-to-assign-Azure-AD-Premium-Licenses-to-user-accounts).
-## Create and configure a Windows Store for Business portal
+## Create and configure a Microsoft Store for Business portal
-Windows Store for Business allows you to create your own private portal to manage Windows Store apps in your institution. With Windows Store for Business, you can do the following:
+Microsoft Store for Business allows you to create your own private portal to manage Microsoft Store apps in your institution. With Microsoft Store for Business, you can do the following:
-- Find and acquire Windows Store apps.
+- Find and acquire Microsoft Store apps.
- Manage apps, app licenses, and updates.
- Distribute apps to your users.
-For more information about Windows Store for Business, see [Windows Store for Business overview](https://technet.microsoft.com/itpro/windows/whats-new/windows-store-for-business-overview).
+For more information about Microsoft Store for Business, see [Microsoft Store for Business overview](https://technet.microsoft.com/itpro/windows/whats-new/windows-store-for-business-overview).
-The following section shows you how to create a Windows Store for Business portal and configure it for your school.
+The following section shows you how to create a Microsoft Store for Business portal and configure it for your school.
-### Create and configure your Windows Store for Business portal
+### Create and configure your Microsoft Store for Business portal
-To create and configure your Windows Store for Business portal, simply use the administrative account for your Office 365 subscription to sign in to Windows Store for Business. Windows Store for Business automatically creates a portal for your institution and uses your account as its administrator.
+To create and configure your Microsoft Store for Business portal, simply use the administrative account for your Office 365 subscription to sign in to Microsoft Store for Business. Microsoft Store for Business automatically creates a portal for your institution and uses your account as its administrator.
-#### To create and configure a Windows Store for Business portal
+#### To create and configure a Microsoft Store for Business portal
1. In Microsoft Edge or Internet Explorer, type `http://microsoft.com/business-store` in the address bar.
-2. On the **Windows Store for Business** page, click **Sign in with an organizational account**.
**Note** If your institution has AD DS, then don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
-3. On the Windows Store for Business sign-in page, use the administrative account for the Office 365 subscription you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section to sign in.
-4. On the **Windows Store for Business Services Agreement** page, review the agreement, select the **I accept this agreement and certify that I have the authority to bind my organization to its terms** check box, and then click **Accept**
-5. In the **Welcome to the Windows Store for Business** dialog box, click **OK**.
+2. On the **Microsoft Store for Business** page, click **Sign in with an organizational account**.
**Note** If your institution has AD DS, then don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
+3. On the Microsoft Store for Business sign-in page, use the administrative account for the Office 365 subscription you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section to sign in.
+4. On the **Microsoft Store for Business Services Agreement** page, review the agreement, select the **I accept this agreement and certify that I have the authority to bind my organization to its terms** check box, and then click **Accept**
+5. In the **Welcome to the Microsoft Store for Business** dialog box, click **OK**.
-After you create the Windows Store for Business portal, configure it by using the commands in the settings menu listed in Table 7. Depending on your institution, you may (or may not) need to change these settings to further customize your portal.
+After you create the Microsoft Store for Business portal, configure it by using the commands in the settings menu listed in Table 7. Depending on your institution, you may (or may not) need to change these settings to further customize your portal.
-*Table 7. Menu selections to configure Windows Store for Business settings*
+*Table 7. Menu selections to configure Microsoft Store for Business settings*
| Menu selection | What you can do in this menu |
|---------------| -------------------|
-|Account information|Displays information about your Windows Store for Business account (no settings can be changed). You make changes to this information in Office 365 or the Azure Portal. For more information, see [Update Windows Store for Business account settings](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings).|
+|Account information|Displays information about your Microsoft Store for Business account (no settings can be changed). You make changes to this information in Office 365 or the Azure Portal. For more information, see [Update Microsoft Store for Business account settings](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings).|
|Device Guard signing|Allows you to upload and sign Device Guard catalog and policy files. For more information about Device Guard, see [Device Guard deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide).|
|LOB publishers| Allows you to add line-of-business (LOB) publishers that can then publish apps to your private store. LOB publishers are usually internal developers or software vendors that are working with your institution. For more information, see [Working with line-of-business apps](https://technet.microsoft.com/itpro/windows/manage/working-with-line-of-business-apps).|
|Management tools| Allows you to add tools that you can use to distribute (deploy) apps in your private store. For more information, see [Distribute apps with a management tool](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-with-management-tool).|
|Offline licensing|Allows you to show (or not show) offline licensed apps to people shopping in your private store. For more information, see [Licensing model: online and offline licenses](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model).|
-|Permissions|Allows you to grant other users in your organization the ability to buy, manage, and administer your Windows Store for Business portal. You can also remove permissions you have previously granted. For more information, see [Roles and permissions in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business).|
-|Private store|Allows you to change the organization name used in your Windows Store for Business portal. When you create your portal, the private store uses the organization name that you used to create your Office 365 subscription. For more information, see [Distribute apps using your private store](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-from-your-private-store).|
+|Permissions|Allows you to grant other users in your organization the ability to buy, manage, and administer your Microsoft Store for Business portal. You can also remove permissions you have previously granted. For more information, see [Roles and permissions in Microsoft Store for Business](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business).|
+|Private store|Allows you to change the organization name used in your Microsoft Store for Business portal. When you create your portal, the private store uses the organization name that you used to create your Office 365 subscription. For more information, see [Distribute apps using your private store](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-from-your-private-store).|
### Find, acquire, and distribute apps in the portal
-Now that you have created your Windows Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this by using the Inventory page in Windows Store for Business.
+Now that you have created your Microsoft Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this by using the Inventory page in Microsoft Store for Business.
-**Note** Your educational institution can now use a credit card to pay for apps in Windows Store for Business.
+**Note** Your educational institution can now use a credit card to pay for apps in Microsoft Store for Business.
You can deploy apps to individual users or make apps available to users through your private store. Deploying apps to individual users restricts the app to those specified users. Making apps available through your private store allows all your users.
-For more information about how to find, acquire, and distribute apps in the portal, see [App inventory management for Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/app-inventory-managemement-windows-store-for-business).
+For more information about how to find, acquire, and distribute apps in the portal, see [App inventory management for Microsoft Store for Business](https://technet.microsoft.com/itpro/windows/manage/app-inventory-managemement-windows-store-for-business).
### Summary
-At the end of this section, you should have a properly configured Windows Store for Business portal. You have also found and acquired your apps from Windows Store. Finally, you should have deployed all your Windows Store apps to your users. Now, you’re ready to deploy Windows Store apps to your users.
+At the end of this section, you should have a properly configured Microsoft Store for Business portal. You have also found and acquired your apps from Microsoft Store. Finally, you should have deployed all your Microsoft Store apps to your users. Now, you’re ready to deploy Microsoft Store apps to your users.
## Plan for deployment
@@ -598,7 +598,7 @@ Depending on your school’s requirements, you may need any combination of the f
- Upgrade institution-owned devices to Windows 10 Education.
- Deploy new instances of Windows 10 Education so that new devices have a known configuration.
-**Note** Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Windows Store for Business. These features are not available in Windows 10 Home.
+**Note** Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Microsoft Store for Business. These features are not available in Windows 10 Home.
One other consideration is the mix of processor architectures you will support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32 bit versions of Windows 10, you will need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above.
@@ -716,14 +716,14 @@ Import device drivers for each device in your institution. For more information
-
3. Create MDT applications for Windows Store apps
-
Create an MDT application for each Windows Store app you want to deploy. You can deploy Windows Store apps by using *sideloading*, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called *provisioned apps*). Use this method to deploy up to 24 apps to Windows 10.
+
3. Create MDT applications for Microsoft Store apps
+
Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using *sideloading*, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called *provisioned apps*). Use this method to deploy up to 24 apps to Windows 10.
-Prior to sideloading the .appx files, obtain the Windows Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Windows Store, you will need to obtain the .appx files from the app software vendor directly. If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Windows Store or Windows Store for Business.
+Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you will need to obtain the .appx files from the app software vendor directly. If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.
-If you have Intune, you can deploy Windows Store apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows Store apps, and you can use it for ongoing management of Windows Store apps. This is the preferred method of deploying and managing Windows Store apps.
+If you have Intune, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.
-In addition, you must prepare your environment for sideloading (deploying) Windows Store apps. For more information about how to:
+In addition, you must prepare your environment for sideloading (deploying) Microsoft Store apps. For more information about how to:
Prepare your environment for sideloading, see [Sideload LOB apps in Windows 10](https://technet.microsoft.com/en-us/itpro/windows/deploy/sideload-apps-in-windows-10).
Create an MDT application, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench).
@@ -930,9 +930,9 @@ Microsoft has several recommended settings for educational institutions. Table 1
-
Control Windows Store access
-
You can control access to Windows Store and whether existing Windows Store apps receive updates. You can only disable the Windows Store app in Windows 10 Education and Windows 10 Enterprise.
-**Group Policy**. You can disable the Windows Store app by using the **Turn off the Store Application** Group Policy setting. You can prevent Windows Store apps from receiving updates by using the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Windows Store in my enterprise environment?](https://technet.microsoft.com/en-us/library/hh832040.aspx#BKMK_UseGP).
+
Control Microsoft Store access
+
You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.
+**Group Policy**. You can disable the Microsoft Store app by using the **Turn off the Store Application** Group Policy setting. You can prevent Microsoft Store apps from receiving updates by using the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Microsoft Store in my enterprise environment?](https://technet.microsoft.com/en-us/library/hh832040.aspx#BKMK_UseGP).
**Intune**. You can enable or disable the camera by using the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration** policy.
@@ -1015,7 +1015,7 @@ For more information about Intune, see [Documentation for Microsoft Intune](http
### Deploy apps by using Intune
-You can use Intune to deploy Windows Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you deploy apps to companion devices (such as Windows 10 Mobile, iOS, or Android devices) Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that are not enrolled in Intune or are managed by another solution.
+You can use Intune to deploy Microsoft Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you deploy apps to companion devices (such as Windows 10 Mobile, iOS, or Android devices) Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that are not enrolled in Intune or are managed by another solution.
For more information about how to configure Intune to manage your apps, see [Deploy and configure apps with Microsoft Intune](https://docs.microsoft.com/en-us/intune/).
@@ -1037,7 +1037,7 @@ Prior to deployment of Windows 10, ensure that you complete the tasks listed in
| ---| --- |
| |The target devices have sufficient system resources to run Windows 10. |
| | Identify the necessary devices drivers, and import them to the MDT deployment share.|
-| | Create an MDT application for each Windows Store and Windows desktop app.|
+| | Create an MDT application for each Microsoft Store and Windows desktop app.|
| | Notify the students and faculty about the deployment.|
### Perform the deployment
@@ -1078,7 +1078,7 @@ As a final quality control step, verify the device configuration to ensure that
- Windows Update is active and current with software updates.
- Windows Defender is active and current with malware signatures.
- The SmartScreen Filter is active.
-- All Windows Store apps are properly installed and updated.
+- All Microsoft Store apps are properly installed and updated.
- All Windows desktop apps are properly installed and updated.
- Printers are properly configured.
@@ -1179,9 +1179,9 @@ For more information, see the [Deploy apps by using Intune](#deploy-apps-by-usin
-
Install new or update existing Windows Store apps that are used in the curriculum.
-Windows Store apps are automatically updated from Windows Store. The menu bar in the Windows Store app shows whether any Windows Store app updates are available for download.
-You can also deploy Windows Store apps directly to devices by using Intune. For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.
+
Install new or update existing Microsoft Store apps that are used in the curriculum.
+Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.
+You can also deploy Microsoft Store apps directly to devices by using Intune. For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.
diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md
index b6da8e4c04..9d9363576f 100644
--- a/education/windows/edu-deployment-recommendations.md
+++ b/education/windows/edu-deployment-recommendations.md
@@ -26,7 +26,7 @@ We want all students to have the chance to use the apps they need for success in
Keep these best practices in mind when deploying any edition of Windows 10 in schools or districts:
* A Microsoft account is only intended for consumer services. Enterprises and educational institutions should use enterprise versions where possible, such as Skype for Business, OneDrive for Business, and so on. For schools, consider using mobile device management (MDM) or Group Policy to block students from adding a Microsoft account as a secondary account.
* If schools allow the use of personal accounts by their students to access personal services, schools should be aware that these accounts belong to individuals, not the school.
-* IT administrators, school officials, and teachers should also consider ratings when picking apps from the Windows Store.
+* IT administrators, school officials, and teachers should also consider ratings when picking apps from the Microsoft Store.
* If you have students or school personnel who rely on assistive technology apps that are not available in the Microsoft Store for Education, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md) for more info.
## Windows 10 Contacts privacy settings
diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md
index 24b149b435..f401bc62e1 100644
--- a/education/windows/education-scenarios-store-for-business.md
+++ b/education/windows/education-scenarios-store-for-business.md
@@ -146,7 +146,7 @@ For info on how to distribute **Minecraft: Education Edition**, see [For teacher
3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**.
4. Type the email address, or name for the student that you're assigning the app to, and click **Assign**.
-Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**.
+Employees will receive an email with a link that will install the app on their device. Click the link to start the Microsoft Store app, and then click **Install**. Also, in the Microsoft Store app, they can find the app under **My Library**.
### Purchase additional licenses
Applies to: IT admins and teachers
diff --git a/education/windows/images/windows-automatic-redeployment-customlogin.png b/education/windows/images/windows-automatic-redeployment-customlogin.png
new file mode 100644
index 0000000000..d86cb57895
Binary files /dev/null and b/education/windows/images/windows-automatic-redeployment-customlogin.png differ
diff --git a/education/windows/images/windows-automatic-redeployment-lockscreen.png b/education/windows/images/windows-automatic-redeployment-lockscreen.png
new file mode 100644
index 0000000000..f6fa6d3467
Binary files /dev/null and b/education/windows/images/windows-automatic-redeployment-lockscreen.png differ
diff --git a/education/windows/images/windows-automatic-redeployment-provisioningcomplete.png b/education/windows/images/windows-automatic-redeployment-provisioningcomplete.png
new file mode 100644
index 0000000000..dd62db8c72
Binary files /dev/null and b/education/windows/images/windows-automatic-redeployment-provisioningcomplete.png differ
diff --git a/education/windows/images/windows_glyph.png b/education/windows/images/windows_glyph.png
new file mode 100644
index 0000000000..3a41d4dfb1
Binary files /dev/null and b/education/windows/images/windows_glyph.png differ
diff --git a/education/windows/index.md b/education/windows/index.md
index dc90bc8480..81f54fc144 100644
--- a/education/windows/index.md
+++ b/education/windows/index.md
@@ -59,7 +59,7 @@ Follow these links to find step-by-step guidance on how to deploy Windows 8.1 in
BYOD Explore Bring Your Own Device (BYOD) considerations, including device types, infrastructure, and deployment models.
Deploying Windows RT 8.1 Get step-by-step instructions on how to configure and deploy Windows RT devices (like Surface and other tablets) in educational environments.
Virtual Desktop Infrastructure Learn how to address challenges related to BYOD scenarios using Virtual Desktop Infrastructure (VDI).
-
Windows Store apps Explore Windows Store app deployment strategies and considerations for educational institutions running Windows 8.1.
+
Microsoft Store apps Explore Microsoft Store app deployment strategies and considerations for educational institutions running Windows 8.1.
Windows To Go Learn about the benefits, limitations, and processes involved in deploying Windows To Go.
## Related topics
diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md
index 572ace9f5f..5b40562d1e 100644
--- a/education/windows/school-get-minecraft.md
+++ b/education/windows/school-get-minecraft.md
@@ -23,7 +23,7 @@ When you sign up for a [Minecraft: Education Edition](http://education.minecraft
>[!Note]
>If you don't have an Azure AD or Office 365 tenant, you can set up a free Office 365 Education subscription when you request Minecraft: Education Edition. For more information see [Office 365 Education plans and pricing](https://products.office.com/academic/compare-office-365-education-plans).
-## Add Minecraft to your Windows Store for Education
+## Add Minecraft to your Microsoft Store for Education
You can start with the Minecraft: Education Edition trial to get individual copies of the app. For more information, see [Minecraft: Education Edition - direct purchase](#individual-copies).
@@ -60,7 +60,7 @@ Qualified education institutions can purchase Minecraft: Education Edition licen
- Your channel partner will submit and process your volume license order, your licenses will be shown on [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx), and the licenses will be available in your [Microsoft Store for Education](https://www.microsoft.com/business-store) inventory.
- You’ll receive an email with a link to Microsoft Store for Education.
-- Sign in to [Windows Store for Education](https://educationstore.microsoft.com) to distribute and manage the Minecraft: Education Edition licenses. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft)
+- Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com) to distribute and manage the Minecraft: Education Edition licenses. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft)
## Minecraft: Education Edition payment options
You can pay for Minecraft: Education Edition with a debit or credit card, or with an invoice.
@@ -114,7 +114,7 @@ After Minecraft: Education Edition is added to your Microsoft Store for Educatio
Admins can also add Minecraft: Education Edition to the private store. This allows people in your organization to install the app from the private store. For more information, see [Distribute apps using your private store](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-from-your-private-store).
@@ -263,21 +263,21 @@ Minecraft: Education Edition adds a new role for teachers: **Basic Purchaser**.
2. Click **Settings**, and then choose **Permissions**.
- 
+ 
3. Click **Add people**, type a name, select the correct person, choose the role you want to assign, and click **Save**.
- 
+ 
- Windows Store for Business updates the list of people and permissions.
+ Microsoft Store for Business updates the list of people and permissions.
- 
+ 
-->
diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md
index 89cd5cab6a..1982510bd4 100644
--- a/education/windows/set-up-school-pcs-technical.md
+++ b/education/windows/set-up-school-pcs-technical.md
@@ -136,7 +136,7 @@ The Set up School PCs app produces a specialized provisioning package that makes
- By default, saving content locally to the PC is blocked, but you can choose to enable it. This prevents data loss by forcing students to save to the cloud.
- A custom Start layout, taskbar layout, and lock screen image are set.
- Prohibits unlocking the PC to developer mode.
-- Prohibits untrusted Windows Store apps from being installed.
+- Prohibits untrusted Microsoft Store apps from being installed.
- Prohibits students from removing MDM.
- Prohibits students from adding new provisioning packages.
- Prohibits student from removing existing provisioning packages (including the one set by Set up School PCs).
diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md
index 660b765246..09099b2501 100644
--- a/education/windows/set-up-students-pcs-with-apps.md
+++ b/education/windows/set-up-students-pcs-with-apps.md
@@ -80,25 +80,25 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi
## Add a universal app to your package
-Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Windows Store for Business apps that you acquire with [offline licensing](https://technet.microsoft.com/itpro/windows/manage/acquire-apps-windows-store-for-business), or third-party apps. This procedure will assume you are distributing apps from the Windows Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer.
+Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Microsoft Store for Business apps that you acquire with [offline licensing](https://technet.microsoft.com/itpro/windows/manage/acquire-apps-windows-store-for-business), or third-party apps. This procedure will assume you are distributing apps from the Microsoft Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer.
1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**.
-2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Windows Store for Business, the package family name is listed in the **Package details** section of the download page.
+2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page.
3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
-4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Windows Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page.
+4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page.
-5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. In Windows Store for Business, you generate the license for the app on the app's download page.
+5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. In Microsoft Store for Business, you generate the license for the app on the app's download page.
-[Learn more about distributing offline apps from the Windows Store for Business.](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps)
+[Learn more about distributing offline apps from the Microsoft Store for Business.](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps)
> [!NOTE]
> Removing a provisioning package will not remove any apps installed by device context in that provisioning package.
diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md
index e1c9c918d3..d6c65cfc60 100644
--- a/education/windows/take-a-test-app-technical.md
+++ b/education/windows/take-a-test-app-technical.md
@@ -45,7 +45,7 @@ When Take a Test is running, the following MDM policies are applied to lock down
| Policy | Description | Value |
|---|---|---|
| AllowToasts | Disables toast notifications from being shown | 0 |
-| AllowAppStoreAutoUpdate | Disables automatic updates for Windows Store apps that are installed on the PC | 0 |
+| AllowAppStoreAutoUpdate | Disables automatic updates for Microsoft Store apps that are installed on the PC | 0 |
| AllowDeviceDiscovery | Disables UI for screen sharing | 0 |
| AllowInput Panel | Disables the onscreen keyboard which will disable auto-fill | 0 |
| AllowCortana | Disables Cortana functionality | 0 |
diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md
index 4873c007c6..2434ed8e9b 100644
--- a/education/windows/teacher-get-minecraft.md
+++ b/education/windows/teacher-get-minecraft.md
@@ -89,14 +89,14 @@ Students will receive an email with a link that will install the app on their PC
-1. Click **Get the app** to start the app install in Windows Store app.
-2. In Windows Store app, click **Install**.
+1. Click **Get the app** to start the app install in Microsoft Store app.
+2. In Microsoft Store app, click **Install**.
- 
+ 
- After installing the app, students can find Minecraft: Education Edition in Windows Store app under **My Library**.
+ After installing the app, students can find Minecraft: Education Edition in Microsoft Store app under **My Library**.
- 
+ 
When students click **My Library** they'll find apps assigned to them.
@@ -113,17 +113,17 @@ Download for others allows teachers or IT admins to download a packages that the
- Windows 10 (at least version 1511) is required for PCs running Minecraft: Education Edition.
#### Check for updates
-Minecraft: Education Edition will not install if there are updates pending for other apps on the PC. Before installing Minecraft, check to see if there are pending updates for Windows Store apps.
+Minecraft: Education Edition will not install if there are updates pending for other apps on the PC. Before installing Minecraft, check to see if there are pending updates for Microsoft Store apps.
**To check for app updates**
-1. Start Windows Store app on the PC (click **Start**, and type **Store**).
+1. Start Microsoft Store app on the PC (click **Start**, and type **Store**).
2. Click the account button, and then click **Downloads and updates**.
- 
+ 
3. Click **Check for updates**, and install all available updates.
- 
+ 
4. Restart the computer before installing Minecraft: Education Edition.
@@ -132,7 +132,7 @@ You'll download a .zip file, extract the files, and then use one of the files to
1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**.
- 
+ 
2. **Extract files**. Find the .zip file that you downloaded and extract the files. This is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**.
3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC.
diff --git a/education/windows/test-windows10s-for-edu.md b/education/windows/test-windows10s-for-edu.md
index 087af433c9..28761e9071 100644
--- a/education/windows/test-windows10s-for-edu.md
+++ b/education/windows/test-windows10s-for-edu.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.localizationpriority: high
author: CelesteDG
ms.author: celested
-ms.date: 08/30/2017
+ms.date: 10/17/2017
---
# Test Windows 10 S on existing Windows 10 education devices
@@ -21,11 +21,11 @@ The Windows 10 S self-installer will allow you to test Windows 10 S on a variety
Windows 10 S is built to give schools the familiar, robust, and productive experiences you count on from Windows in an experience that's been streamlined for security and performance in the classroom, and built to work with Microsoft Education[2](#footnote2).
-Windows 10 S is different from other editions of Windows 10 as everything that runs on the device is verfied by Microsoft for security and performance. Therefore, Windows 10 S works exclusively with apps from the Windows Store. Some accessories and apps compatible with Windows 10 may not work and performance may vary. Certain default settings, features, and apps cannot be changed. When you install Windows 10 S, your existing applications and settings will be deleted and you will only be able to install apps from the Windows Store.
+Windows 10 S is different from other editions of Windows 10 as everything that runs on the device is verfied by Microsoft for security and performance. Therefore, Windows 10 S works exclusively with apps from the Microsoft Store. Some accessories and apps compatible with Windows 10 may not work and performance may vary. Certain default settings, features, and apps cannot be changed. When you install Windows 10 S, your existing applications and settings will be deleted and you will only be able to install apps from the Microsoft Store.
**Configuring Windows 10 S for school use is easy:** Education customers must configure **SetEduPolicies** for use in K-12 schools. For more information on how to do these, see [Use the Set up School PCs app](use-set-up-school-pcs-app.md) and [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).
-**Installing Office 365 for Windows 10 S (Education preview)**: To install the Office applications in a school environment, you must use the free Set up School PCs app, which is available on the Microsoft Store for Education and from the Windows Store.
+**Installing Office 365 for Windows 10 S (Education preview)**: To install the Office applications in a school environment, you must use the free Set up School PCs app, which is available on the Microsoft Store for Education and from the Microsoft Store.
As we finalize development of Office 365 for Windows 10 S (Education preview), the applications will be updated automatically. You must have an Office license to activate the applications once they are installed.To learn more about Office 365 for Education plans, see [FAQ: Office on Windows 10 S](https://support.office.com/article/717193b5-ff9f-4388-84c0-277ddf07fe3f).
@@ -33,7 +33,7 @@ As we finalize development of Office 365 for Windows 10 S (Education preview), t
### Important information
-Before you install Windows 10 S, be aware that non-Windows Store apps will not work, peripherals that require custom drivers may not work, and other errors may occur. In particular, this release of Windows 10 S:
+Before you install Windows 10 S, be aware that non-Microsoft Store apps will not work, peripherals that require custom drivers may not work, and other errors may occur. In particular, this release of Windows 10 S:
* Is intended for education customers to test compatibility with existing hardware
* May not work with some device drivers, which may not yet be ready for Windows 10 S and may cause some loss in functionality
* May not be compatible with all peripherals that require custom drivers and, even if compatible, may cause aspects of the peripheral to not function
@@ -161,6 +161,21 @@ If going back is not available:
* Check if you can restore your PC to factory settings. This will reinstall the version of Windows that came with your PC and remove personal files, apps, and drivers you installed and any changes you made to **Settings**. Go to **Settings > Update & security > Recovery > Reset this PC > Get started** and look for **Restore factory settings**.
* If you have a product key for your previous version of Windows, use the media creation tool to create installation media of your previous Windows 10 edition and use it to do a clean install.
+After going back to your previous edition of Windows 10, you may receive the following message when launching Win32 apps:
+
+> For security and performance, this mode of Windows only runs verified apps from the Store.
+
+If you see this message, follow these steps to stop receiving the message:
+
+1. Restart your PC and enter UEFI/BIOS. Depending on your PC, you may need to press **Delete**, **F1**, or **F2** as soon as the PC begins to power on.
+2. Once you've accessed the UEFI/BIOS, look for the menu item labeled **Security** or **Security Settings** and navigate to it.
+3. Look for an option called **Secure boot configuration**, **Secure boot**, or **UEFI Boot** and disable this option.
+4. Save your settings and then exit UEFI/BIOS. This will restart your PC.
+5. After Windows is done booting up, confirm that you no longer see the message.
+
+ > [!NOTE]
+ > We recommend following these steps again to re-enable the **Secure boot configuration**, **Secure boot**, or **UEFI Boot** option, which you disabled in step 3.
+
### Use installation media to reinstall Windows 10
> [!WARNING]
@@ -179,7 +194,7 @@ To use an installation media to reinstall Windows 10, follow these steps.
If you're not seeing the setup screen, your PC might not be set up to boot from a drive. Check your PC manufacturer's website for information on how to change your PC's boot order, and then try again.
8. Select **Install now**.
-9. On the **Enter the product key to active Windows** page, enter a product key if you have one. If you upgraded to Windows 10 for free, or bought and activated Windows 10 from the Windows Store, select **Skip** and Windows will automatically activate later. For more information, see [Activation in Windows 10](https://support.microsoft.com/en-us/help/12440/windows-10-activation).
+9. On the **Enter the product key to active Windows** page, enter a product key if you have one. If you upgraded to Windows 10 for free, or bought and activated Windows 10 from the Microsoft Store, select **Skip** and Windows will automatically activate later. For more information, see [Activation in Windows 10](https://support.microsoft.com/en-us/help/12440/windows-10-activation).
10. On the **License terms** page, select **I accept the license terms** if you agree, and then select **Next**.
11. On the **Which type of installation do you want?** page, select **Custom**.
12. On the **where do you want to install Windows?** page, select a partition, select a formatting option (if necessary), and then follow the instructions.
diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md
index 72ee15e1ab..8bb431d617 100644
--- a/education/windows/use-set-up-school-pcs-app.md
+++ b/education/windows/use-set-up-school-pcs-app.md
@@ -42,9 +42,7 @@ Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recomm
You can watch the video to see how to use the Set up School PCs app, or follow the step-by-step guide.
-
+
You can watch the descriptive audio version here: [Microsoft Education: Use the Set up School PCs app (DA)](https://www.youtube.com/watch?v=qqe_T2LkGsI)
## Tips for success
@@ -102,6 +100,9 @@ You can watch the descriptive audio version here: [Microsoft Education: Use the
## Prerequisites
- [Download the latest Set up School PCs app from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4ls40).
+
+ The app supports these languages: Chinese (Simplified), Chinese (Traditional), Danish, Dutch, English (United Kingdom), English (United States), French, German, Italian, Japanese, Korean, Norwegian, Polish, Portuguese (Brazil), Russian, Spanish (Spain), Spanish (Mexico), Swedish, and Turkish.
+
- Install the app on your work PC and make sure you're connected to your school's network.
- You must have Office 365 and Azure Active Directory.
- You must have the Microsoft Store for Education configured.
diff --git a/education/windows/windows-automatic-redeployment.md b/education/windows/windows-automatic-redeployment.md
new file mode 100644
index 0000000000..5bf0ec6cde
--- /dev/null
+++ b/education/windows/windows-automatic-redeployment.md
@@ -0,0 +1,88 @@
+---
+title: Reset devices with Windows Automatic Redeployment
+description: Gives an overview of Windows Automatic Redeployment and how you can enable and use it in your schools.
+keywords: Windows Automatic Redeployment, Windows 10, education
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: edu
+ms.localizationpriority: high
+author: CelesteDG
+ms.author: celested
+ms.date: 10/17/2017
+---
+
+# Reset devices with Windows Automatic Redeployment
+**Applies to:**
+
+- Windows 10, version 1709
+
+IT admins or technical teachers can use Windows Automatic Redeployment to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment (Azure Active Directory and device management) so the devices are ready to use. With Windows Automatic Redeployment, devices are returned to a fully configured or known IT-approved state.
+
+To enable Windows Automatic Redeployment in Windows 10, version 1709 (Fall Creators Update), you must:
+
+1. [Enable the policy for the feature](#enable-windows-automatic-redeployment)
+2. [Trigger a reset for each device](#trigger-windows-automatic-redeployment)
+
+## Enable Windows Automatic Redeployment
+**DisableAutomaticReDeploymentCredentials** is a policy that enables or disables the visibility of the credentials for Windows Automatic Redeployment. It is a policy node in the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, this policy is set to 1 (True). This ensures that Windows Automatic Redeployment isn't triggered by accident.
+
+You can set the policy using one of these methods:
+
+- MDM provider
+
+ - Windows Automatic Redeployment in Intune for Education is coming soon. In a future update of Intune for Education, new tenants will automatically have the Windows Automatic Redeployment setting enabled by default on the **All devices** group as part of initial tenant configuration. You will also be able to manage this setting to target different groups in the admin console.
+ - If you're using an MDM provider other than Intune for Education, check your MDM provider documentation on how to set this policy. If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set.
+
+ For example, in Intune, create a new configuration policy and add an OMA-URI.
+ - OMA-URI: ./Vendor/MSFT/Policy/Config/CredentialProviders/DisableAutomaticReDeploymentCredentials
+ - Data type: Boolean
+ - Value: 1
+
+- Windows Configuration Designer
+
+ You can [use Windows Configuration Designer](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-create-package) to set the **Runtime settings > Policies > CredentialProviders > DisableAutomaticReDeploymentCredentials** setting and create a provisioning package.
+
+- Set up School PCs app
+
+ Windows Automatic Redeployment in the Set up School PCs app is coming soon. We'll update the documentation once the feature is available on the app. In the meantime, you'll want to make sure you are running Windows 10, version 1709 on the student PCs if you want to use Windows Automatic Redeployment through the Set up School PCs app. You can check the version several ways:
+ - Reach out to your device manufacturer.
+ - If you manage your PCs using Intune or Intune for Education, you can check the OS version by checking the **OS version** info for the device. If you are using another MDM provider, check the documentation for the MDM provider to confirm the OS version.
+ - Log into the PCs, go to the **Settings > System > About** page, look in the **Windows specifications** section and confirm **Version** is set to 1709.
+
+## Trigger Windows Automatic Redeployment
+Windows Automatic Redeployment is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it's done, the device is again ready for use.
+
+**To trigger Windows Automatic Redeployment**
+
+1. From the Windows device lock screen, enter the keystroke: **CTRL +  + R**.
+
+ 
+
+ This will open up a custom login screen for Windows Automatic Redeployment. The screen serves two purposes:
+ 1. Confirm/verify that the end user has the right to trigger Windows Automatic Redeployment
+ 2. Notify the user in case a provisioning package, created using Windows Configuration Designer or Set up School PCs, will be used as part of the process.
+
+ 
+
+2. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger Windows Automatic Redeployment.
+
+ Once Windows Automatic Redeployment is triggered, the reset process starts.
+
+ After reset, the device:
+ - Sets the region, language, and keyboard
+ - Connects to Wi-files
+ - Applies the provisioning package, if you created one, and repplies this to the device. This includes re-installing any apps that are part of the provisioning package.
+
+ 
+
+ Once provisioning is complete, the device is again ready for use.
+
+## Related topics
+
+[Set up Windows devices for education](set-up-windows-10.md)
+
+
+
+
+
diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md
index 1b6b32c8a9..e659291d49 100644
--- a/education/windows/windows-editions-for-education-customers.md
+++ b/education/windows/windows-editions-for-education-customers.md
@@ -25,7 +25,7 @@ Windows 10, version 1607 introduces two editions designed for the unique needs o
## Windows 10 Pro Education
-Windows 10 Pro Education builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools. Windows 10 Pro Education is effectively a variant of Windows 10 Pro that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Windows Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627).
+Windows 10 Pro Education builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools. Windows 10 Pro Education is effectively a variant of Windows 10 Pro that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Microsoft Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627).
For Cortana[1](#footnote1),
- If you're using version 1607, Cortana is removed.
@@ -44,7 +44,7 @@ Customers who deploy Windows 10 Pro are able to configure the product to have si
## Windows 10 Education
-Windows 10 Education builds on Windows 10 Enterprise and provides the enterprise-grade manageability and security desired by many schools. Windows 10 Education is effectively a variant of Windows 10 Enterprise that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Windows Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627).
+Windows 10 Education builds on Windows 10 Enterprise and provides the enterprise-grade manageability and security desired by many schools. Windows 10 Education is effectively a variant of Windows 10 Enterprise that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Microsoft Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627).
For Cortana1,
- If you're using version 1607, Cortana1 is removed.
diff --git a/smb/cloud-mode-business-setup.md b/smb/cloud-mode-business-setup.md
index 60c537b382..56b9a46258 100644
--- a/smb/cloud-mode-business-setup.md
+++ b/smb/cloud-mode-business-setup.md
@@ -18,14 +18,14 @@ author: CelesteDG
**Applies to:**
-- Office 365 Business Premium, Azure AD Premium, Intune, Windows Store for Business, Windows 10
+- Office 365 Business Premium, Azure AD Premium, Intune, Microsoft Store for Business, Windows 10
Are you ready to move your business to the cloud or wondering what it takes to make this happen with Microsoft cloud services and tools?
-In this walkthrough, we'll show you how to deploy and manage a full cloud IT solution for your small to medium business using Office 365 Business Premium, Microsoft Azure AD, Intune, Windows Store for Business, and Windows 10. We'll show you the basics on how to:
+In this walkthrough, we'll show you how to deploy and manage a full cloud IT solution for your small to medium business using Office 365 Business Premium, Microsoft Azure AD, Intune, Microsoft Store for Business, and Windows 10. We'll show you the basics on how to:
- Acquire an Office 365 business domain
- Add Microsoft Intune and Azure Active Directory (AD) Premium licenses to your business tenant
-- Set up Windows Store for Business and manage app deployment and sync with Intune
+- Set up Microsoft Store for Business and manage app deployment and sync with Intune
- Add users and groups in Azure AD and Intune
- Create policies and app deployment rules
- Log in as a user and start using your Windows device
@@ -165,7 +165,7 @@ Microsoft Intune provides mobile device management, app management, and PC manag
-Intune should now be added to your tenant. We'll come back to Intune later when we [Configure Windows Store for Business for app distribution](#17-configure-windows-store-for-business-for-app-distribution).
+Intune should now be added to your tenant. We'll come back to Intune later when we [Configure Microsoft Store for Business for app distribution](#17-configure-windows-store-for-business-for-app-distribution).
### 1.4 Add Azure AD to your domain
Microsoft Azure is an open and flexible cloud platform that enables you to quickly build, deploy, and manage apps across a global network of Microsoft-managed datacenters. In this walkthrough, we won't be using the full power of Azure and we'll primarily use it to create groups that we then use for provisioning through Intune.
@@ -287,10 +287,10 @@ You can read Microsoft Intune management portal and Windows Store for Business.
+In this part of the walkthrough, we'll be working on the Microsoft Intune management portal and Microsoft Store for Business.
**To associate your Store account with Intune and configure synchronization**
@@ -301,33 +301,33 @@ In this part of the walkthrough, we'll be working on the Windows Store for Business using the same tenant account that you used to sign into Intune.
+3. Sign into Microsoft Store for Business using the same tenant account that you used to sign into Intune.
4. Accept the EULA.
5. In the Store portal, select **Settings > Management tools** to go to the management tools page.
-6. In the **Management tools** page, find **Microsoft Intune** on the list and click **Activate** to get Intune ready to use with Windows Store for Business.
+6. In the **Management tools** page, find **Microsoft Intune** on the list and click **Activate** to get Intune ready to use with Microsoft Store for Business.
**Figure 25** - Activate Intune as the Store management tool
7. Go back to the Intune management portal, select **Admin > Mobile Device Management**, expand **Windows**, and then choose **Store for Business**.
-8. In the **Windows Store for Business** page, select **Configure Sync** to sync your Store for Business volume-purchased apps with Intune.
+8. In the **Microsoft Store for Business** page, select **Configure Sync** to sync your Store for Business volume-purchased apps with Intune.
**Figure 26** - Configure Store for Business sync in Intune
-9. In the **Configure Windows Store for Business app sync** dialog box, check **Enable Windows Store for Business sync**. In the **Language** dropdown list, choose the language in which you want apps from the Store to be displayed in the Intune console and then click **OK**.
+9. In the **Configure Microsoft Store for Business app sync** dialog box, check **Enable Microsoft Store for Business sync**. In the **Language** dropdown list, choose the language in which you want apps from the Store to be displayed in the Intune console and then click **OK**.
- **Figure 27** - Enable Windows Store for Business sync in Intune
+ **Figure 27** - Enable Microsoft Store for Business sync in Intune
- The **Windows Store for Business** page will refresh and it will show the details from the sync.
+ The **Microsoft Store for Business** page will refresh and it will show the details from the sync.
**To buy apps from the Store**
-In your Windows Store for Business portal, you can see the list of apps that you own by going to **Manage > Inventory**. You should see the following apps in your inventory:
+In your Microsoft Store for Business portal, you can see the list of apps that you own by going to **Manage > Inventory**. You should see the following apps in your inventory:
- Sway
- OneNote
- PowerPoint Mobile
@@ -336,11 +336,11 @@ In your Intune management portal, select **Apps > Apps > Volume-Purchased Apps** and verify that you can see the same list of apps appear on Intune.
-In the following example, we'll show you how to buy apps through the Windows Store for Business and then make sure the apps appear on Intune.
+In the following example, we'll show you how to buy apps through the Microsoft Store for Business and then make sure the apps appear on Intune.
**Example 1 - Add other apps like Reader and InstaNote**
-1. In the Windows Store for Business portal, click **Shop**, scroll down to the **Made by Microsoft** category, and click **Show all** to see all the Microsoft apps in the list.
+1. In the Microsoft Store for Business portal, click **Shop**, scroll down to the **Made by Microsoft** category, and click **Show all** to see all the Microsoft apps in the list.
**Figure 28** - Shop for Store apps
@@ -364,7 +364,7 @@ In the following example, we'll show you how to buy apps through the Windows Sto
If you need to sync your most recently purchased apps and have it appear in your catalog, you can do this by forcing a sync.
1. In the Intune management portal, select **Admin > Mobile Device Management > Windows > Store for Business**.
-2. In the **Windows Store for Business** page, click **Sync now** to force a sync.
+2. In the **Microsoft Store for Business** page, click **Sync now** to force a sync.
**Figure 30** - Force a sync in Intune
@@ -569,7 +569,7 @@ To learn more about the services and tools mentioned in this walkthrough, and le
- Common admin tasks in Office 365 including email and OneDrive in Manage Office 365
- More info about managing devices, apps, data, troubleshooting, and more in Intune documentation
- Learn more about Windows 10 in Windows 10 guide for IT pros
-- Info about distributing apps to your employees, managing apps, managing settings, and more in Windows Store for Business
+- Info about distributing apps to your employees, managing apps, managing settings, and more in Microsoft Store for Business
### For information workers
Whether it's in the classroom, getting the most out of your devices, or learning some of the cool things you can do, we've got teachers covered. Follow these links for more info:
diff --git a/store-for-business/TOC.md b/store-for-business/TOC.md
index e92eeae78c..ed89a40966 100644
--- a/store-for-business/TOC.md
+++ b/store-for-business/TOC.md
@@ -1,35 +1,35 @@
# [Microsoft Store for Business](index.md)
## [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md)
-## [Sign up and get started](sign-up-windows-store-for-business-overview.md)
-###[Microsoft Store for Business and Microsoft Store for Education overview](windows-store-for-business-overview.md)
-### [Prerequisites for Microsoft Store for Business and Education](prerequisites-windows-store-for-business.md)
-### [Sign up for Microsoft Store for Business or Microsoft Store for Education](sign-up-windows-store-for-business.md)
-### [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-windows-store-for-business.md)
-### [Settings reference: Microsoft Store for Business and Education](settings-reference-windows-store-for-business.md)
+## [Sign up and get started](sign-up-microsoft-store-for-business-overview.md)
+###[Microsoft Store for Business and Microsoft Store for Education overview](microsoft-store-for-business-overview.md)
+### [Prerequisites for Microsoft Store for Business and Education](prerequisites-microsoft-store-for-business.md)
+### [Sign up for Microsoft Store for Business or Microsoft Store for Education](sign-up-microsoft-store-for-business.md)
+### [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-microsoft-store-for-business.md)
+### [Settings reference: Microsoft Store for Business and Education](settings-reference-microsoft-store-for-business.md)
## [Find and acquire apps](find-and-acquire-apps-overview.md)
-### [Apps in the Microsoft Store for Business and Education](apps-in-windows-store-for-business.md)
-### [Acquire apps in the Microsoft Store for Business and Education](acquire-apps-windows-store-for-business.md)
+### [Apps in the Microsoft Store for Business and Education](apps-in-microsoft-store-for-business.md)
+### [Acquire apps in the Microsoft Store for Business and Education](acquire-apps-microsoft-store-for-business.md)
### [Working with line-of-business apps](working-with-line-of-business-apps.md)
-## [Distribute apps to your employees from the Microsoft Store for Business and Education](distribute-apps-to-your-employees-windows-store-for-business.md)
+## [Distribute apps to your employees from the Microsoft Store for Business and Education](distribute-apps-to-your-employees-microsoft-store-for-business.md)
### [Distribute apps using your private store](distribute-apps-from-your-private-store.md)
### [Assign apps to employees](assign-apps-to-employees.md)
### [Distribute apps with a management tool](distribute-apps-with-management-tool.md)
### [Distribute offline apps](distribute-offline-apps.md)
-## [Manage apps and devices](manage-apps-windows-store-for-business-overview.md)
-### [App inventory managemement for Microsoft Store for Business and Education](app-inventory-management-windows-store-for-business.md)
-### [Manage app orders in Microsoft Store for Business and Education](manage-orders-windows-store-for-business.md)
+## [Manage apps and devices](manage-apps-microsoft-store-for-business-overview.md)
+### [App inventory managemement for Microsoft Store for Business and Education](app-inventory-management-microsoft-store-for-business.md)
+### [Manage app orders in Microsoft Store for Business and Education](manage-orders-microsoft-store-for-business.md)
### [Manage access to private store](manage-access-to-private-store.md)
### [Manage private store settings](manage-private-store-settings.md)
-### [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md)
+### [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md)
### [Manage Windows device deployment with Windows AutoPilot Deployment](add-profile-to-devices.md)
### [Microsoft Store for Business and Education PowerShell module - preview](microsoft-store-for-business-education-powershell-module.md)
## [Device Guard signing portal](device-guard-signing-portal.md)
### [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md)
### [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md)
-## [Manage settings in the Microsoft Store for Business and Education](manage-settings-windows-store-for-business.md)
-### [Update Microsoft Store for Business and Microsoft Store for Education account settings](update-windows-store-for-business-account-settings.md)
-### [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-windows-store-for-business.md)
-## [Troubleshoot Microsoft Store for Business](troubleshoot-windows-store-for-business.md)
+## [Manage settings in the Microsoft Store for Business and Education](manage-settings-microsoft-store-for-business.md)
+### [Update Microsoft Store for Business and Microsoft Store for Education account settings](update-microsoft-store-for-business-account-settings.md)
+### [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-microsoft-store-for-business.md)
+## [Troubleshoot Microsoft Store for Business](troubleshoot-microsoft-store-for-business.md)
## [Notifications in Microsoft Store for Business and Education](notifications-microsoft-store-business.md)
## [Change history for Microsoft Store for Business and Education](sfb-change-history.md)
diff --git a/store-for-business/acquire-apps-windows-store-for-business.md b/store-for-business/acquire-apps-microsoft-store-for-business.md
similarity index 100%
rename from store-for-business/acquire-apps-windows-store-for-business.md
rename to store-for-business/acquire-apps-microsoft-store-for-business.md
diff --git a/store-for-business/app-inventory-management-windows-store-for-business.md b/store-for-business/app-inventory-management-microsoft-store-for-business.md
similarity index 92%
rename from store-for-business/app-inventory-management-windows-store-for-business.md
rename to store-for-business/app-inventory-management-microsoft-store-for-business.md
index 9eebbb170e..87e45c504e 100644
--- a/store-for-business/app-inventory-management-windows-store-for-business.md
+++ b/store-for-business/app-inventory-management-microsoft-store-for-business.md
@@ -47,14 +47,14 @@ There are a couple of ways to find specific apps, or groups of apps in your inve
**Search** - Use the Search box to search for an app.
**Refine results** - Use **Refine results** to scope your list of apps by one or more of these app attributes:
-- **License type** - Online or offline licenses. For more info, see [Apps in Microsoft Store for Business](apps-in-windows-store-for-business.md#licensing-model).
+- **License type** - Online or offline licenses. For more info, see [Apps in Microsoft Store for Business](apps-in-microsoft-store-for-business.md#licensing-model).
- **Supported devices** - Lists the devices that apps in your inventory were originally written to support. This list is cumulative for all apps in your inventory.
- **Source** - **Store**, for apps acquired from Store for Business, or LOB, for line-of-business apps.
- **Product type** - Product categories, such as app, or game.
- **Private store** - Whether or not the app is in the private store, or status if the app is being added or removed from private store.
## Manage apps in your inventory
-Each app in the Store for Business has an online, or an offline license. For more information on Store for Business licensing model, see [Apps in the Microsoft Store for Business](apps-in-windows-store-for-business.md#licensing-model). There are different actions you can take depending on the app license type. They're summarized in this table.
+Each app in the Store for Business has an online, or an offline license. For more information on Store for Business licensing model, see [Apps in the Microsoft Store for Business](apps-in-microsoft-store-for-business.md#licensing-model). There are different actions you can take depending on the app license type. They're summarized in this table.
| Action | Online-licensed app | Offline-licensed app |
| ------ | ------------------- | -------------------- |
@@ -79,7 +79,7 @@ Once an app is in your private store, people in your org can install the app on
**To make an app in Apps & software available in your private store**
-1. Sign in to the [Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://businessstore.microsoft.com).
+1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://businessstore.microsoft.com).
2. Click **Manage**, and then choose **Apps & software**.
3. Use **Refine results** to search for online-licensed apps under **License type**.
4. From the list of online-licensed apps, click the ellipses for the app you want, and then choose **Add to private store**.
@@ -89,7 +89,7 @@ Employees can claim apps that admins added to the private store by doing the fol
**To claim an app from the private store**
-1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start the Windows Store app.
+1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start the Microsoft Store app.
2. Click the private store tab.
3. Click the app you want to install, and then click **Install**.
@@ -112,7 +112,7 @@ The app will still be in your inventory, but your employees will not have access
3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**.
4. Type the email address for the employee that you're assigning the app to, and click **Confirm**.
-Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**.
+Employees will receive an email with a link that will install the app on their device. Click the link to start the Microsoft Store app, and then click **Install**. Also, in the Microsoft Store app, they can find the app under **My Library**.
## Manage app licenses
@@ -165,7 +165,7 @@ You can download offline-licensed apps from your inventory. You'll need to downl
- App license
- App framework
-For more information about online and offline licenses, see [Apps in the Microsoft Store for Business](apps-in-windows-store-for-business.md#licensing-model).
+For more information about online and offline licenses, see [Apps in the Microsoft Store for Business](apps-in-microsoft-store-for-business.md#licensing-model).
For more information about downloading offline-licensed apps, see [Download offline apps](distribute-offline-apps.md).
diff --git a/store-for-business/apps-in-windows-store-for-business.md b/store-for-business/apps-in-microsoft-store-for-business.md
similarity index 83%
rename from store-for-business/apps-in-windows-store-for-business.md
rename to store-for-business/apps-in-microsoft-store-for-business.md
index 116d6a33fa..7ea30ba8b9 100644
--- a/store-for-business/apps-in-windows-store-for-business.md
+++ b/store-for-business/apps-in-microsoft-store-for-business.md
@@ -40,7 +40,7 @@ Apps that you acquire from Microsoft Store only work on Windows 10-based device
Some apps are free, and some apps charge a price. Currently, you can pay for apps with a credit card. We'll be adding more payment options over time.
-Some apps which are available to consumers in the Windows Store might not be available to organizations in Microsoft Store for Business and Education. App developers can opt-out their apps, and they also need to meet eligibility requirements for Microsoft Store for Business and Education. For more information, see [Organizational licensing options](https://msdn.microsoft.com/windows/uwp/publish/organizational-licensing).
+Some apps which are available to consumers in Microsoft Store might not be available to organizations in Microsoft Store for Business and Education. App developers can opt-out their apps, and they also need to meet eligibility requirements for Microsoft Store for Business and Education. For more information, see [Organizational licensing options](https://msdn.microsoft.com/windows/uwp/publish/organizational-licensing).
Line-of-business (LOB) apps are also supported using Microsoft Store. Admins can invite IT devs and ISVs to be LOB publishers. Apps developed by your LOB publishers that are submitted to Microsoft Store are only available to your organization. Once an administrator accepts an app submitted by one of their LOB publishers, the app can be distributed just like any other app. For more information, see [Working with Line-of-Business apps](working-with-line-of-business-apps.md).
@@ -55,7 +55,7 @@ If an employee makes an in-app purchase, they'll make it with their personal Mic
Microsoft Store supports two options to license apps: online and offline.
### Online licensing
-Online licensing is the default licensing model and is similar to the Windows Store. Online licensed apps require customers and devices to connect to Microsoft Store service to acquire an app and its license. License management is enforced based on the user’s Azure AD identity and maintained by Microsoft Store as well as the management tool. By default app updates are handled by Windows Update.
+Online licensing is the default licensing model and is similar to the model used by Microsoft Store. Online licensed apps require customers and devices to connect to Microsoft Store service to acquire an app and its license. License management is enforced based on the user’s Azure AD identity and maintained by Microsoft Store as well as the management tool. By default app updates are handled by Windows Update.
Distribution options for online-licensed apps include the ability to:
diff --git a/store-for-business/assign-apps-to-employees.md b/store-for-business/assign-apps-to-employees.md
index ff20b5bbab..c15aa18d1c 100644
--- a/store-for-business/assign-apps-to-employees.md
+++ b/store-for-business/assign-apps-to-employees.md
@@ -29,7 +29,7 @@ Admins, Purchasers, and Basic Purchasers can assign online-licensed apps to empl
Click the app, and then click **Assign User**.
4. Type the email address for the person you're assigning the app to, and click **Assign**.
-Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**.
+Employees will receive an email with a link that will install the app on their device. Click the link to start Microsoft Store app, and then click **Install**. Also, in Microsoft Store app, they can find the app under **My Library**.
diff --git a/store-for-business/configure-mdm-provider-windows-store-for-business.md b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
similarity index 100%
rename from store-for-business/configure-mdm-provider-windows-store-for-business.md
rename to store-for-business/configure-mdm-provider-microsoft-store-for-business.md
diff --git a/store-for-business/distribute-apps-from-your-private-store.md b/store-for-business/distribute-apps-from-your-private-store.md
index 73c7ff9a4c..20b8f33ed2 100644
--- a/store-for-business/distribute-apps-from-your-private-store.md
+++ b/store-for-business/distribute-apps-from-your-private-store.md
@@ -18,7 +18,7 @@ ms.localizationpriority: high
- Windows 10
- Windows 10 Mobile
-The private store is a feature in Microsoft Store for Business and Education that organizations receive during the signup process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in the Windows Store, and is usually named for your company or organization. Only apps with online licenses can be added to the private store.
+The private store is a feature in Microsoft Store for Business and Education that organizations receive during the signup process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in Micrsoft Store app, and is usually named for your company or organization. Only apps with online licenses can be added to the private store.
You can make an app available in your private store when you acquire the app, or you can do it later from your inventory. Once the app is in your private store, employees can claim and install the app.
@@ -50,13 +50,13 @@ Employees can claim apps that admins added to the private store by doing the fol
**To claim an app from the private store**
-1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start the Windows Store app.
+1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start Microsoft Store app.
2. Click the **private store** tab.
3. Click the app you want to install, and then click **Install**.
## Related topics
- [Manage access to private store](manage-access-to-private-store.md)
-- [Configure access to Windows Store](/windows/configuration/stop-employees-from-using-the-windows-store)
+- [Configure access to Microsoft Store](/windows/configuration/stop-employees-from-using-the-windows-store)
diff --git a/store-for-business/distribute-apps-to-your-employees-windows-store-for-business.md b/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md
similarity index 100%
rename from store-for-business/distribute-apps-to-your-employees-windows-store-for-business.md
rename to store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md
diff --git a/store-for-business/distribute-apps-with-management-tool.md b/store-for-business/distribute-apps-with-management-tool.md
index 7c5ff2adbd..756f2f2087 100644
--- a/store-for-business/distribute-apps-with-management-tool.md
+++ b/store-for-business/distribute-apps-with-management-tool.md
@@ -22,29 +22,24 @@ You can configure a mobile device management (MDM) tool to synchronize your Micr
Your MDM tool needs to be installed and configured in Azure AD, in the same Azure AD directory used with Microsoft Store.
-In Azure AD management portal, find the MDM application, and then add it to your directory. Once the MDM has been configured in Azure AD, you can authorize the tool to work with the Microsoft Store for Business or Microsoft Store for Education. This allows the MDM tool to call Microsoft Store management tool services. For more information, see [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md) and [Manage apps you purchased from the Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune).
+In Azure AD management portal, find the MDM application, and then add it to your directory. Once the MDM has been configured in Azure AD, you can authorize the tool to work with the Microsoft Store for Business or Microsoft Store for Education. This allows the MDM tool to call Microsoft Store management tool services. For more information, see [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md) and [Manage apps you purchased from the Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune).
Microsoft Store services provide:
- Services for third-party MDM tools.
-
- Synchronize app purchases and updates.
-
- Synchronize metadata. For offline-licensed apps, also synchronize offline app package and offline licenses.
-
- The ability to download offline-licensed apps from Store for Business.
MDM tool requirements:
- Must be an Azure Active Directory (AD) application to authenticate against the Store for Business services.
-
- Must be configured in Azure AD, and Microsoft Store.
-
- Azure AD identity is required to authorize Microsoft Store services.
## Distribute offline-licensed apps
-If your vendor doesn’t support the ability to synchronize applications from the management tool services, or can't connect to the management tool services, your vendor may support the ability to deploy offline licensed applications by downloading the application and license from the store and then deploying the app through your MDM. For more information on online and offline licensing with Store for Business, see [Apps in the Microsoft Store for Business.](apps-in-windows-store-for-business.md#licensing-model)
+If your vendor doesn’t support the ability to synchronize applications from the management tool services, or can't connect to the management tool services, your vendor may support the ability to deploy offline licensed applications by downloading the application and license from the store and then deploying the app through your MDM. For more information on online and offline licensing with Store for Business, see [Apps in the Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/apps-in-windows-store-for-business#a-href-idlicensing-modelalicensing-model-online-and-offline-licenses).
This diagram shows how you can use a management tool to distribute offline-licensed app to employees in your organization. Once synchronized from Store for Business, management tools can use the Windows Management framework to distribute applications to devices.
@@ -58,5 +53,5 @@ This diagram shows how you can use a management tool to distribute an online-lic
## Related topics
-[Configure MDM Provider](configure-mdm-provider-windows-store-for-business.md)
+[Configure MDM Provider](configure-mdm-provider-microsoft-store-for-business.md)
[Manage apps you purchased from the Microsoft Store for Business and Education with Microsoft Intune](https://technet.microsoft.com/library/mt676514.aspx)
\ No newline at end of file
diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md
index 1d3c0b70b4..c28d9c1fb1 100644
--- a/store-for-business/distribute-offline-apps.md
+++ b/store-for-business/distribute-offline-apps.md
@@ -24,7 +24,7 @@ Offline licensing is a new licensing option for Windows 10 with Microsoft Store
Offline-licensed apps offer an alternative to online apps, and provide additional deployment options. Some reasons to use offline-licensed apps:
-- **You don't have access to Windows Store services** - If your employees don't have access to the internet and Microsoft Store services, downloading offline-licensed apps and deploying them with imaging is an alternative to online-licensed apps.
+- **You don't have access to Microsoft Store services** - If your employees don't have access to the internet and Microsoft Store services, downloading offline-licensed apps and deploying them with imaging is an alternative to online-licensed apps.
- **You use imaging to manage devices in your organization** - Offline-licensed apps can be added to images and deployed with Deployment Image Servicing and Management (DISM), or Windows Imaging and Configuration Designer (ICD).
diff --git a/store-for-business/manage-access-to-private-store.md b/store-for-business/manage-access-to-private-store.md
index e6f9bc8157..07ee5732c9 100644
--- a/store-for-business/manage-access-to-private-store.md
+++ b/store-for-business/manage-access-to-private-store.md
@@ -19,13 +19,13 @@ author: TrudyHa
You can manage access to your private store in Microsoft Store for Business and Microsoft Store for Education.
-You can control the set of apps that are available to your employees and students, and not show the full set of applications that are in Windows Store. Using the private store with the Microsoft Store for Business and Education, admins can curate the set of apps that are available.
+You can control the set of apps that are available to your employees and students, and not show the full set of applications that are in Microsoft Store. Using the private store with the Microsoft Store for Business and Education, admins can curate the set of apps that are available.
-The private store is a feature in Store for Business that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in Windows Store, and is usually named for your company or organization. Only apps with online licenses can be added to the private store. Your private store looks something like this:
+The private store is a feature in Store for Business that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in Microsoft Store, and is usually named for your company or organization. Only apps with online licenses can be added to the private store. Your private store looks something like this:
-
+
-Organizations can use either an MDM policy, or Group Policy to show only their private store in Windows Store.
+Organizations can use either an MDM policy, or Group Policy to show only their private store in Microsoft Store.
## Show private store only using MDM policy
@@ -41,36 +41,27 @@ For more information on configuring an MDM provider, see [Configure an MDM provi
## Show private store only using Group Policy
-If you're using Microsoft Store and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Windows Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store.
+If you're using Microsoft Store and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Microsoft Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store.
-**Only display the private store within Windows Store app** group policy is supported on the following Windows 10 editions:
+**Only display the private store within Microsoft Store app** group policy is supported on the following Windows 10 editions:
- Enterprise
- Education
-**To show private store only in Windows Store app**
+**To show private store only in Microsoft Store app**
1. Type **gpedit** in the search bar, and then select **Edit group policy (Control panel)** to find and start Group Policy Editor.
2. In the console tree of the snap-in, go to **User Configuration** or **Computer Configuration** > **Administrative Templates** > **Windows Components**, and then click **Store**.
-3. Right-click **Only display the private store within Windows Store app** in the right pane, and click **Edit**.
+3. Right-click **Only display the private store within Microsoft Store app** in the right pane, and click **Edit**.
- This opens the **Only display the private store within the Windows Store app** policy settings.
+ This opens the **Only display the private store within the Microsoft Store app** policy settings.
-4. On the **Only display the private store within the Windows Store app** setting page, click **Enabled**, and then click **OK**.
+4. On the **Only display the private store within the Microsoft Store app** setting page, click **Enabled**, and then click **OK**.
-You can also prevent employees from using Windows Store. For more information, see [Configure access to Windows Store](/windows/configuration/stop-employees-from-using-the-windows-store).
+You can also prevent employees from using Microsoft Store. For more information, see [Configure access to Microsoft Store](/windows/configuration/stop-employees-from-using-the-windows-store).
## Related topics
[Distribute apps using your private store](distribute-apps-from-your-private-store.md)
-[Configure access to Windows Store](/windows/configuration/stop-employees-from-using-the-windows-store)
-
-
-
-
-
-
-
-
-
+[Configure access to Microsoft Store](/windows/configuration/stop-employees-from-using-the-windows-store)
\ No newline at end of file
diff --git a/store-for-business/manage-apps-windows-store-for-business-overview.md b/store-for-business/manage-apps-microsoft-store-for-business-overview.md
similarity index 100%
rename from store-for-business/manage-apps-windows-store-for-business-overview.md
rename to store-for-business/manage-apps-microsoft-store-for-business-overview.md
diff --git a/store-for-business/manage-orders-windows-store-for-business.md b/store-for-business/manage-orders-microsoft-store-for-business.md
similarity index 100%
rename from store-for-business/manage-orders-windows-store-for-business.md
rename to store-for-business/manage-orders-microsoft-store-for-business.md
diff --git a/store-for-business/manage-private-store-settings.md b/store-for-business/manage-private-store-settings.md
index af833aefb3..8ad01a972f 100644
--- a/store-for-business/manage-private-store-settings.md
+++ b/store-for-business/manage-private-store-settings.md
@@ -19,9 +19,9 @@ ms.localizationpriority: high
The private store is a feature in Microsoft Store for Business and Education that organizations receive during the sign up process. When admins add apps to the private store, all people in the organization can view and download the apps. Only online-licensed apps can be distributed from your private store.
-The name of your private store is shown on a tab in Windows Store app, or on [Microsoft Store for Business](https://businessstore.microsoft.com), or [Microsoft Store for Education](https://educationstore.microsoft.com).
+The name of your private store is shown on a tab in Microsoft Store app, or on [Microsoft Store for Business](https://businessstore.microsoft.com), or [Microsoft Store for Education](https://educationstore.microsoft.com).
-
+
You can change the name of your private store in Microsoft Store.
diff --git a/store-for-business/manage-settings-windows-store-for-business.md b/store-for-business/manage-settings-microsoft-store-for-business.md
similarity index 100%
rename from store-for-business/manage-settings-windows-store-for-business.md
rename to store-for-business/manage-settings-microsoft-store-for-business.md
diff --git a/store-for-business/manage-users-and-groups-windows-store-for-business.md b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md
similarity index 100%
rename from store-for-business/manage-users-and-groups-windows-store-for-business.md
rename to store-for-business/manage-users-and-groups-microsoft-store-for-business.md
diff --git a/store-for-business/windows-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md
similarity index 65%
rename from store-for-business/windows-store-for-business-overview.md
rename to store-for-business/microsoft-store-for-business-overview.md
index 0ec624a13e..27218750d2 100644
--- a/store-for-business/windows-store-for-business-overview.md
+++ b/store-for-business/microsoft-store-for-business-overview.md
@@ -17,47 +17,45 @@ ms.localizationpriority: high
- Windows 10
- Windows 10 Mobile
-Designed for organizations, Microsoft Store for Business and Microsoft Store for Education gives IT decision makers and administrators in businesses or schools a flexible way to find, acquire, manage, and distribute free and paid apps in select markets to Windows 10 devices in volume. IT administrators can manage Windows Store apps and private line-of-business apps in one inventory, plus assign and re-use licenses as needed. You can choose the best distribution method for your organization: directly assign apps to individuals and teams, publish apps to private pages in Windows Store, or connect with management solutions for more options.
+Designed for organizations, Microsoft Store for Business and Microsoft Store for Education give IT decision makers and administrators in businesses or schools a flexible way to find, acquire, manage, and distribute free and paid apps in select markets to Windows 10 devices in volume. IT administrators can manage Microsoft Store apps and private line-of-business apps in one inventory, plus assign and re-use licenses as needed. You can choose the best distribution method for your organization: directly assign apps to individuals and teams, publish apps to private pages in Microsoft Store, or connect with management solutions for more options.
## Features
-Organizations of any size can benefit from using the Microsoft Store:
+Organizations or schools of any size can benefit from using Microsoft Store for Business or Microsoft Store for Education:
-- **Scales to fit the size of your business** - For smaller businesses, with Azure AD accounts or Office 365 accounts and Windows 10 devices, you can quickly have an end-to-end process for acquiring and distributing content using the Store for Business. For larger businesses, all the capabilities of the Store for Business are available to you, or you can integrate the Store for Business with management tools, for greater control over access to apps and app updates. You can use existing work or school accounts.
-- **Bulk app acquisition** - Acquire apps in volume from the Store for Business.
+- **Scales to fit the size of your business** - For smaller businesses, with Azure AD accounts or Office 365 accounts and Windows 10 devices, you can quickly have an end-to-end process for acquiring and distributing content using the Store for Business. For larger businesses, all the capabilities of the Store for Business are available to you, or you can integrate Microsoft Store for Business with management tools, for greater control over access to apps and app updates. You can use existing work or school accounts.
+- **Bulk app acquisition** - Acquire apps in volume from Microsoft Store for Business.
- **Centralized management** – Microsoft Store provides centralized management for inventory, billing, permissions, and order history. You can use Microsoft Store to view, manage and distribute items purchased from:
- **Microsoft Store for Business** – Apps and subscriptions
- **Microsoft Store for Education** – Apps and subscriptions
- **Office 365** – Subscriptions
- **Volume licensing** - Apps purchased with volume licensing
-- **Private store** - Curate a private store for your business that’s easily available from any Windows 10 device. Your private store is available from Windows Store app, or with a browser on the Web. People in your organization can download apps from the private store on Windows 10 devices.
+- **Private store** - Curate a private store for your business that’s easily available from any Windows 10 device. Your private store is available from Microsoft Store on Windows 10, or with a browser on the Web. People in your organization can download apps from your organization's private store on Windows 10 devices.
- **Flexible distribution options** - Flexible options for distributing content and apps to your employee devices:
- - Distribute through Store for Business services. You can assign apps to individual employees, or make apps available to all employees in your private store.
+ - Distribute through Microsoft Store services. You can assign apps to individual employees, or make apps available to all employees in your private store.
- Use a management tool from Microsoft, or a 3rd-party tool for advanced distribution and management functions, or for managing images.
- Offline licensing model allows you to distribute apps without connecting to Store services, and for managing images.
- **Line-of-business apps** - Privately add and distribute your internal line-of-business apps using any of the distribution options.
- **App license management**: Admins can reclaim and reuse app licenses. Online and offline licenses allow you to customize how you decide to deploy apps.
- **Up-to-date apps** - Microsoft Store manages the update process for apps with online licenses. Apps are automatically updated so you are always current with the most recent software updates and product features. Store for Business apps also uninstall cleanly, without leaving behind extra files, for times when you need to switch apps for specific employees.
-- **Office app launcher** Office apps while working with Store for Business.
-- **Find a partner** – Microsoft Store allows businesses to search and find a Microsoft Partner who can assist you with Microsoft solutions for your business.
-
+- **Office app launcher** Office apps while working with Microsoft Store for Business.
+- **Find a partner** – Search and find a Microsoft Partner who can assist you with Microsoft solutions for your business.
## Prerequisites
-You'll need this software to work with the Store for Business.
+You'll need this software to work with Store for Business and Education.
### Required
-- Admins working with Microsoft Store for Business and Education need a browser compatible with Store for Business running on a PC or mobile device. Supported browsers include: Internet Explorer 10 or later, or current versions of Microsoft Edge, Chrome or Firefox. JavaScript must be supported and enabled.
-
-- Employees using apps from Store for Business need Windows 10, version 1511 running on a PC or mobile device.
+- Admins working with Store for Business and Education need a browser compatible with Microsoft Store running on a PC or mobile device. Supported browsers include: Internet Explorer 10 or later, or current versions of Microsoft Edge, Chrome or Firefox. JavaScript must be supported and enabled.
+- Employees using apps from Store for Business and Education need at least Windows 10, version 1511 running on a PC or mobile device.
Microsoft Azure Active Directory (AD) accounts for your employees:
-- Admins need Azure AD accounts to sign up for the Store for Business, and then to sign in, get apps, distribute apps, and manage app licenses.
+- Admins need Azure AD accounts to sign up for Store for Business and Education, and then to sign in, get apps, distribute apps, and manage app licenses. You can sign up for Azure AD accounts as part of signing up for Store for Business and Education.
- Employees need Azure AD account when they access Store for Business content from Windows devices.
- If you use a management tool to distribute and manage online-licensed apps, all employees will need an Azure AD account
- For offline-licensed apps, Azure AD accounts are not required for employees.
-- Admins can add or remove user accounts in the Office 365 admin center, even if you don’t have an Office 365 subscription. You can access the Office 365 admin portal directly from the Microsoft Store for Business and Education.
+- Admins can add or remove user accounts in the Office 365 admin center, even if you don’t have an Office 365 subscription. You can access the Office 365 admin portal directly from the Store for Business and Education.
For more information on Azure AD, see [About Office 365 and Azure Active Directory](https://go.microsoft.com/fwlink/p/?LinkId=708612), and [Intro to Azure: identity and access](https://go.microsoft.com/fwlink/p/?LinkId=708611).
@@ -66,20 +64,19 @@ For more information on Azure AD, see [About Office 365 and Azure Active Directo
While not required, you can use a management tool to distribute and manage apps. Using a management tool allows you to distribute content, scope app availability, and control when app updates are installed. This might make sense for larger organizations that already use a management tool. A couple of things to note about management tools:
- Need to integrate with Windows 10 management framework and Azure AD.
-
- Need to sync with the Store for Business inventory to distribute apps.
-## How does the Store for Business work?
+## How does the Store for Business and Education work?
## Sign up!
-The first step for getting your organization started with the Store for Business is signing up. Sign up using an existing account (the same one you use for Office 365, Dynamics 365, Intune, Azure, etc.) or we’ll quickly create an account for you. You must be a Global Administrator for your organization.
+The first step for getting your organization started with Store for Business and Education is signing up. Sign up using an existing account (the same one you use for Office 365, Dynamics 365, Intune, Azure, etc.) or we’ll quickly create an account for you. You must be a Global Administrator for your organization.
-For more information, see [Sign up for the Store for Business](sign-up-windows-store-for-business.md).
+For more information, see [Sign up for Store for Business and Education](sign-up-microsoft-store-for-business.md).
## Set up
-After your admin signs up for the Store for Business, they can assign roles to other employees in your company. The admin needs Azure AD User Admin permissions to assign Microsoft Store for Business and Education roles. These are the roles and their permissions.
+After your admin signs up for the Store for Business and Education, they can assign roles to other employees in your company or school. The admin needs Azure AD User Admin permissions to assign Microsoft Store for Business and Education roles. These are the roles and their permissions.
| Permission | Account settings | Acquire apps | Distribute apps | Device Guard signing |
| ---------- | ---------------- | ------------ | --------------- | -------------------- |
@@ -89,51 +86,49 @@ After your admin signs up for the Store for Business, they can assign roles to o
| Basic purchaser | | X | X | |
> [!NOTE]
-> Currently, the Basic purchaser role is only available for schools using Microsoft Store for Education. For more information, see
+> Currently, the Basic purchaser role is only available for schools using Microsoft Store for Education. For more information, see [Microsoft Store for Education permissions](https://docs.microsoft.com/education/windows/education-scenarios-store-for-business?toc=/microsoft-store/education/toc.json#manage-domain-settings).
In some cases, admins will need to add Azure Active Directory (AD) accounts for their employees. For more information, see [Manage user accounts and groups](manage-users-and-groups-windows-store-for-business.md).
-Also, if your organization plans to use a management tool, you’ll need to configure your management tool to sync with the Store for Business.
+Also, if your organization plans to use a management tool, you’ll need to configure your management tool to sync with Store for Business and Education.
## Get apps and content
-Once signed in to the Microsoft Store, you can browse and search for all products in the Store for Business catalog. Some apps are free, and some apps charge a price. We're continuing to add more paid apps to the Store for Business. Check back if you don't see the app that you're looking for. Currently, you can pay for apps with a credit card, and some items can be paid for with an invoice. We'll be adding more payment options over time.
+Once signed in to the Microsoft Store, you can browse and search for all products in the Store for Business and Education catalog. Some apps are free,and some apps charge a price. We're continuing to add more paid apps to the Store for Business and Education. Check back if you don't see the app that you're looking for. Currently, you can pay for apps with a credit card, and some items can be paid for with an invoice. We'll be adding more payment options over time.
-**App types** -- These app types are supported in the Microsoft Store for Business:
+**App types** - These app types are supported in the Store for Business and Education:
- Universal Windows Platform apps
- Universal Windows apps, by device: Phone, Surface Hub, IOT devices, HoloLens
-Apps purchased from the Store for Business only work on Windows 10 devices.
+Apps purchased from the Store for Business and Education only work on Windows 10 devices.
-Line-of-business (LOB) apps are also supported via the Business store. You can invite IT developers or ISVs to be LOB publishers for your organization. This allows them to submit apps via the developer center that are only available to your organization. These apps can be distributed using the distribution methods discussed in this topic. For more information, see [Working with Line-of-Business apps](working-with-line-of-business-apps.md).
+Line-of-business (LOB) apps are also supported through Microsoft Store. You can invite IT developers or ISVs to be LOB publishers for your organization. This allows them to submit apps via the developer center that are only available to your organization through Store for Business and Education. These apps can be distributed using the distribution methods discussed in this topic. For more information, see [Working with Line-of-Business apps](working-with-line-of-business-apps.md).
**App licensing model**
-The Business store supports two options to license apps: online and offline. **Online** licensing is the default licensing model and is similar to the Windows Store. Online licensed apps require users and devices to connect to the Store for Business service to acquire an app and its license. **Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center.
+ Store for Business and Education supports two license options for apps: online and offline. **Online** licensing is the default licensing model and is similar to the licensing model for Microsoft Store. Online licensed apps require users and devices to connect to Microsoft Store services to acquire an app and its license. **Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt in their apps for offline licensing when they submit them to the developer center.
-For more information, see [Apps in the Store for Business](apps-in-windows-store-for-business.md#licensing-model).
+For more information, see [Apps in Microsoft Store for Business](apps-in-microsoft-store-for-business.md#licensing-model).
## Distribute apps and content
-App distribution is handled through two channels, either through the Store for Business, or using a management tool. You can use either or both distribution methods in your organization.
+App distribution is handled through two channels, either through the Microsoft Store for Business, or using a management tool. You can use either, or both distribution methods in your organization.
-**Using the Store for Business** – Distribution options for the Store for Business:
-
-- Email link – After purchasing an app, admins can send employees a link in an email message. Employees can click the link to install the app.
-- Curate private store for all employees – A private store can include content you’ve purchased from the Store, and your line-of-business apps that you’ve submitted to the Store for Business. Apps in your private store are available to all of your employees. They can browse the private store and install apps when needed.
+**Distribute with Store for Business and Education**:
+- Email link – After purchasing an app, Admins can send employees a link in an email message. Employees can click the link to install the app.
+- Curate private store for all employees – A private store can include content you’ve purchased from Microsoft Store for Business, and your line-of-business apps that you’ve submitted to Microsoft Store for Business. Apps in your private store are available to all of your employees. They can browse the private store and install apps when needed.
- To use the options above users must be signed in with an Azure AD account on a Windows 10 device. Licenses are assigned as individuals install apps.
-**Using a management tool** – For larger organizations that might want a greater level of control over how apps are distributed and managed, a management tools provides other distribution options:
-
+**Using a management tool** – For larger organizations that want a greater level of control over how apps are distributed and managed, a management tools provides other distribution options:
- Scoped content distribution – Ability to scope content distribution to specific groups of employees.
- Install apps for employees – Employees are not responsible for installing apps. Management tool installs apps for employees.
Management tools can synchronize content that has been acquired in the Store for Business. If an offline application has been purchased this will also include the app package, license and metadata for the app (like, icons, count, or localized product descriptions). Using the metadata, management tools can enable portals or apps as a destination for employees to acquire apps.
-For more information, see [Distribute apps to your employees from the Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md).
+For more information, see [Distribute apps to your employees from Microsoft Store for Business](distribute-apps-to-your-employees-microsoft-store-for-business.md).
-## Manage Store for Business settings and content
+## Manage Microsoft Store for Business settings and content
Once you are signed up with the Business store and have purchased apps, Admins can manage Store for Business settings and inventory.
@@ -151,11 +146,11 @@ Once you are signed up with the Business store and have purchased apps, Admins c
- Manage app updates for all apps, or customize updates for each app. Online apps will automatically update from the Store. Offline apps can be updated using a management server.
- Download apps for offline installs
-For more information, see [Manage settings in the Store for Business](manage-settings-windows-store-for-business.md) and [Manage apps](manage-apps-windows-store-for-business-overview.md).
+For more information, see [Manage settings in the Store for Business](manage-settings-microsoft-store-for-business.md) and [Manage apps](manage-apps-windows-store-for-business-overview.md).
## Supported markets
-Microsoft Store for Business and Education is currently available in these markets.
+Store for Business and Education is currently available in these markets.
### Support for free and paid products
@@ -377,24 +372,24 @@ This table summarize what customers can purchase, depending on which Microsoft S
## Privacy notice
-Microsoft Store for Business services get names and email addresses of people in your organization from Azure Active Directory. This information is needed for these admin functions:
+Store for Business and Education services get names and email addresses of people in your organization from Azure Active Directory. This information is needed for these admin functions:
- Granting and managing permissions
- Managing app licenses
- Distributing apps to people (names appear in a list that admins can select from)
-Microsoft Store for Business and Education does not save names, or email addresses.
+Store for Business and Education does not save names, or email addresses.
-Your use of Microsoft Store for Business and Education is also governed by the [Microsoft Store for Business and Education Services Agreement](https://businessstore.microsoft.com/servicesagreement).
+Your use of Store for Business and Education is also governed by the [Microsoft Store for Business and Education Services Agreement](https://businessstore.microsoft.com/servicesagreement).
-Information sent to Microsoft Store for Business and Education is subject to the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement/).
+Information sent to Store for Business and Education is subject to the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement/).
-## ISVs and the Store for Business
+## ISVs and Store for Business and Education
-Developers in your organization, or ISVs can create content specific to your organization. In the Store for Business, we call these line-of-business (LOB) apps, and the devs that create them are LOB publishers. The process looks like this:
+Developers in your organization, or ISVs can create content specific to your organization. In Store for Business and Education, we call these line-of-business (LOB) apps, and the devs that create them are LOB publishers. The process looks like this:
- Admin invites devs to be LOB publishers for your organization. These devs can be internal devs, or external ISVs.
- LOB publishers accept the invitation, develop apps, and submits the app to the Windows Dev Center. LOB publishers use Enterprise associations when submitting the app to make the app exclusive to your organization.
-- Admin adds the app to Store for Business inventory.
+- Admin adds the app to Microsoft Store for Business or Microsoft Store for Education inventory.
-Once the app is in inventory, admins can choose how to distribute the app. ISVs creating apps through the dev center can make their apps available in the Store for Business. ISVs can opt-in their apps to make them available for offline licensing. Apps purchased in the Store for Business will work only on Windows 10.
+Once the app is in inventory, admins can choose how to distribute the app. ISVs creating apps through the dev center can make their apps available in Store for Business and Education. ISVs can opt-in their apps to make them available for offline licensing. Apps purchased in Store for Business and Education will work only on Windows 10.
For more information on line-of-business apps, see [Working with Line-of-Business apps](working-with-line-of-business-apps.md).
diff --git a/store-for-business/prerequisites-windows-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md
similarity index 92%
rename from store-for-business/prerequisites-windows-store-for-business.md
rename to store-for-business/prerequisites-microsoft-store-for-business.md
index a07a501b9e..681d4b4a36 100644
--- a/store-for-business/prerequisites-windows-store-for-business.md
+++ b/store-for-business/prerequisites-microsoft-store-for-business.md
@@ -21,7 +21,6 @@ There are a few prerequisites for using Microsoft Store for Business or Microsof
## Prerequisites
-
You'll need this software to work with Microsoft Store for Business or Education.
### Required
@@ -45,7 +44,7 @@ While not required, you can use a management tool to distribute and manage apps.
## Proxy configuration
-If your organization restricts computers on your network from connecting to the Internet, there is a set of URLs that need to be available for devices to use Microsoft Store. Some of the Microsoft Store features use Windows Store app and Microsoft Store services. Devices using Microsoft Store – either to acquire, install, or update apps – will need access to these URLs. If you use a proxy sever to block traffic, your configuration needs to allow these URLs:
+If your organization restricts computers on your network from connecting to the Internet, there is a set of URLs that need to be available for devices to use Microsoft Store. Some of the Microsoft Store features use Store services. Devices using Microsoft Store – either to acquire, install, or update apps – will need access to these URLs. If you use a proxy sever to block traffic, your configuration needs to allow these URLs:
- login.live.com
- login.windows.net
diff --git a/store-for-business/roles-and-permissions-windows-store-for-business.md b/store-for-business/roles-and-permissions-microsoft-store-for-business.md
similarity index 100%
rename from store-for-business/roles-and-permissions-windows-store-for-business.md
rename to store-for-business/roles-and-permissions-microsoft-store-for-business.md
diff --git a/store-for-business/settings-reference-windows-store-for-business.md b/store-for-business/settings-reference-microsoft-store-for-business.md
similarity index 80%
rename from store-for-business/settings-reference-windows-store-for-business.md
rename to store-for-business/settings-reference-microsoft-store-for-business.md
index 6d5922b831..a0c708802f 100644
--- a/store-for-business/settings-reference-windows-store-for-business.md
+++ b/store-for-business/settings-reference-microsoft-store-for-business.md
@@ -22,14 +22,14 @@ The Microsoft Store for Business and Education has a group of settings that admi
| Setting | Description | Location under **Manage** |
| ------- | ----------- | ------------------------------ |
-| Account information | Manage organization information. For more information, see [Manage settings for the Microsoft Store for Business and Education](update-windows-store-for-business-account-settings.md).| **Billing - Account profile** |
-| Payment options | Manage payment options. For more information, see [Manage settings for the Microsoft Store for Business and Education](update-windows-store-for-business-account-settings.md#payment-options).| **Billing - Payment methods** |
+| Account information | Manage organization information. For more information, see [Manage settings for the Microsoft Store for Business and Education](update-microsoft-store-for-business-account-settings.md).| **Billing - Account profile** |
+| Payment options | Manage payment options. For more information, see [Manage settings for the Microsoft Store for Business and Education](update-microsoft-store-for-business-account-settings.md#payment-options).| **Billing - Payment methods** |
| Private store | Update the name for your private store. The new name will be displayed on a tab in the Store. For more information, see [Manage private store settings](manage-private-store-settings.md). | **Settings - Distribute** |
| Offline licensing | Configure whether or not to make offline-licensed apps available in the Microsoft Store for Business and Education. For more information, see [Distribute offline apps](distribute-offline-apps.md). | **Settings - Shop** |
-| App request | Configure whether or not people in your organization can request apps for admins to purchase. For more information, see [Distribute offline apps](acquire-apps-windows-store-for-business.md). | **Settings - Distribute** |
-| Management tools | Management tools that are synced with Azure AD are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md). | **Settings - Distribute** |
+| App request | Configure whether or not people in your organization can request apps for admins to purchase. For more information, see [Distribute offline apps](acquire-apps-microsoft-store-for-business.md). | **Settings - Distribute** |
+| Management tools | Management tools that are synced with Azure AD are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md). | **Settings - Distribute** |
| Device Guard signing | Use the Device Guard signing portal to add unsigned apps to a code integrity policy, or to sign code integrity policies. For more information, see [Device Guard signing portal](device-guard-signing-portal.md). | **Settings - Devices** |
-| Permissions | Manage permissions for your employees. For more information, see [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-windows-store-for-business.md). | **Permissions - Roles** and **Permissions - Blocked basic purchasers** |
+| Permissions | Manage permissions for your employees. For more information, see [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-microsoft-store-for-business.md). | **Permissions - Roles** and **Permissions - Blocked basic purchasers** |
| Line-of-business (LOB) publishers | Invite devs to become LOB publishers for your organization. Existing LOB publishers are listed on the page, and you can deactivate or invite them again. For more information, see [Work with line-of-business apps](working-with-line-of-business-apps.md). | **Permissions - Line-of-business apps** |
diff --git a/store-for-business/sfb-change-history.md b/store-for-business/sfb-change-history.md
index ed0904b3ee..a8f511215c 100644
--- a/store-for-business/sfb-change-history.md
+++ b/store-for-business/sfb-change-history.md
@@ -18,12 +18,20 @@ ms.localizationpriority: high
- Windows 10
- Windows 10 Mobile
+## September 2017
+
+| New or changed topic | Description |
+| --- | --- |
+| [What's New in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) | New |
+| [App requests](https://docs.microsoft.com/microsoft-store/acquire-apps-windows-store-for-business#request-apps) | New |
+| [Settings reference: Microsoft Store for Business and Education](manage-settings-microsoft-store-for-business.md) and [Update Microsoft Store for Business and Microsoft Store for Education account settings](update-windows-store-for-business-account-settings.md) | Updates for UI changes in **Settings**. |
+
## July 2017
| New or changed topic | Description |
| --- | --- |
| [Microsoft Store for Business and Education PowerShell module - preview](microsoft-store-for-business-education-powershell-module.md) | New |
-
+| [Microsoft Store for Business and Education overview - supported markets](https://docs.microsoft.com/en-us/microsoft-store/windows-store-for-business-overview#supported-markets) | Updates for added market support. |
## June 2017
| New or changed topic | Description |
diff --git a/store-for-business/sign-up-windows-store-for-business-overview.md b/store-for-business/sign-up-microsoft-store-for-business-overview.md
similarity index 100%
rename from store-for-business/sign-up-windows-store-for-business-overview.md
rename to store-for-business/sign-up-microsoft-store-for-business-overview.md
diff --git a/store-for-business/sign-up-windows-store-for-business.md b/store-for-business/sign-up-microsoft-store-for-business.md
similarity index 100%
rename from store-for-business/sign-up-windows-store-for-business.md
rename to store-for-business/sign-up-microsoft-store-for-business.md
diff --git a/store-for-business/troubleshoot-windows-store-for-business.md b/store-for-business/troubleshoot-microsoft-store-for-business.md
similarity index 62%
rename from store-for-business/troubleshoot-windows-store-for-business.md
rename to store-for-business/troubleshoot-microsoft-store-for-business.md
index 2443391b42..9e55e0279f 100644
--- a/store-for-business/troubleshoot-windows-store-for-business.md
+++ b/store-for-business/troubleshoot-microsoft-store-for-business.md
@@ -20,13 +20,13 @@ ms.localizationpriority: high
Troubleshooting topics for Microsoft Store for Business.
## Can't find apps in private store
-The private store for your organization is a page in the Windows Store app that contains apps that are private to your organization. After your organization acquires an app, your Store for Business admin can add it to your organization's private store. Your private store usually has a name that is close to the name of your organization or company. If you can't see your private store, there are a couple of things to check:
-- **No apps in the private store** - The private store page is only available in the Windows Store app if there are apps added to your private store. You won't see your private store page with no apps listed on it. If your Store for Business admin has added an app to the private store, and the private store page is still not available, they can check the private store status for the app on the **Inventory** page. If the status is **Add in progress**, wait and check back.
+The private store for your organization is a page in Microsoft Store app that contains apps that are private to your organization. After your organization acquires an app, your Store for Business admin can add it to your organization's private store. Your private store usually has a name that is close to the name of your organization or company. If you can't see your private store, there are a couple of things to check:
+- **No apps in the private store** - The private store page is only available in Microsoft Store on Windows 10 if there are apps added to your private store. You won't see your private store page with no apps listed on it. If your Microsoft Store for Business admin has added an app to the private store, and the private store page is still not available, they can check the private store status for the app on **Product & services - Apps**. If the status under **Private store** is **Add in progress**, wait and check back.
- **Signed in with the wrong account** - If you have multiple accounts that you use in your organization, you might be signed in with the wrong account. Or, you might not be signed in. Use this procedure to sign in with your organization account.
-**To sign in with organization account in Windows Store app**
+**To sign in with organization account in Microsoft Store app**
-1. Click the people icon in Windows Store app, and click **Sign in**.
+1. Click the people icon in Microsoft Store app, and click **Sign in**.
diff --git a/store-for-business/update-windows-store-for-business-account-settings.md b/store-for-business/update-microsoft-store-for-business-account-settings.md
similarity index 82%
rename from store-for-business/update-windows-store-for-business-account-settings.md
rename to store-for-business/update-microsoft-store-for-business-account-settings.md
index 951212afbd..90161eda1e 100644
--- a/store-for-business/update-windows-store-for-business-account-settings.md
+++ b/store-for-business/update-microsoft-store-for-business-account-settings.md
@@ -28,10 +28,10 @@ Before purchasing apps that have a fee, you need to add or update your organizat
We use the Business address to calculate sales tax. If your organization's address has already been entered for other commercial purchases through Microsoft Store, or through other online purchases such as Office 365 or Azure subscriptions, then we’ll use the same address in Microsoft Store for Business and Microsoft Store for Education. If we don’t have an address, we’ll ask you to enter it during your first purchase.
-We need an email address in case we need to contact you about your Microsoft Store for Business and Education account. This email account should reach the admin for your organization’s Office 365 or Azure AD tenant that is used with Microsoft Store.
+We need an email address in case we need to contact you about your Microsoft Store for Business and for Education account. This email account should reach the admin for your organization’s Office 365 or Azure AD tenant that is used with Microsoft Store.
**To update Organization information**
-1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com)
+1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com)
2. Click **Manage**, click **Billing**, **Account profile**, and then click **Edit**.
## Organization tax information
@@ -86,7 +86,7 @@ These countries can provide their VAT number or local equivalent in **Payments &
If you qualify for tax-exempt status in your market, start a service request to establish tax exempt status for your organization.
**To start a service request**
-1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
+1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com).
2. Click **Manage**, click **Support**, and then under **Store settings & configuration** click **Create technical support ticket**.
You’ll need this documentation:
@@ -119,14 +119,14 @@ You can purchase apps from Microsoft Store for Business using your credit card.
5. Japan Commercial Bureau (JCB)
> [!NOTE]
-> Not all cards available in all countries. When you add a payment option, Store for Business shows which cards are available in your region.
+> Not all cards available in all countries. When you add a payment option, Microsoft Store for Business shows which cards are available in your region.
**To add a new payment option**
1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com).
-2. Click **Manage**, click **Billing**, and then click **Payments methods**.
+2. Click **Manage**, click **Billing**, and then click **Payments methods**.
3. Click **Add a payment options**, and then select the type of credit card that you want to add.
-4. Add information to any required fields, and then click **Next**.
+4. Add information to required fields, and then click **Next**.
Once you click Next, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems.
@@ -135,7 +135,7 @@ Once you click Next, the information you provided will be validated with a tes
**To update a payment option**
-1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com).
+1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**, click **Billing**, and then click **Payments methods**.
3. Select the payment option that you want to update, and then click **Update**.
4. Enter any updated information in the appropriate fields, and then click **Next**.
@@ -146,17 +146,17 @@ Once you click **Next**, the information you provided will be validated with a
## Offline licensing
-Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store. For more information on the Store for Business licensing model, see [licensing model](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model).
+Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Microsoft Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store. For more information on Microsoft Store for Business licensing model, see [licensing model](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model).
Admins can decide whether or not offline licenses are shown for apps in Microsoft Store.
**To set offline license visibility**
-1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com).
+1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**, and then click **Settings - Shop**.
3. Under **Shopping experience** turn on or turn off **Show offline apps**,to show availability for offline-licensed apps.
You have the following distribution options for offline-licensed apps:
- Include the app in a provisioning package, and then use it as part of imaging a device.
- Distribute the app through a management tool.
-For more information, see [Distribute apps to your employees from the Store for Business](distribute-apps-with-management-tool.md).
\ No newline at end of file
+For more information, see [Distribute apps to your employees from Microsoft Store for Business](distribute-apps-with-management-tool.md).
\ No newline at end of file
diff --git a/store-for-business/working-with-line-of-business-apps.md b/store-for-business/working-with-line-of-business-apps.md
index 87dc16ae0e..af7a2e13b1 100644
--- a/store-for-business/working-with-line-of-business-apps.md
+++ b/store-for-business/working-with-line-of-business-apps.md
@@ -19,29 +19,23 @@ ms.localizationpriority: high
Your company or school can make line-of-business (LOB) applications available through Microsoft Store for Business or Microsoft Store for Education. These apps are custom to your school or organization – they might be internal apps, or apps specific to your school, business, or industry.
-Developers within your organization, or ISVs that you invite, can become LOB publishers and submit apps to Microsoft Store for your company or school. Once an LOB publisher submits an app for your company, the app is only available to your company. LOB publishers submit apps through the Windows Dev Center using the same process as all apps that are in the Store, and then can be managed or deployed using the same process as any other app that has been acquired through the Store.
+Developers within your organization, or ISVs that you invite, can become LOB publishers and submit apps to Microsoft Store for your company or school. Once an LOB publisher submits an app for your company, the app is only available to your company. LOB publishers submit apps through the Windows Dev Center using the same process as all apps that are in Microsoft Store, and then can be managed or deployed using the same process as any other app that has been acquired through Microsoft Store.
-One advantage of making apps available through Microsoft Store is that the app has been signed by the Store, and uses the standard Store policies. For organizations that can’t submit their application through the Windows Dev Center (for example, those needing additional capabilities or due to compliance purposes), [Sideloading](https://go.microsoft.com/fwlink/p/?LinkId=623433) is also supported in Windows 10.
+One advantage of making apps available through Microsoft Store for Business is that the app has been signed by Microsoft Store, and uses the standard Microsoft Store policies. For organizations that can’t submit their application through the Windows Dev Center (for example, those needing additional capabilities or due to compliance purposes), [Sideloading](https://go.microsoft.com/fwlink/p/?LinkId=623433) is also supported on Windows 10.
## Adding LOB apps to your private store
-Admins and ISVs each own different parts of the process for getting LOB apps created, submitted, and deployed to your employees or students. Admins use the Store for Business portal; ISVs or devs use the Windows Dev center on MSDN.
+Admins and ISVs each own different parts of the process for getting LOB apps created, submitted, and deployed to your employees or students. Admins use Microsoft Store for Business or Microsoft Store for Education portal; ISVs or devs use the Windows Dev center on MSDN.
Here’s what’s involved:
-
-- The Store for Business admin invites a developer or ISV to become an LOB publisher for your company.
-
-- LOB publisher develops and submits app to the Store, tagging the app so it is only available to your company.
-
-- The Store for Business admin accepts the app and can distribute the app to employees in your company.
+- Microsoft Store for Business admin invites a developer or ISV to become an LOB publisher for your company.
+- LOB publisher develops and submits app to Microsoft Store, tagging the app so it is only available to your company.
+- Microsoft Store for Business admin accepts the app and can distribute the app to employees in your company.
You'll need to set up:
-
- Your company needs to be signed up with Microsoft Store for Business or Microsoft Store for Education.
-
- LOB publishers need to have an active developer account. To learn more about account options, see [Ready to sign up](https://go.microsoft.com/fwlink/p/?LinkId=623432).
-
-- LOB publishers need to have an app in the Store, or have an app ready to submit to the Store.
+- LOB publishers need to have an app in Microsoft Store, or have an app ready to submit to the Store.
## Add an LOB publisher (Admin)
@@ -49,7 +43,7 @@ Admins need to invite developer or ISVs to become an LOB publisher.
**To invite a developer to become an LOB publisher**
-1. Sign in to the [Microsoft Store for Business]( https://go.microsoft.com/fwlink/p/?LinkId=623531).
+1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com).
2. Click **Manage**, click **Permissions**, and then choose **Line-of-business publishers**.
3. On the Line-of business publishers page, click **Invite** to send an email invitation to a developer.
>[!Note]
@@ -92,18 +86,14 @@ After an ISV submits the LOB app for your company or school, someone with Micros
**To add the LOB app to your inventory**
-1. Sign in to the Store for Business.
-2. Click **Manage**, click **Apps & Software**, and then choose **New LOB apps**.
+1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com).
+2. Click **Manage**, click **Products & services**, and then choose **New LOB apps**.
3. Click the ellipses under **Action** for the app you want to add to your inventory, and then choose **Add to inventory**.
After you add the app to your inventory, you can choose how to distribute the app. For more information, see:
-
- [Distribute apps to your employees from the Microsoft Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md)
-
- [Distribute apps from your private store](distribute-apps-from-your-private-store.md)
-
- [Assign apps to employees](assign-apps-to-employees.md)
-
- [Distribute offline apps](distribute-offline-apps.md)
diff --git a/windows/access-protection/TOC.md b/windows/access-protection/TOC.md
index 7dbb46c015..acb2519e1d 100644
--- a/windows/access-protection/TOC.md
+++ b/windows/access-protection/TOC.md
@@ -69,7 +69,7 @@
### [Windows 10 credential theft mitigation guide abstract](windows-credential-theft-mitigation-guide-abstract.md)
## [Windows Firewall with Advanced Security](windows-firewall/windows-firewall-with-advanced-security.md)
-### [Isolating Windows Store Apps on Your Network](windows-firewall/isolating-apps-on-your-network.md)
+### [Isolating Microsoft Store Apps on Your Network](windows-firewall/isolating-apps-on-your-network.md)
### [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md)
### [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md)
### [Windows Firewall with Advanced Security Design Guide](windows-firewall/windows-firewall-with-advanced-security-design-guide.md)
diff --git a/windows/access-protection/access-control/microsoft-accounts.md b/windows/access-protection/access-control/microsoft-accounts.md
index 01efb97d0a..3a5b9f595e 100644
--- a/windows/access-protection/access-control/microsoft-accounts.md
+++ b/windows/access-protection/access-control/microsoft-accounts.md
@@ -20,7 +20,7 @@ When a user signs in with a Microsoft account, the device is connected to cloud
## How a Microsoft account works
-The Microsoft account allows users to sign in to websites that support this service by using a single set of credentials. Users' credentials are validated by a Microsoft account authentication server that is associated with a website. The Windows Store is an example of this association. When new users sign in to websites that are enabled to use Microsoft accounts, they are redirected to the nearest authentication server, which asks for a user name and password. Windows uses the Schannel Security Support Provider to open a Transport Level Security/Secure Sockets Layer (TLS/SSL) connection for this function. Users then have the option to use Credential Manager to store their credentials.
+The Microsoft account allows users to sign in to websites that support this service by using a single set of credentials. Users' credentials are validated by a Microsoft account authentication server that is associated with a website. The Microsoft Store is an example of this association. When new users sign in to websites that are enabled to use Microsoft accounts, they are redirected to the nearest authentication server, which asks for a user name and password. Windows uses the Schannel Security Support Provider to open a Transport Level Security/Secure Sockets Layer (TLS/SSL) connection for this function. Users then have the option to use Credential Manager to store their credentials.
When users sign in to websites that are enabled to use a Microsoft account, a time-limited cookie is installed on their computers, which includes a triple DES encrypted ID tag. This encrypted ID tag has been agreed upon between the authentication server and the website. This ID tag is sent to the website, and the website plants another time-limited encrypted HTTP cookie on the user’s computer. When these cookies are valid, users are not required to supply a user name and password. If a user actively signs out of their Microsoft account, these cookies are removed.
@@ -70,13 +70,13 @@ Users can add security information to their Microsoft accounts through the **Acc
Although the Microsoft account was designed to serve consumers, you might find situations where your domain users can benefit by using their personal Microsoft account in your enterprise. The following list describes some advantages.
-- **Download Windows Store apps**:
+- **Download Microsoft Store apps**:
- If your enterprise chooses to distribute software through the Windows Store, your users can use their Microsoft accounts to download and use them on up to five devices running any version of Windows 10, Windows 8.1, Windows 8, or Windows RT.
+ If your enterprise chooses to distribute software through the Microsoft Store, your users can use their Microsoft accounts to download and use them on up to five devices running any version of Windows 10, Windows 8.1, Windows 8, or Windows RT.
- **Single sign-on**:
- Your users can use Microsoft account credentials to sign in to devices running Windows 10, Windows 8.1, Windows 8 or Windows RT. When they do this, Windows works with your Windows Store app to provide authenticated experiences for them. Users can associate a Microsoft account with their sign-in credentials for Windows Store apps or websites, so that these credentials roam across any devices running these supported versions.
+ Your users can use Microsoft account credentials to sign in to devices running Windows 10, Windows 8.1, Windows 8 or Windows RT. When they do this, Windows works with your Microsoft Store app to provide authenticated experiences for them. Users can associate a Microsoft account with their sign-in credentials for Microsoft Store apps or websites, so that these credentials roam across any devices running these supported versions.
- **Personalized settings synchronization**:
@@ -84,7 +84,7 @@ Although the Microsoft account was designed to serve consumers, you might find s
- **App synchronization**:
- Windows Store apps can store user-specific settings so that these settings are available to any device. As with operating system settings, these user-specific app settings are available whenever the user signs in with the same Microsoft account on any device that is running a supported version of Windows and is connected to the cloud. After the user signs in, that device automatically downloads the settings from the cloud and applies them when the app is installed.
+ Microsoft Store apps can store user-specific settings so that these settings are available to any device. As with operating system settings, these user-specific app settings are available whenever the user signs in with the same Microsoft account on any device that is running a supported version of Windows and is connected to the cloud. After the user signs in, that device automatically downloads the settings from the cloud and applies them when the app is installed.
- **Integrated social media services**:
diff --git a/windows/access-protection/hello-for-business/hello-how-it-works.md b/windows/access-protection/hello-for-business/hello-how-it-works.md
index c5d6ce9420..f868232fce 100644
--- a/windows/access-protection/hello-for-business/hello-how-it-works.md
+++ b/windows/access-protection/hello-for-business/hello-how-it-works.md
@@ -71,7 +71,7 @@ Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protect
When a user wants to access protected key material, the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called releasing the key. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. The user's PIN unlocks the protector key for the container on the device. When that container is unlocked, applications (and thus the user) can use whatever IDP keys reside inside the container.
-These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It’s important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or sign in to a website). Access through these APIs doesn’t require explicit validation through a user gesture, and the key material isn’t exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure the Windows Store to require reauthentication any time a user purchases an application, even though the same account and PIN or gesture were already used to unlock the device.
+These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It’s important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or sign in to a website). Access through these APIs doesn’t require explicit validation through a user gesture, and the key material isn’t exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure the Microsoft Store to require reauthentication any time a user purchases an application, even though the same account and PIN or gesture were already used to unlock the device.
For example, the authentication process for Azure Active Directory works like this:
diff --git a/windows/access-protection/virtual-smart-cards/virtual-smart-card-overview.md b/windows/access-protection/virtual-smart-cards/virtual-smart-card-overview.md
index 4ff1788ca5..5fbf99a89e 100644
--- a/windows/access-protection/virtual-smart-cards/virtual-smart-card-overview.md
+++ b/windows/access-protection/virtual-smart-cards/virtual-smart-card-overview.md
@@ -68,7 +68,7 @@ To verify authorship of data, a user can sign it by using a private key that is
## New and changed functionality as of Windows 8.1
-Enhancements in Windows 8.1 enabled developers to build Windows Store apps to create and manage virtual smart cards.
+Enhancements in Windows 8.1 enabled developers to build Microsoft Store apps to create and manage virtual smart cards.
The DCOM Interfaces for Trusted Platform Module (TPM) Virtual Smart Card device management protocol provides a Distributed Component Object Model (DCOM) Remote Protocol interface used for creating and destroying virtual smart cards. A virtual smart card is a device that presents a device interface complying with the PC/SC specification for PC-connected interface devices to its host operating system (OS) platform. This protocol does not assume anything about the underlying implementation of virtual smart card devices. In particular, while it is primarily intended for the management of virtual smart cards based on TPMs, it can also be used to manage other types of virtual smart cards.
@@ -92,9 +92,9 @@ Starting with Windows 8.1, application developers can build into their apps the
**What works differently?**
-Starting with Windows 8.1, Windows Store app developers are able to build apps that have the capability to prompt the user to reset or unblock and change a virtual smart card PIN. This places more responsibility on the user to maintain their virtual smart card but it can also provide a more consistent user experience and administration experience in your organization.
+Starting with Windows 8.1, Microsoft Store app developers are able to build apps that have the capability to prompt the user to reset or unblock and change a virtual smart card PIN. This places more responsibility on the user to maintain their virtual smart card but it can also provide a more consistent user experience and administration experience in your organization.
-For more information about developing Windows Store apps with these capabilities, see [Trusted Platform Module Virtual Smart Card Management Protocol](https://msdn.microsoft.com/library/hh880895.aspx).
+For more information about developing Microsoft Store apps with these capabilities, see [Trusted Platform Module Virtual Smart Card Management Protocol](https://msdn.microsoft.com/library/hh880895.aspx).
For more information about managing these capabilities in virtual smart cards, see [Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md).
diff --git a/windows/access-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/access-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
index 6dfa73df29..133ed7ba13 100644
--- a/windows/access-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
+++ b/windows/access-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
@@ -40,9 +40,9 @@ Virtual smart cards can also be created and deleted by using APIs. For more info
- [ITPMVirtualSmartCardManagerStatusCallBack](https://msdn.microsoft.com/library/windows/desktop/hh707161(v=vs.85).aspx)
-You can use APIs that were introduced in the Windows.Device.SmartCards namespace in Windows Server 2012 R2 and Windows 8.1 to build Windows Store apps to manage the full lifecycle of virtual smart cards. For information about how to build an app to do this, see [Strong Authentication: Building Apps That Leverage Virtual Smart Cards in Enterprise, BYOD, and Consumer Environments | Build 2013 | Channel 9](http://channel9.msdn.com/events/build/2013/2-041).
+You can use APIs that were introduced in the Windows.Device.SmartCards namespace in Windows Server 2012 R2 and Windows 8.1 to build Microsoft Store apps to manage the full lifecycle of virtual smart cards. For information about how to build an app to do this, see [Strong Authentication: Building Apps That Leverage Virtual Smart Cards in Enterprise, BYOD, and Consumer Environments | Build 2013 | Channel 9](http://channel9.msdn.com/events/build/2013/2-041).
-The following table describes the features that can be developed in a Windows Store app:
+The following table describes the features that can be developed in a Microsoft Store app:
| Feature | Physical Smart Card | Virtual Smart Card |
|----------------------------------------------|---------------------|--------------------|
diff --git a/windows/access-protection/windows-firewall/isolating-apps-on-your-network.md b/windows/access-protection/windows-firewall/isolating-apps-on-your-network.md
index a488a96fe2..182f3bb99e 100644
--- a/windows/access-protection/windows-firewall/isolating-apps-on-your-network.md
+++ b/windows/access-protection/windows-firewall/isolating-apps-on-your-network.md
@@ -1,6 +1,6 @@
---
-title: Isolating Windows Store Apps on Your Network (Windows 10)
-description: Isolating Windows Store Apps on Your Network
+title: Isolating Microsoft Store Apps on Your Network (Windows 10)
+description: Isolating Microsoft Store Apps on Your Network
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -8,19 +8,19 @@ ms.pagetype: security
author: brianlic-msft
---
-# Isolating Windows Store Apps on Your Network
+# Isolating Microsoft Store Apps on Your Network
**Applies to**
- Windows 10
- Windows Server 2016
-When you add new devices to your network, you may want to customize your Windows Defender Firewall with Advanced Security configuration to isolate the network access of the new Windows Store apps that run on them. Developers who build Windows Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app.
+When you add new devices to your network, you may want to customize your Windows Defender Firewall with Advanced Security configuration to isolate the network access of the new Microsoft Store apps that run on them. Developers who build Microsoft Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app.
For example, a developer can decide that their app should only connect to trusted local networks (such as at home or work), and not to the Internet. In this way, developers can define the scope of network access for their app. This network isolation prevents an app from accessing a network and a connection type (inbound or outbound) if the connection has not been configured for the app. Then the network administrator can customize the firewall to further restrict the resources that the app can access.
The ability to set and enforce these network boundaries ensures that apps that get compromised can only access networks where they have been explicitly granted access. This significantly reduces the scope of their impact on other apps, the device, and the network. In addition, apps can be isolated and protected from malicious access from the network.
-When creating new Windows Store apps, a developer can define the following network capabilities for their app:
+When creating new Microsoft Store apps, a developer can define the following network capabilities for their app:
- **Home\\Work Networking**
@@ -40,7 +40,7 @@ When creating new Windows Store apps, a developer can define the following netwo
**In this topic**
-To isolate Windows Store apps on your network, you need to use Group Policy to define your network isolation settings and create custom Windows Store app firewall rules.
+To isolate Microsoft Store apps on your network, you need to use Group Policy to define your network isolation settings and create custom Microsoft Store app firewall rules.
- [Prerequisites](#prerequisites)
@@ -52,16 +52,16 @@ To isolate Windows Store apps on your network, you need to use Group Policy to d
- A domain controller is installed on your network, and your devices are joined to the Windows domain.
-- Your Windows Store app is installed on the client device.
+- Your Microsoft Store app is installed on the client device.
-- The Remote Server Administration Tools (RSAT) are installed on your client device. When you perform the following steps from your client device, you can select your Windows Store app when you create Windows Defender Firewall rules.
+- The Remote Server Administration Tools (RSAT) are installed on your client device. When you perform the following steps from your client device, you can select your Microsoft Store app when you create Windows Defender Firewall rules.
>**Note:** You can install the RSAT on your device running Windows 10 from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
## Step 1: Define your network
-The **Home\\Work Networking** capability enables access to intranet resources. Administrators can use Group Policy settings to define the scope of the intranet. This ensures that Windows Store apps can access intranet resources appropriately.
+The **Home\\Work Networking** capability enables access to intranet resources. Administrators can use Group Policy settings to define the scope of the intranet. This ensures that Microsoft Store apps can access intranet resources appropriately.
A network endpoint is considered part of the **Home\\Work Network** if:
@@ -111,7 +111,7 @@ All other endpoints that do not meet the previously stated criteria are consider
## Step 2: Create custom firewall rules
-Windows Store apps can declare many capabilities in addition to the network capabilities discussed previously. For example, apps can declare capabilities to access user identity, the local file system, and certain hardware devices.
+Microsoft Store apps can declare many capabilities in addition to the network capabilities discussed previously. For example, apps can declare capabilities to access user identity, the local file system, and certain hardware devices.
The following table provides a complete list of the possible app capabilities.
@@ -134,7 +134,7 @@ The following table provides a complete list of the possible app capabilities.
| **Webcam** | webcam| Provides access to the webcam's video feed.|
| **Other devices (represented by GUIDs)** | <GUID>| Includes specialized devices and Windows Portable Devices.|
-You can create a Windows Defender Firewall policy that is scoped to a set of apps that use a specified capability or scoped to a specific Windows Store app.
+You can create a Windows Defender Firewall policy that is scoped to a set of apps that use a specified capability or scoped to a specific Microsoft Store app.
For example, you could create a Windows Defender Firewall policy to block Internet access for any apps on your network that have the Documents Library capability.
@@ -180,7 +180,7 @@ For example, you could create a Windows Defender Firewall policy to block Intern
19. Click **Apply to application packages only**, and then click **OK**.
- >**Important:** You must do this to ensure that the rule applies only to Windows Store apps and not to other apps. Desktop apps declare all capabilities by default, and this rule would apply to them if you do not configure it this way.
+ >**Important:** You must do this to ensure that the rule applies only to Microsoft Store apps and not to other apps. Desktop apps declare all capabilities by default, and this rule would apply to them if you do not configure it this way.
20. Click **OK** to close the **Properties** dialog box.
diff --git a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security.md
index cb9ac4105d..d21a434151 100644
--- a/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security.md
+++ b/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security.md
@@ -36,7 +36,7 @@ To help address your organizational network security challenges, Windows Defende
| Topic | Description
| - | - |
-| [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md) | You can customize your Windows Defender Firewall configuration to isolate the network access of Windows Store apps that run on devices. |
+| [Isolating Microsoft Store Apps on Your Network](isolating-apps-on-your-network.md) | You can customize your Windows Defender Firewall configuration to isolate the network access of Microsoft Store apps that run on devices. |
| [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2.md) | You can use IKEv2 to help secure your end-to-end IPSec connections. |
| [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) | Learn more about using Windows PowerShell to manage the Windows Defender Firewall. |
| [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) | Learn how to create a design for deploying Windows Defender Firewall with Advanced Security. |
diff --git a/windows/application-management/TOC.md b/windows/application-management/TOC.md
index 35f3b14372..5adf6e1def 100644
--- a/windows/application-management/TOC.md
+++ b/windows/application-management/TOC.md
@@ -1,6 +1,7 @@
# [Manage applications in Windows 10](index.md)
## [Sideload apps](sideload-apps-in-windows-10.md)
## [Remove background task resource restrictions](enterprise-background-activity-controls.md)
+## [Enable or block Windows Mixed Reality apps in the enterprise](manage-windows-mixed-reality.md)
## [Application Virtualization (App-V) for Windows](app-v/appv-for-windows.md)
### [Getting Started with App-V](app-v/appv-getting-started.md)
#### [What's new in App-V for Windows 10, version 1703 and earlier](app-v/appv-about-appv.md)
diff --git a/windows/application-management/change-history-for-application-management.md b/windows/application-management/change-history-for-application-management.md
index 3aca385415..a8a4c9a073 100644
--- a/windows/application-management/change-history-for-application-management.md
+++ b/windows/application-management/change-history-for-application-management.md
@@ -1,20 +1,26 @@
---
-title: Change history for Configure Windows 10 (Windows 10)
+title: Change history for Application management in Windows 10 (Windows 10)
description: This topic lists changes to documentation for configuring Windows 10.
keywords:
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-ms.localizationpriority: high
+ms.localizationpriority: medium
author: jdeckerms
-ms.date: 09/15/2017
+ms.date: 10/17/2017
---
-# Change history for Configure Windows 10
+# Change history for Application management in Windows 10
This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
+## RELEASE: Windows 10, version 1709
+
+The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update). The following new topic has been added:
+
+- [Enable or block Windows Mixed Reality apps in the enterprise](manage-windows-mixed-reality.md)
+
## September 2017
| New or changed topic | Description |
| --- | --- |
diff --git a/windows/application-management/index.md b/windows/application-management/index.md
index b42c674d12..e96291a634 100644
--- a/windows/application-management/index.md
+++ b/windows/application-management/index.md
@@ -21,6 +21,7 @@ Learn about managing applications in Windows 10 and Windows 10 Mobile clients.
|---|---|
|[Sideload apps in Windows 10](sideload-apps-in-windows-10.md)| Requirements and instructions for side-loading LOB applications on Windows 10 and Windows 10 Mobile clients|
| [Remove background task resource restrictions](enterprise-background-activity-controls.md) | Windows provides controls to manage which experiences may run in the background. |
+| [Enable or block Windows Mixed Reality apps in the enterprise](manage-windows-mixed-reality.md) | Learn how to enable or block Windows Mixed Reality apps. |
|[App-V](app-v/appv-getting-started.md)| Microsoft Application Virtualization (App-V) for Windows 10 enables organizations to deliver Win32 applications to users as virtual applications|
| [Service Host process refactoring](svchost-service-refactoring.md) | Changes to Service Host grouping in Windows 10 |
|[Per User services in Windows 10](sideload-apps-in-windows-10.md)| Overview of per user services and instructions for viewing and disabling them in Windows 10 and Windows 2016|
diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md
new file mode 100644
index 0000000000..69313ce229
--- /dev/null
+++ b/windows/application-management/manage-windows-mixed-reality.md
@@ -0,0 +1,87 @@
+---
+title: Enable or block Windows Mixed Reality apps in the enterprise (Windows 10)
+description: Learn how to enable or block Windows Mixed Reality apps.
+keyboards: ["mr", "mr portal", "mixed reality portal", "mixed reality"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: medium
+author: jdeckerms
+ms.author: jdecker
+ms.date: 10/17/2017
+---
+
+# Enable or block Windows Mixed Reality apps in the enterprise
+
+**Applies to**
+
+- Windows 10
+
+Windows 10, version 1709 (also known as the Fall Creators Update), introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/). Organizations that use Windows Server Update Services (WSUS) must take action to [enable Windows Mixed Reality](#enable). Any organization that wants to prohibit use of Windows Mixed Reality can [block the installation of the Mixed Reality Portal](#block).
+
+
+
+## Enable Windows Mixed Reality in WSUS
+
+To enable users to download the Windows Mixed Reality software, enterprises using WSUS can approve Windows Mixed Reality package by unblocking the following KBs:
+
+- KB4016509
+- KB3180030
+- KB3197985
+
+Enterprises will not be able to install Windows Mixed Reality Feature on Demand (FOD) directly from WSUS. Instead, use one of the following options to install Windows Mixed Reality software:
+
+- Manually install the Mixed Reality software
+- IT admin can create [Side by side feature store (shared folder)](https://technet.microsoft.com/library/jj127275.aspx)
+
+
+
+## Block the Mixed Reality Portal
+
+You can use the [AppLocker configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) to block the Mixed Reality software.
+
+In the following example, the **Id** can be any generated GUID and the **Name** can be any name you choose. Note that `BinaryName="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app.
+
+```xml
+
+
+
+ $CmdID$
+
+
+ ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions
+
+
+ chr
+ text/plain
+
+
+ <RuleCollection Type="Appx" EnforcementMode="Enabled">
+ <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
+ <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
+ </FilePublisherCondition>
+ </Conditions>
+ </FilePublisherRule>
+ <FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*">
+ <BinaryVersionRange LowSection="*" HighSection="*" />
+ </FilePublisherCondition>
+ </Conditions>
+ </FilePublisherRule>
+ </RuleCollection>>
+
+
+
+
+
+
+
+```
+
+
+## Related topics
+
+- [Mixed reality](https://developer.microsoft.com/windows/mixed-reality/mixed_reality)
\ No newline at end of file
diff --git a/windows/application-management/media/user-service-flag.png b/windows/application-management/media/user-service-flag.png
new file mode 100644
index 0000000000..56e03d1bc5
Binary files /dev/null and b/windows/application-management/media/user-service-flag.png differ
diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md
index f784c78af2..f1dbb4f189 100644
--- a/windows/application-management/per-user-services-in-windows.md
+++ b/windows/application-management/per-user-services-in-windows.md
@@ -19,10 +19,10 @@ Per-user services are services that are created when a user signs into Windows o
> [!NOTE]
> Per-user services are only in available in Windows Server if you have installed the Desktop Experience. If you are running a Server Core or Nano Server installation, you won't see these services.
-You can configure the template service to create per-user services in a stopped and disabled state by setting the template service's **Startup Type** to **Disabled**.
+You can set the template service's **Startup Type** to **Disabled** to create per-user services in a stopped and disabled state.
> [!IMPORTANT]
-> Carefully test any changes to the template service's Startup Type before deploying in production.
+> Carefully test any changes to the template service's Startup Type before deploying to a production environment.
Use the following information to understand per-user services, change the template service Startup Type, and manage per-user services through Group Policy and security templates.
For more information about disabling system services for Windows Server, see [Guidance on disabling system services on Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server).
@@ -131,13 +131,17 @@ REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t RE
### Managing Template Services with regedit.exe
-If you cannot use Group Policy preferences to manage the per-user services, you can edit the registry with regedit.exe. To disable the Template Services change the Startup Type for each service to 4 (disabled), as shown in the following example:
+If you cannot use Group Policy preferences to manage the per-user services, you can edit the registry with regedit.exe. To disable the template services, change the Startup Type for each service to 4 (disabled):
> [!CAUTION]
> We recommend that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the Registry Editor or by the Windows operating system before they are applied. As a result, incorrect values can be stored, and this can result in unrecoverable errors in the system. When possible, instead of editing the registry directly, use Group Policy or other Windows tools such as the Microsoft Management Console (MMC) to accomplish tasks. If you must edit the registry, use extreme caution.
+Beginning with Windows 10, version 1709 and Windows Server, version 1709, you can prevent the per-user service from being created by setting **UserServiceFlags** to 0 under the same service configuration in the registry:
+
+
+
### Manage template services by modifying the Windows image
If you're using custom images to deploy Windows, you can modify the Startup Type for the template services as part of the normal imaging process.
diff --git a/windows/client-management/change-history-for-client-management.md b/windows/client-management/change-history-for-client-management.md
index 457e51889a..cc7f5fb34a 100644
--- a/windows/client-management/change-history-for-client-management.md
+++ b/windows/client-management/change-history-for-client-management.md
@@ -16,6 +16,11 @@ ms.date: 06/13/2017
This topic lists new and updated topics in the [Client management](index.md) documentation for Windows 10 and Windows 10 Mobile.
+## RELEASE: Windows 10, version 1709
+
+The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update).
+
+
## July 2017
| New or changed topic | Description |
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md
index d8a901623a..6b56d24b8f 100644
--- a/windows/client-management/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/connect-to-remote-aadj-pc.md
@@ -8,6 +8,8 @@ ms.sitesec: library
ms.pagetype: devices
author: jdeckerms
ms.localizationpriority: medium
+ms.author: jdecker
+ms.date: 10/17/2017
---
# Connect to remote Azure Active Directory-joined PC
@@ -33,7 +35,13 @@ From its release, Windows 10 has supported remote connections to PCs that are jo
3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users to connect to the PC, you must allow remote connections for the local **Authenticated Users** group. Click **Select Users**.
>[!NOTE]
- >You cannot specify individual Azure AD accounts for remote connections.
+ >You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once and then running the following PowerShell cmdlet:
+ >
+ >`net localgroup "Remote Desktop Users" /add "AzureAD\FirstnameLastname"`
+ >
+ >In Windows 10, version 1709, the user does not have to sign in to the remote device first.
+ >
+ >In Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices.
4. Enter **Authenticated Users**, then click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC.
diff --git a/windows/client-management/group-policies-for-enterprise-and-education-editions.md b/windows/client-management/group-policies-for-enterprise-and-education-editions.md
index ff39d3cc04..f884fd5a2e 100644
--- a/windows/client-management/group-policies-for-enterprise-and-education-editions.md
+++ b/windows/client-management/group-policies-for-enterprise-and-education-editions.md
@@ -27,7 +27,7 @@ In Windows 10, version 1607, the following Group Policy settings apply only to W
| **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
| **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | In Windows 10, version 1703, this policy setting can be applied to Windows 10 Pro. For more info, see [Manage Windows 10 Start layout options and policies](/windows/configuration/windows-10-start-layout-options-and-policies) |
| **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application
User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/kb/3135657). |
-| **Only display the private store within the Windows Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app
User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app | For more info, see [Manage access to private store](/microsoft-store/manage-access-to-private-store) |
+| **Only display the private store within the Microsoft Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Microsoft Store app
User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Microsoft Store app | For more info, see [Manage access to private store](/microsoft-store/manage-access-to-private-store) |
| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) |
diff --git a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
index 3536562d23..588cc4a26f 100644
--- a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
+++ b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
@@ -34,7 +34,7 @@ When a device running Windows 10 Mobile is joined to Azure AD, the device can e
- Enable enterprise roaming of settings. (Not currently supported but on roadmap)
-- Use Windows Store for Business to target applications to users.
+- Use Microsoft Store for Business to target applications to users.
## Are you upgrading current devices to Windows 10 Mobile?
@@ -58,7 +58,7 @@ Even though Azure AD Join on Windows 10 Mobile provides the best overall experi
- You can add access to Azure AD-backed resources on the device without resetting the device.
-However, neither of these methods provides SSO in the Windows Store or SSO to resources on-premises, and does not provide the ability to roam settings based on the Azure AD account using enterprise roaming. [Learn about enterprise state roaming in Azure AD.](https://go.microsoft.com/fwlink/p/?LinkId=734996)
+However, neither of these methods provides SSO in the Microsoft Store or SSO to resources on-premises, and does not provide the ability to roam settings based on the Azure AD account using enterprise roaming. [Learn about enterprise state roaming in Azure AD.](https://go.microsoft.com/fwlink/p/?LinkId=734996)
Using **Settings** > **Accounts** > **Your email and accounts** > **Add work or school account**, users can add their Azure AD account to the device. Alternatively, a work account can be added when the user signs in to an application like Mail, Word, etc. If you [enable auto-enrollment in your MDM settings](https://go.microsoft.com/fwlink/p/?LinkID=691615), the device will automatically be enrolled in MDM.
@@ -188,10 +188,10 @@ To see the Notebooks that your Azure AD account has access to, tap **More Notebo
-## Use Windows Store for Business
+## Use Microsoft Store for Business
-[Microsoft Store for Business](/microsoft-store/index) allows you to specify applications to be available to your users in the Windows Store application. These applications show up on a tab titled for your company. Applications approved in the Microsoft Store for Business portal can be installed by users.
+[Microsoft Store for Business](/microsoft-store/index) allows you to specify applications to be available to your users in the Microsoft Store application. These applications show up on a tab titled for your company. Applications approved in the Microsoft Store for Business portal can be installed by users.
diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md
index 78ca7c8d39..f946781086 100644
--- a/windows/client-management/manage-corporate-devices.md
+++ b/windows/client-management/manage-corporate-devices.md
@@ -27,7 +27,7 @@ You can use the same management tools to manage all device types running Windows
| --- | --- |
| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment |
| [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) | How to use Remote Desktop Connection to connect to an Azure AD-joined PC |
-| [Manage Windows 10 and Windows Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions) | Options to manage user experiences to provide a consistent and predictable experience for employees |
+| [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions) | Options to manage user experiences to provide a consistent and predictable experience for employees |
| [New policies for Windows 10](new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10 |
| [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education |
| [Changes to Group Policy settings for Start in Windows 10](/windows/configuration/changes-to-start-policies-in-windows-10) | Changes to the Group Policy settings that you use to manage Start |
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
index 396ee16956..34b1af8c9f 100644
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@@ -38,7 +38,7 @@ Windows 10 offers a range of management options, as shown in the following diagr
-As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like Group Policy, Active Directory, and System Center Configuration Manager. It also delivers a “mobile-first, cloud-first” approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Windows Store for Business.
+As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like Group Policy, Active Directory, and System Center Configuration Manager. It also delivers a “mobile-first, cloud-first” approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Microsoft Store for Business.
## Deployment and Provisioning
diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md
index 2737a54616..5ab0e0ff0b 100644
--- a/windows/client-management/mdm/applocker-csp.md
+++ b/windows/client-management/mdm/applocker-csp.md
@@ -33,7 +33,7 @@ Defines the root node for the AppLocker configuration service provider.
**ApplicationLaunchRestrictions**
Defines restrictions for applications.
-> **Note**
+> [!NOTE]
> When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need.
>
> In Windows 10 Mobile, when you create a list of allowed apps, the [settings app that rely on splash apps](#settingssplashapps) are blocked. To unblock these apps, you must include them in your list of allowed apps.
@@ -120,7 +120,7 @@ In addition, each **Grouping** node contains one or more of the following nodes:
StoreApps
-
Defines restrictions for running apps from the Windows Store.
+
Defines restrictions for running apps from the Microsoft Store.
Supported operations are Get, Add, Delete, and Replace.
@@ -571,6 +571,10 @@ The following list shows the apps that may be included in the inbox.
906beeda-b7e6-4ddc-ba8d-ad5031223ef9
906beeda-b7e6-4ddc-ba8d-ad5031223ef9
+
+
Mixed Reality Portal
+
+
Microsoft.Windows.HolographicFirstRun
Money
1e0440f1-7abf-4b9a-863d-177970eefb5e
@@ -856,6 +860,47 @@ The following example blocks the usage of the map application.
```
+The following example disables the Mixed Reality Portal. In the example, the **Id** can be any generated GUID and the **Name** can be any name you choose. Note that `BinaryName="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app.
+
+```xml
+
+
+
+ $CmdID$
+
+
+ ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions
+
+
+ chr
+ text/plain
+
+
+ <RuleCollection Type="Appx" EnforcementMode="Enabled">
+ <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
+ <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
+ </FilePublisherCondition>
+ </Conditions>
+ </FilePublisherRule>
+ <FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*">
+ <BinaryVersionRange LowSection="*" HighSection="*" />
+ </FilePublisherCondition>
+ </Conditions>
+ </FilePublisherRule>
+ </RuleCollection>>
+
+
+
+
+
+
+
+```
+
The following example for Windows 10 Mobile denies all apps and allows the following apps:
- [settings app that rely on splash apps](#settingssplashapps)
diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md
index 1edda04b19..68de7f9bb2 100644
--- a/windows/client-management/mdm/device-update-management.md
+++ b/windows/client-management/mdm/device-update-management.md
@@ -230,11 +230,11 @@ The following diagram shows the Update policies in a tree format.
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store.
+
Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft.
-
Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Windows Store
+
Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft
-
Enabling this policy will disable that functionality, and may cause connection to public services such as the Windows Store to stop working.
+
Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft to stop working.
The following list shows the supported values:
diff --git a/windows/client-management/mdm/enterprise-app-management.md b/windows/client-management/mdm/enterprise-app-management.md
index fd6c08650e..f210212445 100644
--- a/windows/client-management/mdm/enterprise-app-management.md
+++ b/windows/client-management/mdm/enterprise-app-management.md
@@ -31,8 +31,8 @@ Windows 10 offers the ability for management servers to:
Windows 10 lets you inventory all apps deployed to a user and all apps for all users of a device on Windows 10 for desktop editions. The [EnterpriseModernAppManagement](enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and does not include traditional Win32 apps installed via MSI or executables. When the apps are inventoried they are separated based on the following app classifications:
-- Store - Apps that are from the Windows Store. Apps can be directly installed from the Store or delivered with the enterprise from the Store for Business
-- nonStore - Apps that were not acquired from the Windows Store.
+- Store - Apps that are from the Microsoft Store. Apps can be directly installed from the Store or delivered with the enterprise from the Store for Business
+- nonStore - Apps that were not acquired from the Microsoft Store.
- System - Apps that are part of the OS. You cannot uninstall these apps. This classification is read-only and can only be inventoried.
These classifications are represented as nodes in the EnterpriseModernAppManagement CSP.
@@ -151,9 +151,9 @@ There are two basic types of apps you can deploy: Store apps and enterprise sign
### Unlock the device for non-Store apps
-To deploy app that are not from the Windows Store, you must configure the ApplicationManagement/AllowAllTrustedApps policy. This policy allows the installation of non-Store apps on the device provided that there is a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. For more information about deploying user license, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user).
+To deploy app that are not from the Microsoft Store, you must configure the ApplicationManagement/AllowAllTrustedApps policy. This policy allows the installation of non-Store apps on the device provided that there is a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. For more information about deploying user license, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user).
-The AllowAllTrustedApps policy enables the installation apps that are trusted by a certificate in the Trusted People on the device or a root certificate in the Trusted Root of the device. The policy is not configured by default, which means only apps from the Windows Store can be installed. If the management server implicitly sets the value to off, the setting is disabled in the settings panel on the device.
+The AllowAllTrustedApps policy enables the installation apps that are trusted by a certificate in the Trusted People on the device or a root certificate in the Trusted Root of the device. The policy is not configured by default, which means only apps from the Microsoft Store can be installed. If the management server implicitly sets the value to off, the setting is disabled in the settings panel on the device.
For more information about the AllowAllTrustedApps policy, see [Policy CSP](policy-configuration-service-provider.md).
@@ -189,7 +189,7 @@ Here are some examples.
Development of apps on Windows 10 no longer requires a special license. You can enable debugging and deployment of non-packaged apps using ApplicationManagement/AllowDeveloperUnlock policy in Policy CSP.
-AllowDeveloperUnlock policy enables the development mode on the device. The AllowDeveloperUnlock is not configured by default, which means only Windows Store apps can be installed. If the management server explicitly sets the value to off, the setting is disabled in the settings panel on the device.
+AllowDeveloperUnlock policy enables the development mode on the device. The AllowDeveloperUnlock is not configured by default, which means only Microsoft Store apps can be installed. If the management server explicitly sets the value to off, the setting is disabled in the settings panel on the device.
Deployment of apps to Windows 10 for desktop editions requires that there is a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. Deployment to Windows 10 Mobile does not validate whether the non-Store apps have a valid root of trust on the device.
@@ -225,19 +225,19 @@ Here is an example.
## Install your apps
-You can install apps to a specific user or to all users of a device. Apps are installed directly from the Windows Store or in some cases from a host location, such as a local disk, UNC path, or HTTPS location. Use the AppInstallation node of the [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) to install apps.
+You can install apps to a specific user or to all users of a device. Apps are installed directly from the Microsoft Store or in some cases from a host location, such as a local disk, UNC path, or HTTPS location. Use the AppInstallation node of the [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) to install apps.
### Deploy apps to user from the Store
-To deploy an app to a user directly from the Windows Store, the management server performs an Add and Exec commands on the AppInstallation node of the EnterpriseModernAppManagement CSP. This is only supported in the user context and not supported in the device context.
+To deploy an app to a user directly from the Microsoft Store, the management server performs an Add and Exec commands on the AppInstallation node of the EnterpriseModernAppManagement CSP. This is only supported in the user context and not supported in the device context.
-If you purchased an app from the Store for Business and the app is specified for an online license, the app and license must be acquired directly from the Windows Store.
+If you purchased an app from the Store for Business and the app is specified for an online license, the app and license must be acquired directly from the Microsoft Store.
Here are the requirements for this scenario:
- The app is assigned to a user Azure Active Directory (AAD) identity in the Store for Business. You can do this directly in the Store for Business or through a management server.
-- The device requires connectivity to the Windows Store.
-- Windows Store services must be enabled on the device. Note that the UI for the Windows Store can be disabled by the enterprise admin.
+- The device requires connectivity to the Microsoft Store.
+- Microsoft Store services must be enabled on the device. Note that the UI for the Microsoft Store can be disabled by the enterprise admin.
- The user must be signed in with their AAD identity.
Here are some examples.
@@ -303,7 +303,7 @@ Here are the requirements for this scenario:
- The location of the app can be a local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (https://contoso.com/app1.appx\_
- The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements.
-- The device does not need to have connectivity to the Windows Store, store services, or the have the Windows Store UI be enabled.
+- The device does not need to have connectivity to the Microsoft Store, store services, or the have the Microsoft Store UI be enabled.
- The user must be logged in, but association with AAD identity is not required.
> **Note** You must unlock the device to deploy nonStore apps or you must deploy the app license before deploying the offline apps. For details, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user).
@@ -420,7 +420,7 @@ Here are the requirements for this scenario:
- The location of the app can be the local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (https://contoso.com/app1.appx\_
- The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements.
-- The device does not need to have connectivity to the Windows Store, or store services enabled.
+- The device does not need to have connectivity to the Microsoft Store, or store services enabled.
- The device does not need any AAD identity or domain membership.
- For nonStore app, your device must be unlocked.
- For Store offline apps, the required licenses must be deployed prior to deploying the apps.
@@ -584,8 +584,8 @@ The Data field value of 0 (zero) indicates sucess, otherwise it is an error code
You can uninstall apps from users from Windows 10 devices. To uninstall an app, you delete it from the AppManagement node of the CSP. Within the AppManagement node, packages are organized based on their origin according to the following nodes:
-- AppStore - These apps are for the Windows Store. Apps can be directly installed from the store or delivered to the enterprise from the Store for Business.
-- nonStore - These apps that were not acquired from the Windows Store.
+- AppStore - These apps are for the Microsoft Store. Apps can be directly installed from the store or delivered to the enterprise from the Store for Business.
+- nonStore - These apps that were not acquired from the Microsoft Store.
- System - These apps are part of the OS. You cannot uninstall these apps.
To uninstall an app, you delete it under the origin node, package family name, and package full name. To uninstall a XAP, use the product ID in place of the package family nane and package full name.
@@ -717,7 +717,7 @@ Apps installed on a device can be updated using the management server. Apps can
### Update apps directly from the store
-To update an app from Windows Store, the device requires contact with the store services.
+To update an app from Microsoft Store, the device requires contact with the store services.
Here is an example of an update scan.
@@ -760,7 +760,7 @@ A provisioned app automatically updates when an app update is sent to the user.
You can prevent specific apps from being automatically updated. This allows you to turn on auto-updates for apps, with specific apps excluded as defined by the IT admin.
-Turning off updates only applies to updates from the Windows Store at the device level. This feature is not available at a user level. You can still update an app if the offline packages is pushed from hosted install location.
+Turning off updates only applies to updates from the Microsoft Store at the device level. This feature is not available at a user level. You can still update an app if the offline packages is pushed from hosted install location.
Here is an example.
@@ -821,7 +821,7 @@ Here is an example.
### Restrict AppData to the system volume
-In Windows 10 Mobile IT administrators can set a policy to restrict user application data for a Windows Store app to the system volume, regardless of where the package is installed or moved.
+In Windows 10 Mobile IT administrators can set a policy to restrict user application data for a Microsoft Store app to the system volume, regardless of where the package is installed or moved.
> **Note** The feature is only for Windows 10 Mobile.
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
index f8a14b5289..42aced1bad 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
@@ -68,8 +68,8 @@ The following image shows the EnterpriseModernAppManagement configuration servic
- PackageDetails - returns all inventory attributes of the package. This includes all information from PackageNames parameter, but does not validate RequiresReinstall.
- RequiredReinstall - Validates the app status of the apps in the inventory query to determine if they require a reinstallation. This attribute may impact system performance depending on the number of apps installed. Requiring reinstall occurs when resource package updates or when the app is in a tampered state.
- Source - specifies the app classification that aligns to the existing inventory nodes. You can use a specific filter or if no filter is specified then all sources will be returned. If no value is specified, all classifications are returned. Valid values are:
- - AppStore - This classification is for apps that were acquired from Windows Store. These were apps directly installed from Windows Store or enterprise apps from Microsoft Store for Business.
- - nonStore - This classification is for apps that were not acquired from the Windows Store.
+ - AppStore - This classification is for apps that were acquired from Microsoft Store. These were apps directly installed from Microsoft Store or enterprise apps from Microsoft Store for Business.
+ - nonStore - This classification is for apps that were not acquired from the Microsoft Store.
- System - Apps that are part of the OS. You cannot uninstall these apps. This classification is read-only and can only be inventoried.
- PackageTypeFilter - Specifies one or multiple types of packages you can use to query the user or device. Multiple values must be separated by |. Valid values are:
@@ -163,7 +163,7 @@ The following image shows the EnterpriseModernAppManagement configuration servic
````
**AppManagement/nonStore**
-
Used to manage enterprise apps or developer apps that were not acquired from the Windows Store.
+
Used to manage enterprise apps or developer apps that were not acquired from the Microsoft Store.
Supported operation is Get.
@@ -173,7 +173,7 @@ The following image shows the EnterpriseModernAppManagement configuration servic
Supported operation is Get.
**AppManagement/AppStore**
-
Required. Used for managing apps from the Windows Store.
+
Required. Used for managing apps from the Microsoft Store.
Supported operations are Get and Delete.
@@ -372,7 +372,7 @@ The following image shows the EnterpriseModernAppManagement configuration servic
**AppInstallation/*PackageFamilyName*/StoreInstall**
-
Required. Command to perform an install of an app and a license from the Windows Store.
+
Required. Command to perform an install of an app and a license from the Microsoft Store.
Supported operation is Execute, Add, Delete, and Get.
@@ -438,7 +438,7 @@ The following image shows the EnterpriseModernAppManagement configuration servic
Added in Windows 10, version 1511. Required. Category of license that is used to classify various license sources. Valid value:
- Unknown - unknown license category
-- Retail - license sold through retail channels, typically from the Windows Store
+- Retail - license sold through retail channels, typically from the Microsoft Store
- Enterprise - license sold through the enterprise sales channel, typically from the Store for Business
- OEM - license issued to an OEM
- Developer - developer license, typically installed during the app development or side-loading scernarios.
diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md
index ea9ebb3cb7..99740e166c 100644
--- a/windows/client-management/mdm/firewall-csp.md
+++ b/windows/client-management/mdm/firewall-csp.md
@@ -193,7 +193,7 @@ The following diagram shows the Firewall configuration service provider in tree
This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Windows Store application.
+
This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/App/FilePath**
diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md
index 7a8de5174f..72944197b3 100644
--- a/windows/client-management/mdm/firewall-ddf-file.md
+++ b/windows/client-management/mdm/firewall-ddf-file.md
@@ -1341,7 +1341,7 @@ ServiceName
- PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Windows Store application.
+ PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.
diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md
index 02d281e49f..90364628ea 100644
--- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md
+++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md
@@ -21,8 +21,8 @@ Here's the list of the available capabilities:
- Support for enterprise identities – Enables end users within an organization to use the identity that has been provided to them within the organization. This enables an organization to retain control of the application and eliminates the need for an organization to maintain another set of identities for their users.
- Bulk acquisition support of applications – Enables an IT administrator to acquire applications in bulk. IT departments can now take control over the procurement and distribution of applications. Previously, users acquire applications manually.
-- License reclaim and re-use – Enables an enterprise to retain value in their purchases by allowing the ability to un-assign access to an application, and then reassign the application to another user. In Windows Store today, when a user with a Microsoft account leaves the organization he retains ownership of the application.
-- Flexible distribution models for Windows Store apps – Allows the enterprise to integrate with an organization's infrastructure the processes to distribute applications to devices that are connected to Store for Business services and to devices without connectivity to the Store for Business services.
+- License reclaim and re-use – Enables an enterprise to retain value in their purchases by allowing the ability to un-assign access to an application, and then reassign the application to another user. In Microsoft Store today, when a user with a Microsoft account leaves the organization he retains ownership of the application.
+- Flexible distribution models for Microsoft Store apps – Allows the enterprise to integrate with an organization's infrastructure the processes to distribute applications to devices that are connected to Store for Business services and to devices without connectivity to the Store for Business services.
- Custom Line of Business app support –Enables management and distribution of enterprise applications through the Store for Business.
- Support for Windows desktop and mobile devices - The Store for Business supports both desktop and mobile devices.
@@ -45,7 +45,7 @@ The Store for Business provides services that enable a management tool to synchr
Licensing models
Offline vs. Online
-
Online-licensed applications require connectivity to the Windows Store. Users require an Azure Active Directory identity and rely on the store services on the device to be able to acquire an application from the store. It is similar to how applications are acquired from the Windows Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services.
+
Online-licensed applications require connectivity to the Microsoft Store. Users require an Azure Active Directory identity and rely on the store services on the device to be able to acquire an application from the store. It is similar to how applications are acquired from the Microsoft Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services.
Offline-licensed applications enable an organization to use the application for imaging and for devices that may not have connectivity to the store or may not have Azure Active Directory. Offline-licensed application do not require connectivity to the store, however it can be updated directly from the store if the device has connectivity and the app update policies allow updates to be distributed via the store.
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index 37f467ad7c..e9c457174a 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -1162,7 +1162,7 @@ The software version information from **DevDetail/SwV** does not match the versi
To workaround this issue, remove the Windows Phone 8.1 publisher rule and add the specific product ID for each Silverlight app you want to allow to the allowed app list.
-- Some apps (specifically those that are published in Windows Store as AppX Bundles) are blocked from installing even when they are included in the app list.
+- Some apps (specifically those that are published in Microsoft Store as AppX Bundles) are blocked from installing even when they are included in the app list.
No workaround is available at this time. An OS update to fix this issue is coming soon.
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md
index 6f5802427e..a5815c7d3e 100644
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -92,7 +92,7 @@ ms.date: 09/29/2017
-
Specifies whether non Windows Store apps are allowed.
+
Specifies whether non Microsoft Store apps are allowed.
The following list shows the supported values:
@@ -141,7 +141,7 @@ ms.date: 09/29/2017
-
Specifies whether automatic update of apps from Windows Store are allowed.
+
Specifies whether automatic update of apps from Microsoft Store are allowed.
The following list shows the supported values:
@@ -448,7 +448,7 @@ ms.date: 09/29/2017
-
Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Windows Store that came pre-installed or were downloaded.
+
Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded.
The following list shows the supported values:
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
index 79333d939d..f839be65ee 100644
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -1050,7 +1050,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -1091,7 +1091,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -1132,7 +1132,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -1222,7 +1222,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -1263,7 +1263,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -1304,7 +1304,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -1394,7 +1394,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
@@ -1435,7 +1435,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
@@ -1476,7 +1476,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
@@ -1566,7 +1566,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -1607,7 +1607,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -1648,7 +1648,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -1738,7 +1738,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -1779,7 +1779,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -1820,7 +1820,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -1910,7 +1910,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -1951,7 +1951,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -1992,7 +1992,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -2082,7 +2082,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -2123,7 +2123,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -2164,7 +2164,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -2254,7 +2254,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -2295,7 +2295,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -2336,7 +2336,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -2426,7 +2426,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -2467,7 +2467,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -2508,7 +2508,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -2598,7 +2598,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -2639,7 +2639,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -2680,7 +2680,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -2762,7 +2762,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -2803,7 +2803,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -2844,7 +2844,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -2934,7 +2934,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -2975,7 +2975,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -3016,7 +3016,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -3106,7 +3106,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
@@ -3147,7 +3147,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
@@ -3188,7 +3188,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
@@ -3280,7 +3280,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
@@ -3321,7 +3321,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
@@ -3362,7 +3362,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
@@ -3452,7 +3452,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -3493,7 +3493,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -3534,7 +3534,7 @@ The following list shows the supported values:
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index e525611653..e05d775dd4 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -633,7 +633,7 @@ ADMX Info:
Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting:
* Users cannot access OneDrive from the OneDrive app or file picker.
-* Windows Store apps cannot access OneDrive using the WinRT API.
+* Microsoft Store apps cannot access OneDrive using the WinRT API.
* OneDrive does not appear in the navigation pane in File Explorer.
* OneDrive files are not kept in sync with the cloud.
* Users cannot automatically upload photos and videos from the camera roll folder.
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 1d27aafdd8..63d53d42c4 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -537,11 +537,11 @@ This policy is accessible through the Update setting in the user interface or Gr
-
Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store.
+
Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store.
-
Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Windows Store
+
Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store
-
Enabling this policy will disable that functionality, and may cause connection to public services such as the Windows Store to stop working.
+
Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft Store to stop working.
The following list shows the supported values:
diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md
index 3e242783d4..3049402086 100644
--- a/windows/client-management/mdm/policy-ddf-file.md
+++ b/windows/client-management/mdm/policy-ddf-file.md
@@ -19470,7 +19470,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
@@ -19494,7 +19494,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
@@ -19518,7 +19518,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
@@ -31512,7 +31512,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -31536,7 +31536,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -31560,7 +31560,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -31608,7 +31608,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -31632,7 +31632,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -31656,7 +31656,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -31704,7 +31704,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
@@ -31728,7 +31728,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
@@ -31752,7 +31752,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
@@ -31800,7 +31800,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -31824,7 +31824,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -31848,7 +31848,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -31896,7 +31896,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -31920,7 +31920,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -31944,7 +31944,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -31992,7 +31992,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -32016,7 +32016,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -32040,7 +32040,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -32088,7 +32088,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -32112,7 +32112,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -32136,7 +32136,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -32184,7 +32184,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -32208,7 +32208,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -32232,7 +32232,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -32280,7 +32280,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -32304,7 +32304,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -32328,7 +32328,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -32376,7 +32376,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -32400,7 +32400,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -32424,7 +32424,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -32472,7 +32472,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -32496,7 +32496,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -32520,7 +32520,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -32568,7 +32568,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -32592,7 +32592,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -32616,7 +32616,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -32856,7 +32856,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -32880,7 +32880,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -32904,7 +32904,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -35902,7 +35902,7 @@ The options are:
- This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Windows Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.
+ This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Microsoft Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.
@@ -41148,7 +41148,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
@@ -41172,7 +41172,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
@@ -41196,7 +41196,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
@@ -53941,7 +53941,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -53965,7 +53965,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -53989,7 +53989,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -54036,7 +54036,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -54060,7 +54060,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -54084,7 +54084,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -54131,7 +54131,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
@@ -54155,7 +54155,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
@@ -54179,7 +54179,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
@@ -54226,7 +54226,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -54250,7 +54250,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -54274,7 +54274,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -54321,7 +54321,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -54345,7 +54345,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -54369,7 +54369,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -54416,7 +54416,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -54440,7 +54440,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -54464,7 +54464,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -54511,7 +54511,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -54535,7 +54535,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -54559,7 +54559,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -54606,7 +54606,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -54630,7 +54630,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -54654,7 +54654,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -54701,7 +54701,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -54725,7 +54725,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -54749,7 +54749,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -54796,7 +54796,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -54820,7 +54820,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -54844,7 +54844,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -54891,7 +54891,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -54915,7 +54915,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -54939,7 +54939,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -54986,7 +54986,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -55010,7 +55010,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -55034,7 +55034,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -55271,7 +55271,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -55295,7 +55295,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -55319,7 +55319,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -58356,7 +58356,7 @@ The options are:
- This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Windows Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.
+ This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Microsoft Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.0
diff --git a/windows/client-management/mdm/push-notification-windows-mdm.md b/windows/client-management/mdm/push-notification-windows-mdm.md
index d2734f6e16..4fbc202163 100644
--- a/windows/client-management/mdm/push-notification-windows-mdm.md
+++ b/windows/client-management/mdm/push-notification-windows-mdm.md
@@ -46,7 +46,7 @@ Note the following restrictions related to push notifications and WNS:
## Get WNS credentials and PFN for MDM push notification
-To get a PFN and WNS credentials, you must create an Windows Store app.
+To get a PFN and WNS credentials, you must create an Microsoft Store app.
1. Go to the Windows [Dashboard](https://dev.windows.com/en-US/dashboard) and sign in with your developer account.
@@ -69,7 +69,7 @@ To get a PFN and WNS credentials, you must create an Windows Store app.
7. In the **Application Registration Portal** page, you will see the properties for the app that you created, such as:
- Application Id
- Application Secrets
- - Windows Store Package SID, Application Identity, and Publisher.
+ - Microsoft Store Package SID, Application Identity, and Publisher.
8. Click **Save**.
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index aa98ff54c0..ede7194396 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -64,7 +64,7 @@ App identity, which is either an app’s package family name or file path. The t
**VPNv2/***ProfileName***/AppTriggerList/***appTriggerRowId***/App/Type**
Returns the type of **App/Id**. This value can be either of the following:
-- PackageFamilyName - When this is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Windows Store application.
+- PackageFamilyName - When this is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application.
- FilePath - When this is returned, the App/Id value represents the full file path of the app. For example, `C:\Windows\System\Notepad.exe`.
Value type is chr. Supported operation is Get.
@@ -183,7 +183,7 @@ App identity for the app-based traffic filter.
The value for this node can be one of the following:
-- PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Windows Store application.
+- PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.
- FilePath - This App/Id value represents the full file path of the app. For example, `C:\Windows\System\Notepad.exe`.
- SYSTEM – This value enables Kernel Drivers to send traffic through VPN (for example, PING or SMB).
@@ -393,7 +393,7 @@ Added in Windows 10, version 1607. Comma Separated list of EKUs for the VPN Cli
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/***ProfileName***/PluginProfile**
-Nodes under the PluginProfile are required when using a Windows Store based VPN plugin.
+Nodes under the PluginProfile are required when using a Microsoft Store based VPN plugin.
**VPNv2/***ProfileName***/PluginProfile/ServerUrlList**
Required for plug-in profiles. Comma separated list of servers in URL, hostname, or IP format.
diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md
index 390d23a40e..2672e10bc4 100644
--- a/windows/client-management/windows-10-mobile-and-mdm.md
+++ b/windows/client-management/windows-10-mobile-and-mdm.md
@@ -40,7 +40,7 @@ Windows 10 includes comprehensive MDM capabilities that can be managed by Micros
The built-in MDM client is common to all editions of the Windows 10 operating system, including desktop, mobile, and Internet of Things (IoT). The client provides a single interface through which you can manage any device that runs Windows 10. The client has two important roles: device enrollment in an MDM system and device management.
Organizations typically have two scenarios to consider when it comes to device deployment: Bring Your Own (BYO) personal devices and Choose Your Own (CYO) company-owned devices. In both cases, the device must be enrolled in an MDM system, which would configure it with settings appropriate for the organization and the employee.
-Windows 10 Mobile device management capabilities support both personal devices used in the BYO scenario and corporate devices used in the CYO scenario. The operating system offers a flexible approach to registering devices with directory services and MDM systems. IT organizations can provision comprehensive device-configuration profiles based on their business needs to control and protect mobile business data. Apps can be provisioned easily to personal or corporate devices through the Windows Store for Business, or by using their MDM system, which can also work with the Windows Store for Business for public store apps.
+Windows 10 Mobile device management capabilities support both personal devices used in the BYO scenario and corporate devices used in the CYO scenario. The operating system offers a flexible approach to registering devices with directory services and MDM systems. IT organizations can provision comprehensive device-configuration profiles based on their business needs to control and protect mobile business data. Apps can be provisioned easily to personal or corporate devices through the Microsoft Store for Business, or by using their MDM system, which can also work with the Microsoft Store for Business for public store apps.
Knowing who owns the device and what the employee will use it for are the major factors in determining your management strategy and which controls your organization should put in place. Whether personal devices, corporate devices, or a mixture of the two, deployment processes and configuration policies may differ.
For **personal devices**, companies need to be able to manage corporate apps and data on the device without impeding the employee’s ability to personalize it to meet their individual needs. The employee owns the device and corporate policy allows them to use it for both business and personal purposes, with the ability to add personal apps at their discretion. The main concern with personal devices is how organizations can prevent corporate data from being compromised, while still keeping personal data private and under the sole control of the employee. This requires that the device be able to support separation of apps and data with strict control of business and personal data traffic.
@@ -200,8 +200,8 @@ For more information about health attestation in Windows 10 Mobile, see the [Win
**Windows Update for Business**
Microsoft designed Windows Update for Business to provide IT administrators with additional Windows Update-centric management capabilities, such as the ability to deploy updates to groups of devices and to define maintenance windows for installing updates.
-**Windows Store for Business**
-The Windows Store for Business is the place where IT administrators can find, acquire, manage, and distribute apps to Windows 10 devices. This includes both internal line-of-business (LOB) apps, as well as commercially available third-party apps.
+**Microsoft Store for Business**
+The Microsoft Store for Business is the place where IT administrators can find, acquire, manage, and distribute apps to Windows 10 devices. This includes both internal line-of-business (LOB) apps, as well as commercially available third-party apps.
## Configure
@@ -216,7 +216,7 @@ Not all MDM systems support every setting described in this guide. Some support
Enforcing what accounts employees can use on a corporate device is important for avoiding data leaks and protecting privacy. Limiting the device to just one account controlled by the organization will reduce the risk of a data breach. However, you can choose to allow employees to add a personal Microsoft Account or other consumer email accounts.
-- **Allow Microsoft Account** Specifies whether users are allowed to add a Microsoft Account to the device and use this account to authenticate to cloud services, such as purchasing apps in Windows Store, Xbox, or Groove.
+- **Allow Microsoft Account** Specifies whether users are allowed to add a Microsoft Account to the device and use this account to authenticate to cloud services, such as purchasing apps in Microsoft Store, Xbox, or Groove.
- **Allow Adding Non-Microsoft Accounts** Specifies whether users are allowed to add email accounts other than Microsoft accounts.
### Email accounts
@@ -304,7 +304,7 @@ In addition to SCEP certificate management, Windows 10 Mobile supports deploymen
Get more detailed information about MDM certificate management in the [Client Certificate Install CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn920023(v=vs.85).aspx) and [Install digital certificates on Windows 10 Mobile](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile).
Use the Allow Manual Root Certificate Installation setting to prevent users from manually installing root and intermediate CA certificates intentionally or accidently.
->**Note:** To diagnose certificate-related issues on Windows 10 Mobile devices, use the free Certificates app in Windows Store. This Windows 10 Mobile app can help you:
+>**Note:** To diagnose certificate-related issues on Windows 10 Mobile devices, use the free Certificates app in Microsoft Store. This Windows 10 Mobile app can help you:
- View a summary of all personal certificates
- View the details of individual certificates
- View the certificates used for VPN, Wi-Fi, and email authentication
@@ -403,7 +403,7 @@ For more details on proxy settings, see [CM_ProxyEntries CSP](https://msdn.micro
*Applies to: Corporate and personal devices*
-Organizations often use a VPN to control access to apps and resources on their company’s intranet. In addition to native Microsoft Point to Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and Internet Key Exchange Protocol version 2 (IKEv2) VPNs, Windows 10 Mobile supports SSL VPN connections, which require a downloadable plugin from the Windows Store and are specific to the VPN vendor of your choice. These plugins work like apps and can be installed directly from the Windows Store using your MDM system (see App Management).
+Organizations often use a VPN to control access to apps and resources on their company’s intranet. In addition to native Microsoft Point to Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and Internet Key Exchange Protocol version 2 (IKEv2) VPNs, Windows 10 Mobile supports SSL VPN connections, which require a downloadable plugin from the Microsoft Store and are specific to the VPN vendor of your choice. These plugins work like apps and can be installed directly from the Microsoft Store using your MDM system (see App Management).
You can create and provision multiple VPN connection profiles and then deploy them to managed devices that run Windows 10 Mobile.
To create a VPN profile that uses native Windows 10 Mobile VPN protocols (such as IKEv2, PPTP, or L2TP), you can use the following settings:
@@ -421,11 +421,11 @@ To create a VPN profile that uses native Windows 10 Mobile VPN protocols (such a
>**Note:** The easiest way to create a profile for a single sign-on experience with an EAP configuration XML is through the rasphone tool on a Windows 10 PC. Once you run the rasphone.exe, the configuration wizard will walk you through the necessary steps. For step-by-step instructions on creating the EAP configuration XML blob, see EAP configuration. You can use the resulting XML blob in the MDM system to create the VPN profile on Windows 10 Mobile phone. If you have multiple certificates on the devices, you may want to configure filtering conditions for automatic certificate selection, so the employee does not need to select an authentication certificate every time the VPN is turned on. See this article for details. Windows 10 for PCs and Windows 10 Mobile have the same VPN client.
-Windows Store–based VPN plugins for the VPN connection allow you to create a VPN plugin profile with the following attributes:
+Microsoft Store–based VPN plugins for the VPN connection allow you to create a VPN plugin profile with the following attributes:
- **VPN server** A comma-separated list of VPN servers; you can specify the servers with a URL, fully qualified host name, or IP address
- **Custom configuration** An HTML-encoded XML blob for SSL–VPN plugin–specific configuration information (e.g., authentication information) that the plugin provider requires
-- **Windows Store VPN plugin family name** Specifies the Windows Store package family name for the Windows Store–based VPN plugin
+- **Microsoft Store VPN plugin family name** Specifies the Microsoft Store package family name for the Microsoft Store–based VPN plugin
In addition, you can specify per VPN Profile:
@@ -491,36 +491,36 @@ Windows 10 makes it possible to develop apps that work seamlessly across multipl
For compatibility with existing apps, Windows Phone 8.1 apps still run on Windows 10 Mobile devices, easing the migration to the newest platform. Microsoft recommend migrating your apps to UWP to take full advantage of the improvements in Windows 10 Mobile. In addition, bridges have been developed to easily and quickly update existing Windows Phone 8.1 (Silverlight) and iOS apps to the UWP.
-Microsoft also made it easier for organizations to license and purchase UWP apps via Windows Store for Business and deploy them to employee devices using the Windows Store, or an MDM system, that can be integrated with the Windows Store for Business. Putting apps into the hands of mobile workers is critical, but you also need an efficient way to ensure those apps comply with corporate policies for data security.
+Microsoft also made it easier for organizations to license and purchase UWP apps via Microsoft Store for Business and deploy them to employee devices using the Microsoft Store, or an MDM system, that can be integrated with the Microsoft Store for Business. Putting apps into the hands of mobile workers is critical, but you also need an efficient way to ensure those apps comply with corporate policies for data security.
To learn more about Universal Windows apps, see the [Guide to Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/en-us/library/windows/apps/dn894631.aspx) for additional information, or take this [Quick Start Challenge: Universal Windows Apps in Visual Studio](https://mva.microsoft.com/en-US/training-courses/quick-start-challenge-universal-windows-apps-in-visual-studio-14477?l=Be2FMfgmB_505192797). Also, see [Porting apps to Windows 10](https://msdn.microsoft.com/en-us/windows/uwp/porting/index).
-### Windows Store for Business: Sourcing the right app
+### Microsoft Store for Business: Sourcing the right app
*Applies to: Corporate and personal devices*
-The first step in app management is to obtain the apps your users need. You can develop your own apps or source your apps from the Windows Store. With Windows Phone 8.1, an MSA was needed to acquire and install apps from the Windows Store. With the Windows Store for Business, Microsoft enables organizations to acquire apps for employees from a private store with the Windows Store, without the need for MSAs on Windows 10 devices.
+The first step in app management is to obtain the apps your users need. You can develop your own apps or source your apps from the Microsoft Store. With Windows Phone 8.1, an MSA was needed to acquire and install apps from the Microsoft Store. With the Microsoft Store for Business, Microsoft enables organizations to acquire apps for employees from a private store with the Microsoft Store, without the need for MSAs on Windows 10 devices.
-Windows Store for Business is a web portal that allows IT administrators to find, acquire, manage, and distribute apps to Windows 10 devices.
+Microsoft Store for Business is a web portal that allows IT administrators to find, acquire, manage, and distribute apps to Windows 10 devices.
-Azure AD authenticated managers have access to Windows Store for Business functionality and settings, and store managers can create a private category of apps that are specific and private to their organization. (You can get more details about what specific Azure AD accounts have access to Windows Store for Business here). Windows Store for Business enables organizations to purchase app licenses for their organization and make apps available to their employees. In addition to commercially available apps, your developers can publish line-of-business (LOB) apps to Windows Store for Business by request. You can also integrate their Windows Store for Business subscriptions with their MDM systems, so the MDM system can distribute and manage apps from Windows Store for Business.
+Azure AD authenticated managers have access to Microsoft Store for Business functionality and settings, and store managers can create a private category of apps that are specific and private to their organization. (You can get more details about what specific Azure AD accounts have access to Microsoft Store for Business here). Microsoft Store for Business enables organizations to purchase app licenses for their organization and make apps available to their employees. In addition to commercially available apps, your developers can publish line-of-business (LOB) apps to Microsoft Store for Business by request. You can also integrate their Microsoft Store for Business subscriptions with their MDM systems, so the MDM system can distribute and manage apps from Microsoft Store for Business.
-Windows Store for Business supports app distribution under two licensing models: online and offline.
+Microsoft Store for Business supports app distribution under two licensing models: online and offline.
The online model (store-managed) is the recommended method, and supports both personal device and corporate device management scenarios. To install online apps, the device must have Internet access at the time of installation. On corporate devices, an employee can be authenticated with an Azure AD account to install online apps. On personal devices, an employee must register their device with Azure AD to be able to install corporate licensed online apps.
Corporate device users will find company licensed apps in the Store app on their phone in a private catalog. When an MDM system is associated with the Store for Business, IT administrators can present Store apps within the MDM system app catalog where users can find and install their desired apps. IT administrators can also push required apps directly to employee devices without the employee’s intervention.
Employees with personal devices can install apps licensed by their organization using the Store app on their device. They can use either the Azure AD account or Microsoft Account within the Store app if they wish to purchase personal apps. If you allow employees with corporate devices to add a secondary Microsoft Account (MSA), the Store app on the device provides a unified method for installing personal and corporate apps.
-Online licensed apps do not need to be transferred or downloaded from the Windows Store to the MDM system to be distributed and managed. When an employee chooses a company-owned app, it will automatically be installed from the cloud. Also, apps will be automatically updated when a new version is available or can be removed if needed. When an app is removed from a device by the MDM system or the user, Windows Store for Business reclaims the license so it can be used for another user or on another device.
+Online licensed apps do not need to be transferred or downloaded from the Microsoft Store to the MDM system to be distributed and managed. When an employee chooses a company-owned app, it will automatically be installed from the cloud. Also, apps will be automatically updated when a new version is available or can be removed if needed. When an app is removed from a device by the MDM system or the user, Microsoft Store for Business reclaims the license so it can be used for another user or on another device.
-To distribute an app offline (organization-managed), the app must be downloaded from the Windows Store for Business. This can be accomplished in the Windows Store for Business portal by an authorized administrator. Offline licensing requires the app developer to opt-in to the licensing model, as the Windows Store is no longer able to track licenses for the developer. If the app developer doesn’t allow download of the app from Windows Store, then you must obtain the files directly from the developer or use the online licensing method.
+To distribute an app offline (organization-managed), the app must be downloaded from the Microsoft Store for Business. This can be accomplished in the Microsoft Store for Business portal by an authorized administrator. Offline licensing requires the app developer to opt-in to the licensing model, as the Microsoft Store is no longer able to track licenses for the developer. If the app developer doesn’t allow download of the app from Microsoft Store, then you must obtain the files directly from the developer or use the online licensing method.
-To install acquired Windows Store or LOB apps offline on a Windows 10 Mobile device, IT administrators can use an MDM system. The MDM system distributes the app packages that you downloaded from Windows Store (also called sideloading) to Windows 10 Mobile devices. Support for offline app distribution depends on the MDM system you are using, so consult your MDM vendor documentation for details. You can fully automate the app deployment process so that no user intervention is required.
+To install acquired Microsoft Store or LOB apps offline on a Windows 10 Mobile device, IT administrators can use an MDM system. The MDM system distributes the app packages that you downloaded from Microsoft Store (also called sideloading) to Windows 10 Mobile devices. Support for offline app distribution depends on the MDM system you are using, so consult your MDM vendor documentation for details. You can fully automate the app deployment process so that no user intervention is required.
-Windows Store apps or LOB apps that have been uploaded to the Windows Store for Business are automatically trusted on all Windows devices, as they are cryptographically signed with Windows Store certificates. LOB apps that are uploaded to the Windows Store for Business are private to your organization and are never visible to other companies or consumers. If you do not want to upload your LOB apps, you have to establish trust for the app on your devices. To establish this trust, you’ll need to generate a signing certificate with your Public Key Infrastructure and add your chain of trust to the trusted certificates on the device (see the certificates section). You can install up to 20 self-signed LOB apps per device with Windows 10 Mobile. To install more than 20 apps on a device, you can purchase a signing certificate from a trusted public Certificate Authority, or upgrade your devices to Windows 10 Mobile Enterprise edition.
+Microsoft Store apps or LOB apps that have been uploaded to the Microsoft Store for Business are automatically trusted on all Windows devices, as they are cryptographically signed with Microsoft Store certificates. LOB apps that are uploaded to the Microsoft Store for Business are private to your organization and are never visible to other companies or consumers. If you do not want to upload your LOB apps, you have to establish trust for the app on your devices. To establish this trust, you’ll need to generate a signing certificate with your Public Key Infrastructure and add your chain of trust to the trusted certificates on the device (see the certificates section). You can install up to 20 self-signed LOB apps per device with Windows 10 Mobile. To install more than 20 apps on a device, you can purchase a signing certificate from a trusted public Certificate Authority, or upgrade your devices to Windows 10 Mobile Enterprise edition.
-Learn more about the [Windows Store for Business](/microsoft-store/index).
+Learn more about the [Microsoft Store for Business](/microsoft-store/index).
### Managing apps
@@ -528,19 +528,19 @@ Learn more about the [Windows Store for Business](/microsoft-store/index).
IT administrators can control which apps are allowed to be installed on Windows 10 Mobile devices and how they should be kept up-to-date.
-Windows 10 Mobile includes AppLocker, which enables administrators to create allow or disallow (sometimes also called whitelist/blacklist) lists of apps from the Windows Store. This capability extends to built-in apps, as well, such as Xbox, Groove, text messaging, email, and calendar, etc. The ability to allow or deny apps helps to ensure that people use their mobile devices for their intended purposes. However, it is not always an easy approach to find a balance between what employees need or request and security concerns. Creating allow or disallow lists also requires keeping up with the changing app landscape in the Windows Store.
+Windows 10 Mobile includes AppLocker, which enables administrators to create allow or disallow (sometimes also called whitelist/blacklist) lists of apps from the Microsoft Store. This capability extends to built-in apps, as well, such as Xbox, Groove, text messaging, email, and calendar, etc. The ability to allow or deny apps helps to ensure that people use their mobile devices for their intended purposes. However, it is not always an easy approach to find a balance between what employees need or request and security concerns. Creating allow or disallow lists also requires keeping up with the changing app landscape in the Microsoft Store.
For more details, see [AppLocker CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn920019(v=vs.85).aspx).
In addition to controlling which apps are allowed, IT professionals can also implement additional app management settings on Windows 10 Mobile, using an MDM.
- **Allow All Trusted Apps** Whether users can sideload apps on the device.
-- **Allow App Store Auto Update** Whether automatic updates of apps from Windows Store are allowed.
+- **Allow App Store Auto Update** Whether automatic updates of apps from Microsoft Store are allowed.
- **Allow Developer Unlock** Whether developer unlock is allowed.
- **Allow Shared User App Data** Whether multiple users of the same app can share data.
-- **Allow Store** Whether Windows Store app is allowed to run. This will completely block the user from installing apps from the Store, but will still allow app distribution through an MDM system.
+- **Allow Store** Whether Microsoft Store app is allowed to run. This will completely block the user from installing apps from the Store, but will still allow app distribution through an MDM system.
- **Application Restrictions** An XML blob that defines the app restrictions for a device. The XML blob can contain an app allow or deny list. You can allow or deny apps based on their app ID or publisher. See AppLocker above.
-- **Disable Store Originated Apps** Disables the launch of all apps from Windows Store that came pre-installed or were downloaded before the policy was applied.
+- **Disable Store Originated Apps** Disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded before the policy was applied.
- **Require Private Store Only** Whether the private store is exclusively available to users in the Store app on the device. If enabled, only the private store is available. If disabled, the retail catalog and private store are both available.
- **Restrict App Data to System Volume** Whether app data is allowed only on the system drive or can be stored on an SD card.
- **Restrict App to System Volume** Whether app installation is allowed only to the system drive or can be installed on an SD card.
@@ -1035,7 +1035,7 @@ The remote assistance features in Windows 10 Mobile help resolve issues that use
These remote management features help organizations reduce the IT effort required to manage devices. They also help users quickly regain use of their device should they misplace it or forget the device password.
->**Remote control software** Microsoft does not provide build-in remote control software, but works with partners to deliver these capabilities and services. With version 1607, remote assistant and control applications are available in the Windows Store.
+>**Remote control software** Microsoft does not provide build-in remote control software, but works with partners to deliver these capabilities and services. With version 1607, remote assistant and control applications are available in the Microsoft Store.
## Retire
@@ -1065,7 +1065,7 @@ A better option than wiping the entire device is to use Windows Information Prot
- [Mobile device management](https://go.microsoft.com/fwlink/p/?LinkId=734050)
- [Enterprise Mobility + Security](https://go.microsoft.com/fwlink/p/?LinkId=723984)
- [Overview of Mobile Device Management for Office 365](https://go.microsoft.com/fwlink/p/?LinkId=734052)
-- [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkId=722910)
+- [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkId=722910)
## Revision History
diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md
index 14b763459a..dbace94aff 100644
--- a/windows/configuration/TOC.md
+++ b/windows/configuration/TOC.md
@@ -9,7 +9,10 @@
### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
-### [Lock down Windows 10 to specific apps (AppLocker)](lock-down-windows-10-to-specific-apps.md)
+### [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md)
+#### [Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md)
+#### [Use AppLocker to create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-applocker.md)
+#### [Multi-app kiosk XML reference](multi-app-kiosk-xml.md)
## [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md)
### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
### [Use Windows Configuration Designer to configure Windows 10 Mobile devices](mobile-devices/provisioning-configure-mobile.md)
@@ -48,7 +51,7 @@
### [Set up and test custom voice commands in Cortana for your organization](cortana-at-work/cortana-at-work-voice-commands.md)
### [Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization](cortana-at-work/cortana-at-work-policy-settings.md)
### [Send feedback about Cortana at work back to Microsoft](cortana-at-work/cortana-at-work-feedback.md)
-## [Configure access to Microsoft Store](stop-employees-from-using-the-windows-store.md)
+## [Configure access to Microsoft Store](stop-employees-from-using-microsoft-store.md)
## [Provisioning packages for Windows 10](provisioning-packages/provisioning-packages.md)
### [How provisioning works in Windows 10](provisioning-packages/provisioning-how-it-works.md)
### [Introduction to configuration service providers (CSPs)](provisioning-packages/how-it-pros-can-use-configuration-service-providers.md)
@@ -70,6 +73,8 @@
#### [AutomaticTime](wcd/wcd-automatictime.md)
#### [Browser](wcd/wcd-browser.md)
#### [CallAndMessagingEnhancement](wcd/wcd-callandmessagingenhancement.md)
+#### [Calling](wcd/wcd-calling.md)
+#### [CellCore](wcd/wcd-cellcore.md)
#### [Cellular](wcd/wcd-cellular.md)
#### [Certificates](wcd/wcd-certificates.md)
#### [CleanPC](wcd/wcd-cleanpc.md)
@@ -79,6 +84,7 @@
#### [DesktopBackgroundAndColors](wcd/wcd-desktopbackgroundandcolors.md)
#### [DeveloperSetup](wcd/wcd-developersetup.md)
#### [DeviceFormFactor](wcd/wcd-deviceformfactor.md)
+#### [DeviceInfo](wcd/wcd-deviceinfo.md)
#### [DeviceManagement](wcd/wcd-devicemanagement.md)
#### [DMClient](wcd/wcd-dmclient.md)
#### [EditionUpgrade](wcd/wcd-editionupgrade.md)
@@ -86,6 +92,7 @@
#### [FirewallConfiguration](wcd/wcd-firewallconfiguration.md)
#### [FirstExperience](wcd/wcd-firstexperience.md)
#### [Folders](wcd/wcd-folders.md)
+#### [HotSpot](wcd/wcd-hotspot.md)
#### [InitialSetup](wcd/wcd-initialsetup.md)
#### [InternetExplorer](wcd/wcd-internetexplorer.md)
#### [Licensing](wcd/wcd-licensing.md)
@@ -109,11 +116,13 @@
#### [StartupBackgroundTasks](wcd/wcd-startupbackgroundtasks.md)
#### [SurfaceHubManagement](wcd/wcd-surfacehubmanagement.md)
#### [TabletMode](wcd/wcd-tabletmode.md)
-#### [TakeATest](wcd/wcd-takeatest.md)
+#### [TakeATest](wcd/wcd-takeatest.md)
+#### [TextInput](wcd/wcd-textinput.md)
#### [Theme](wcd/wcd-theme.md)
#### [UnifiedWriteFilter](wcd/wcd-unifiedwritefilter.md)
#### [UniversalAppInstall](wcd/wcd-universalappinstall.md)
#### [UniversalAppUninstall](wcd/wcd-universalappuninstall.md)
+#### [UsbErrorsOEMOverride](wcd/wcd-usberrorsoemoverride.md)
#### [WeakCharger](wcd/wcd-weakcharger.md)
#### [WindowsTeamSettings](wcd/wcd-windowsteamsettings.md)
#### [WLAN](wcd/wcd-wlan.md)
diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md
index a3cedc09a0..c2e471b57b 100644
--- a/windows/configuration/change-history-for-configure-windows-10.md
+++ b/windows/configuration/change-history-for-configure-windows-10.md
@@ -15,18 +15,29 @@ ms.date: 09/25/2017
This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
+
+## RELEASE: Windows 10, version 1709
+
+The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update). The following new topics have been added:
+
+- [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md)
+- [Multi-app kiosk XML reference](multi-app-kiosk-xml.md)
+
## September 2017
|New or changed topic | Description|
|--- | ---|
|[Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)|New conceptual info about Windows 10 and the upcoming GDPR-compliance requirements.|
|[Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added that Windows Spotlight can be managed by the Experience/AllowWindowsSpotlight MDM policy. |
+
+
## August 2017
|New or changed topic | Description|
|--- | ---|
|[Windows Configuration Designer provisioning settings (reference)](wcd/wcd.md) | New section; reference content from [Windows Provisioning settings reference](https://msdn.microsoft.com/library/windows/hardware/dn965990.aspx) is being relocated here from MSDN. |
+
## July 2017
| New or changed topic | Description |
| --- | --- |
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
index d910aee65f..66b8ca5cc0 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
@@ -8,6 +8,8 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
+ms.author: jdecker
+ms.date: 10/05/2017
---
# Customize Windows 10 Start and taskbar with Group Policy
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
index c4a13cef3a..18f215ad22 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
@@ -100,7 +100,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
+ - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package.
12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location.
diff --git a/windows/configuration/images/multiappassignedaccesssettings.png b/windows/configuration/images/multiappassignedaccesssettings.png
new file mode 100644
index 0000000000..86e2e0a451
Binary files /dev/null and b/windows/configuration/images/multiappassignedaccesssettings.png differ
diff --git a/windows/configuration/images/profile-config.png b/windows/configuration/images/profile-config.png
new file mode 100644
index 0000000000..30a7468dcf
Binary files /dev/null and b/windows/configuration/images/profile-config.png differ
diff --git a/windows/configuration/images/sample-start.png b/windows/configuration/images/sample-start.png
new file mode 100644
index 0000000000..8ef9cc928c
Binary files /dev/null and b/windows/configuration/images/sample-start.png differ
diff --git a/windows/configuration/kiosk-shared-pc.md b/windows/configuration/kiosk-shared-pc.md
index 21d8d0d394..420e550a78 100644
--- a/windows/configuration/kiosk-shared-pc.md
+++ b/windows/configuration/kiosk-shared-pc.md
@@ -20,4 +20,4 @@ Some desktop devices in an enterprise serve a special purpose, such as a common
| [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. |
| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | You can configure a device running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education as a kiosk device, so that users can only interact with a single application that you select. |
| [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. This topic provides guidelines to help you choose an approprate app for a kiosk device. |
-| [Lock down Windows 10 to specific apps (AppLocker)](lock-down-windows-10-to-specific-apps.md) | Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to a kiosk device, but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. |
\ No newline at end of file
+| [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) | Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to a kiosk device, but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. |
\ No newline at end of file
diff --git a/windows/configuration/lock-down-windows-10-applocker.md b/windows/configuration/lock-down-windows-10-applocker.md
new file mode 100644
index 0000000000..d4422e7212
--- /dev/null
+++ b/windows/configuration/lock-down-windows-10-applocker.md
@@ -0,0 +1,121 @@
+---
+title: Use AppLocker to create a Windows 10 kiosk that runs multiple apps (Windows 10)
+description: Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps.
+ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
+keywords: ["lockdown", "app restrictions", "applocker"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: edu, security
+author: jdeckerms
+ms.localizationpriority: high
+ms.date: 10/05/2017
+ms.author: jdecker
+---
+
+# Use AppLocker to create a Windows 10 kiosk that runs multiple apps
+
+
+**Applies to**
+
+- Windows 10
+
+Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education, version 1703 and earlier, so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.
+
+>[!NOTE]
+>For devices running Windows 10, version 1709, we recommend the [multi-app kiosk method](lock-down-windows-10-to-specific-apps.md).
+
+You can restrict users to a specific set of apps on a device running Windows 10 Enterprise or Windows 10 Education by using [AppLocker](/windows/device-security/applocker/applocker-overview). AppLocker rules specify which apps are allowed to run on the device.
+
+AppLocker rules are organized into collections based on file format. If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For more information, see [How AppLocker works](/windows/device-security/applocker/how-applocker-works-techref).
+
+This topic describes how to lock down apps on a local device. You can also use AppLocker to set rules for applications in a domain by using Group Policy.
+
+
+
+## Install apps
+
+
+First, install the desired apps on the device for the target user account(s). This works for both Store and Win32. For Store apps, you must log on as that user for the app to install. For Win32 you can install an app for all users without logging on to the particular account.
+
+## Use AppLocker to set rules for apps
+
+
+After you install the desired apps, set up AppLocker rules to only allow specific apps, and block everything else.
+
+1. Run Local Security Policy (secpol.msc) as an administrator.
+
+2. Go to **Security Settings** > **Application Control Policies** > **AppLocker**, and select **Configure rule enforcement**.
+
+ 
+
+3. Check **Configured** under **Executable rules**, and then click **OK**.
+
+4. Right-click **Executable Rules** and then click **Automatically generate rules**.
+
+ 
+
+5. Select the folder that contains the apps that you want to permit, or select C:\\ to analyze all apps.
+
+6. Type a name to identify this set of rules, and then click **Next**.
+
+7. On the **Rule Preferences** page, click **Next**. Be patient, it might take awhile to generate the rules.
+
+8. On the **Review Rules** page, click **Create**. The wizard will now create a set of rules allowing the installed set of apps.
+
+9. Read the message and click **Yes**.
+
+ 
+
+10. (optional) If you want a rule to apply to a specific set of users, right-click on the rule and select **Properties**. Then use the dialog to choose a different user or group of users.
+
+11. (optional) If rules were generated for apps that should not be run, you can delete them by right-clicking on the rule and selecting **Delete**.
+
+12. Before AppLocker will enforce rules, the **Application Identity** service must be turned on. To force the Application Identity service to automatically start on reset, open a command prompt and run:
+
+ ``` syntax
+ sc config appidsvc start=auto
+ ```
+
+13. Restart the device.
+
+## Other settings to lock down
+
+
+In addition to specifying the apps that users can run, you should also restrict some settings and functions on the device. For a more secure experience, we recommend that you make the following configuration changes to the device:
+
+- Remove **All apps**.
+
+ Go to **Group Policy Editor** > **User Configuration** > **Administrative Templates\\Start Menu and Taskbar\\Remove All Programs list from the Start menu**.
+
+- Hide **Ease of access** feature on the logon screen.
+
+ Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools.
+
+- Disable the hardware power button.
+
+ Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
+
+- Disable the camera.
+
+ Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**.
+
+- Turn off app notifications on the lock screen.
+
+ Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
+
+- Disable removable media.
+
+ Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.
+
+ **Note**
+ To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
+
+
+
+To learn more about locking down features, see [Customizations for Windows 10 Enterprise](https://go.microsoft.com/fwlink/p/?LinkId=691442).
+
+## Customize Start screen layout for the device (recommended)
+
+
+Configure the Start menu on the device to only show tiles for the permitted apps. You will make the changes manually, export the layout to an .xml file, and then apply that file to devices to prevent users from making changes. For instructions, see [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md).
\ No newline at end of file
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index 445d25bf22..cb4884a6d9 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -1,6 +1,6 @@
---
-title: Lock down Windows 10 to specific apps (Windows 10)
-description: Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps.
+title: Create a Windows 10 kiosk that runs multiple apps (Windows 10)
+description: Learn how to configure a kiosk device running Windows 10 so that users can only run a few specific apps.
ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
keywords: ["lockdown", "app restrictions", "applocker"]
ms.prod: w10
@@ -9,120 +9,605 @@ ms.sitesec: library
ms.pagetype: edu, security
author: jdeckerms
ms.localizationpriority: high
+ms.date: 10/05/2017
+ms.author: jdecker
---
-# Lock down Windows 10 to specific apps
+# Create a Windows 10 kiosk that runs multiple apps
**Applies to**
- Windows 10
->For more info about the features and functionality that are supported in each edition of Windows, see [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
+A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package.
-Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.
+>[!NOTE]
+>For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk.
-You can restrict users to a specific set of apps on a device running Windows 10 Enterprise or Windows 10 Education by using [AppLocker](/windows/device-security/applocker/applocker-overview). AppLocker rules specify which apps are allowed to run on the device.
+The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access.
-AppLocker rules are organized into collections based on file format. If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For more information, see [How AppLocker works](/windows/device-security/applocker/how-applocker-works-techref).
-
-This topic describes how to lock down apps on a local device. You can also use AppLocker to set rules for applications in a domain by using Group Policy.
-
-
-
-## Install apps
+>[!WARNING]
+>The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
-First, install the desired apps on the device for the target user account(s). This works for both Store and Win32. For Store apps, you must log on as that user for the app to install. For Win32 you can install an app for all users without logging on to the particular account.
+Process:
+1. [Create XML file](#create-xml-file)
+2. [Add XML file to provisioning package](#add-xml)
+3. [Apply provisioning package to device](#apply-ppkg)
-## Use AppLocker to set rules for apps
+If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#alternate-methods) or you can configure assigned access using the [MDM Bridge WMI Provider](#bridge).
+
+## Prerequisites
+
+- Windows Configuration Designer (Windows 10, version 1709)
+- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709
-After you install the desired apps, set up AppLocker rules to only allow specific apps, and block everything else.
+## Create XML file
-1. Run Local Security Policy (secpol.msc) as an administrator.
+Let's start by looking at the basic structure of the XML file.
-2. Go to **Security Settings** > **Application Control Policies** > **AppLocker**, and select **Configure rule enforcement**.
+- A configuration xml can define multiple *profiles*. Each profile has a unique **Id** and defines a set of applications that are allowed to run, whether the taskbar is visible, and can include a custom Start layout.
- 
+- A configuration xml can have multiple *config* sections. Each config section associates a non-admin user account to a default profile **Id**.
-3. Check **Configured** under **Executable rules**, and then click **OK**.
+- Multiple config sections can be associated to the same profile.
-4. Right-click **Executable Rules** and then click **Automatically generate rules**.
+- A profile has no effect if it’s not associated to a config section.
- 
+ 
+
+You can start your file by pasting the following XML (or any other examples in this topic) into a XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this topic.
-5. Select the folder that contains the apps that you want to permit, or select C:\\ to analyze all apps.
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
-6. Type a name to identify this set of rules, and then click **Next**.
+### Profile
-7. On the **Rule Preferences** page, click **Next**. Be patient, it might take awhile to generate the rules.
+A profile section in the XML has the following entries:
-8. On the **Review Rules** page, click **Create**. The wizard will now create a set of rules allowing the installed set of apps.
+- [**Id**](#id)
-9. Read the message and click **Yes**.
+- [**AllowedApps**](#allowedapps)
- 
+- [**StartLayout**](#startlayout)
-10. (optional) If you want a rule to apply to a specific set of users, right-click on the rule and select **Properties**. Then use the dialog to choose a different user or group of users.
-
-11. (optional) If rules were generated for apps that should not be run, you can delete them by right-clicking on the rule and selecting **Delete**.
-
-12. Before AppLocker will enforce rules, the **Application Identity** service must be turned on. To force the Application Identity service to automatically start on reset, open a command prompt and run:
-
- ``` syntax
- sc config appidsvc start=auto
- ```
-
-13. Restart the device.
-
-## Other settings to lock down
+- [**Taskbar**](#taskbar)
-In addition to specifying the apps that users can run, you should also restrict some settings and functions on the device. For a more secure experience, we recommend that you make the following configuration changes to the device:
+#### Id
-- Remove **All apps**.
+The profile **Id** is a GUID attribute to uniquely identify the profile. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file.
- Go to **Group Policy Editor** > **User Configuration** > **Administrative Templates\\Start Menu and Taskbar\\Remove All Programs list from the Start menu**.
+```xml
+
+ …
+
+```
-- Hide **Ease of access** feature on the logon screen.
+#### AllowedApps
- Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools.
+**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Classic Windows desktop apps.
-- Disable the hardware power button.
+Based on the purpose of the kiosk device, define the list of applications that are allowed to run. This list can contain both UWP apps and desktop apps. When the mult-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration.
- Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
+>[!NOTE]
+>You cannot manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](https://technet.microsoft.com/library/hh994629.aspx#BKMK_Using_Snapins). Avoid applying AppLocker rules to devices running the multi-app kiosk configuration.
-- Disable the camera.
+- For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867), or [get the AUMID from the Start Layout XML](#startlayout).
+- For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%).
- Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**.
+Here are the predefined assigned access AppLocker rules for **UWP apps**:
-- Turn off app notifications on the lock screen.
+1. Default rule is to allow all users to launch the signed package apps.
+2. The package app deny list is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the deny list. This list will exclude the default allowed inbox package apps which are critical for the system to function, and then exclude the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This deny list will be used to prevent the user from accessing the apps which are currently available for the user but not in the allowed list.
- Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
+ >[!NOTE]
+ >Multi-app kiosk mode doesn’t block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the deny list. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list.
-- Disable removable media.
+Here are the predefined assigned access AppLocker rules for **desktop apps**:
- Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.
+1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. The rule also allows the admin user group to launch all desktop programs.
+2. There is a predefined inbox desktop app deny list for the assigned access user account, and this deny list is adjusted based on the desktop app allow list that you defined in the multi-app configuration.
+3. Enterprise-defined allowed desktop apps are added in the AppLocker allow list.
- **Note**
- To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
+The following example allows Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps to run on the device.
-
+```xml
+
+
+
+
+
+
+
+
+
+
+
+```
-To learn more about locking down features, see [Customizations for Windows 10 Enterprise](https://go.microsoft.com/fwlink/p/?LinkId=691442).
+#### StartLayout
-## Customize Start screen layout for the device (recommended)
+After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset, depending on whether you want the end user to directly access them on the Start screen.
+
+The easiest way to create a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test device and then export the layout. For detailed steps, see [Customize and export Start layout](customize-and-export-start-layout.md).
+
+A few things to note here:
+
+- The test device on which you customize the Start layout should have the same OS version that is installed on the device where you plan to deploy the multi-app assigned access configuration.
+- Since the multi-app assigned access experience is intended for fixed-purpose devices, to ensure the device experiences are consistent and predictable, use the *full* Start layout option instead of the *partial* Start layout.
+- There are no apps pinned on the taskbar in the multi-app mode, and it is not supported to configure Taskbar layout using the `` tag in a layout modification XML as part of the assigned access configuration.
+- The following example uses DesktopApplicationLinkPath to pin the desktop app to start. When the desktop app doesn’t have a shortcut link on the target device, [learn how to provision .lnk files using Windows Configuration Designer](#lnk-files).
+
+This example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps on Start.
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ]]>
+
+```
+
+>[!NOTE]
+>If an app is not installed for the user but is included in the Start layout XML, the app will not be shown on the Start screen.
-Configure the Start menu on the device to only show tiles for the permitted apps. You will make the changes manually, export the layout to an .xml file, and then apply that file to devices to prevent users from making changes. For instructions, see [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md).
+
+
+#### Taskbar
+
+Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don’t attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want.
+
+The following example exposes the taskbar to the end user:
+
+```xml
+
+```
+
+The following example hides the taskbar:
+
+```xml
+
+```
+
+>[!NOTE]
+>This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden.
+
+### Configs
+
+Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced, including the allowed apps, Start layout, and taskbar configuration, as well as other local group policies or mobile device management (MDM) policies set as part of the multi-app experience.
+
+The full multi-app assigned access experience can only work for non-admin users. It’s not supported to associate an admin user with the assigned access profile; doing this in the XML file will result in unexpected/unsupported experiences when this admin user signs in.
-
-
+The account can be local, domain, or Azure Active Directory (Azure AD). Groups are not supported.
+- Local account can be entered as `machinename\account` or `.\account` or just `account`.
+- Domain account should be entered as `domain\account`.
+- Azure AD account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided AS IS (consider it’s a fixed domain name), then follow with the Azure AD email address, e.g. **AzureAD\someone@contoso.onmicrosoft.com**.
+
+>[!WARNING]
+>Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
+
+
+Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail.
+
+>[!NOTE]
+>For both domain and Azure AD accounts, it’s not required that target account is explicitly added to the device. As long as the device is AD-joined or Azure AD-joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access.
+
+
+```xml
+
+
+ MultiAppKioskUser
+
+
+
+```
+
+
+
+
+## Add XML file to provisioning package
+
+Before you add the XML file to a provisioning package, you can [validate your configuration XML against the XSD](multi-app-kiosk-xml.md#xsd-for-assignedaccess-configuration-xml).
+
+Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-packages/provisioning-install-icd.md)
+
+>[!IMPORTANT]
+>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+
+1. Open Windows Configuration Designer (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
+
+2. Choose **Advanced provisioning**.
+
+3. Name your project, and click **Next**.
+
+4. Choose **All Windows desktop editions** and click **Next**.
+
+5. On **New project**, click **Finish**. The workspace for your package opens.
+
+6. Expand **Runtime settings** > **AssignedAccess** > **MultiAppAssignedAccessSettings**.
+
+7. In the center pane, click **Browse** to locate and select the assigned access configuration XML file that you created.
+
+ 
+
+8. (**Optional**: If you want to apply the provisioning package after device initial setup and there is an admin user already available on the kiosk device, skip this step.) Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed.
+
+8. (**Optional**: If you already have a non-admin account on the kiosk device, skip this step.) Create a local standard user account in **Runtime settings** > **Accounts** > **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**.
+
+8. On the **File** menu, select **Save.**
+
+9. On the **Export** menu, select **Provisioning package**.
+
+10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
+
+11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
+
+ - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
+
+ - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package.
+
+12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location.
+
+ Optionally, you can click **Browse** to change the default output location.
+
+13. Click **Next**.
+
+14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
+
+ If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
+
+15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
+
+ If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
+
+ - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
+ - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
+
+15. Copy the provisioning package to the root directory of a USB drive.
+
+
+## Apply provisioning package to device
+
+Provisioning packages can be applied to a device during the first-run experience (out-of-box experience or "OOBE") and after ("runtime").
+
+
+### During initial setup, from a USB drive
+
+1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
+
+ 
+
+2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
+
+ 
+
+3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
+
+ 
+
+4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
+
+ 
+
+5. Select **Yes, add it**.
+
+ 
+
+
+
+### After setup, from a USB drive, network folder, or SharePoint site
+
+1. Sign in with an admin account.
+2. Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install.
+
+>[!NOTE]
+>if your provisioning package doesn’t include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device.
+
+
+
+
+
+### Validate provisioning
+
+- Go to **Settings** > **Accounts** > **Access work or school**, and then click **Add or remove a provisioning package**. You should see a list of packages that were applied to the device, including the one you applied for the multi-app configuration.
+- Optionally, run Event Viewer (eventvwr.exe) and look through logs under **Applications and Services Logs** > **Microsoft** > **Windows** > **Provisioning-Diagnostics-Provider** > **Admin**.
+
+
+
+## Use MDM to deploy the multi-app configuration
+
+
+Multi-app kiosk mode is enabled by the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Your MDM policy can contain the assigned access configuration XML.
+
+If your device is enrolled with a MDM server which supports applying the assigned access configuration, you can use it to apply the setting remotely.
+
+The OMA-URI for multi-app policy is `./Device/Vendor/MSFT/AssignedAccess/Configuration`.
+
+
+
+## Use MDM Bridge WMI Provider to configure assigned access
+
+Environments that use WMI can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the MDM_AssignedAccess class. See [PowerShell Scripting with WMI Bridge Provider](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/using-powershell-scripting-with-the-wmi-bridge-provider) for more details about using a PowerShell script to configure AssignedAccess.
+
+Here’s an example to set AssignedAccess configuration:
+
+1. Download the [psexec tool](https://technet.microsoft.com/sysinternals/bb897553.aspx).
+2. Run `psexec.exe -i -s cmd.exe`.
+3. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell.
+4. Execute the following script:
+
+```ps
+$nameSpaceName="root\cimv2\mdm\dmmap"
+$className="MDM_AssignedAccess"
+$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
+$obj.Configuration = @"
+<?xml version="1.0" encoding="utf-8" ?>
+<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
+ <Profiles>
+ <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
+ <AllAppsList>
+ <AllowedApps>
+ <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
+ <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
+ <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
+ <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
+ <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
+ <App DesktopAppPath="%windir%\system32\mspaint.exe" />
+ <App DesktopAppPath="C:\Windows\System32\notepad.exe" />
+ </AllowedApps>
+ </AllAppsList>
+ <StartLayout>
+ <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
+ <LayoutOptions StartTileGroupCellWidth="6" />
+ <DefaultLayoutOverride>
+ <StartLayoutCollection>
+ <defaultlayout:StartLayout GroupCellWidth="6">
+ <start:Group Name="Group1">
+ <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
+ <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
+ <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
+ <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
+ <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
+ </start:Group>
+ <start:Group Name="Group2">
+ <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" />
+ <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk" />
+ </start:Group>
+ </defaultlayout:StartLayout>
+ </StartLayoutCollection>
+ </DefaultLayoutOverride>
+ </LayoutModificationTemplate>
+ ]]>
+ </StartLayout>
+ <Taskbar ShowTaskbar="true"/>
+ </Profile>
+ </Profiles>
+ <Configs>
+ <Config>
+ <Account>MultiAppKioskUser</Account>
+ <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
+ </Config>
+ </Configs>
+</AssignedAccessConfiguration>
+"@
+
+Set-CimInstance -CimInstance $obj
+```
+
+
+## Validate multi-app kiosk configuration
+
+Sign in with the assigned access user account you specified in the configuration to check out the multi-app experience.
+
+>[!NOTE]
+>The setting will take effect the next time the assigned access user signs in. If that user account is signed in when you apply the configuration, make sure the user signs out and signs back in to validate the experience.
+
+The following sections explain what to expect on a multi-app kiosk.
+
+### App launching and switching experience
+
+In the multi-app mode, to maximize the user productivity and streamline the experience, an app will be always launched in full screen when the users click the tile on the Start. The users can minimize and close the app, but cannot resize the app window.
+
+The users can switch apps just as they do today in Windows. They can use the Task View button, Alt + Tab hotkey, and the swipe in from the left gesture to view all the open apps in task view. They can click the Windows button to show Start, from which they can open apps, and they can switch to an opened app by clicking it on the taskbar.
+
+### Start changes
+
+When the assigned access user signs in, you should see a restricted Start experience:
+- Start gets launched in full screen and prevents the end user from accessing the desktop.
+- Start shows the layout aligned with what you defined in the multi-app configuration XML.
+- Start prevents the end user from changing the tile layout.
+ - The user cannot resize, reposition, and unpin the tiles.
+ - The user cannot pin additional tiles on the start.
+- Start hides **All Apps** list.
+- Start hides all the folders on Start (including File Explorer, Settings, Documents, Downloads, Music, Pictures, Videos, HomeGroup, Network, and Personal folders).
+- Only **User** and **Power** buttons are available. (You can control whether to show the **User/Power** buttons using [existing policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start).)
+- Start hides **Change account settings** option under **User** button.
+
+### Taskbar changes
+
+If the applied multi-app configuration enables taskbar, when the assigned access user signs in, you should see a restricted Taskbar experience:
+- Disables context menu of Start button (Quick Link)
+- Disables context menu of taskbar
+- Prevents the end user from changing the taskbar
+- Disables Cortana and Search Windows
+- Hides notification icons and system icons, e.g. Action Center, People, Windows Ink Workspace
+- Allows the end user to view the status of the network connection and power state, but disables the flyout of **Network/Power** to prevent end user from changing the settings
+
+### Blocked hotkeys
+
+The multi-app mode blocks the following hotkeys, which are not relevant for the lockdown experience.
+
+| Hotkey | Action |
+| --- | --- |
+| Windows logo key + A | Open Action center |
+| Windows logo key + Shift + C | Open Cortana in listening mode |
+| Windows logo key + D | Display and hide the desktop |
+| Windows logo key + Alt + D | Display and hide the date and time on the desktop |
+| Windows logo key + E | Open File Explorer |
+| Windows logo key + F | Open Feedback Hub |
+| Windows logo key + G | Open Game bar when a game is open |
+| Windows logo key + I | Open Settings |
+| Windows logo key + J | Set focus to a Windows tip when one is available. |
+| Windows logo key + O | Lock device orientation |
+| Windows logo key + Q | Open search |
+| Windows logo key + R | Open the Run dialog box |
+| Windows logo key + S | Open search |
+| Windows logo key + X | Open the Quick Link menu |
+| Windows logo key + comma (,) | Temporarily peek at the desktop |
+| Windows logo key + Ctrl + F | Search for PCs (if you're on a network) |
+
+
+
+### Locked-down Ctrl+Alt+Del screen
+
+The multi-app mode removes options (e.g. **Change a password**, **Task Manager**, **Network**) in the Ctrl+Alt+Del screen to ensure the users cannot access the functionalities that are not allowed in the lockdown experience.
+
+### Auto-trigger touch keyboard
+
+In the multi-app mode, the touch keyboard will be automatically triggered when there is an input needed and no physical keyboard is attached on touch-enabled devices. You don’t need to configure any other setting to enforce this behavior.
+
+## Considerations for Windows Mixed Reality immersive headsets
+
+
+With the advent of [mixed reality devices (video link)](https://www.youtube.com/watch?v=u0jqNioU2Lo), you might want to create a kiosk that can run mixed reality apps.
+
+To create a multi-app kiosk that can run mixed reality apps, you must include the following apps in the [AllowedApps list](#allowedapps):
+
+```xml
+
+
+
+```
+
+These are in addition to any mixed reality apps that you allow.
+
+**Before your kiosk user signs in:** An admin user must sign in to the PC, connect a mixed reality device, and complete the guided setup for the Mixed Reality Portal. The first time that the Mixed Reality Portal is set up, some files and content are downloaded. A kiosk user would not have permissions to download and so their setup of the Mixed Reality Portal would fail.
+
+After the admin has completed setup, the kiosk account can sign in and repeat the setup. The admin user may want to complete the kiosk user setup before providing the PC to employees or customers.
+
+There is a difference between the mixed reality experiences for a kiosk user and other users. Typically, when a user connects a mixed reality device, they begin in the [Mixed Reality home](https://developer.microsoft.com/windows/mixed-reality/navigating_the_windows_mixed_reality_home). The Mixed Reality home is a shell that runs in "silent" mode when the PC is configured as a kiosk. When a kiosk user connects a mixed reality device, they will see only a blank display in the device, and will not have access to the features and functionality available in the home. To run a mixed reality app, the kiosk user must launch the app from the PC Start screen.
+
+
+## Policies set by multi-app kiosk configuration
+
+It is not recommended to set policies enforced in assigned access multi-app mode to different values using other channels, as the multi-app mode has been optimized to provide a locked-down experience.
+
+When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device.
+
+
+### Group Policy
+
+The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This includes local users, domain users, and Azure Active Directory users.
+
+| Setting | Value |
+| --- | --- |
+Remove access to the context menus for the task bar | Enabled
+Clear history of recently opened documents on exit | Enabled
+Prevent users from customizing their Start Screen | Enabled
+Prevent users from uninstalling applications from Start | Enabled
+Remove All Programs list from the Start menu | Enabled
+Remove Run menu from Start Menu | Enabled
+Disable showing balloon notifications as toast | Enabled
+Do not allow pinning items in Jump Lists | Enabled
+Do not allow pinning programs to the Taskbar | Enabled
+Do not display or track items in Jump Lists from remote locations | Enabled
+Remove Notifications and Action Center | Enabled
+Lock all taskbar settings | Enabled
+Lock the Taskbar | Enabled
+Prevent users from adding or removing toolbars | Enabled
+Prevent users from resizing the taskbar | Enabled
+Remove frequent programs list from the Start Menu | Enabled
+Remove Pinned programs from the taskbar | Enabled
+Remove the Security and Maintenance icon | Enabled
+Turn off all balloon notifications | Enabled
+Turn off feature advertisement balloon notifications | Enabled
+Turn off toast notifications | Enabled
+Remove Task Manager | Enabled
+Remove Change Password option in Security Options UI | Enabled
+Remove Sign Out option in Security Options UI | Enabled
+Remove All Programs list from the Start Menu | Enabled – Remove and disable setting
+Prevent access to drives from My Computer | Enabled - Restrict all drivers**Note:** Users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears expalining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
+
+
+
+
+
+### MDM policy
+
+
+Some of the MDM policies based on the [Policy configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system (i.e. system-wide).
+
+Setting | Value | System-wide
+ --- | --- | ---
+[Experience/AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | 0 - Not allowed | Yes
+[Start/AllowPinnedFolderSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes
+Start/HidePeopleBar | 1 - True (hide) | No
+[Start/HideChangeAccountSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) | 1 - True (hide) | Yes
+[WindowsInkWorkspace/AllowWindowsInkWorkspace](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowsinkworkspace#windowsinkworkspace-allowwindowsinkworkspace) | 0 - Access to ink workspace is disabled and the feature is turned off | Yes
+[Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No
+[WindowsLogon/DontDisplayNetworkSelectionUI](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | <Enabled/> | Yes
+
+
+## Provision .lnk files using Windows Configuration Designer
+
+First, create your desktop app's shortcut file by installing the app on a test device. Right-click the installed application, and choose **Send to** > **Desktop (create shortcut)**. Rename the shortcut to `.lnk`
+
+Next, create a batch file with two commands. If the desktop app is already installed on the target device, skip the first command for MSI install.
+
+```
+msiexec /I ".msi" /qn /norestart
+copy .lnk "%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\.lnk"
+```
+
+In Windows Configuration Designer, under **ProvisioningCommands** > **DeviceContext**:
+
+- Under **CommandFiles**, upload your batch file, your .lnk file, and your desktop app installation file
+- Under **CommandLine**, enter cmd /c *FileName*.bat
+
diff --git a/windows/configuration/lock-down-windows-10.md b/windows/configuration/lock-down-windows-10.md
deleted file mode 100644
index 0bcecb6b1a..0000000000
--- a/windows/configuration/lock-down-windows-10.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Lock down Windows 10 (Windows 10)
-description: Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device.
-ms.assetid: 955BCD92-0A1A-4C48-98A8-30D7FAF2067D
-keywords: lockdown
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security, mobile
-author: jdeckerms
-ms.localizationpriority: high
----
-
-# Lock down Windows 10
-
diff --git a/windows/configuration/multi-app-kiosk-troubleshoot.md b/windows/configuration/multi-app-kiosk-troubleshoot.md
new file mode 100644
index 0000000000..6885f2b2f7
--- /dev/null
+++ b/windows/configuration/multi-app-kiosk-troubleshoot.md
@@ -0,0 +1,49 @@
+---
+title: Troubleshoot multi-app kiosk (Windows 10)
+description: Tips for troubleshooting multi-app kiosk configuration.
+ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
+keywords: ["lockdown", "app restrictions"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: edu, security
+author: jdeckerms
+ms.localizationpriority: medium
+ms.date: 10/05/2017
+ms.author: jdecker
+---
+
+# Troubleshoot multi-app kiosk
+
+
+**Applies to**
+
+- Windows 10
+
+## Unexpected results
+
+For example:
+- Start is not launched in full-screen
+- Blocked hotkeys are allowed
+- Task Manager, Cortana, or Settings can be launched
+- Start layout has more apps than expected
+
+**Troubleshooting steps**
+
+1. [Verify that the provisioning package is applied successfully](lock-down-windows-10-to-specific-apps.md#validate-provisioning).
+2. Verify that the account (config) is mapped to a profile in the configuration XML file.
+3. Verify that the configuration XML file is authored and formatted correctly. Correct any configuration errors, then create and apply a new provisioning package. Sign out and sign in again to check the new configuration.
+
+
+## Apps configured in AllowedList are blocked
+
+1. Ensure the account is mapped to the correct profile and that the apps are specific for that profile.
+2. Check the EventViewer logs for Applocker and AppxDeployment (under **Application and Services Logs\Microsoft\Windows**).
+
+
+## Start layout not as expected
+
+- Make sure the Start layout is authored correctly. Ensure that the attributes **Size**, **Row**, and **Column** are specified for each application and are valid.
+- Check if the apps included in the Start layout are installed for the assigned access user.
+- Check if the shortcut exists on the target device, if a desktop app is missing on Start.
+
diff --git a/windows/configuration/multi-app-kiosk-xml.md b/windows/configuration/multi-app-kiosk-xml.md
new file mode 100644
index 0000000000..d355221ba5
--- /dev/null
+++ b/windows/configuration/multi-app-kiosk-xml.md
@@ -0,0 +1,175 @@
+---
+title: Multi-app kiosk XML reference (Windows 10)
+description: XML and XSD for multi-app kiosk device configuration.
+ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
+keywords: ["lockdown", "app restrictions", "applocker"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: edu, security
+author: jdeckerms
+ms.localizationpriority: medium
+ms.date: 10/05/2017
+ms.author: jdecker
+---
+
+# Multi-app kiosk XML reference
+
+
+**Applies to**
+
+- Windows 10
+
+## Full XML sample
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ]]>
+
+
+
+
+
+
+ MultiAppKioskUser
+
+
+
+
+```
+
+## XSD for AssignedAccess configuration XML
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
\ No newline at end of file
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
index e818979df8..a2f8ee5eb5 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
@@ -7,6 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
+ms.author: jdecker
+ms.date: 10/05/2017
---
# Provision PCs with apps
@@ -21,6 +23,9 @@ In Windows 10, version 1703, you can install multiple Universal Windows Platform
When you add an app in a Windows Configuration Designer wizard, the appropriate settings are displayed based on the app that you select. For instructions on adding an app using the advanced editor in Windows Configuration Designer, see [Add an app using advanced editor](#adv).
+>[!IMPORTANT]
+>If you plan to use Intune to manage your devices, we recommend using Intune to install Office 365 ProPlus 2016 apps (Access, Excel, OneDrive for Business, OneNote, Outlook, PowerPoint, Publisher, Skype for Business, Word, Project Online Desktop Cilent, and Visio Pro for Office 365 ProPlus). Apps that are installed using a provisioning package cannot be managed or modified using Intune. [Learn how to assign Office 365 ProPlus 2016 apps using Microsoft Intune.](https://docs.microsoft.com/intune/apps-add-office365)
+
## Settings for UWP apps
- **License Path**: Specify the license file if it is an app from the Microsoft Store. This is optional if you have a certificate for the app.
diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md
index baa60ac6fd..82ce22b422 100644
--- a/windows/configuration/provisioning-packages/provisioning-apply-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md
@@ -23,6 +23,9 @@ Provisioning packages can be applied to a device during the first-run experience
## Desktop editions
+>[!NOTE]
+>In Windows 10, version 1709, you can interrupt a long-running provisioning process by pressing ESC.
+
### During initial setup, from a USB drive
1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
diff --git a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
index 99ceb249ab..e26d7208df 100644
--- a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
+++ b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
@@ -21,7 +21,7 @@ ms.localizationpriority: high
A single-use or *kiosk* device is easy to set up in Windows 10 for desktop editions.
-- Use the [Provision kiosk devices wizard](#wizard) in Windows Configuration Designer (Windows 10, version 1607 or later) to create a provisioning package that configures a kiosk device running either a Universal Windows app or a Classic Windows application (Windows 10 Enterprise or Education only).
+- Use the [Provision kiosk devices wizard](#wizard) in Windows Configuration Designer (Windows 10, version 1607 or later) to create a provisioning package that configures a kiosk device running either a Universal Windows app or a Classic Windows application (Windows 10 Enterprise or Education only). In Windows 10, version 1709, you can use the [Provision kiosk devices wizard](#wizard) to configure a kiosk device running a Universal Windows app for Windows 10 Pro.
or
@@ -85,8 +85,8 @@ Using assigned access, Windows 10 runs the designated Universal Windows app abo
| Method | Account type | Windows 10 edition |
| --- | --- | --- |
| [Use Settings on the PC](#set-up-assigned-access-in-pc-settings) | Local standard | Pro, Enterprise, Education |
-| [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) | All (domain, local standard, local administrator, etc) | Enterprise, Education |
-| [Create a provisioning package using Windows Configuration Designer](#wizard) | All (domain, local standard, local administrator, etc) | Enterprise, Education |
+| [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) | All (domain, local standard, local administrator, etc) | Pro (1709 only), Enterprise, Education |
+| [Create a provisioning package using Windows Configuration Designer](#wizard) | All (domain, local standard, local administrator, etc) | Pro (1709 only), Enterprise, Education |
| [Run a PowerShell script](#set-up-assigned-access-using-windows-powershell) | Local standard | Pro, Enterprise, Education |
diff --git a/windows/configuration/stop-employees-from-using-the-windows-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md
similarity index 100%
rename from windows/configuration/stop-employees-from-using-the-windows-store.md
rename to windows/configuration/stop-employees-from-using-microsoft-store.md
diff --git a/windows/configuration/wcd/wcd-applicationmanagement.md b/windows/configuration/wcd/wcd-applicationmanagement.md
index af27cea5f0..3a1b160d46 100644
--- a/windows/configuration/wcd/wcd-applicationmanagement.md
+++ b/windows/configuration/wcd/wcd-applicationmanagement.md
@@ -7,13 +7,16 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# ApplicationManagement (Windows Configuration Designer reference)
Use these settings to manage app installation and management.
+>[!NOTE]
+>ApplicationManagement settings are not available in Windows 10, version 1709.
+
## Applies to
| Settings | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
diff --git a/windows/configuration/wcd/wcd-assignedaccess.md b/windows/configuration/wcd/wcd-assignedaccess.md
index 201fc633e1..9c310df802 100644
--- a/windows/configuration/wcd/wcd-assignedaccess.md
+++ b/windows/configuration/wcd/wcd-assignedaccess.md
@@ -7,7 +7,7 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# AssignedAccess (Windows Configuration Designer reference)
@@ -19,6 +19,7 @@ Use this setting to configure single use (kiosk) devices.
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| [AssignedAccessSettings](#assignedaccesssettings) | X | | | X | |
+| [MultiAppAssignedAccessSettings](#multiappassignedaccesssettings) | X | | | | |
## AssignedAccessSettings
@@ -30,6 +31,18 @@ Enter the account and the application you want to use for Assigned access, using
```
"Account":"domain\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"
```
+
+## MultiAppAssignedAccessSettings
+
+>[!NOTE]
+>MultiAppAssignedAccessSettings is supported on Windows 10, version 1709 only.
+
+Use this setting to configure a kiosk device that runs more than one app.
+
+1. [Create an assigned access configuration XML file for multiple apps.](../lock-down-windows-10-to-specific-apps.md)
+2. In Windows Configuration Designer, select **MultiAppAssignedAccessSettings**.
+3. Browse to and select the assigned access configuration XML file.
+
## Related topics
- [AssignedAccess configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/assignedaccess-csp)
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-callandmessagingenhancement.md b/windows/configuration/wcd/wcd-callandmessagingenhancement.md
index f3905fe8bc..0ccf7992cb 100644
--- a/windows/configuration/wcd/wcd-callandmessagingenhancement.md
+++ b/windows/configuration/wcd/wcd-callandmessagingenhancement.md
@@ -7,13 +7,16 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# CallAndMessagingEnhancement (Windows Configuration Designer reference)
Use to configure call origin and blocking apps.
+>[!IMPORTANT]
+>These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise.
+
## Applies to
| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
diff --git a/windows/configuration/wcd/wcd-calling.md b/windows/configuration/wcd/wcd-calling.md
new file mode 100644
index 0000000000..0b1d46a821
--- /dev/null
+++ b/windows/configuration/wcd/wcd-calling.md
@@ -0,0 +1,146 @@
+---
+title: Calling (Windows 10)
+description: This section describes the Calling settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+ms.localizationpriority: medium
+ms.author: jdecker
+ms.date: 10/17/2017
+---
+
+# Calling (Windows Configuration Designer reference)
+
+Use to configure settings for Calling.
+
+>[!IMPORTANT]
+>These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise.
+
+## Applies to
+
+| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| All settings | | X | | | |
+
+
+## Branding
+
+See [Branding for phone calls](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/branding-for-phone-calls).
+
+## PartnerAppSupport
+
+See [Dialer codes to launch diagnostic applications](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/dialer-codes-to-launch-diagnostic-applications).
+
+## PerSimSettings
+
+Use to configure settings for each subscriber identification module (SIM) card. Enter the Integrated Circuit Card Identifier (ICCID) for the SIM card, click Add, and then configure the folowing settings.
+
+### Critical
+
+Setting | Description
+--- | ---
+MOSimFallbackVoicemailNumber | Partners who do not have the voicemail numbers on the device SIM can configure the voicemail number for their devices. If the voicemail number is not on the SIM and the registry key is not set, the default voicemail will not be set and the user will need to set the number. Set MOSimFallbackVoicemailNumber to the voicemail number that you want to use for the phone.
+SimOverrideVoicemailNumber | Mobile operators can override the voicemail number on the UICC with a different voicemail number that is configured in the registry. Set SimOverrideVoicemailNumber to a string that contains the digits of the voicemail number to use instead of the voicemail number on the UICC.
+
+
+### General
+
+Setting | Description
+--- | ---
+AllowVideoConferencing | Set as **True** to enable the ability to conference video calls.
+DefaultCallerIdSetting | Configure the default setting for caller ID. Select between `No one`, `Only contacts`, `Every one`, and `Network default`. If set to `Network default`, set `ShowCallerIdNetworkDefaultSetting` to **True**.
+DefaultEnableVideoCalling | Set as **True** to enable LTE video calling as the default setting.
+IgnoreMWINotifications | Set as **True** to configure the voicemail system so the phone ignores message waiting indicator (MWI) notifications.
+IgnoreUssdExclusions | Set as **True** to ignore Unstructured Supplementary Service Data (USSD) exclusions.
+ResetCallForwarding | When set to **True**, user is provided with an option to retry call forwarding settings query.
+ShowCallerIdNetworkDefaultSetting | Indicates whether the network default setting can be allowed for outgoing caller ID.
+ShowVideoCallingSwitch | Use to specify whether to show the video capability sharing switch on the mobile device's Settings screen.
+SupressVideoCallingChargesDialog | Configure the phone settings CPL to supress the video calling charges dialog.
+UssdExclusionList | List used to exclude predefined USSD entries, allowing the number to be sent as standard DTMF tones instead. Set UssdExclusionList to the list of desired exclusions, separated by semicolons. For example, setting the value to 66;330 will override 66 and 330. Leading zeros are specified by using F. For example, to override code 079, set the value to F79. If you set UssdExclusionList, you must set IgnoreUssdExclusions as well. Otherwise, the list will be ignored. See [List of USSD codes](#list-of-ussd-codes) for values.
+WiFiCallingOperatorName | Enter the operator name to be shown when the phone is using WiFi calling. If you don't set a value for WiFiCallingOperatorName, the device will always display **SIMServiceProviderName Wi-Fi**, where *SIMServiceProviderName* is a string that corresponds to the SPN for the SIM on the device. If the service provider name in the SIM is not set, only **Wi-Fi** will be displayed.
+
+
+
+## PhoneSettings
+
+Setting | Description
+--- | ---
+AssistedDialSetting | Turn off the international assist feature that helps users with the country codes needed for dialing international phone numbers.
+CallIDMatch | Sets the number of digits that the OS will try to match against contacts for Caller ID. For any country/region that doesn't exist in the default mapping table, mobile operators can use this legacy CallIDMatch setting to specify the minimum number of digits to use for matching caller ID.
+ContinuousDTMFEnabled | Enable DTMF tone duration for as long as the user presses a dialpad key.
+DisableVoicemailPhoneNumberDisplay | Disable the display of the voicemail phone number below the Voicemail label in call progress dialog.
+HideCallForwarding | Partners can hide the user option to turn on call forwarding. By default, users can decide whether to turn on call forwarding. Partners can hide this user option so that call forwarding is permanently disabled.
+ShowLongTones | Partners can make a user option visible that makes it possible to toggle between short and long DTMF tones, instead of the default continuous tones. By default, the phone supports Dual-Tone Multi-frequency (DTMF) with continuous tones. Partners can make a user option visible that makes it possible to toggle between short and long tones instead.
+UseOKForUssdDialogs | OEMs can change the button label in USSD dialogs from **Close** (the default) to **OK**.
+VoLTEAudioQualityString | Partners can add a string to the call progress screen to indicate if the active call is a high quality voice over LTE (VoLTE). Set the value of VoLTEAudioQualityString to the string that you want to display in the call progress screen to indicate that the call is a VoLTE call. This string is combined with the PLMN so if the string is "VoLTE", the resulting string is "PLMN_String VoLTE". For example, the string displayed in the call progress screen can be "Litware VoLTE" if the PLMN_String is "Litware". The value you specify for VoLTEAudioQualityString must exceed 10 characters.
+
+
+## SupplementaryServiceCodeOverrides
+
+See [Dialer codes for supplementary services](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/dialer-codes-for-supplementary-services).
+
+## VoicemailRegistrationTable
+
+Configure these settings to customize visual voicemail in the Windows 10 Mobile UI. For settings and values, see [Visual voicemail](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/visual-voicemail).
+
+
+## List of USSD codes
+
+
+Codes | Description | DWORD Value
+--- | --- | ---
+04 | CHANGEPIN | 000000F4
+042 | CHANGEPIN2 | 00000F42
+05 | UNBLOCKPIN | 000000F5
+052 | UNBLOCKPIN2 | 00000F52
+03 | SSCHANGEPASSWORD | 000000F3
+75 | EMLPPBASE | 00000075
+750 | EMLPPLEVEL0 | 00000750
+751 | EMLPPLEVEL1 | 00000751
+752 | EMLPPLEVEL2 | 00000752
+753 | EMLPPLEVEL3 | 00000753
+754 | EMLPPLEVEL4 | 00000754
+66 | CALLDEFLECT | 00000066
+30 | CALLIDCLIP | 00000030
+31 | CALLIDCLIR | 00000031
+76 | CALLIDCOLP | 00000076
+77 | CALLIDCOLR | 00000077
+21 | FWDUNCONDITIONAL | 00000021
+67 | FWDBUSY | 00000067
+61 | FWDNOREPLY | 00000061
+62 | FWDNOTREACHABLE | 00000062
+002 | FWDALL | 00000FF2
+004 | FWDALLCONDITIONAL | 00000FF4
+43 | CALLWAITING | 00000043
+360 | UUSALL | 00000360
+361 | UUSSERVICE1 | 00000361
+362 | UUSSERVICE2 | 00000362
+363 | UUSSERVICE3 | 00000363
+33 | BARROUT | 00000033
+331 | BARROUTINTL | 00000331
+332 | BARROUTINTLEXTOHOME | 00000332
+35 | BARRIN | 00000035
+351 | BARRINROAM | 00000351
+330 | BARRALL | 00000330
+333 | BARRALLOUT | 00000333
+353 | BARRALLIN | 00000353
+354 | BARRINCOMINGINTERMEDIATE | 00000354
+96 | CALLTRANSFER | 00000096
+37 | CALLCOMPLETEBUSY | 00000037
+070 | PNP0 | 00000F70
+071 | PNP1 | 00000F71
+072 | PNP2 | 00000F72
+073 | PNP3 | 00000F73
+074 | PNP4 | 00000F74
+075 | PNP5 | 00000F75
+076 | PNP6 | 00000F76
+077 | PNP7 | 00000F77
+078 | PNP8 | 00000F78
+079 | PNP9 | 00000F79
+300 | CALLCNAP | 00000300
+591 | MSP1 | 00000591
+592 | MSP2 | 00000592
+593 | MSP3 | 00000593
+594 | MSP4 | 00000594
+
diff --git a/windows/configuration/wcd/wcd-cellcore.md b/windows/configuration/wcd/wcd-cellcore.md
new file mode 100644
index 0000000000..57347d1878
--- /dev/null
+++ b/windows/configuration/wcd/wcd-cellcore.md
@@ -0,0 +1,436 @@
+---
+title: CellCore (Windows 10)
+description: This section describes the CellCore settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+ms.localizationpriority: medium
+ms.author: jdecker
+ms.date: 10/17/2017
+---
+
+# CellCore (Windows Configuration Designer reference)
+
+Use to configure settings for cellular data.
+
+>[!IMPORTANT]
+>These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise.
+
+## Applies to
+
+ Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core
+ --- | :---: | :---: | :---: | :---: | :---:
+ PerDevice: [CellConfigurations](#cellconfigurations) | | X | | |
+ PerDevice: [CellData](#celldata) CellularFailover | X | X | | |
+ PerDevice: [CellData](#celldata) MaxNumberOfPDPContexts | | X | | |
+ PerDevice: [CellData](#celldata) ModemProfiles | | X | | |
+ PerDevice: [CellData](#celldata) PersistAtImaging | | X | | |
+ PerDevice: [CellUX](#cellux) | | X | | |
+ PerDevice: [CGDual](#cgdual) | | X | | |
+ PerDevice: [eSim](#esim) | X | X | | |
+ PerDevice: [External](#external) | | X | | |
+ PerDevice: [General](#general) | | X | | |
+ PerDevice: [RCS](#rcs) | | X | | |
+ PerDevice: [SMS](#sms) | X | X | | |
+ PerDevice: [UIX](#uix) | | X | | |
+ PerDevice: [UTK](#utk) | | X | | |
+ PerlMSI: [CellData](#celldata2) | | X | | |
+ PerIMSI: [CellUX](#cellux2) | | X | | |
+ PerIMSI: [General](#general2) | | X | | |
+ PerIMSI: [RCS](#rcs2) | | X | | |
+ PerIMSI: [SMS](#sms2) | X | X | | |
+ PerIMSI: [UTK](#utk2) | | X | | |
+ PerIMSI: [VoLTE](#volte) | | X | | |
+
+
+## PerDevice
+
+### CellConfigurations
+
+
+
+1. In **CellConfiguration** > **PropertyGroups**, enter a name for the property group.
+2. Select the **PropertyGroups** you just created in the **Available customizations** pane and then enter a **PropertyName**.
+3. Select the **PropertyName** you just created in the **Available customizations** pane, and then select one of the following data types for the property:
+ - Binary
+ - Boolean
+ - Integer
+ - String
+4. The data type that you selected is added in **Available customizations**. Select it to enter a value for the property.
+
+### CellData
+
+Setting | Description
+--- | ---
+CellularFailover | Allow or disallow cellular data failover when in limited Wi-Fi connectivity. By default, if the phone is connected to a Wi-Fi network and the data connection to a site is unsuccessful due to limited Wi-Fi connectivity, the phone will complete the connection to the site using available cellular data networks (when possible) to provide an optimal user experience. When the customization is enabled, a user option to use or not use cellular data for limited Wi-Fi connectivity becomes visible in the **Settings** > **cellular+SIM** screen. This option is automatically set to **don’t use cellular data** when the customization is enabled.
+MaxNumberOfPDPContexts | Set a maximum value (1 through 4, inclusive, or 0x1 through 0x4 hexadecimal) for the number of simultaneous packet data protocol (PDP) contexts for 3GPP connections. By default, the OS enforces a maximum of four (4) simultaneous packet data protocol (PDP) contexts for 3GPP connections, and one (1) PDP context for 3GPP2 connections. You can set a different maximum value if required by their mobile operator. The same maximums apply for both roaming and non-roaming scenarios. This maximum does not include packet contexts used internally by the modem.
+ModemProfiles > LTEAttachGuids | Set the value for LTEAttachGuid to the OemConnectionId GUID used for the LTE attach profile in the modem. The value is a GUID in the string format *XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX*.
+PersistAtImaging > DisableAoAc | Enable or disable Always-on/Always-connected (AoAc) on the WWAN adapter.
+
+
+### CellUX
+
+Setting | Description
+--- | ---
+APNAuthTypeDefault | Select between **Pap** and **Chap** for default APN authentication type.
+APNIPTypeIfHidden | Select between **IPV4**, **IPV6**, **IPV4V6**, and **IPV4V6XLAT** for default APN IP type.
+Critical > ShowVoLTEToggle | Select **Yes** to show the VoLTE toggle in the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to hide the toggle.
+Disable2GByDefault | Select **Yes** to disable 2G by default. Select **No** to enable 2G.
+Disabled2GNoticeDescription | Enter text to customize the notification for disabled 2G.
+GenericWifiCallingErrorMessage | Enter text to customize the generic error message when a Wi-Fi calling error occurs.
+Hide3GPP2ModeSelection | Select **Yes** to hide the **CDMA** option in the network **Mode** selection drop-down menu. Select **No** to show the **CDMA** option.
+Hide3GPP2Selection | For 3GPP2 or CDMA phones, select **Yes** to hide the **Network Type** drop-down menu in the **SIM** settings screen. Select **No** to show **Network Type**.
+Hide3GPPNetworks | For 3GPP or GSM phones, select **Yes** to hide the **Network Type** drop-down menu in the **SIM settings** screen. Select **No** to show **Network Type**.
+HideAPN | Select **Yes** to hide the **add internet APN** button in the **SIM settings** screen. Select **No** to show **add internet APN**.
+HideAPNAuthType | Select **Yes** to hide the APN authentication selector. Select **No** to show the APN authentication selector.
+HideAPNIPType | Select **Yes** to hide the **IP type** list in the **internet APN** settings screen. Select **No** to show **IP type**.
+HideDisabled2GNotice | Select **Yes** to hide the notification for disabled 2G. Select **No** to show the notification for disabled 2G.
+HideHighestSpeed | Select **Yes** to hide the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show **Highest connection speed**.
+HideHighestSpeed2G | Select **Yes** to hide the 2G option on the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the 2G option.
+HideHighestSpeed3GOnly | Select **Yes** to hide the 3G option on the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the 3G option.
+HideHighestSpeed4G | Select **Yes** to hide the 4G option on the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the 4G option.
+HideHighestSpeed4G3GOnly | Select **Yes** to hide the 4G or 3G Only option on the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the 4G or 3G Only option.
+HideHighestSpeed4GOnly | Select **Yes** to hide the 4G Only option on the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the 4G Only option.
+HideLTEAttachAPN | Select **Yes** to hide the **LTE attach APN** button on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the **LTE attach APN** button.
+HideMMSAPN | Select **Yes** to hide the **add mms apn** button on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the **add mms apn** button.
+HideMMSAPNAuthType | Select **Yes** to hide the APN authentication type selector on the MMS APN page. Select **No** to show APN authentication selector.
+HideMMSAPNIPType | Select **Yes** to hide the APN IP type selector on the MMS APN page. Select **No** to show the APN IP type selector.
+HideModeSelection | Select **Yes** to hide the **Network Mode selection** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the **Network Mode selection**.
+HidePersoUnlock | Select **Yes** to hide the Perso unlock UI. Select **No** to show the Perso unlock UI.
+HighestSpeed2G | You can customize the listed names of the connection speeds with their own character codes. To modify "2G" to another character code, change the value of HighestSpeed2G. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed3G | You can customize the listed names of the connection speeds with their own character codes. To modify "3G" to another character code, change the value of HighestSpeed3G. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed3GOnly | You can customize the listed names of the connection speeds with their own character codes. To modify "3G Only" to another character code, change the value of HighestSpeed3GOnly. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed3GPreferred | You can customize the listed names of the connection speeds with their own character codes. To modify "3G Preferred" to another character code, change the value of HighestSpeed3GPreferred. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed4G | You can customize the listed names of the connection speeds with their own character codes. To modify "4G" to another character code, change the value of HighestSpeed4G. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed4G3GOnly | You can customize the listed names of the connection speeds with their own character codes. To modify "4G or 3G Only" to another character code, change the value of HighestSpeed4G3GOnly. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed4GOnly | You can customize the listed names of the connection speeds with their own character codes. To modify "4G Only" to another character code, change the value of HighestSpeed4GOnly. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeedTitle | You can customize the **Highest connection speed** drop-down label in the **Settings** > **Cellular+SIM** > **SIM** settings page. To change the Highest connection speed drop-down label, set HighestSpeedTitle to another string. For example, you can set this to "Preferred connection speed".
+IsATTSpecific | Control the roaming text for AT&T devices. AT&T requires the phone to show a particular roaming text to meet their legal and marketing guidelines. By default, if the user chooses **roam** under **Data roaming options** in the **Settings** > **Cellular+SIM** screen, they will see the following text: *Depending on your service agreement, you might pay more when using data roaming.* If you set IsATTSpecific to **Yes**, the following roaming text will be displayed instead: *International data roaming charges apply for data usage outside the United States, Puerto Rico, and United States Virgin Islands. Don’t allow roaming to avoid international data roaming charges.*
+LTEAttachGUID | Set the value for LTEAttachGuid to the OemConnectionId GUID used for the LTE attach profile in the modem. The value is a GUID in the string format *XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX*.
+MMSAPNAuthTypeDefault | Select between **Pap** and **Chap** for default MMS APN authentication type.
+MMSAPNIPTypeIfHidden | Select between **IPV4**, **IPV6**, **IPV4V6**, and **IPV4V6XLAT** for default MMS APN IP type.
+ShowExtendedRejectCodes | When a reject code is sent by the network, partners can specify that extended error messages should be displayed instead of the standard simple error messages. This customization is only intended for use when required by the mobile operator’s network. The short versions of the extended reject message are shown in the following screens:- Phone tile in Start- Call History screen- Dialer- Call Progress screen- Incoming Call screen- As the status string under Settings > cellular+SIMThe long version of the extended reject message is shown under the Active Network label in **Settings** > **cellular+SIM**. Select **Yes** to show the extended error message. Select **No** to hide the extended error message. See [Error messages for reject codes](#errorreject) to see the versions of the message.
+ShowHighestSpeed3GPreferred | Select **Yes** to show the **3G Preferred** option in the **Highest connection speed** drop-down menu. Select **No** to hide **3G Preferred**.
+ShowManualAvoidance | Select **Yes** to show the **Switch to next network manually** button in SIM settings when Mode Selection is CDMA on a C+G dual SIM phone. Select **No** to hide the **Switch to next network manually** button
+ShowPreferredPLMNPage | Select **Yes** to show the preferred public land mobile network (PLMN) page in SIM settings.
+ShowSpecificWifiCallingError | Select **Yes** to show a specific error message based on operator requirements.
+ShowViewAPN | Select **Yes** to show the **View Internet APN** button in **Settings** > **cellular+SIM**.
+ShowWifiCallingEmergencyCallWarning | Select **Yes** to show Wi-Fi emergency call warning.
+ShowWifiCallingError | Select **Yes** to show Wi-Fi calling error message.
+SuppressDePersoUI | Select **Yes** to hide the perso unlock UI.
+
+
+### CGDual
+
+Use **CGDual** > **RestrictToGlobalMode** to configure settings for global mode on C+G Dual SIM phones. When the device registration changes, if the value for this setting is set, the OS changes the preferred system type to the default preferred system type for world mode. If the phone is not camped on any network, the OS assumes the phone is on the home network and changes the network registration preference to default mode.
+
+Select from the following:
+
+- RestrictToGlobalMode_Disabled: the phone is not restricted to global mode.
+- RestrictToGlobalMobe_Home: when a slot is registered at home and supports global mode, the mode selection is restricted to global mode.
+- RestrictToGlobalMode_Always: if a slot supports global mode and this value is selected, the mode selection is restricted to global mode.
+
+### eSim
+
+Configure **FwUpdate** > **AllowedAppIdList** to whitelist apps that are allowed to update the firmware. Obtain the app IDs from the card vendor.
+
+### External
+
+Setting | Description
+--- | ---
+CallSupplementaryService > OTASPNonStandardDialString | Enter a list of all desired non-standard OTASP dial strings.
+CarrierSpecific > FallBackMode | Select between **GWCSFB** and **1xCSFB** for fallback mode.
+CarrierSpecific > VZW > ActSeq | Enables activation for 4G VZW card. Do not configure this setting for non-VZW devices.
+EnableLTESnrReporting | Select between **Use only RSRP** and **Use both RSRP and ECNO** to check if SNR needs to be used for LTE Signal Quality calculations.
+EnableUMTSEcnoReporting | Select between **Use only RSSI** and **Use both RSSI and SNR** to check if SNR needs to be used for UMTS Signal Quality calculations.
+ImageOnly > ERI > AlgorithmMBB0 | Select between **Sprint** and **Verizon** to specify the ERI algorithm in MBB for subscription 0.
+ImageOnly > ERI > AlgorithmMBB1 | Select between **Sprint** and **Verizon** to specify the ERI algorithm in MBB for subscription 1.
+ImageOnly > ERI > AlgorithmWmRil | Select between **Sprint** and **Verizon** to specify the ERI-based notification algorithm.
+ImageOnly > ERI > DataFileNameWmRil | Specify the location of the ERI file on the device; for example, `C:\Windows\System32\SPCS_en.eri`. *SPCS_en.eri* is a placeholder. Obtain the ERI file name from the mobile operator and replace this filename with it.
+ImageOnly > ERI > EnabledWmRil | Enable or disable ERI-based notifications.
+ImageOnly > ERI > ERIDataFileNameMBB0 | Specify the ERI data file name with international roaming list for Verizon in MBB for subscription 0.
+ImageOnly > ERI > ERIDataFileNameMBB1 | Specify the ERI data file name with international roaming list for Verizon in MBB for subscription 1.
+ImageOnly > ERI > ERISprintIntlRoamDataFileNameMBB0 | Specify the ERI data file name with international roaming list for Sprint in MBB for subscription 0.
+ImageOnly > ERI > ERISprintIntlRoamDataFileNameMBB1 | Specify the ERI data file name with international roaming list for Sprint in MBB for subscription 1.
+ImageOnly > ERI > SprintInternationalERIValuesWmRil | Specify the international ERI values for Sprint as `to 4A,7C,7D,7E,9D,9E,9F,C1,C2,C3,C4,C5,C6,E4,E5,E6,E7,E8.`.
+ImageOnly > MTU > DormancyTimeout0 | Enter the number of milliseconds to wait after dormancy hint before telling the modem to make the air interface dormant for subscription 0. Minimum value is 1703, and maximum value is 5000.
+ImageOnly > MTU > DormancyTimeout1 | Enter the number of milliseconds to wait after dormancy hint before telling the modem to make the air interface dormant for subscription 1. Minimum value is 1703, and maximum value is 5000.
+ImageOnly > MTU > MTUDataSize | Customize the TCP maximum segment size (MSS) by setting the maximum transmission unit (MTU) data size if the MSS does not meet the requirements of the mobile operator network. For TCP, the default maximum transmission unit (MTU) is set to 1500 bytes, which makes the maximum segment size (MSS) 1460 bytes. In general, this value should not be changed, as the user experience will degrade if low values are set. However, if the MSS does not meet the requirements of the mobile operator network, OEMs can customize it by setting the MTU data size. This customization configures the MTU, so the size should be set to the required MSS size plus 40 bytes.
+ImageOnly > MTU > RoamingMTUDataSize | Customize the TCP maximum segment size (MSS) for roaming by setting the maximum transmission unit (MTU) data size if the MSS does not meet the requirements of the mobile operator network. For TCP, the default maximum transmission unit (MTU) is set to 1500 bytes, which makes the maximum segment size (MSS) 1460 bytes. In general, this value should not be changed, as the user experience will degrade if low values are set. However, if the MSS does not meet the requirements of the mobile operator network, OEMs can customize it for roaming by setting the MTU data size. This customization configures the MTU, so the size should be set to the required MSS size plus 40 bytes.
+ImageOnly > SuppressNwPSDetach | Configure whether to suppress reporting of network-initiated PS detach (appear attached to OS) until deregistered.
+SignalBarMapping Table | You can modify the percentage values used for the signal strength in the status bar per filter. For details, see [Custom percentages for signal strength bars](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/custom-percentages-for-signal-strength-bars).
+SRVCCAutoToggleWmRil | Configure whether to link SRVCC to VOLTE on/off.
+
+
+
+### General
+
+Setting | Description
+--- | ---
+atomicRoamingTableSettings3GPP | If you enable 3GPP roaming, configure the following settings:- **Exceptions** maps the SerialNumber key to the Exceptions value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "Exceptions" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (Exceptions). The data in the regvalue is a string representing an MCC-MNC pair, such as "410510" where 410 is the MCC and 510 is the MNC.- **HomePLMN** maps the SerialNumber key to the HomePLMN value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "HomePLMN" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (HomePLMN). The data in the regvalue is a string representing an MCC-MNC pair, such as "410510" where 410 is the MCC and 510 is the MNC.- **TargetImsi** maps the SerialNubmer key to the TargetIMSI value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "TargetImsi" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (TargetImsi). The data in the regvalue is a string representing an MCC-MNC pair, such as "410510" where 410 is the MCC and 510 is the MNC.
+atomicRoamingTableSettings3GPP2 | If you enable 3GPP2 roaming, configure the following settings:- **Home** maps the SerialNumber key to the Home value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "Home" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (Home). The data in the regvalue is a DWORD representing the Roaming Indicator. - **Roaming** maps the SerialNumber key to the Roaming value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "Roaming" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (Roaming). The data in the regvalue is a DWORD representing the Roaming Indicator.
+AvoidStayingInManualSelection | You can enable permanent automatic mode for mobile networks that require the cellular settings to revert to automatic network selection after the user has manually selected another network when roaming or out of range of the home network.
+CardAllowList | Define the list of SIM cards allowed in the first slot of a C+G dual SIM phone. This setting is used only if **CardLock** is set to allow it. If **CardLock** is not set, this list is ignored. To configure the list of SIM cards allowed in the first slot, set the value for CardAllowList to a comma-separated MCC:MNC list. You can also use wild cards, represented by an asterisk, to accept any value. For example, you can set the value to `310:410,311:*,404:012,310:70`.
+CardBlockList | Define the list of SIM cards that are not allowed in the first slot of a C+G dual SIM phone. This setting is used only if **CardLock** is set to allow it. If **CardLock** is not set, this list is ignored. To configure the list of SIM cards that are not allowed in the first slot, set the value for CardBlockList to a comma separated MCC:MNC list. You can also use wild cards, represented by an asterisk, to accept any value. For example, you can set the value to `310:410,311:*,404:012,310:70`.
+CardLock | Used to enforce either the card allow list or both the card allow and block lists on a C+G dual SIM phone.
+DefaultSlotAffinity | Set the data connection preference for:- **SlotAffinityForInternetData_Automatic**: data connection preference is automatically set- **SlotAffinityForInternetData_Slot0**: sets the data connection preference to Slot 0. The data connection cannot be edited by the user.- **SlotAffinityForInternetData_Slot1**: Sets the data connection preference to Slot 1. The data connection cannot be edited by the user.
+DisableLTESupportWhenRoaming | Set to **Yes** to disable LTE support when roaming.
+DisableSystemTypeSupport | Enter the system types to be removed.
+DTMFOffTime | Sets the length of time, in milliseconds (between 64 and 1000 inclusive), of the pause between DTMF digits. For example, a value of 120 specifies 0.12 seconds.
+DTMFOnTime | Sets the length of time, in milliseconds (between 64 and 1000 inclusive), to generate the DTMF tone when a key is pressed. For example, a value of 120 specifies 0.12 seconds.
+ExcludedSystemTypesByDefault | Set the default value for **Highest connection speed** in the **Settings** > **Cellular & SIM** > **SIM** screen by specifying the bitmask for any combination of radio technology to be excluded from the default value. The connection speed that has not been excluded will show up as the highest connection speed. On dual SIM phones that only support up to 3G connection speeds, the **Highest connection speed** option is replaced by a 3G on/off toggle based on the per-device setting. Enter the binary setting to exclude 4G (`10000`) or 3G (`01000`).
+ExcludedSystemTypesPerOperator | Exclude specified system types from SIM cards that match the MCC:MNC pairs listed in **OperatorListForExcludedSystemTypes**. This setting is used only for China. Set the value to match the system type to be excluded. For more information about the RIL system types, see [RILSYSTEMTYPE](https://msdn.microsoft.com/library/windows/hardware/dn931143.aspx). For example, a value of 0x8 specifies RIL_SYSTEMTYPE_UMTS (3G) while 0x10 specifies RIL_SYSTEMTYPE_LTE (4G). To exclude more than one system type, perform a bitwise OR operation on the radio technologies you want to exclude. For example, a bitwise OR operation on RIL_SYSTEMTYPE_LTE (4G) and RIL_SYSTEMTYPE_UMTS (3G) results in the value 11000 (binary) or 0x18 (hexadecimal). In this case, the ExcludedSystemTypesPerOperator value must be set to 0x18 to limit the matching MCC:MNC pairs to 2G.
+LTEEnabled | Select **Yes** to enable LTE, and **No** to disable LTE.
+LTEForced | Select **Yes** to force LTE.
+ManualNetworkSelectionTimeout | Set the default network selection timeout value, in a range of 1-600 seconds. By default, the OS allows the phone to attempt registration on the manually selected network for 60 seconds (or 1 minute) before it switches back to automatic mode. This value is the amount of time that the OS will wait for the modem to register on the manually selected network. If the time lapses and the modem was not able to register on the network that was manually selected by the user, the OS will either switch back to the automatic network selection mode if Permanent automatic mode is enabled, and the user has manually selected a network or the modem was turned on, or display a dialog that notifies the user that the phone was unable to connect to the manually selected network after the phone was turned on or after airplane mode was turned off.
+NetworkSuffix | To meet branding requirements for some mobile operators, you can add a suffix to the network name that is displayed on the phone. For example, you can change from ABC to ABC 3G when under 3G coverage. This feature can be applied for any radio access technology (RAT). For TD-SCDMA RAT, a 3G suffix is always appended by default, but partners can also customize this the same way as with any other RAT. In the setting name, set SYSTEMTYPE to the network type that you want to append the network name to and click **Add**:- system type 4: 2G (GSM)- system type 8: 3G (UMTS)- system type 16: LTE- system type 32: 3G (TS-SCDMA)Select the system type that you added, and enter the network name and suffix that you want displayed.
+NitzFiltering | For mobile networks that can receive Network Identity and Time Zone (NITZ) information from multiple sources, partners can set the phone to ignore the time received from an LTE network. Time received from a CDMA network is not affected. Set the value of NitzFiltering to `0x10`.
+OperatorListForExcludedSystemTypes | Enter a comma-separated list of MCC and MNC (MCC:MNC) for which system types should be restricted. For mobile operators that require more control over the system types that their phones use to connect to the mobile operators' networks, OEMs can specify the MCC and MNC of other specific operators that the main mobile operator wishes to limit. If the UICC's MCC and MNC matches any of the pairs that OEMs can specify for the operator, a specified RIL system type will be removed from the UICC regardless of its app types, slot position, or executor mapping. This setting is used only for China. OEMs should not use this setting unless required by the mobile operator. Set the value of the OperatorListForExcludedSystemTypes setting a comma separated list of MCC:MNC pairs for which the system types should be restricted. For example, the value can be set to 310:026,310:030 to restrict operators with an MCC:MNC of 310:026 and 310:030.
+OperatorPreferredForFasterRadio | Set Issuer Identification Number (IIN) or partial ICCID of preferred operator for the faster radio. For mobile operators that require more control over the system types that their phones use to connect to the mobile operators' networks, OEMs can map a partial ICCID or an Industry Identification Number (IIN) to the faster radio regardless of which SIM card is chosen for data connectivity. This setting is used only for China. OEMs should not use this setting unless required by the mobile operator. To map a partial ICCID or an IIN to the faster radio regardless of which SIM card is chosen for data connectivity, set the value of OperatorPreferredForFasterRadio to match the IIN or the ICCID, up to 7 digits, of the preferred operator.
+PreferredDataProviderList | OEMs can set a list of MCC/MNC pairs for the purchase order (PO) carrier or primary operator. For mobile operators that require it, OEMs can set a list of MCC/MNC pairs for the purchase order (PO) carrier or primary operator so that it can be set as the default data line for phones that have a dual SIM. When the PO SIM is inserted into the phone, the OS picks the PO SIM as the data line and shows a notification to the user that the SIM has been selected for Internet data. If two PO SIMs are inserted, the OS will choose the first PO SIM that was detected as the default data line and the mobile operator action required dialogue (ARD) is shown. If two non-PO SIMs are inserted, the user is prompted to choose the SIM to use as the default data line. Note OEMs should not set this customization unless required by the mobile operator. To enumerate the MCC/MNC value pairs to use for data connections, set the value for **PreferredDataProviderList**. The value must be a comma-separated list of preferred MCC:MNC values. For example, the value can be 301:026,310:030 and so on.
+Slot2DisableAppsList | Disable specified apps from slot 2 on a C+G dual SIM phone. To disable a list of specified apps from Slot 2, set Slot2DisableAppsList to a comma-separated list of values representing the apps. For example, `4,6`.
+Slot2ExcludedSystemTypes | Exclude specified system types from SIM cards inserted in Slot 2. For mobile operators that require more control over the system types that their phones use to connect to the mobile operators' networks, OEMs can restrict the second slot in a dual-SIM phone regardless of what apps or executor mapping the second slot is associated with. Note This setting is used only for China. OEMs should not use this setting unless required by the mobile operator. To allow an operator to simply restrict the second slot in a dual SIM phone regardless of what apps or executor mapping the second slot is associated with, set the value of Slot2ExcludedSystemTypes to the system types to be excluded from the SIM cards inserted in Slot 2. For example, a value of 0x8 specifies RIL_SYSTEMTYPE_UMTS (3G) while 0x10 specifies RIL_SYSTEMTYPE_LTE (4G). To exclude more than one system type, perform a bitwise OR operation on the radio technologies you want to exclude. For example, a bitwise OR operation on RIL_SYSTEMTYPE_LTE (4G) and RIL_SYSTEMTYPE_UMTS (3G) results in the value 11000 (binary) or 0x18 (hexadecimal). In this case, any SIM inserted in Slot 2 will be limited to 2G. For more information about the RIL system types, see [RILSYSTEMTYPE](https://msdn.microsoft.com/library/windows/hardware/dn931143.aspx).
+SuggestDataRoamingARD | Use to show the data roaming suggestion dialog when roaming and the data roaming setting is set to no roaming.
+SuggestGlobalModeARD | Define whether Global Mode is suggested on a C+G dual SIM phone.
+SuggestGlobalModeTimeout | To specify the number of seconds to wait for network registration before suggesting global mode, set SuggestGlobalModeTimeout to a value between 1 and 600, inclusive. For example, to set the timeout to 60 seconds, set the value to 60 (decimal) or 0x3C (hexadecimal).
+
+### RCS
+
+Setting | Description
+--- | ---
+SystemEnabled | Select **Yes** to specify that the system is RCS-enabled.
+UserEnabled | Select **Yes** to show the user setting if RCS is enabled on the device.
+
+### SMS
+
+Setting | Description
+--- | ---
+AckExpirySeconds | Set the value, in seconds, for how long to wait for a client ACK before trying to deliver.
+DefaultMCC | Set the default mobile country code (MCC).
+Encodings > GSM7BitEncodingPage | Enter the code page value for the 7-bit GSM default alphabet encoding. Values:- Code page value: 55000 (Setting value: 0xD6D8)(Code page: default alphabet)- Code page value: 55001 (Setting value: 0xD6D9)(Code page: GSM with single shift for Spanish)- Code page value: 55002 (Setting value: 0xD6DA)(Code page: GSM with single shift for Portuguese)- Code page value: 55003 (Setting value: 0xD6DB)(Code page: GSM with single shift for Turkish)- Code page value: 55004 (Setting value: 0xD6DC)(Code page: SMS Greek Reduction)
+Encodings > GSM8BitEncodingPage | Enter the code page value for GSM 8-bit encoding (OEM set). OEM-created code page IDs should be in the range 55050–55099. For more information, see [Add encoding extension tables for SMS]https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/add-encoding-extension-tables-for-sms).
+Encodings > OctetEncodingPage | Set the octet (binary) encoding.
+Encodings > SendUDHNLSS | Set the 7 bit GSM shift table encoding.
+Encodings > UseASCII | Set the 7 bit ASCII encoding. Used only for CDMA carriers that use 7-bit ASCII encoding instead of GSM 7-bit encoding.
+Encodings > UseKeyboardLangague | Set whether to use the keyboard language (Portuguese, Spanish, or Turkish) based encoding (set shift table based on keyboard language).
+IncompleteMsgDeliverySeconds | Set the value, in seconds, for long to wait for all parts of multisegment Sprint messages for concatenation.
+MessageExpirySeconds | Partners can set the expiration time before the phone deletes the received parts of a long SMS message. For example, if the phone is waiting for a three-part SMS message and the first part has been received, the first part will be deleted when the time expires and the other part of the message has not arrived. If the second part of the message arrives before the time expires, the first and second parts of the message will be deleted if the last part does not arrive after the time expires. The expiration time is reset whenever the next part of the long message is received. Set MessageExpirySeconds to the number seconds that the phone should wait before deleting the received parts of a long SMS messages. This value should be in hexadecimal and must be prefixed with 0x. The default value is 0x15180, which is equivalent to 1 day or 86,400 seconds.
+SmsFragmentLimit | Partners can specify a maximum length for SMS messages. This requires setting both the maximum number of SMS fragments per SMS message, from 1 to 255, and the maximum size in bytes of each SMS fragment, from 16 to 140 bytes. Use SmsFragmentLimit to set the maximum number of bytes in the user data body of an SMS message. You must set the value between 16 (0x10) and 140 (0x8C). You must also use SmsPageLimit to set the maximum number of segments in a concatenated SMS message.
+SmsPageLimit | Partners can specify a maximum length for SMS messages. This requires setting both the maximum number of SMS fragments per SMS message, from 1 to 255, and the maximum size in bytes of each SMS fragment, from 16 to 140 bytes. Use SmsPageLimit to set the maximum number of segments in a concatenated SMS message. You must set the value to 255 (0xFF) or smaller. You must also use SmsFragmentLimit to set the maximum number of bytes in the body of the SMS message.
+SprintFragmentInfoInBody | Partners can enable the messaging client to allow users to enter more than 160 characters per message. Messages longer than 160 characters are sent as multiple SMS messages that contain a tag at the beginning of the message in the form "(1/2)", where the first number represents the segment or part number and the second number represents the total number of segments or parts. Multiple messages are limited to 6 total segments. When enabled, the user cannot enter more characters after the 6 total segments limit is reached. Any message received with tags at the beginning is recombined with its corresponding segments and shown as one composite message.
+Type3GPP > ErrorHandling > ErrorType | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error type that you added as **Transient Failure** or **Permanent Failure**.
+Type3GPP > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error class that you added as **generic error**, **invalid recepient address**, or **network connectivity trouble**.
+Type3GPP > IMS > SmsUse16BitReferenceNumbers | Configure whether to use 8-bit or 16-bit message ID (reference number) in the UDH.
+Type3GPP2 > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP2, and click **Add**. Configure the error class that you added as **generic error**, **invalid recepient address**, or **network connectivity trouble**.
+Type3GPP2 > ErrorHandling > UseReservedAsPermanent | Set the 3GPP2 permanent error type.
+
+### UIX
+
+Setting | Description
+--- | ---
+SIM1ToUIM1 | Used to show UIM1 as an alternate string instead of SIM1 for the first SIM on C+G dual SIM phones.
+SIMToSIMUIM | Partners can change the string "SIM" to "SIM/UIM" to accommodate scenarios such as Dual Mode cards of SIM cards on the phone. This can provide a better user experience for users in some markets. Enabling this customization changes all "SIM" strings to "SIM/UIM".
+
+
+
+### UTK
+
+Setting | Description
+--- | ---
+UIDefaultDuration | Specifies the default time, in milliseconds, that the DISPLAY TEXT, GET INKEY, PLAY TONE, or SELECT ITEM dialog should be displayed. The default value is 60000 milliseconds (60 seconds). The valid value range is 1-120000.
+UIGetInputDuration | Specifies the default time, in milliseconds, that the GET INPUT dialog should be displayed. The default value is 120000 milliseconds (120 seconds). The valid value range is 1-120000.
+
+
+
+
+## PerlMSI
+
+Enter an IMSI, click **Add**, and then select the IMSI that you added to configure the following settings.
+
+
+### CellData
+
+Setting | Description
+--- | ---
+MaxNumberOfPDPContexts | OEMs can set a maximum value for the number of simultaneous packet data protocol (PDP) contexts for 3GPP connections. By default, the OS enforces a maximum of four (4) simultaneous packet data protocol (PDP) contexts for 3GPP connections, and one (1) PDP context for 3GPP2 connections. OEMs can set a different maximum value if required by their mobile operator. The same maximums apply for both roaming and non-roaming scenarios. This maximum does not include packet contexts used internally by the modem.
+
+
+
+### CellUX
+
+Setting | Description
+--- | ---
+APNIPTypeIfHidden | Used to set the default IP type shown in the **IP type** listbox on the **internet APN** settings screen.
+Critical > ShowVoLTERoaming | Use to show the IMS roaming control in the cellular settings page
+Critical > ShowVoLTEToggle | Show or hide VoLTE toggle.
+Critical > SwitchIMS | Switch IMS on or off with a toggle. OEMs can configure the default settings and toggle for IMS services to meet mobile operator requirements. Users can later manually change the default values for these settings if they choose to do so.
+Critical > SwitchSMSOverIMS | Switch SMS over IMS on or off when VoLTE is toggled.
+Critical > SwitchVideoOverIMS | Use to switch video over IMS when VoLTE is switched.
+Critical > SwitchVoiceOverIMS | Switch voice over IMS when VoLTE is toggled.
+Critical > SwitchXCAP | Use to switch the XML Configuration Access Protocol (XCAP) when VoLTE is enabled.
+Critical > VoLTERoamingOffDescription | Use to customize the description string that appears under IMS roaming control when IMS roaming is turned off. The string must not be longer than 127 characters.
+Critical > VoLTERoamingOnDescription | Use to customize the description string that appears under IMS roaming control when IMS roaming is turned on. The string must not be longer than 127 characters.
+Critical > VoLTERoamingSettingDisableDuringCall | Use to specify whether to grey out VoLTE roaming settings during an active VoLTE call.
+Critical > VoLTERoamingTitle | Use to customize the description string for the IMS roaming control. The string must not be longer than 127 characters.
+Critical > VoLTESectionTitle | Use to customize the section title for the IMS settings. he string must not be longer than 127 characters.
+Critical > VoLTESettingDisableDuringCall | Use to specify whether to grey out VoLTE-related settings during an active VoLTE call.
+Critical > VoLTEToggleDescription | Use to customize the VoLTE toggle description. To customize the VoLTE toggle description, set VoLTEToggleDescription to the name of the resource-only .dll file, specifying the string offset. For example: @DisplayStrings.dll,-101.
+Critical > VoLTEToggleSettingDisableDuringCall | Use to specify whether to grey out the VoLTE toggle during an active VoLTE call.
+Critical > VoLTEToggleTitle | Use to customize the VoLTE toggle label. To customize the VoLTE toggle label, set VoLTEToggleTitle to the name of the resource-only .dll file, specifying the string offset. For example: @DisplayStrings.dll,-102.
+Critical > WFCSettingDisableDuringCall | Use to specify whether to grey out the Wi-Fi calling settings during an active VoLTE call.
+Disable2GByDefault | Select **Yes** to disable 2G by default. Select **No** to enable 2G.
+Disabled2GNoticeDescription | Enter text to customize the notification for disabled 2G.
+GenericWifiCallingErrorMessage | Enter text to customize the generic error message when a Wi-Fi calling error occurs.
+Hide3GPP2ModeSelection | Select **Yes** to hide the **CDMA** option in the network **Mode** selection drop-down menu. Select **No** to show the **CDMA** option.
+Hide3GPP2Selection | For 3GPP2 or CDMA phones, select **Yes** to hide the **Network Type** drop-down menu in the **SIM** settings screen. Select **No** to show **Network Type**.
+Hide3GPPNetworks | For 3GPP or GSM phones, select **Yes** to hide the **Network Type** drop-down menu in the **SIM settings** screen. Select **No** to show **Network Type**.
+HideAPN | Select **Yes** to hide the **add internet APN** button in the **SIM settings** screen. Select **No** to show **add internet APN**.
+HideAPNIPType | Select **Yes** to hide the **IP type** list in the **internet APN** settings screen. Select **No** to show **IP type**.
+HideDisabled2GNotice | Select **Yes** to hide the notification for disabled 2G. Select **No** to show the notification for disabled 2G.
+HideHighestSpeed | Select **Yes** to hide the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show **Highest connection speed**.
+HideHighestSpeed2G | Select **Yes** to hide the 2G option on the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the 2G option.
+HideHighestSpeed3GOnly | Select **Yes** to hide the 3G option on the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the 3G option.
+HideHighestSpeed4G | Select **Yes** to hide the 4G option on the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the 4G option.
+HideHighestSpeed4G3GOnly | Select **Yes** to hide the 4G or 3G Only option on the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the 4G or 3G Only option.
+HideHighestSpeed4GOnly | Select **Yes** to hide the 4G Only option on the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the 4G Only option.
+HideLTEAttachAPN | Select **Yes** to hide the **LTE attach APN** button on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the **LTE attach APN** button.
+HideMMSAPN | Select **Yes** to hide the **add mms apn** button on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the **add mms apn** button.
+HideMMSAPNIPType | Select **Yes** to hide the APN IP type selector on the MMS APN page. Select **No** to show the APN IP type selector.
+HideModeSelection | Select **Yes** to hide the **Network Mode selection** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the **Network Mode selection**.
+HidePersoUnlock | Select **Yes** to hide the Perso unlock UI. Select **No** to show the Perso unlock UI.
+HighestSpeed2G | You can customize the listed names of the connection speeds with their own character codes. To modify "2G" to another character code, change the value of HighestSpeed2G. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed3G | You can customize the listed names of the connection speeds with their own character codes. To modify "3G" to another character code, change the value of HighestSpeed3G. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed3GOnly | You can customize the listed names of the connection speeds with their own character codes. To modify "3G Only" to another character code, change the value of HighestSpeed3GOnly. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed3GPreferred | You can customize the listed names of the connection speeds with their own character codes. To modify "3G Preferred" to another character code, change the value of HighestSpeed3GPreferred. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed4G | You can customize the listed names of the connection speeds with their own character codes. To modify "4G" to another character code, change the value of HighestSpeed4G. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed4G3GOnly | You can customize the listed names of the connection speeds with their own character codes. To modify "4G or 3G Only" to another character code, change the value of HighestSpeed4G3GOnly. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed4GOnly | You can customize the listed names of the connection speeds with their own character codes. To modify "4G Only" to another character code, change the value of HighestSpeed4GOnly. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeedTitle | You can customize the **Highest connection speed** drop-down label in the **Settings** > **Cellular+SIM** > **SIM** settings page. To change the Highest connection speed drop-down label, set HighestSpeedTitle to another string. For example, you can set this to "Preferred connection speed".
+IsATTSpecific | Control the roaming text for AT&T devices. AT&T requires the phone to show a particular roaming text to meet their legal and marketing guidelines. By default, if the user chooses **roam** under **Data roaming options** in the **Settings** > **Cellular+SIM** screen, they will see the following text: *Depending on your service agreement, you might pay more when using data roaming.* If you set IsATTSpecific to **Yes**, the following roaming text will be displayed instead: *International data roaming charges apply for data usage outside the United States, Puerto Rico, and United States Virgin Islands. Don’t allow roaming to avoid international data roaming charges.*
+LTEAttachGUID | Set the value for LTEAttachGuid to the OemConnectionId GUID used for the LTE attach profile in the modem. The value is a GUID in the string format *XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX*.
+MMSAPNIPTypeIfHidden | Select between **IPV4**, **IPV6**, **IPV4V6**, and **IPV4V6XLAT** for default MMS APN IP type.
+ShowExtendedRejectCodes | When a reject code is sent by the network, partners can specify that extended error messages should be displayed instead of the standard simple error messages. This customization is only intended for use when required by the mobile operator’s network. The short versions of the extended reject message are shown in the following screens:- Phone tile in Start- Call History screen- Dialer- Call Progress screen- Incoming Call screen- As the status string under Settings > cellular+SIMThe long version of the extended reject message is shown under the Active Network label in **Settings** > **cellular+SIM**. Select **Yes** to show the extended error message. Select **No** to hide the extended error message. See [Error messages for reject codes](#errorreject) to see the versions of the message.
+ShowHighestSpeed3GPreferred | Select **Yes** to show the **3G Preferred** option in the **Highest connection speed** drop-down menu. Select **No** to hide **3G Preferred**.
+ShowManualAvoidance | Select **Yes** to show the **Switch to next network manually** button in SIM settings when Mode Selection is CDMA on a C+G dual SIM phone. Select **No** to hide the **Switch to next network manually** button
+ShowPreferredPLMNPage | Select **Yes** to show the preferred public land mobile network (PLMN) page in SIM settings.
+ShowSpecificWifiCallingError | Select **Yes** to show a specific error message based on operator requirements.
+ShowViewAPN | Select **Yes** to show the **View Internet APN** button in **Settings** > **cellular+SIM**.
+ShowWifiCallingEmergencyCallWarning | Select **Yes** to show Wi-Fi emergency call warning.
+ShowWifiCallingError | Select **Yes** to show Wi-Fi calling error message.
+
+
+
+
+
+### General
+
+Setting | Description
+--- | ---
+atomicRoamingTableSettings3GPP | If you enable 3GPP roaming, configure the following settings:- **Exceptions** maps the SerialNumber key to the Exceptions value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "Exceptions" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (Exceptions). The data in the regvalue is a string representing an MCC-MNC pair, such as "410510" where 410 is the MCC and 510 is the MNC.- **HomePLMN** maps the SerialNumber key to the HomePLMN value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "HomePLMN" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (HomePLMN). The data in the regvalue is a string representing an MCC-MNC pair, such as "410510" where 410 is the MCC and 510 is the MNC.- **TargetImsi** maps the SerialNubmer key to the TargetIMSI value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "TargetImsi" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (TargetImsi). The data in the regvalue is a string representing an MCC-MNC pair, such as "410510" where 410 is the MCC and 510 is the MNC.
+atomicRoamingTableSettings3GPP2 | If you enable 3GPP2 roaming, configure the following settings:- **Home** maps the SerialNumber key to the Home value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "Home" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (Home). The data in the regvalue is a DWORD representing the Roaming Indicator. - **Roaming** maps the SerialNumber key to the Roaming value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "Roaming" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (Roaming). The data in the regvalue is a DWORD representing the Roaming Indicator.
+AvoidStayingInManualSelection | You can enable permanent automatic mode for mobile networks that require the cellular settings to revert to automatic network selection after the user has manually selected another network when roaming or out of range of the home network.
+CardAllowList | Define the list of SIM cards allowed in the first slot of a C+G dual SIM phone. This setting is used only if **CardLock** is set to allow it. If **CardLock** is not set, this list is ignored. To configure the list of SIM cards allowed in the first slot, set the value for CardAllowList to a comma-separated MCC:MNC list. You can also use wild cards, represented by an asterisk (*), to accept any value. For example, you can set the value to `310:410,311:*,404:012,310:70`.
+CardBlockList | Define the list of SIM cards that are not allowed in the first slot of a C+G dual SIM phone. This setting is used only if **CardLock** is set to allow it. If **CardLock** is not set, this list is ignored. To configure the list of SIM cards that are not allowed in the first slot, set the value for CardBlockList to a comma separated MCC:MNC list. You can also use wild cards, represented by an asterisk (*), to accept any value. For example, you can set the value to `310:410,311:*,404:012,310:70`.
+CardLock | Used to enforce either the card allow list or both the card allow and block lists on a C+G dual SIM phone.
+Critical > MultivariantProvisionedSPN | Used to change the default friendly SIM names in dual SIM phones. By default, the OS displays SIM 1 or SIM 2 as the default friendly name for the SIM in slot 1 or slot 2 if the service provider name (SPN) or mobile operator name has not been set. Partners can use this setting to change the default name read from the SIM to define the SPN for SIM cards that do not contain this information or to generate the default friendly name for the SIM. The OS uses the default value as the display name for the SIM or SPN in the Start screen and other parts of the UI including the SIM settings screen. For dual SIM phones that contain SIMs from the same mobile operator, the names that appear in the UI may be similar. See [Values for MultivariantProvisionedSPN](#spn).
+Critical > SimNameWithoutMSISDNENabled | Use this setting to remove the trailing MSISDN digits from the service provider name (SPN) in the phone UI. By default, the OS appends the trailing MSISDN digits to the service provider name (SPN) in the phone UI, including on the phone and messaging apps. If required by mobile operators, OEMs can use the SimNameWithoutMSISDNEnabled setting to remove the trailing MSISDN digits. However, you must use this setting together with **MultivariantProvisionedSPN** to suppress the MSISDN digits.
+DisableLTESupportWhenRoaming | Set to **Yes** to disable LTE support when roaming.
+ExcludedSystemTypesByDefault | Set the default value for **Highest connection speed** in the **Settings** > **Cellular & SIM** > **SIM** screen by specifying the bitmask for any combination of radio technology to be excluded from the default value. The connection speed that has not been excluded will show up as the highest connection speed. On dual SIM phones that only support up to 3G connection speeds, the **Highest connection speed** option is replaced by a 3G on/off toggle based on the per-device setting. Enter the binary setting to exclude 4G (`10000`) or 3G (`01000`).
+LTEEnabled | Select **Yes** to enable LTE, and **No** to disable LTE.
+LTEForced | Select **Yes** to force LTE.
+NetworkSuffix | To meet branding requirements for some mobile operators, you can add a suffix to the network name that is displayed on the phone. For example, you can change from ABC to ABC 3G when under 3G coverage. This feature can be applied for any radio access technology (RAT). For TD-SCDMA RAT, a 3G suffix is always appended by default, but partners can also customize this the same way as with any other RAT. In the setting name, set SYSTEMTYPE to the network type that you want to append the network name to and click **Add**:- system type 4: 2G (GSM)- system type 8: 3G (UMTS)- system type 16: LTE- system type 32: 3G (TS-SCDMA)Select the system type that you added, and enter the network name and suffix that you want displayed.
+NitzFiltering | For mobile networks that can receive Network Identity and Time Zone (NITZ) information from multiple sources, partners can set the phone to ignore the time received from an LTE network. Time received from a CDMA network is not affected. Set the value of NitzFiltering to `0x10`.
+OperatorListForExcludedSystemTypes | Enter a comma-separated list of MCC and MNC (MCC:MNC) for which system types should be restricted. For mobile operators that require more control over the system types that their phones use to connect to the mobile operators' networks, OEMs can specify the MCC and MNC of other specific operators that the main mobile operator wishes to limit. If the UICC's MCC and MNC matches any of the pairs that OEMs can specify for the operator, a specified RIL system type will be removed from the UICC regardless of its app types, slot position, or executor mapping. This setting is used only for China. OEMs should not use this setting unless required by the mobile operator. Set the value of the OperatorListForExcludedSystemTypes setting a comma separated list of MCC:MNC pairs for which the system types should be restricted. For example, the value can be set to 310:026,310:030 to restrict operators with an MCC:MNC of 310:026 and 310:030.
+OperatorPreferredForFasterRadio | Set Issuer Identification Number (IIN) or partial ICCID of preferred operator for the faster radio. For mobile operators that require more control over the system types that their phones use to connect to the mobile operators' networks, OEMs can map a partial ICCID or an Industry Identification Number (IIN) to the faster radio regardless of which SIM card is chosen for data connectivity. This setting is used only for China. OEMs should not use this setting unless required by the mobile operator. To map a partial ICCID or an IIN to the faster radio regardless of which SIM card is chosen for data connectivity, set the value of OperatorPreferredForFasterRadio to match the IIN or the ICCID, up to 7 digits, of the preferred operator.
+SuggestDataRoamingARD | Use to show the data roaming suggestion dialog when roaming and the data roaming setting is set to no roaming.
+
+
+
+
+
+
+
+### RCS
+
+See descriptions in Windows Configuration Designer.
+
+
+
+
+### SMS
+
+Setting | Description
+--- | ---
+AckExpirySeconds | Set the value, in seconds, for how long to wait for a client ACK before trying to deliver.
+DefaultMCC | Set the default mobile country code (MCC).
+Encodings > GSM7BitEncodingPage | Enter the code page value for the 7-bit GSM default alphabet encoding. Values:- Code page value: 55000 (Setting value: 0xD6D8)(Code page: default alphabet)- Code page value: 55001 (Setting value: 0xD6D9)(Code page: GSM with single shift for Spanish)- Code page value: 55002 (Setting value: 0xD6DA)(Code page: GSM with single shift for Portuguese)- Code page value: 55003 (Setting value: 0xD6DB)(Code page: GSM with single shift for Turkish)- Code page value: 55004 (Setting value: 0xD6DC)(Code page: SMS Greek Reduction)
+Encodings > GSM8BitEncodingPage | Enter the code page value for GSM 8-bit encoding (OEM set). OEM-created code page IDs should be in the range 55050–55099. For more information, see [Add encoding extension tables for SMS]https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/add-encoding-extension-tables-for-sms).
+Encodings > OctetEncodingPage | Set the octet (binary) encoding.
+Encodings > SendUDHNLSS | Set the 7 bit GSM shift table encoding.
+Encodings > UseASCII | Set the 7 bit ASCII encoding. Used only for CDMA carriers that use 7-bit ASCII encoding instead of GSM 7-bit encoding.
+Encodings > UseKeyboardLangague | Set whether to use the keyboard language (Portuguese, Spanish, or Turkish) based encoding (set shift table based on keyboard language).
+IncompleteMsgDeliverySeconds | Set the value, in seconds, for long to wait for all parts of multisegment Sprint messages for concatenation.
+MessageExpirySeconds | Partners can set the expiration time before the phone deletes the received parts of a long SMS message. For example, if the phone is waiting for a three-part SMS message and the first part has been received, the first part will be deleted when the time expires and the other part of the message has not arrived. If the second part of the message arrives before the time expires, the first and second parts of the message will be deleted if the last part does not arrive after the time expires. The expiration time is reset whenever the next part of the long message is received. Set MessageExpirySeconds to the number seconds that the phone should wait before deleting the received parts of a long SMS messages. This value should be in hexadecimal and must be prefixed with 0x. The default value is 0x15180, which is equivalent to 1 day or 86,400 seconds.
+SmsFragmentLimit | Partners can specify a maximum length for SMS messages. This requires setting both the maximum number of SMS fragments per SMS message, from 1 to 255, and the maximum size in bytes of each SMS fragment, from 16 to 140 bytes. Use SmsFragmentLimit to set the maximum number of bytes in the user data body of an SMS message. You must set the value between 16 (0x10) and 140 (0x8C). You must also use SmsPageLimit to set the maximum number of segments in a concatenated SMS message.
+SmsPageLimit | Partners can specify a maximum length for SMS messages. This requires setting both the maximum number of SMS fragments per SMS message, from 1 to 255, and the maximum size in bytes of each SMS fragment, from 16 to 140 bytes. Use SmsPageLimit to set the maximum number of segments in a concatenated SMS message. You must set the value to 255 (0xFF) or smaller. You must also use SmsFragmentLimit to set the maximum number of bytes in the body of the SMS message.
+SprintFragmentInfoInBody | Partners can enable the messaging client to allow users to enter more than 160 characters per message. Messages longer than 160 characters are sent as multiple SMS messages that contain a tag at the beginning of the message in the form "(1/2)", where the first number represents the segment or part number and the second number represents the total number of segments or parts. Multiple messages are limited to 6 total segments. When enabled, the user cannot enter more characters after the 6 total segments limit is reached. Any message received with tags at the beginning is recombined with its corresponding segments and shown as one composite message.
+Type3GPP > ErrorHandling > ErrorType | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error type that you added as **Transient Failure** or **Permanent Failure**.
+Type3GPP > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error class that you added as **generic error**, **invalid recepient address**, or **network connectivity trouble**.
+Type3GPP > IMS > SmsUse16BitReferenceNumbers | Configure whether to use 8-bit or 16-bit message ID (reference number) in the UDH.
+Type3GPP2 > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP2, and click **Add**. Configure the error class that you added as **generic error**, **invalid recepient address**, or **network connectivity trouble**.
+Type3GPP2 > ErrorHandling > UseReservedAsPermanent | Set the 3GPP2 permanent error type.
+
+
+
+### UTK
+
+Setting | Description
+--- | ---
+UIDefaultDuration | Specifies the default time, in milliseconds, that the DISPLAY TEXT, GET INKEY, PLAY TONE, or SELECT ITEM dialog should be displayed. The default value is 60000 milliseconds (60 seconds). The valid value range is 1-120000.
+UIGetInputDuration | Specifies the default time, in milliseconds, that the GET INPUT dialog should be displayed. The default value is 120000 milliseconds (120 seconds). The valid value range is 1-120000.
+
+
+### VoLTE
+
+Setting | Description
+--- | ---
+IMSOMADMServices | Allows configuration of OMA DM Services Mask. The value is mapped directly to RIL_IMS_NW_ENABLED_FLAGS on the modem side. To configure the OMA DM services mask, set the IMSOMADMServices setting to one of the following values:- None, Flag: 0, Bitmask: 00000- OMA DM, Flag: 1, Bitmask: 00001- Voice, Flag: 2, Bitmask: 00010- Video, Flag: 4, Bitmask: 00100- EAB presence, Flag: 8, Bitmask: 01000- Enable all services, Flag: 15, Bitmask: 10000
+IMSServices | Identifies which IMS services are enabled (if any). The value is any combination of flags 1 (IMS), 2 (SMS over IMS), 4 (Voice over IMS) and 8 (Video Over IMS). Set the value for the IMSServices setting to any combination of the following flags or bitmasks:- IMS, Flag: 1, Bitmask: 0001- SMS over IMS, Flag: 2, Bitmask: 0010- Voice over IMS, Flag: 4, Bitmask: 0100Video over IMS, Flag: 8, Bitmask: 1000
+
+
+
+## Error messages for reject codes
+
+
+Reject code | Extended error message | Short error message
+--- | --- | ---
+2 (The SIM card hasn't been activated or has been deactivated) | SIM not set up MM#2 | Invalid SIM
+3 (The SIM card fails authentication or one of the identity check procedures. This can also happen due to a duplication of the TMSI across different MSCs.) | Can't verify SIM MM#3 | Invalid SIM
+6 (The device has been put on a block list, such as when the phone has been stolen or the IMEI is restricted.) | Phone not allowed MM#6 | No service
+
+
+## Values for MultivariantProvisionedSPN
+
+Set the MultivariantProvisionedSPN value to the name of the SPN or mobile operator.
+
+The following table shows the scenarios supported by this customization:
+
+>[!NOTE]
+>In the Default SIM name column:
+>
+>- The " " in MultivariantProvisionedSPN" "1234 means that there is a space between the mobile operator name or SPN and the last 4 digits of the MSISDN.
+>- MultivariantProvisionedSPN means the value that you set for the MultivariantProvisionedSPN setting.
+>- SIM 1 or SIM 2 is the default friendly name for the SIM in slot 1 or slot 2.
+
+
+Multivariant setting set?|SPN provisioned?|MSISDN (last 4 digits: 1234, for example) provisioned?|Default SIM name
+Yes|Yes|Yes|*MultivariantProvisionedSPN*1234 or *MultivariantProvisionedSPN*" "1234
+Yes|No|No|*MultivariantProvisionedSPN* (up to 16 characters)
+Yes|Yes|No|*MultivariantProvisionedSPN* (up to 16 characters)
+Yes|No|Yes|*MultivariantProvisionedSPN*1234 or *MultivariantProvisionedSPN*" "1234
+No|Yes|Yes|If SPN string >= 12: *SPN*1234If SPN string < 12: *SPN*" "1234
+No|No|No|*SIM 1* or *SIM 2*
+No|Yes|No|SPN (up to 16 characters)
+No|No|Yes|*SIM 1* or *SIM 2*
+
diff --git a/windows/configuration/wcd/wcd-cellular.md b/windows/configuration/wcd/wcd-cellular.md
index 7ea42d279d..15ff4cbc51 100644
--- a/windows/configuration/wcd/wcd-cellular.md
+++ b/windows/configuration/wcd/wcd-cellular.md
@@ -7,21 +7,22 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# Cellular (Windows Configuration Designer reference)
Use to configure settings for cellular connections.
+>[!IMPORTANT]
+>These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise.
+
## Applies to
| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
-| [AccountExperienceURL](#accountexperienceurl) | X | | | | |
-| [AppID](#appid) | X | | | | |
-| [NetworkBlockList](#networkblocklist) | X | | | | |
-| [SIMBlockList](#simblocklist) | X | | | | |
+| All settings | X | | | | |
+
To begin, enter a SIM integrated circuit card identifier (**SimIccid**), and click **Add**. In the **Customizations** pane, select the SimIccid that you just entered and configure the following settings for it.
@@ -34,10 +35,27 @@ Enter the URL for the mobile operator's web page.
Enter the AppID for the mobile operator's app in Microsoft Store.
+## BrandingIcon
+
+Browse to and select an .ico file.
+
+## BrandingIconPath
+
+Enter the destination path for the BrandingIcon .ico file.
+
+## BrandingName
+
+Enter the service provider name for the mobile operator.
+
## NetworkBlockList
Enter a comma-separated list of mobile country code (MCC) and mobile network code (MCC) pairs (MCC:MNC).
## SIMBlockList
-Enter a comma-separated list of mobile country code (MCC) and mobile network code (MCC) pairs (MCC:MNC).
\ No newline at end of file
+Enter a comma-separated list of mobile country code (MCC) and mobile network code (MCC) pairs (MCC:MNC).
+
+
+## UseBrandingNameOnRoaming
+
+Select an option for displaying the BrandingName when the device is roaming.
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-connections.md b/windows/configuration/wcd/wcd-connections.md
index 98fdd61592..a996e19cfc 100644
--- a/windows/configuration/wcd/wcd-connections.md
+++ b/windows/configuration/wcd/wcd-connections.md
@@ -7,7 +7,7 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# Connections (Windows Configuration Designer reference)
@@ -18,10 +18,8 @@ Use to configure settings related to various types of phone connections.
| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
-| [Cellular](#cellular) | X | X | X | X | |
-| [EnterpriseAPN](#enterpriseapn) | X | X | X | X | |
-| [Policies](#policies) | X | X | X | X | |
-| [Proxies](#proxies) | X | X | X | X | |
+| All settings | X | X | X | X | |
+
For each setting group:
1. In **Available customizations**, select the setting group (such as **Cellular**), enter a friendly name for the connection, and then click **Add**.
@@ -36,6 +34,10 @@ See [CM_CellularEntries configuration service provider (CSP)](https://msdn.micro
See [Configure cellular settings for tablets and PCs](https://docs.microsoft.com/windows/configuration/provisioning-apn) and
[EnterpriseAPN CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseapn-csp) for settings and values.
+## General
+
+Use **General > DataRoam** to set the default value for the **Default roaming options** option in the **Settings > cellular + SIM** area on the device. Select between **DoNotRoam**, **DomesticRoaming**, or **InternationalRoaming**.
+
## Policies
See [CMPolicy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cmpolicy-csp) for settings and values.
diff --git a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md
index 6f954aec14..097f2e9273 100644
--- a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md
+++ b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md
@@ -1,5 +1,5 @@
---
-title: DesktopBackgrounAndColors (Windows 10)
+title: DesktopBackgroundAndColors (Windows 10)
description: This section describes the DesktopBackgrounAndColors settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
ms.mktglfcycl: deploy
@@ -10,7 +10,7 @@ ms.author: jdecker
ms.date: 08/21/2017
---
-# DesktopBackgrounAndColors (Windows Configuration Designer reference)
+# DesktopBackgroundAndColors (Windows Configuration Designer reference)
Do not use. Instead, use the [Personalization settings](wcd-personalization.md).
diff --git a/windows/configuration/wcd/wcd-deviceinfo.md b/windows/configuration/wcd/wcd-deviceinfo.md
new file mode 100644
index 0000000000..28e15ade95
--- /dev/null
+++ b/windows/configuration/wcd/wcd-deviceinfo.md
@@ -0,0 +1,64 @@
+---
+title: DeviceInfo (Windows 10)
+description: This section describes the DeviceInfo settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+ms.localizationpriority: medium
+ms.author: jdecker
+ms.date: 10/17/2017
+---
+
+# DeviceInfo (Windows Configuration Designer reference)
+
+Use to configure settings for DeviceInfo.
+
+>[!IMPORTANT]
+>These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise.
+
+## Applies to
+
+| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| All settings | | X | | | |
+
+
+## PhoneMobileOperatorDisplayName
+
+Enter a friendly name for the mobile operator. This string is displayed in the support section of the **Settings > About** screen and in the ringtone list.
+
+## PhoneMobileOperatorName
+
+This setting is used for targeting phone updates. It must contain a code specified by Microsoft that corresponds to the mobile operator. These codes are provided in [Registry values for mobile operator IDs](https://msdn.microsoft.com/library/windows/hardware/dn772250.aspx). For open market phones, in which the mobile operator is not known, use the codes in [Registry values for carrier-unlocked phones](https://msdn.microsoft.com/library/windows/hardware/dn772248.aspx) instead.
+
+This string is not visible to the user.
+
+This setting must not be changed over time even if the user switches SIMs or mobile operators, as updates are always targeted based on the first mobile operator associated with the phone.
+
+The [PhoneManufacturer](https://msdn.microsoft.com/library/windows/hardware/mt138328.aspx), [PhoneManufacturerModelName](https://msdn.microsoft.com/library/windows/hardware/mt138336.aspx), and PhoneMobileOperatorName should create a unique Phone-Operator-Pairing (POP).
+
+
+
+## PhoneOEMSupportLink
+
+This should be a functional link that starts with http://. The link should be a URL that redirects to the mobile version of the web page. The content in the webpage should reflow to the screen width. This can be achieved by adding the CSS Tag `"@-ms-viewport { width: device-width; }"`.
+
+The default is an empty string (""), which means that a support link will not be displayed to the user.
+
+This setting varies by OEM.
+
+
+## PhoneSupportLink
+
+This should be a functional link that starts with http://. The link should be a URL that redirects to the mobile version of the web page. The content in the webpage should reflow to the screen width. This can be achieved by adding the CSS Tag `"@-ms-viewport { width: device-width; }"`.
+
+The default is an empty string (""), which means that a support link will not be displayed to the user.
+
+This setting varies by OEM.
+
+
+## PhoneSupportPhoneNumber
+
+Use to specify the OEM or mobile operator's support contact phone number. The country code is not required. This string is displayed in the About screen in Settings. This setting also corresponds to the Genuine Windows Phone Certificates (GWPC) support number.
+
diff --git a/windows/configuration/wcd/wcd-devicemanagement.md b/windows/configuration/wcd/wcd-devicemanagement.md
index 297225f5a1..a37c32bee6 100644
--- a/windows/configuration/wcd/wcd-devicemanagement.md
+++ b/windows/configuration/wcd/wcd-devicemanagement.md
@@ -12,7 +12,7 @@ ms.date: 08/21/2017
# DeviceManagement (Windows Configuration Designer reference)
-Use to...
+Use to configure device management settings.
## Applies to
diff --git a/windows/configuration/wcd/wcd-hotspot.md b/windows/configuration/wcd/wcd-hotspot.md
new file mode 100644
index 0000000000..cea5973633
--- /dev/null
+++ b/windows/configuration/wcd/wcd-hotspot.md
@@ -0,0 +1,116 @@
+---
+title: HotSpot (Windows 10)
+description: This section describes the HotSpot settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+ms.localizationpriority: medium
+ms.author: jdecker
+ms.date: 10/17/2017
+---
+
+# HotSpot (Windows Configuration Designer reference)
+
+Use HotSpot settings to configure Internet sharing.
+
+## Applies to
+
+| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| All settings | | X | | | |
+
+>[!NOTE]
+>Although the HotSpot settings are available in advanced editing for multiple editions, the settings are only supported on devices running Windows 10 Mobile.
+
+## DedicatedConnections
+
+(Optional) Set DedicatedConnections to a semicolon-separated list of connections.
+
+Specifies the list of Connection Manager cellular connections that Internet sharing will use as public connections.
+
+By default, any available connection will be used as a public connection. However, this node allows a mobile operator to specify one or more connection names to use as public connections.
+
+Specified connections will be mapped, by policy, to the Internet sharing service. All attempts to enumerate Connection Manager connections for the Internet sharing service will return only the mapped connections.
+
+The mapping policy will also include the connection specified in the TetheringNAIConnection value as well.
+
+ If the specified connections do not exist, Internet sharing will not start because it will not have any cellular connections available to share.
+
+
+
+## Enabled
+
+Specify **True** to enable Internet sharing on the device or **False** to disable Internet sharing.
+
+If Enabled is initially set to **True**, the feature is turned off and the internet sharing screen is removed from Settings so that the user cannot access it. Configuration changes or connection sharing state changes will not be possible.
+
+When Enabled is set to **False**, the internet sharing screen is added to Settings, although sharing is turned off by default until the user turns it on.
+
+
+## MaxBluetoothUsers
+
+(Optional) Specify the maximum number of simultaneous Bluetooth users that can be connected to a device while sharing over Bluetooth. Set MaxBluetoothUsers to an integer value between 1 and 7 inclusive. The default value is 7.
+
+
+## MaxUsers
+
+(Optional) Specify the maximum number of simultaneous users that can be connected to a device while sharing. Set MaxUsers to an integer value between 1 and 8 inclusive. The default value is 5.
+
+
+## MOAppLink
+
+(Optional) Enter an application link that points to a pre-installed application, provided by the mobile operator. that will help a user to subscribe to the mobile operator's Internet sharing service when Internet sharing is not provisioned or entitlement fails.
+
+Set MOAppLink to a valid app ID. The general format for the link is *app://MOappGUID*. For example, if your app ID is `12345678-9012-3456-7890-123456789012`, you must set the value to `app://12345678-9012-3456-7890-123456789012`.
+
+
+## MOHelpMessage
+
+(Optional) Enter a reference to a localized string, provided by the mobile operator, that is displayed when Internet sharing is not enabled due to entitlement failure. The node takes a language-neutral registry value string, which has the following form:
+
+```
+@,-
+```
+
+Where `` is the resource dll that contains the string and `` is the string identifier. For more information on language-neutral string resource registry values, see [Using Registry String Redirection](https://msdn.microsoft.com/library/windows/desktop/dd374120.aspx).
+
+## MOHelpNumber
+
+(Optional) Enter a mobile operator–specified phone number that is displayed to the user when the Internet sharing service fails to start. The user interface displays a message informing the user that they can call the specified number for help.
+
+
+
+## MOInfoLink
+
+(Optional) Enter a mobile operator–specified HTTP link that is displayed to the user when Internet sharing is disabled or the device is not entitled. The user interface displays a message informing the user that they can visit the specified link for more information about how to enable the feature.
+
+## PeerlessTimeout
+
+(Optional) Enter the time-out period, in minutes, after which Internet sharing should automatically turn off if there are no active clients.
+
+Set PeerlessTimeout to any value between 1 and 120 inclusive. A value of 0 is not supported. The default value is 5 minutes.
+
+## PublicConnectionTimeout
+
+(Optional) Enter the time-out value, in minutes, after which Internet sharing is automatically turned off if a cellular connection is not available.
+
+Set PublicConnectionTimeout to any value between 1 and 60 inclusive. The default value is 20 minutes. A value of 0 is not supported.
+
+
+## TetheringNAIConnection
+
+(Optional) Specify the CDMA TetheringNAI Connection Manager cellular connection that Internet sharing will use as a public connection. Set TetheringNAIConnection to the CDMA TetheringNAI Connection Manager cellular connection.
+
+If a CDMA mobile operator requires using a Tethering NAI during Internet sharing, they must configure a TetheringNAI connection and then specify the connection in this node.
+
+Specified connections will be mapped, by policy, to the Internet sharing service. All attempts to enumerate Connection Manager connections for the Internet sharing service will return only the mapped connections.The mapping policy will also include the connection specified in the TetheringNAIConnection value as well.
+
+If the specified connections do not exist, Internet sharing will not start because it will not have any cellular connections available to share.
+
+>[!NOTE]
+>CDMA phones are limited to one active data connection at a time. This means any application or service (such as e-mail or MMS) that is bound to another connection may not work while Internet sharing is turned on.
+
+
+
+
diff --git a/windows/configuration/wcd/wcd-messaging.md b/windows/configuration/wcd/wcd-messaging.md
index 871e87042c..2f2ab14958 100644
--- a/windows/configuration/wcd/wcd-messaging.md
+++ b/windows/configuration/wcd/wcd-messaging.md
@@ -7,12 +7,18 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# Messaging (Windows Configuration Designer reference)
-Use for settings related to Messaging.
+Use for settings related to Messaging and Commercial Mobile Alert System (CMAS).
+
+>[!IMPORTANT]
+>These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise.
+
+>[!NOTE]
+>CMAS is now known as Wireless Emergency Alerts (WEA).
## Applies to
@@ -20,16 +26,70 @@ Use for settings related to Messaging.
| --- | :---: | :---: | :---: | :---: | :---: |
| All settings | | X | | | |
-## GlobalSettings > ShowSendingStatus
+## GlobalSettings
+
+### DisplayCmasLifo
+
+Use this setting to change the order in which CMAS alert messages are displayed, from the default first in/first out (FIFO) message order to last in/first out (LIFO) message order.
+
+If the phone receives at least one CMAS alert message which has not been acknowledged by the user, and another CMAS alert message arrives on the phone, partners can configure the order in which the newly received alert messages are displayed on the phone regardless of the service category of the alert. Users will not be able to change the message order once it has been set.
+
+If partners do not specify a value for this customization, the default FIFO display order is used. Users will be able to acknowledge the messages in the reverse order they were received.
+
+When configured as **True**, you set a LIFO message order. When configured as **False**, you set a FIFO message order.
+
+### EnableCustomLineSetupDialog
+
+Enable this setting to allow custom line setup dialogs in the Messaging app.
+
+### ShowSendingStatus
+
+>[!NOTE]
+>This setting is removed in Windows 10, version 1709.
Set **ShowSendingStatus** to **True** to display the sending status for SMS/MMS messages.
-## PerSimSettings > _ICCID
+### VoicemailIntercept
-Use to configure settings for each subscriber identification module (SIM) card.
+Partners can define a filter that intercepts an incoming SMS message and triggers visual voicemail synchronization. The filtered message does not appear in the user’s conversation list.
+
+A visual voicemail sync is triggered by an incoming SMS message if the following conditions are met:
+
+- The message sender value starts with the string specified in the SyncSender setting. The length of the specified values must be greater than 3 characters but less than 75 characters.
+
+- The body of the message starts with the string specified in the SyncPrefix setting. The length of the specified values must be greater than 3 characters but less than 75 characters.
+
+- Visual voicemail is configured and enabled. For more information, see [Visual voicemail](https://msdn.microsoft.com/library/windows/hardware/dn790032.aspx).
+
+>[!NOTE]
+>These settings are atomic, so both SyncSender and SyncPrefix must be set.
+>
+>The SyncSender and SyncPrefix values vary for each mobile operator, so you must work with your mobile operators to obtain the correct or required values.
+
+Setting | Description
+--- | ---
+SyncPrefix | Specify a value for SyncPrefix that is greater than 3 characters but less than 75 characters in length. For networks that support it, this value can be the keyword for the SMS notification.
+SyncSender | Specify a value for SyncSender that is greater than 3 characters but less than 75 characters in length. For networks that support it, this value can be a short code of the mailbox server that sends a standard SMS notification.
+
+
+
+## PerSimSettings
+
+Use to configure settings for each subscriber identification module (SIM) card. Enter the Integrated Circuit Card Identifier (ICCID) for the SIM card, click **Add**, and then configure the folowing settings.
+
+### AllowMmsIfDataIsOff
+
+Setting | Description
+--- | ---
+AllowMmsIfDataIsOff | **True** allows MMS if data is off
+AllowMmsIfDataIsOffSupported | **True** shows the toggle for allowing MMS if data is turned off
+AllowMmsIfDataIsOffWhileRoaming | **True** allows MMS if data is off while roaming
### AllowSelectAllContacts
+>[!NOTE]
+>This setting is removed in Windows 10, version 1709.
+
Set to **True** to show the select all contacts/unselect all menu option to allow users to easily select multiple recipients for an SMS or MMS message. This menu option provides users with an easier way to add multiple recipients and may also meet a mandatory requirement for some mobile operator networks.
Windows 10 Mobile supports the following select multiple recipients features:
@@ -55,31 +115,106 @@ Specify whether MMS messages are automatically downloaded.
| AutomaticallyDownload | **True** sets the **Automatically download MMS** toggle to **On** |
| ShowAutomaticallyDownloadMMSToggle | **True** shows the **Automatically download MMS** toggle, and **False** hides the toggle |
+
### DefaultContentLocationUrl
+>[!NOTE]
+>This setting is removed in Windows 10, version 1709.
+
For networks that require it, you can specify the default GET path within the MMSC to use when the GET URL is missing from the WAP push MMS notification.
Set **DefaultContentLocationUrl** to specify the default GET path within the MMSC.
### ErrorCodeEnabled
+>[!NOTE]
+>This setting is removed in Windows 10, version 1709.
+
You can choose to display additional content in the conversation view when an SMS or MMS message fails to send. This content includes a specific error code in decimal format that the user can report to technical support. Common errors also include a friendly string to help the user self-diagnose and fix the problem.
Set to **True** to display the error message with an explanation of the problem and the decimal-format error codes. When set to **False**, the full error message is not displayed.
+### EmergencyAlertOptions
-### ImsiAuthenticationToken
+Configure settings for CMAS alerts.
+
+Setting | Description
+--- | ---
+CmasAMBERAlertEnabled | **True** enables the device to receive AMBER alerts
+CmasExtremeAlertEnabled | **True** enables the device to receive extreme alerts
+CmasSevereAlertEnabled | **True** enables the device to receive severe alerts
+EmOperatorEnabled | Select which Emergency Alerts Settings page is displayed from dropdown menu
+SevereAlertDependentOnExtremeAlert | When set as **True**, the CMAS-Extreme alert option must be on to modify CMAS-Severe alert option
+
+
+### General
+
+Setting | Description
+--- | ---
+AllowSelectAllContacts | Set to **True** to show the **select all contacts/unselect all** menu option to allow users to easily select multiple recipients for an SMS or MMS message. This menu option provides users with an easier way to add multiple recipients and may also meet a mandatory requirement for some mobile operator networks. Windows 10 Mobile supports the following select multiple recipients features:- A multi-select chooser, which enables users to choose multiple contacts.- A **select all contacts/unselect all** menu option, which enables users to select or unselect all their contacts. This option is not shown by default and must be enabled by the OEM.
+AllowSMStoSMTPAddress | Allow SMS to SMTP address.
+AssistedDialingMcc | By setting AssistedDialingMcc and AssistedDialingMnc, international assisted dialing will be enabled for SMS if the user setting for international assisted dialing is enabled. Enter the Mobile Country Code (MCC) to use for sending SMS.
+AssistedDialingMnc | By setting AssistedDialingMcc and AssistedDialingMnc, international assisted dialing will be enabled for SMS if the user setting for international assisted dialing is enabled. Enter the Mobile Network Code (MNC) to use for sending SMS.
+AssistedDialingPlusCodeSupportOverride | For devices that support IMS over SMS, you can override support for the assisted dialing plus (+) code for SMS by setting AssistedDialingPlusCodeSupportOverride. If enabled, the OS will not convert the plus (+) code to the proper assisted number when the user turns on the dialing assist option.
+AutoRetryDownload | You can configure the messaging app to automatically retry downloading an MMS message if the initial download attempt fails. When this customization is enabled, the download is retried 3 times at 20-, 40-, and 60-second intervals.
+BroadcastChannels | You can specify one or more ports from which the device will accept cellular broadcast messages. Set the BroadcastChannels value to the port number(s) that can accept cellular broadcast messages. If you specify the same port that Windows 10 Mobile already recognizes as an Emergency Alert port (a CMAS or ETWS port number) and a cell broadcast message is received on that port, the user will only receive the message once. The message that is received will be displayed as an Emergency Alert message.
+ConvertLongSMStoMMS | For networks that do support MMS and do not support segmentation of SMS messages, you can specify an automatic switch from SMS to MMS for long messages.
+DefaultContentLocationUrl | For networks that require it, you can specify the default GET path within the MMSC to use when the GET URL is missing from the WAP push MMS notification. Set DefaultContentLocationUrl to specify the default GET path within the MMSC.
+ErrorCodeEnabled | You can choose to display additional content in the conversation view when an SMS or MMS message fails to send. This content includes a specific error code in decimal format that the user can report to technical support. Common errors also include a friendly string to help the user self-diagnose and fix the problem. Set to **True** to display the error message with an explanation of the problem and the decimal-format error codes. When set to **False**, the full error message is not displayed.
+HideMediumSIPopups | By default, when a service indication message is received with a signal-medium or signal-high setting, the phone interrupts and shows the user prompt for these messages. However, you can hide the user prompts for signal-medium messages.
+ImsiAuthenticationToken | Configure whether MMS messages include the IMSI in the GET and POST header. Set ImsiAuthenticationToken to the token used as the header for authentication. The string value should match the IMSI provided by the UICC.
+LimitRecipients | Set the maximum number of recipients to which a single SMS or MMS message can be sent. Enter a number between 1 and 500 to limit the maximum number of recipients.
+MaxRetryCount | You can specify the number of times that the phone can retry sending the failed MMS message and photo before the user receives a notification that the photo could not be sent. Specify MaxRetryCount to specify the number of times the MMS transport will attempt resending the MMS message. This value has a maximum limit of 3.
+MMSLimitAttachments | You can specify the maximum number of attachments for MMS messages, from 1 to 20. The default is 5.
+RetrySize | For MMS messages that have photo attachments and that fail to send, you can choose to automatically resize the photo and attempt to resend the message. Specify the maximum size to use to resize the photo in KB. Minimum is 0xA (10 KB).
+SetCacheControlNoTransform | When set, proxies and transcoders are instructed not to change the HTTP header and the content should not be modified. A value of 1 or 0x1 adds support for the HTTP header Cache-Control No-Transform directive. When the SetCacheControlNoTransform``Value is set to 0 or 0x0 or when the setting is not set, the default HTTP header Cache-Control No-Cache directive is used.
+ShowRequiredMonthlyTest | **True** enables devices to receive CMAS Required Monthly Test (RMT) messages and have these show up on the device. **False** disables devices from receiving CMAS RMT messages.
+SmscPanelDisabled | **True** disables the short message service center (SMSC) panel.
+SMStoSMTPShortCode | Use to configure SMS messages to be sent to email addresses and phone numbers. `0` disables sending SMS messages to SMTP addresses. `1` enables sending SMS messages to SMTP addresses.
+TargetVideoFormat | You can specify the transcoding to use for video files sent as attachments in MMS messages. Set TargetVideoFormat to one of the following values to configure the default transcoding for video files sent as attachments in MMS messages:- 0 or 0x0 Sets the transcoding to H.264 + AAC + MP4. This is the default set by the OS.- 1 or 0x1 Sets the transcoding to H.264 + AAC + 3GP.- 2 or 0x2 Sets the transcoding to H.263 + AMR.NB + 3GP.- 3 or 0x3 Sets the transcoding to MPEG4 + AMR.NB + 3GP.
+UAProf | You can specify a user agent profile to use on the phone for MMS messages. The user agent profile XML file details a phone’s hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC. There are two ways to correlate a user agent profile with a given phone:- You can take the user agent string of the phone that is sent with MMS requests and use it as a hash to map to the user agent profile on the MMSC. The user agent string cannot be modified.- Alternatively, you can directly set the URI of the user agent profile on the phone.Set UAProf to the full URI of your user agent profile file. Optionally, you can also specify the custom user agent property name for MMS that is sent in the header by setting UAProfToken to either `x-wap-profile` or `profile`.
+UAProfToken | You can specify a user agent profile to use on the phone for MMS messages. The user agent profile XML file details a phone’s hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC.
+UseDefaultAddress | By default, the MMS transport sends an acknowledgement to the provisioned MMS application server (MMSC). However, on some networks, the correct server to use is sent as a URL in the MMS message. In that case, a registry key must be set, or else the acknowledgement will not be received and the server will continue to send duplicate messages. **True** enables some networks to correctly acknowledge MMS messages. **False** disables the feature.
+UserAgentString | Set UserAgentString to the new user agent string for MMS in its entirely. By default, this string has the format WindowsPhoneMMS/MicrosoftMMSVersionNumber WindowsPhoneOS/OSVersion-buildNumber OEM-deviceName, in which the italicized text is replaced with the appropriate values for the phone.
+UseUTF8ForUnspecifiedCharset | Some incoming MMS messages may not specify a character encoding. To properly decode MMS messages that do not specify a character encoding, you can set UTF-8 to decode the message.
+WapPushTechnology | For networks that require non-standard handling of single-segment incoming MMS WAP Push notifications, you can specify that MMS messages may have some of their content truncated and that they may require special handling to reconstruct truncated field values. `1` or `0x1` enables MMS messages to have some of their content truncated. `0` or `0x0` disables MMS messages from being truncated
+
+## ImsiAuthenticationToken
+
+>[!NOTE]
+>This setting is removed in Windows 10, version 1709.
Configure whether MMS messages include the IMSI in the GET and POST header.
Set **ImsiAuthenticationToken** to the token used as the header for authentication. The string value should match the IMSI provided by the UICC.
+
+### LatAlertOptions
+
+Enable `LatLocalAlertEnabled` to enable support for LAT-Alert Local Alerts for devices sold in Chile. For more information, see [Emergency notifications](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/emergency-notifications).
+
### MaxRetryCount
+>[!NOTE]
+>This setting is removed in Windows 10, version 1709.
+
You can specify the number of times that the phone can retry sending the failed MMS message and photo before the user receives a notification that the photo could not be sent.
Specify MaxRetryCount to specify the number of times the MMS transport will attempt resending the MMS message. This value has a maximum limit of 3.
+### MMSGroupText
+
+Set options for group messages sent to multiple people.
+
+Setting | Description
+--- | ---
+MMSGroupText | **True** enables group messages to multiple people sent as MMS.
+ShowMMSGroupTextUI | **True** shows the toggle for group text in messaging settings.
+ShowMmsGroupTextWarning | **True** shows the warning that alerts users of possible additional charges before sending a group text as MMS.
+
+### NIAlertOptions
+
+Enable `NI2AlertEnabled` to enable support for the Netherlands Announcements for devices sold in the Netherlands. For more information, see [Emergency notifications](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/emergency-notifications).
### RcsOptions
@@ -103,8 +238,18 @@ Set options related to MMS message notifications. You can specify whether users
| RequestDeliveryReportIsSupported | **True** shows the toggle for MMS delivery confirmation, and **False** hides the toggle. |
+### SMSDeliveryNotify
+
+Setting | Description
+--- | ---
+DeliveryNotifySupported | Set to **True** to enable SMS delivery confirmation.
+SMSDeliveryNotify | Set to **True** to toggle SMS delivery confirmation.
+
### TargetVideoFormat
+>[!NOTE]
+>This setting is removed in Windows 10, version 1709.
+
You can specify the transcoding to use for video files sent as attachments in MMS messages.
Set TargetVideoFormat to one of the following values to configure the default transcoding for video files sent as attachments in MMS messages:
@@ -119,6 +264,9 @@ Set TargetVideoFormat to one of the following values to configure the default tr
### UAProf
+>[!NOTE]
+>This setting is removed in Windows 10, version 1709.
+
You can specify a user agent profile to use on the phone for MMS messages. The user agent profile XML file details a phone’s hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC.
There are two ways to correlate a user agent profile with a given phone:
@@ -130,6 +278,9 @@ Set **UAProf** to the full URI of your user agent profile file. Optionally, you
### UAProfToken
+>[!NOTE]
+>This setting is removed in Windows 10, version 1709.
+
You can specify a user agent profile to use on the phone for MMS messages. The user agent profile XML file details a phone’s hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC.
Optionally, in addition to specifying **UAProf**, you can also specify the custom user agent property name for MMS that is sent in the header by setting **UAProfToken** to either `x-wap-profile` or `profile`.
@@ -137,6 +288,9 @@ Optionally, in addition to specifying **UAProf**, you can also specify the custo
### UserAgentString
+>[!NOTE]
+>This setting is removed in Windows 10, version 1709.
+
Set **UserAgentString** to the new user agent string for MMS in its entirely.
By default, this string has the format WindowsPhoneMMS/MicrosoftMMSVersionNumber WindowsPhoneOS/OSVersion-buildNumber OEM-deviceName, in which the italicized text is replaced with the appropriate values for the phone.
@@ -147,16 +301,17 @@ By default, this string has the format WindowsPhoneMMS/MicrosoftMMSVersionNumber
| Setting | Description |
| --- | --- |
| ADDR | Specify the absolute MMSC URL. The possible values to configure the ADDR parameter are:- A Uniform Resource Identifier (URI)- An IPv4 address represented in decimal format with dots as delimiters- A fully qualified Internet domain name |
-| APPID | Set to `w4` |
+| APPID | Set to `w4`. |
| MS | (optional) Specify the maximum size of MMS, in KB. If the value is not a number, or is less than or equal to 10, it will be ignored and outgoing MMS will not be resized. |
| NAME | (optional) Enter user–readable application identity. This parameter is also used to define part of the registry path for the APPLICATION parameters. The possible values to configure the **NAME** parameter are:- Character string containing the name- no value specifiedIf no value is specified, the registry location will default to . If **NAME** is greater than 40 characters, it will be truncated to 40 characters. |
| TONAPID | Specify the network access point identification name (NAPID) defined in the provisioning file. This parameter takes a string value. It is only possible to refer to network access points defined within the same provisioning file (except if the INTERNET attribute is set in the NAPDEF characteristic). For more information about the NAPDEF characteristic, see [NAPDEF configuration service provider](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/napdef-csp). |
| TOPROXY | Specify one logical proxy with a matching PROXY-ID. It is only possible to refer to proxies defined within the same provisioning file. Only one proxy can be listed. The TO-PROXY value must be set to the value of the PROXY ID in PXLOGICAL that defines the MMS specific-proxy. |
-
-
### WapPushTechnology
+>[!NOTE]
+>These settings are removed in Windows 10, version 1709.
+
For networks that require non-standard handling of single-segment incoming MMS WAP Push notifications, you can specify that MMS messages may have some of their content truncated and that they may require special handling to reconstruct truncated field values.
| Value | Description |
@@ -167,5 +322,4 @@ For networks that require non-standard handling of single-segment incoming MMS W
## Related topics
-
-- [w4 APPLICATION CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/w4-application-csp)
\ No newline at end of file
+ - [Customizations for SMS and MMS](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/customizations-for-sms-and-mms)
diff --git a/windows/configuration/wcd/wcd-modemconfigurations.md b/windows/configuration/wcd/wcd-modemconfigurations.md
index 98bae12f8b..eb663dfd65 100644
--- a/windows/configuration/wcd/wcd-modemconfigurations.md
+++ b/windows/configuration/wcd/wcd-modemconfigurations.md
@@ -7,12 +7,12 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# ModemConfiguration (Windows Configuration Designer reference)
-Documentation not available at this time.
+ModemConfiguration settings are removed in Windows 10, version 1709.
## Applies to
diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md
index f672b70b05..2cef9b94d5 100644
--- a/windows/configuration/wcd/wcd-policies.md
+++ b/windows/configuration/wcd/wcd-policies.md
@@ -7,7 +7,7 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# Policies (Windows Configuration Designer reference)
@@ -43,8 +43,8 @@ This section describes the **Policies** settings that you can configure in [prov
| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowAllTrustedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps) | Whether non-Windows Store apps are allowed | X | X | | | |
-| [AllowAppStoreAutoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate) | Whether automatic update of apps from Windows Store is allowed | X | X | | | |
+| [AllowAllTrustedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps) | Whether non-Microsoft Store apps are allowed | X | X | | | |
+| [AllowAppStoreAutoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate) | Whether automatic update of apps from Microsoft Store is allowed | X | X | | | |
| [AllowDeveloperUnlock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowdeveloperunlock) | Whether developer unlock of device is allowed | X | X | X | X | X |
| [AllowGameDVR](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowgamedvr) |Whether DVR and broadcasting is allowed | X | | | | |
| [AllowSharedUserAppData](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowshareduserappdata) | Whether multiple users of the same app can share data | X | X | | | |
@@ -76,9 +76,9 @@ This section describes the **Policies** settings that you can configure in [prov
| --- | --- | :---: | :---: | :---: | :---: | :---: |
| [AllowAdvertising](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowadvertising) | Whether the device can send out Bluetooth advertisements | X | X | X | X | X |
| [AllowDiscoverableMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowdiscoverablemode) | Whether other Bluetooth-enabled devices can discover the device | X | X | X | X | X |
-| [AllowPrepairing](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowprepairing) | Whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device | X | X | X | X | X |
-| [LocalDeviceName](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-localdevicename) | Set the local Bluetooth device name | X | X | X | X | X |
-| [ServicesAllowedList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-servicesallowedlist) | Set a list of allowable services and profiles | X | X | | | |
+| [AllowPrepairing](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowprepairing) | Whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device | X | X | X | | X |
+| [LocalDeviceName](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-localdevicename) | Set the local Bluetooth device name | X | X | X | | X |
+| [ServicesAllowedList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-servicesallowedlist) | Set a list of allowable services and profiles | X | X | | X | |
## Browser
@@ -104,7 +104,7 @@ This section describes the **Policies** settings that you can configure in [prov
| [ConfigureAdditionalSearchEngines](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-configureadditionalsearchengines) | Allows you to add up to 5 addtional search engines for MDM-enrolled devices. | X | X | X | | |
| [DisableLockdownOfStartPages](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) | Specify whether the lockdown on the Start pages is disabled. | X | | | | |
| [EnterpriseModeSiteList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist) | Allow the user to specify a URL of an enterprise site list. | X | | | | |
-| EnterpriseSiteListServiceUrl | This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist). | X | | | | |
+| [EnterpriseSiteListServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisesitelistserviceurl) | This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist). | X | | | | |
| [FirstRunURL](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-firstrunurl) | Specify the URL that Microsoft Edge will use when it is opened for the first time. | | X | | | |
| [HomePages](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-homepages) | Specify your Start pages for MDM-enrolled devices. | X | | | | |
| [PreventAccessToAboutFlagsInMicrosoftEdge](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventaccesstoaboutflagsinmicrosoftedge) | Specify whether users can access the **about:flags** page, which is used to change developer settings and to enable experimental features. | X | X | X | | |
@@ -130,7 +130,7 @@ This section describes the **Policies** settings that you can configure in [prov
| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowBluetooth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowbluetooth) | Allow the user to enable Bluetooth or restrict access. | X | X | X | | |
+| [AllowBluetooth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowbluetooth) | Allow the user to enable Bluetooth or restrict access. | X | X | X | X | |
| [AllowCellularData](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowcellulardata) | Allow the cellular data channel on the device. | X | X | X | | |
| [AllowCellularDataRoaming](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowcellulardataroaming) | Allow or disallow cellular data roaming on the device. | X | X | X | | |
| [AllowConnectedDevices](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowconnecteddevices) | Allows IT admins the ability to disable the Connected Devices Platform component. | X | X | X | | |
@@ -141,6 +141,12 @@ This section describes the **Policies** settings that you can configure in [prov
| HideCellularConnectionMode | Hide the checkbox that lets the user change the connection mode. | X | X | X | | |
| HideCellularRoamingOption | Hide the dropdown menu that lets the user change the roaming preferences. | X | X | X | | |
+## CredentialProviders
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+[DisableAutomaticReDeploymentCredentials](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialproviders) | This setting disables the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. The Windows 10 Automatic ReDeployment feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students. | X | | | | |
+
## Cryptography
| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
@@ -200,6 +206,11 @@ This section describes the **Policies** settings that you can configure in [prov
| [DOMonthlyUploadDataCap](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domonthlyuploaddatacap) | Specify the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. | X | | | | |
| [DOPercentageMaxDownloadBandwidth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxdownloadbandwidth) | Specify the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | X | | | | |
+## DeviceGuard
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+[EnableVirtualizationBasedSecurity](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceguard) | Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. | X | | | | |
## DeviceLock
@@ -238,18 +249,24 @@ This section describes the **Policies** settings that you can configure in [prov
| [AllowManualMDMUnenrollment](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowmanualmdmunenrollment) | Specify whether the user is allowed to delete the workplace account. | X | X | | | |
| [AllowScreenCapture](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowscreencapture) | Specify whether screen capture is allowed. | | X | | | |
| [AllowSIMErrorDialogPromptWhenNoSIM](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowsimerrordialogpromptwhennosim) | Specify whether to display a dialog prompt when no SIM card is detected. | | X | | | |
-| [AllowSyncMySettings](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowsyncmysettings) | Allow or disallow all Windows sync settings on the device. | X | | | | |
+| [AllowSyncMySettings](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowsyncmysettings) | Allow or disallow all Windows sync settings on the device. | X | X | | | |
| [AllowTailoredExperiencesWithDiagnosticData](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowtailoredexperienceswithdiagnosticdata) | Prevent Windows from using diagnostic data to provide customized experiences to the user. | X | | | | |
| [AllowTaskSwitcher](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowtaskswitcher) | Allow or disallow task switching on the device. | | X | | | |
| [AllowThirdPartySuggestionsInWindowsSpotlight](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowthirdpartysuggestionsinwindowsspotlight) | Specify whether to allow app and content suggestions from third-party software publishers in Windows Spotlight. | X | | | | |
| [AllowVoiceRecording](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowvoicerecording) | Specify whether voice recording is allowed for apps. | | X | | | |
-| [AllowWindowsConsumerFeatures](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsconsumerfeatures) | Turn on experiences that are typically for consumers only, such as Start suggetions, membership notifications, post-OOBE app install, and redirect tiles. | X | | | | |
+| [AllowWindowsConsumerFeatures](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) | Turn on experiences that are typically for consumers only, such as Start suggetions, membership notifications, post-OOBE app install, and redirect tiles. | X | | | | |
| [AllowWindowsSpotlight](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsspotlight) |Specify whether to turn off all Windows Spotlight features at once. | X | | | | |
| [AllowWindowsSpotlightOnActionCenter](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightonactioncenter) | Prevent Windows Spotlight notifications from being displayed in the Action Center. | X | | | | |
| [AllowWindowsSpotlightWindowsWelcomeExperience](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightwindowswelcomeexperience) | Turn off the Windows Spotlight Windows welcome experience feature. | X | | | | |
| [AllowWindowsTips](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowstips) | Enable or disable Windows Tips. | X | | | | |
| [ConfigureWindowsSpotlightOnLockScreen](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-configurewindowsspotlightonlockscreen) | Specify whether Spotlight should be used on the user's lock screen. | X | | | | |
+## ExploitGuard
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [ExploitProtectionSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) | See the [explanation of ExploitProtectionSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) in the Policy CSP for instructions. In the **ExploitProtectionSettings** field, you can enter a path (local, UNC, or URI) to the mitigation options config, or you can enter the XML for the config. | X | X | | | |
+
## Games
@@ -310,27 +327,29 @@ This section describes the **Policies** settings that you can configure in [prov
| [AllowDataSense](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-allowdatasense) | Allow the user to change Data Sense settings. | | X | | | |
| [AllowVPN](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-allowvpn) | Allow the user to change VPN settings. | | X | | | |
| [ConfigureTaskbarCalendar](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-configuretaskbarcalendar) | Configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. | X | | | | |
+[PageVisiblityList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist) | Allows IT admins to prevent specific pages in the System Settings app from being visible or accessible. Pages are identified by a shortened version of their already [published URIs](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference), which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons. | X | | | | |
## Start
| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| AllowPinnedFolderDocuments | Control the visibility of the Documents shortcut on the Start menu. | X | | | | |
-| AllowPinnedFolderDownloads | Control the visibility of the Downloadds shortcut on the Start menu. | X | | | | |
-| AllowPinnedFolderFileExplorer | Control the visibility of the File Explorer shortcut on the Start menu. | X | | | | |
-| AllowPinnedFolderHomeGroup | Control the visibility of the Home Group shortcut on the Start menu. | X | | | | |
-| AllowPinnedFolderMusic | Control the visibility of the Music shortcut on the Start menu. | X | | | | |
-| AllowPinnedFolderNetwork | Control the visibility of the Network shortcut on the Start menu. | X | | | | |
-| AllowPinnedFolderPersonalFolder | Control the visibility of the Personal Folder shortcut on the Start menu. | X | | | | |
-| AllowPinnedFolderPictures | Control the visibility of the Pictures shortcut on the Start menu. | X | | | | |
-| AllowPinnedFolderSettings | Control the visibility of the Settings shortcut on the Start menu. | X | | | | |
-| AllowPinnedFolderVideos |Control the visibility of the Videos shortcut on the Start menu. | X | | | | |
+| [AllowPinnedFolderDocuments](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdocuments) | Control the visibility of the Documents shortcut on the Start menu. | X | | | | |
+| [AllowPinnedFolderDownloads](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdownloads) | Control the visibility of the Downloadds shortcut on the Start menu. | X | | | | |
+| [AllowPinnedFolderFileExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderfileexplorer) | Control the visibility of the File Explorer shortcut on the Start menu. | X | | | | |
+| [AllowPinnedFolderHomeGroup](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderhomegroup) | Control the visibility of the Home Group shortcut on the Start menu. | X | | | | |
+| [AllowPinnedFolderMusic](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldermusic) | Control the visibility of the Music shortcut on the Start menu. | X | | | | |
+| [AllowPinnedFolderNetwork](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldernetwork) | Control the visibility of the Network shortcut on the Start menu. | X | | | | |
+| [AllowPinnedFolderPersonalFolder](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpersonalfolder) | Control the visibility of the Personal Folder shortcut on the Start menu. | X | | | | |
+| [AllowPinnedFolderPictures](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpictures) | Control the visibility of the Pictures shortcut on the Start menu. | X | | | | |
+| [AllowPinnedFolderSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | Control the visibility of the Settings shortcut on the Start menu. | X | | | | |
+| [AllowPinnedFolderVideos](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldervideos) |Control the visibility of the Videos shortcut on the Start menu. | X | | | | |
| [ForceStartSize](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-forcestartsize) | Force the size of the Start screen. | X | | | | |
| [HideAppList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist) | Collapse or remove the all apps list. | X | | | | |
| [HideChangeAccountSettings](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) | Hide **Change account settings** from appearing in the user tile. | X | | | | |
| [HideFrequentlyUsedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps) | Hide **Most used** section of Start. | X | | | | |
| [HideHibernate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate) | Prevent **Hibernate** option from appearing in the Power button. | X | | | | |
| [HideLock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock) | Prevent **Lock** from appearing in the user tile. | X | | | | |
+| HidePeopleBar | Remove the people icon from the taskbar, as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. | X | | | | |
| [HidePowerButton](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton) | Hide the **Power** button. | X | | | | |
| [HideRecentJumplists](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists) | Hide jumplists of recently opened items. | X | | | | |
| [HideRecentlyAddedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps) | Hide **Recently added** section of Start. | X | | | | |
@@ -356,6 +375,7 @@ This section describes the **Policies** settings that you can configure in [prov
| [AllowTelemetry](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowtelemetry) | Allow the device to send diagnostic and useage telemetry data. | X | X | | | |
| [AllowUserToResetPhone](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowusertoresetphone) | Allow the user to factory reset the phone. | X | X | | | |
| [DisableOneDriveFileSync](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-disableonedrivefilesync) | Prevent apps and features from working with files on OneDrive. | X | | | | |
+| [LimitEnhancedDiagnosticDataWindowsAnalytics](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics) | This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must enable this policy setting, and set Allow Telemetry to level 2 (Enhanced). When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented in [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://go.microsoft.com/fwlink/?linkid=847594). Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. | X | X | | | |
## TextInput
@@ -390,25 +410,35 @@ This section describes the **Policies** settings that you can configure in [prov
| --- | --- | :---: | :---: | :---: | :---: | :---: |
| [ActiveHoursEnd](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update rboots are not scheduled. | X | X | X | X | X |
| [ActiveHoursMaxRange](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. | X | X | X | X | X |
-| [ActiveHoursStart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update rboots are not scheduled. | X | X | X | X | X |
+| [ActiveHoursStart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots are not scheduled. | X | X | X | X | X |
| [AllowautoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | X | X | X | X | X |
+| [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautowindowsupdatedownloadovermeterednetwork)| Option to download updates automatically over metered connections (off by default). Enter `0` for not allowed, or `1` for allowed. | X | X | X | X | X |
| [AllowMUUpdateService](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. | X | X | X | X | X |
| [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. | X | X | X | X | X |
-| [AllowUpdateService](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowupdateservice) | Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store. | X | X | X | X | X |
-| AutoRestartDeadlinePeriodInDays | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | X | X | X | X | X |
+| [AllowUpdateService](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowupdateservice) | Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. | X | X | X | X | X |
+| [AutoRestartDeadlinePeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | X | X | X | X | X |
| [AutoRestartNotificationSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-autorestartnotificationschedule) | Specify the period for auto-restart reminder notifications. | X | X | X | X | X |
| [AutoRestartRequiredNotificationDismissal](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-autorestartrequirednotificationdismissal) | Specify the method by which the auto-restart required notification is dismissed. | X | X | X | X | X |
| [BranchReadinessLevel](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-branchreadinesslevel) | Select which branch a device receives their updates from. | X | X | X | X | X |
| [DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-deferfeatureupdatesperiodindays) | Defer Feature Updates for the specified number of days. | X | X | X | X | X |
| [DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-deferqualityupdatesperiodindays) | Defer Quality Updates for the specified number of days. | X | X | X | X | X |
+| [DeferUpdatePeriod](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-deferupdateperiod) | Specify update delays for up to 4 weeks. | X | X | X | X | X |
+| [DeferUpgradePeriod](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-deferupgradeperiod) |Specify upgrade delays for up to 8 months. | X | X | X | X | X |
| [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency) | Specify the frequency to scan for updates, from every 1-22 hours. | X | X | X | X | X |
+| [DisableDualScan](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-disabledualscan) | Do not allow update deferral policies to cause scans against Windows Update. | X | X | X | X | X |
| [EngagedRestartDeadline](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestartdeadline) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | X | X | X | X | X |
| [EngagedRestartSnoozeSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestartsnoozeschedule) | Specify the number of days a user can snooze Engaged restart reminder notifications. | X | X | X | X | X |
| [EngagedRestartTransitionSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestarttransitionschedule) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | X | X | X | X | X |
| [FillEmptyContentUrls](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-fillemptycontenturls) | Allow Windows Update Agent to determine the download URL when it is missing from the metadata. | X | X | X | X | X |
+| ManagePreviewBuilds | Use to enable or disable preview builds. | X | X | X | X | X |
| PhoneUpdateRestrictions | Deprecated | | X | | | |
| [RequireDeferUpgrade](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-requiredeferupgrade) | Configure device to receive updates from Current Branch for Business (CBB). | X | X | X | X | X |
| [ScheduledInstallDay](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-scheduledinstallday) | Schedule the day for update installation. | X | X | X | X | X |
+| [ScheduledInstallEveryWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek) | To schedule update installation every week, set the value as `1`. | X | X | X | X | X |
+| [ScheduledInstallFirstWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfirstweek) | To schedule update installation the first week of the month, see the value as `1`. | X | X | X | X | X |
+| [ScheduledInstallFourthWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfourthweek) | To schedule update installation the fourth week of the month, see the value as `1`. | X | X | X | X | X |
+| [ScheduledInstallSecondWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek) | To schedule update installation the second week of the month, see the value as `1`. | X | X | X | X | X |
+| [ScheduledInstallThirdWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek) | To schedule update installation the third week of the month, see the value as `1`. | X | X | X | X | X |
| [ScheduledInstallTime](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-scheduledinstalltime) | Schedule the time for update installation. | X | X | X | X | X |
| [ScheduleImminentRestartWarning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-scheduleimminentrestartwarning) | Specify the period for auto-restart imminent warning notifications. | X | X | X | X | X ||
| [ScheduleRestartWarning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-schedulerestartwarning) | Specify the period for auto-restart warning reminder notifications. | X | X | X | X | X |
diff --git a/windows/configuration/wcd/wcd-textinput.md b/windows/configuration/wcd/wcd-textinput.md
new file mode 100644
index 0000000000..f6f910591d
--- /dev/null
+++ b/windows/configuration/wcd/wcd-textinput.md
@@ -0,0 +1,206 @@
+---
+title: TextInput (Windows 10)
+description: This section describes the TextInput settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+ms.localizationpriority: medium
+ms.author: jdecker
+ms.date: 10/17/2017
+---
+
+# TextInput (Windows Configuration Designer reference)
+
+Use TextInput settings to configure text intelligence and keyboard for mobile devices.
+
+## Applies to
+
+| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| Intelligence > DisablePredictions | | X | | | |
+| PreEnabledKeyboard | | X | | | |
+
+## Intelligence
+
+Set **DisablePredictions** to the locale or alternative input language that must have the text intelligence features disabled. For example, to disable text correction and suggestions for English (UK), set the value of **DisablePredictions** to `en-gb`.
+
+## PreEnabledKeyboard
+
+In addition to the automatically-enabled default keyboard, OEMs may choose to pre-enable more keyboards for a particular market.
+
+During phone bring-up, OEMs must set the boot locale, or default locale, for the phone. During first boot, Windows Phone reads the locale setting and automatically enables a default keyboard based on the locale to keyboard mapping table in Set languages and locales.
+
+The mapping works for almost all regions and additional customizations are not needed unless specified in the pre-enabled keyboard column in Set languages and locales. If an OEM chooses to pre-enable more keyboards for a particular market, they can do so by specifying the setting. Pre-enabled keyboards will automatically be enabled during boot. Microsoft recommends that partners limit the number of pre-enabled keyboards to those languages that correspond to the languages spoken within the market.
+
+
+PreEnabledKeyboard must be entered once for each keyboard you want to pre-enable. As shown below, the format to specify a particular keyboard must be: Locale code.Locale value. See the following table for more information on the locale codes and values that you can use. The setting Value must be set to 1 to enable the keyboard.
+
+The following table shows the values that you can use for the Locale code.Locale value part of the setting name.
+
+>[!NOTE]
+>The keyboards for some locales require additional language model files: am-ET, bn-IN, gu-IN, hi-IN, ja-JP, kn-IN, ko-KR, ml-IN, mr-IN, my-MM, or-IN, pa-IN, si-LK, ta-IN, te-IN, zh-TW, zh-CN, and zh-HK.
+
+
+Name | Locale code | Keyboard layout value
+--- | --- | ---
+Afrikaans (South Africa) | af-ZA | 1
+Albanian | sq-AL | 1
+Amharic | am-ET | 1
+Arabic | ar-SA | 1
+Armenian | hy-AM | 1
+Assamese - INSCRIPT | as-IN | 1
+Azerbaijani (Cyrillic) | az-Cyrl-AZ | 1
+Azerbaijani (Latin) | az-Latn-AZ | 1
+Bangla (Bangladesh) - 49 key | bn-BD | 1
+Bangla (India) - INSCRIPT |bn-IN|1
+Bangla (India) - Phonetic|bn-IN|2
+Bashkir|ba-RU|1
+Basque|eu-ES|1
+Belarusian|be-BY|1
+Bosnian (Cyrillic)|bs-Cyrl-BA|1
+Bosnian (Latin)|bs-Latn-BA|1
+Bulgarian|bg-BG|1
+Catalan|ca-ES|1
+Central Kurdish|ku-Arab-IQ|1
+Cherokee|chr-Cher-US|1
+Chinese Simplified QWERTY|zh-CN|1
+Chinese Simplified - 12-key|zh-CN|2
+Chinese Simplified - Handwriting|zh-CN|3
+Chinese Simplified - Stroke|zh-CN|4
+Chinese Traditional (Hong Kong SAR) - Cangjie|zh-HK|1
+Chinese Traditional (Hong Kong SAR) - Quick|zh-HK|2
+Chinese Traditional (Hong Kong SAR) - Stroke|zh-HK|3
+Chinese Traditional (Taiwan) - BoPoMoFo|zh-TW|1
+Chinese Traditional (Taiwan) - Handwriting|zh-TW|2
+Croatian|hr-HR|1
+Czech|cs-CZ|1
+Danish|da-DK|1
+Divehi|dv-MV|1
+Dutch (Belgium)|nl-BE|1
+Dutch (Netherlands)|nl-NL|1
+Dzongkha|dz-BT|1
+English (Australia)|en-AU|1
+English (Canada)|en-CA|1
+English (India)|en-IN|1
+English (Ireland)|en-IE|1
+English (United Kingdom)|en-GB|1
+English (United States)|en-US|1
+Estonian|et-EE|1
+Faroese|fo-FO|1
+Filipino|fil-PH|1
+Finnish|fi-FI|1
+French (Belgium)|fr-BE|1
+French (Canada)|fr-CA|1
+French (France)|fr-FR|1
+French (Switzerland)|fr-CH|1
+Galician|gl-ES|1
+Georgian|ka-GE|1
+German (Germany)|de-DE|1
+German (Switzerland)|de-CH|1
+Greek|el-GR|1
+Greenlandic|kl-GL|1
+Guarani|gn-PY|1
+Gujarati - INSCRIPT|gu-IN|1
+Gujarati - Phonetic|gu-IN|2
+Hausa|ha-Latn-NG|1
+Hebrew|he-IL|1
+Hindi - 37-key|hi-IN|1
+Hindi - INSCRIPT|hi-IN|3
+Hindi - Phonetic|hi-IN|2
+Hinglish|hi-Latn|1
+Hungarian|hu-HU|1
+Icelandic|is-IS|1
+Igbo|ig-NG|1
+Indonesian|id-ID|1
+Inuktitut - Latin|iu-Latn-CA|1
+Irish|ga-IE|1
+Italian|it-IT|1
+Japanese - 12-key|ja-JP|1
+Japanese - QWERTY|ja-JP|2
+Kannada - INSCRIPT|kn-IN|1
+Kannada - Phonetic|kn-IN|2
+Kazakh|kk-KZ|1
+Khmer|km-KH|1
+Kinyarwanda|rw-RW|1
+Kiswahili|sw-KE|1
+Konkani|kok-IN|1
+Korean - 12-key Chunjiin|ko-KR|2
+Korean - 12-key Naratgeul|ko-KR|3
+Korean - 12-key Sky|ko-KR|4
+Korean - QWERTY|ko-KR|1
+Kyrgyz|ky-KG|1
+Lao|lo-LA|1
+Latvian|lv-LV|1
+Lithuanian|lt-LT|1
+Luxembourgish|lb-LU|1
+Macedonian|mk-MK|1
+Malay (Brunei Darussalam)|ms-BN|1
+Malay (Malaysia)|ms-MY|1
+Malayalam - INSCRIPT|ml-IN|1
+Malayalam - Phonetic|ml-IN|2
+Maltese|mt-MT|1
+Maori|mi-NZ|1
+Marathi - INSCRIPT|mr-IN|1
+Marathi - Phonetic|mr-IN|2
+Mongolian - Cyrillic|mn-MN|1
+Mongolian - Traditional Mongolian|mn-Mong-CN|1
+Myanmar|my-MM|1
+Nepali|ne-NP|1
+Norwegian - Bokmal|nb-NO|1
+Norwegian - Nynorsk|ny-NO|1
+Odia - INSCRIPT|or-IN|1
+Odia - Phonetic|or-IN|2
+Pashto|ps-AF|1
+Persian|fa-IR|1
+Polish|pl-PL|1
+Portuguese (Brazil)|pt-BR|1
+Portuguese (Portugal)|pt-PT|1
+Punjabi - INSCRIPT|pa-IN|1
+Punjabi - Phonetic|pa-IN|2
+Romanian|ro-RO|1
+Romansh|rm-CH|1
+Russian|ru-RU|1
+Sakha|sah-RU|1
+Sami, Northern (Norway)|se-NO|1
+Sami, Northern (Sweden)|se-NO|1
+Scottish Gaelic|gd-GB|1
+Serbian - Cyrillic|sr-Cyrl-RS|1
+Serbian - Latin|sr-Latn-RS|1
+Sesotho sa Leboa|nso-ZA|1
+Setswana|tn-ZA|1
+Sinhala|si-LK|1
+Slovak|sk-SK|1
+Slovenian|sl-SI|1
+Sorbian, Upper|hsb-DE|1
+Spanish (Mexico)|es-MX|1
+Spanish (Spain)|es-ES|1
+Swedish|sv-SE|1
+Syriac|syr-SY|1
+Tajik|tg-Cyrl-TJ|1
+Tamazight (Central Atlas) - Tifinagh|tzm-Tfng-MA|1
+Tamazight (Central Atlas) - Latin|tzm-Latn-DZ|1
+Tamil - INSCRIPT|ta-IN|1
+Tamil - Phonetic|ta-IN|2
+Tatar|tt-RU|1
+Telugu - INSCRIPT|te-IN|1
+Telugu - Phonetic|te-IN|2
+Thai|th-TH|1
+Tibetan|bo-CN|1
+Turkish|tr-TR|1
+Turkmen|tk-TM|1
+Ukrainian|uk-UA|1
+Urdu|ur-PK|1
+Uyghur|ug-CN|1
+Uzbek - Cyrillic|uz-Cyrl-UZ|1
+Uzbek - Latin|uz-Latn-UZ|1
+Valencian|ca-ES-valencia|1
+Vietnamese - QWERTY|vi-VN|1
+Vietnamese - TELEX|vi-VN|2
+Vietnamese - VNI|vi-VN|3
+Welsh|cy-GB|1
+Wolof|N/A|1
+Xhosa|xh-ZA|1
+Yoruba|yo-NG|1
+Zulu|zu-ZA|1
+
diff --git a/windows/configuration/wcd/wcd-universalappinstall.md b/windows/configuration/wcd/wcd-universalappinstall.md
index 50f88c2fdc..e5fde4a704 100644
--- a/windows/configuration/wcd/wcd-universalappinstall.md
+++ b/windows/configuration/wcd/wcd-universalappinstall.md
@@ -7,7 +7,7 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# UniversalAppInstall (reference)
@@ -24,6 +24,7 @@ Use UniversalAppInstall settings to install Windows apps from the Microsoft Stor
| --- | :---: | :---: | :---: | :---: | :---: |
| [DeviceContextApp](#devicecontextapp) | X | | X | | |
| [DeviceContextAppLicense](#devicecontextapplicense) | X | | X | | |
+| [StoreInstall](#storeinstall) | X | X | X | X | X |
| [UserContextApp](#usercontextapp) | X | X | X | X | X |
| [UserContextAppLicense](#usercontextapplicense) | X | X | X | X | X |
@@ -55,6 +56,19 @@ Use to specify the license file for the provisioned app.
2. Select the LicenseProductId in the Available Customizations pane, and then browse to and select the app license file.
+## StoreInstall
+
+Use to install an app from the Microsoft Store for Business.
+
+1. Enter a package family name, and then click **Add**.
+2. Configure the following required settings for the app package.
+
+Setting | Description
+--- | ---
+Flags | Description not available at this time.
+ProductID | Enter the product ID. [Learn how to find the product ID.](https://docs.microsoft.com/microsoft-store/microsoft-store-for-business-education-powershell-module#view-items-in-products-and-services)
+SkuID | Enter the SKU ID. [Learn how to find the SKU ID.](https://docs.microsoft.com/microsoft-store/microsoft-store-for-business-education-powershell-module#view-items-in-products-and-services)
+
## UserContextApp
Use to add a new user context app.
diff --git a/windows/configuration/wcd/wcd-universalappuninstall.md b/windows/configuration/wcd/wcd-universalappuninstall.md
index 70cd723052..3c2049687f 100644
--- a/windows/configuration/wcd/wcd-universalappuninstall.md
+++ b/windows/configuration/wcd/wcd-universalappuninstall.md
@@ -7,7 +7,7 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# UniversalAppUninstall (reference)
diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md
index 080f9e469f..c5ab2a15e7 100644
--- a/windows/configuration/wcd/wcd.md
+++ b/windows/configuration/wcd/wcd.md
@@ -7,7 +7,7 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# Windows Configuration Designer provisioning settings (reference)
@@ -20,11 +20,13 @@ This section describes the settings that you can configure in [provisioning pack
| --- | :---: | :---: | :---: | :---: | :---: |
| [Accounts](wcd-accounts.md) | X | X | X | X | X |
| [ADMXIngestion](wcd-admxingestion.md) | X | | | | |
-| [ApplicationManagement](wcd-applicationmanagement.md) | X | X | X | X | X |
-| [AssignedAccess](wcd-assignedaccess.md) | X | X | | X | |
+| [ApplicationManagement](wcd-applicationmanagement.md) | | | | | X |
+| [AssignedAccess](wcd-assignedaccess.md) | X | | | X | |
| [AutomaticTime](wcd-automatictime.md) | | X | | | |
| [Browser](wcd-browser.md) | X | X | X | X | |
| [CallAndMessagingEnhancement](wcd-callandmessagingenhancement.md) | | X | | | |
+| [Calling](wcd-calling.md) | | X | | | |
+| [CellCore](wcd-cellcore.md) | X | X | | | |
| [Cellular](wcd-cellular.md) | X | | | | |
| [Certificates](wcd-certificates.md) | X | X | X | X | X |
| [CleanPC](wcd-cleanpc.md) | X | | | | |
@@ -34,6 +36,7 @@ This section describes the settings that you can configure in [provisioning pack
| [DesktopBackgroundAndColors](wcd-desktopbackgroundandcolors.md) | X | | | | |
| [DeveloperSetup](wcd-developersetup.md) | | | | X | |
| [DeviceFormFactor](wcd-deviceformfactor.md) | X | X | X | X | |
+| [DeviceInfo](wcd-deviceinfo.md) | | X | | | |
| [DeviceManagement](wcd-devicemanagement.md) | X | X | X | X | |
| [DMClient](wcd-dmclient.md) | X | X | X | X | X |
| [EditionUpgrade](wcd-editionupgrade.md) | X | X | X | X | |
@@ -41,6 +44,7 @@ This section describes the settings that you can configure in [provisioning pack
| [FirewallConfiguration](wcd-firewallconfiguration.md) | | | | | X |
| [FirstExperience](wcd-firstexperience.md) | | | | X | |
| [Folders](wcd-folders.md) |X | X | X | X | |
+| [HotSpot](wcd-hotspot.md) | X | X | X | X | X |
| [InitialSetup](wcd-initialsetup.md) | | X | | | |
| [InternetExplorer](wcd-internetexplorer.md) | | X | | | |
| [Licensing](wcd-licensing.md) | X | | | | |
@@ -65,6 +69,7 @@ This section describes the settings that you can configure in [provisioning pack
| [SurfaceHubManagement](wcd-surfacehubmanagement.md) | | | X | | |
| [TabletMode](wcd-tabletmode.md) |X | X | X | X | |
| [TakeATest](wcd-takeatest.md) | X | | | | |
+| [TextInput](wcd-textinput.md) | | X | | | |
| [Theme](wcd-theme.md) | | X | | | |
| [UnifiedWriteFilter](wcd-unifiedwritefilter.md) | X | | | | |
| [UniversalAppInstall](wcd-universalappinstall.md) | X | X | X | X | X |
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index 5055de6869..807a840ec7 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -213,7 +213,7 @@
#### [Configure Windows Update for Business](update/waas-configure-wufb.md)
#### [Integrate Windows Update for Business with management solutions](update/waas-integrate-wufb.md)
#### [Walkthrough: use Group Policy to configure Windows Update for Business](update/waas-wufb-group-policy.md)
-#### [Walkthrough: use Intune to configure Windows Update for Business](update/waas-wufb-intune.md)
+#### [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
### [Deploy Windows 10 updates using Windows Server Update Services](update/waas-manage-updates-wsus.md)
### [Deploy Windows 10 updates using System Center Configuration Manager](update/waas-manage-updates-configuration-manager.md)
### [Manage device restarts after updates](update/waas-restart.md)
@@ -240,6 +240,11 @@
### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md)
#### [Get started with Update Compliance](update/update-compliance-get-started.md)
#### [Use Update Compliance](update/update-compliance-using.md)
+##### [Need Attention! report](update/update-compliance-need-attention.md)
+##### [Security Update Status report](update/update-compliance-security-update-status.md)
+##### [Feature Update Status report](update/update-compliance-feature-update-status.md)
+##### [Windows Defender AV Status report](update/update-compliance-wd-av-status.md)
+##### [Update Compliance Perspectives](update/update-compliance-perspectives.md)
### [Device Health](update/device-health-monitor.md)
#### [Get started with Device Health](update/device-health-get-started.md)
#### [Using Device Health](update/device-health-using.md)
diff --git a/windows/deployment/update/images/uc-10.png b/windows/deployment/update/images/uc-10.png
index 3ab72d10d2..ea065590b9 100644
Binary files a/windows/deployment/update/images/uc-10.png and b/windows/deployment/update/images/uc-10.png differ
diff --git a/windows/deployment/update/images/uc-emptyworkspacetile.PNG b/windows/deployment/update/images/uc-emptyworkspacetile.PNG
new file mode 100644
index 0000000000..24c37d4279
Binary files /dev/null and b/windows/deployment/update/images/uc-emptyworkspacetile.PNG differ
diff --git a/windows/deployment/update/images/uc-featureupdatestatus.PNG b/windows/deployment/update/images/uc-featureupdatestatus.PNG
new file mode 100644
index 0000000000..ae6a38502f
Binary files /dev/null and b/windows/deployment/update/images/uc-featureupdatestatus.PNG differ
diff --git a/windows/deployment/update/images/uc-filledworkspacetile.PNG b/windows/deployment/update/images/uc-filledworkspacetile.PNG
new file mode 100644
index 0000000000..5bce136cd1
Binary files /dev/null and b/windows/deployment/update/images/uc-filledworkspacetile.PNG differ
diff --git a/windows/deployment/update/images/uc-filledworkspaceview.PNG b/windows/deployment/update/images/uc-filledworkspaceview.PNG
new file mode 100644
index 0000000000..7456db62c0
Binary files /dev/null and b/windows/deployment/update/images/uc-filledworkspaceview.PNG differ
diff --git a/windows/deployment/update/images/uc-needattentionoverview.PNG b/windows/deployment/update/images/uc-needattentionoverview.PNG
new file mode 100644
index 0000000000..50b6d04699
Binary files /dev/null and b/windows/deployment/update/images/uc-needattentionoverview.PNG differ
diff --git a/windows/deployment/update/images/uc-overviewblade.PNG b/windows/deployment/update/images/uc-overviewblade.PNG
new file mode 100644
index 0000000000..dca364daf6
Binary files /dev/null and b/windows/deployment/update/images/uc-overviewblade.PNG differ
diff --git a/windows/deployment/update/images/uc-perspectiveupdatedeploymentstatus.png b/windows/deployment/update/images/uc-perspectiveupdatedeploymentstatus.png
new file mode 100644
index 0000000000..f52087a4a7
Binary files /dev/null and b/windows/deployment/update/images/uc-perspectiveupdatedeploymentstatus.png differ
diff --git a/windows/deployment/update/images/uc-securityupdatestatus.PNG b/windows/deployment/update/images/uc-securityupdatestatus.PNG
new file mode 100644
index 0000000000..776df89dc3
Binary files /dev/null and b/windows/deployment/update/images/uc-securityupdatestatus.PNG differ
diff --git a/windows/deployment/update/images/uc-windowsdefenderavstatus.PNG b/windows/deployment/update/images/uc-windowsdefenderavstatus.PNG
new file mode 100644
index 0000000000..e3f6990348
Binary files /dev/null and b/windows/deployment/update/images/uc-windowsdefenderavstatus.PNG differ
diff --git a/windows/deployment/update/images/waas-wipfb-policy1.png b/windows/deployment/update/images/waas-wipfb-policy1.png
new file mode 100644
index 0000000000..1fc89ecd2f
Binary files /dev/null and b/windows/deployment/update/images/waas-wipfb-policy1.png differ
diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md
new file mode 100644
index 0000000000..f24384cba3
--- /dev/null
+++ b/windows/deployment/update/update-compliance-feature-update-status.md
@@ -0,0 +1,28 @@
+---
+title: Update Compliance - Feature Update Status report
+description: an overview of the Feature Update Status report
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: DaniHalfin
+ms.author: daniha
+ms.date: 10/17/2017
+---
+
+# Feature Update Status
+
+
+
+The Feature Update Status section provides information about the status of [feature updates](waas-quick-start.md#definitions) across all devices. This section tile in the [Overview Blade](update-compliance-using.md#overview-blade) gives a percentage of devices that are on the latest applicable feature update; [Servicing Channel](waas-overview.md#servicing-channels) is considered in determining applicability. Within this section three **Deployment Status** tiles make up a blade, each charged with tracking the deployment for a different Servicing Channel.
+
+To effectively track deployment, **Deployment Status Blades** are divided into each Servicing Channel chosen for the device. This is because Deployment for each channel will happen at different periods in time and feature updates are targeted separately for each channel. Within each Deployment Status tile, devices are aggregated on their feature update distribution, and the columns list the states each device is in.
+
+Refer to the following list for what each state means:
+* **Installed** devices are devices that have completed installation for the given update.
+* When a device is counted as **In Progress**, it has begun the feature update installation.
+* Devices that are **scheduled next 7 days** are all devices that were deferred from installing the Feature update using [Windows Update for Business Settings](waas-manage-updates-wufb.md) and are set to begin installation in the next 7 days.
+* Devices that have failed the given feature update installation are counted as **Update failed**.
+* If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. Devices not using Windows Update are the most likely devices to fall into this category.
+
+Clicking on any row will navigate to the query relevant to that feature update. These queries are attached to [Perspectives](update-compliance-perspectives.md) that contain detailed deployment data for that update.
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index 8e3da008da..41369d98ef 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -6,7 +6,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
-author: jaimeo
+author: DaniHalfin
+ms.author: daniha
+ms.date: 10/17/2017
---
# Get started with Update Compliance
@@ -14,9 +16,9 @@ author: jaimeo
This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance.
Steps are provided in sections that follow the recommended setup process:
-1. Ensure that [prerequisites](#update-compliance-prerequisites) are met.
-2. [Add Update Compliance](#add-update-compliance-to-microsoft-operations-management-suite) to Microsoft Operations Management Suite.
-3. [Deploy your Commercial ID](#deploy-your-commercial-id-to-your-windows-10-devices) to your organization’s devices.
+1. Ensure that [prerequisites](#update-compliance-prerequisites) are met.
+2. [Add Update Compliance](#add-update-compliance-to-microsoft-operations-management-suite) to Microsoft Operations Management Suite.
+3. [Deploy your Commercial ID](#deploy-your-commercial-id-to-your-windows-10-devices) to your organization’s devices.
## Update Compliance prerequisites
@@ -34,7 +36,7 @@ Update Compliance has the following requirements:
4. To use Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a 3rd party AV program), and must have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Troublehsoot Windows Defender Antivirus reporting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md) topic for help on ensuring the configuration is correct.
- For endpoints running Windows 10, version 1607 or earlier, [Windows telemetry must also be set to **Enhanced**](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-telemetry-in-your-organization#enhanced-level).
+ For endpoints running Windows 10, version 1607 or earlier, [Windows telemetry must also be set to **Enhanced**](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-telemetry-in-your-organization#enhanced-level), to be compatible with Windows Defender Antivirus.
See the [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) content library for more information on enabling, configuring, and validating Windows Defender AV.
@@ -43,63 +45,37 @@ Update Compliance has the following requirements:
Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
-If you are already using OMS, you’ll find Update Compliance in the Solutions Gallery. Select the **Update Compliance** tile in the gallery and then click **Add** on the solution's details page. Update Compliance is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Device Health](device-health-monitor.md) solutions as well, if you haven't already.
+If you are already using OMS, skip to step **6** to add Update Compliance to your workspace.
If you are not yet using OMS, use the following steps to subscribe to OMS Update Compliance:
-1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**.
-
-
- [](images/uc-02.png)
-
-
-2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
-
-
- [](images/uc-03.png)
-
-
-3. Create a new OMS workspace.
-
-
- [](images/uc-04.png)
-
-4. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Click **Create**.
-
-
- [](images/uc-05.png)
-
-
-5. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. If you do not yet have an Azure subscription, follow [this guide](https://blogs.technet.microsoft.com/upgradeanalytics/2016/11/08/linking-operations-management-suite-workspaces-to-microsoft-azure/) to create and link an Azure subscription to an OMS workspace.
-
-
- [](images/uc-06.png)
-
-
-6. To add the Update Compliance solution to your workspace, go to the Solutions Gallery. While you have this dialog open, you should also consider adding the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Device Health](device-health-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions.
-
-
- [](images/uc-07.png)
-
-
-7. Select the **Update Compliance** tile in the gallery and then select **Add** on the solution’s details page. You might need to scroll to find **Update Compliance**. The solution is now visible in your workspace.
-
-
- [](images/uc-08.png)
-
-
-8. Click the **Update Compliance** tile to configure the solution. The **Settings Dashboard** opens.
-
-
- [](images/uc-09.png)
-
-
-9. Click **Subscribe** to subscribe to OMS Update Compliance. You will then need to distribute your Commercial ID across all your organization’s devices. More information on the Commercial ID is provided below.
-
-
- [](images/uc-10.png)
-
-
+1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**.
+ 
+
+2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
+ 
+
+3. Create a new OMS workspace.
+ 
+
+4. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Click **Create**.
+ ](images/uc-05.png)
+
+5. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. If you do not yet have an Azure subscription, follow [this guide](https://blogs.technet.microsoft.com/upgradeanalytics/2016/11/08/linking-operations-management-suite-workspaces-to-microsoft-azure/) to create and link an Azure subscription to an OMS workspace.
+ 
+
+6. To add the Update Compliance solution to your workspace, go to the Solutions Gallery. While you have this dialog open, you should also consider adding the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Device Health](device-health-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions.
+ 
+
+7. Select the **Update Compliance** tile in the gallery and then select **Add** on the solution’s details page. You might need to scroll to find **Update Compliance**. The solution is now visible in your workspace.
+ 
+
+8. Click the **Update Compliance** tile to configure the solution. The **Settings Dashboard** opens.
+ 
+
+9. Click **Subscribe** to subscribe to OMS Update Compliance. You will then need to distribute your Commercial ID across all your organization’s devices. More information on the Commercial ID is provided below.
+ 
+
After you are subscribed to OMS Update Compliance and your devices have a Commercial ID, you will begin receiving data. It will typically take 24 hours for the first data to begin appearing. The following section explains how to deploy your Commercial ID to your Windows 10 devices.
>[!NOTE]
diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md
index 2619584ebd..95e64fcee6 100644
--- a/windows/deployment/update/update-compliance-monitor.md
+++ b/windows/deployment/update/update-compliance-monitor.md
@@ -6,7 +6,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
-author: greg-lindsay
+author: DaniHalfin
+ms.author: daniha
+ms.date: 10/17/2017
---
# Monitor Windows Updates and Windows Defender Antivirus with Update Compliance
@@ -15,7 +17,7 @@ author: greg-lindsay
With Windows 10, organizations need to change the way they approach monitoring and deploying updates. Update Compliance is a powerful set of tools that enable organizations to monitor and track all important aspects of the new servicing strategy from Microsoft: [Windows as a Service](waas-overview.md).
-Update Compliance is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service which has a flexible servicing subscription based off data usage/retention. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
+Update Compliance is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service which has a flexible servicing subscription based off data usage/retention. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/documentation/articles/operations-management-suite-overview/).
Update Compliance uses the Windows telemetry that is part of all Windows 10 devices. It collects system data including update installation progress, Windows Update for Business (WUfB) configuration data, Windows Defender Antivirus data, and other update-specific information, and then sends this data privately to a secure cloud to be stored for analysis and usage within the solution.
@@ -52,7 +54,7 @@ These steps are illustrated in following diagram:
>[!NOTE]
->This process assumes that Windows telemetry is enabled and you [have assigned your Commercial ID to devices](update-compliance-get-started#deploy-your-commercial-id-to-your-windows-10-devices.
+>This process assumes that Windows telemetry is enabled and you [have assigned your Commercial ID to devices](update-compliance-get-started.md#deploy-your-commercial-id-to-your-windows-10-devices).
diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md
new file mode 100644
index 0000000000..5aefff3779
--- /dev/null
+++ b/windows/deployment/update/update-compliance-need-attention.md
@@ -0,0 +1,38 @@
+---
+title: Update Compliance - Need Attention! report
+description: an overview of the Update Compliance Need Attention! report
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: DaniHalfin
+ms.author: daniha
+ms.date: 10/17/2017
+---
+
+# Need Attention!
+
+
+
+The “Need Attention!” section provides a breakdown of all device issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade is shown within this section that contains queries that provide values but do not fit within any other main section.
+
+>[!NOTE]
+>The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers may not add up.
+
+The different issues are broken down by Device Issues and Update Issues, which are iterated below:
+
+## Device Issues
+
+* **Missing multiple security updates:** This issue occurs when a device is behind by two or more security updates. These devices may be more vulnerable and should be investigated and updated.
+* **Out of support OS Version:** This issue occurs when a device has fallen out of support due to the version of Windows 10 it is running. When a device has fallen out of support, it will no longer be serviced, and may be vulnerable. These devices should be updated to a supported version of Windows 10.
+
+## Update Issues
+
+* **Failed:** This issue occurs when an error halts the process of downloading and applying an update on a device. Some of these errors may be transient, but should be investigated further to be sure.
+* **Progress stalled:** This issue occurs when an update is in progress, but has not completed over a period of 10 days.
+
+Clicking on any of the issues will navigate you to the Log Search view with all devices that have the given issue.
+
+## List of Queries
+
+The List of Queries blade resides within the “Need Attention!” section of Update Compliance. This blade contains a list of queries with a description and a link to the query. These queries contain important meta-information that did not fit within any specific section or were listed to serve as a good starting point for modification into custom queries.
\ No newline at end of file
diff --git a/windows/deployment/update/update-compliance-perspectives.md b/windows/deployment/update/update-compliance-perspectives.md
new file mode 100644
index 0000000000..f039195996
--- /dev/null
+++ b/windows/deployment/update/update-compliance-perspectives.md
@@ -0,0 +1,56 @@
+---
+title: Update Compliance - Perspectives
+description: an overview of Update Compliance Perspectives
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: DaniHalfin
+ms.author: daniha
+ms.date: 10/17/2017
+---
+
+# Perspectives
+
+
+
+Perspectives are elaborations on specific queries hand-crafted by developers which data views that provide deeper insight into your data. Perspectives are loaded whenever clicking into more detailed views from both the Security Update Status section and Feature Update Status section of Update Compliance.
+
+There is only one perspective framework; it is for **Update Deployment Status**. The same framework is utilized for both feature and quality updates.
+
+The first blade is the **Build Summary** blade. This blade summarizes the most important aspects of the given build being queried, listing the total number of devices, the total number of update failures for the build, and a breakdown of the different errors encountered.
+
+The second blade is the **Deferral Configurations** blade, breaking down Windows Update for Business deferral settings (if any).
+
+The third blade is the **Deployment Status** blade. This defines how many days it has been since the queried version has been released, and breaks down the various states in the update funnel each device has reported to be in. The possible states are as follows:
+
+| State | Description |
+| --- | --- |
+| Update Completed | When a device has finished the update process and is on the queried update, it will display here as Update completed. |
+| In Progress | Devices that report they are “In Progress” are one of the various stages of installing an update; these stages are reported in the Detailed Deployment Status blade. |
+| Deferred | When a device’s Windows Update for Business deferral policy dictates that the update is not yet applicable due to deferral, it will report as such in this blade. |
+| Progress stalled | Devices that report as “Progress stalled” have been stuck at “In progress” for more than 7 days. |
+| Cancelled | The update was cancelled. |
+| Blocked | There is a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update. |
+| Unknown | Devices that do not report detailed information on the status of their updates will report Unknown. This is most likely devices that do not use Windows Update for deployment. |
+| Update paused | These devices have Windows Update for Business pause enabled, preventing this update from being installed. |
+
+The final blade is the **Detailed Deployment Status** blade. This blade breaks down the detailed stage of deployment a device is in, beyond the generalized terms defined in Deployment Status. The following are the possible stages a device can report:
+
+| State | Description |
+| --- | --- |
+| Update deferred | When a device’s Windows Update for Business policy dictates the update is deferred. |
+| Update paused | The device’s Windows Update for Business policy dictates the update is paused from being offered. |
+| Update offered | The device has been offered the update, but has not begun downloading it. |
+| Pre-Download tasks passed | The device has finished all necessary tasks prior to downloading the update. |
+| Download Started | The update has begun downloading on the device. |
+| Download Succeeded | The update has successfully completed downloading. |
+| Pre-Install Tasks Passed | Tasks that must be completed prior to installing the update have been completed. |
+| Install Started | Installation of the update has begun. |
+| Reboot Required | The device has finished installing the update, and a reboot is required before the update can be completed.
+| Reboot Pending | The device has a scheduled reboot to apply the update. |
+| Reboot Initiated | The scheduled reboot has been initiated. |
+| Update Completed/Commit | The update has successfully installed. |
+
+>[!NOTE]
+>Interacting with any rows in the perspective view will automatically apply the given value to the query and execute it with the new parameter, narrowing the perspective to devices that satisfy that criteria. For example, clicking “Not configured (-1)” devices in Deferral Configurations will filter the query to only contain devices that do not have a deferral configuration. These filters can also be applied to queries via the filter sidebar.
diff --git a/windows/deployment/update/update-compliance-security-update-status.md b/windows/deployment/update/update-compliance-security-update-status.md
new file mode 100644
index 0000000000..b361f73d30
--- /dev/null
+++ b/windows/deployment/update/update-compliance-security-update-status.md
@@ -0,0 +1,32 @@
+---
+title: Update Compliance - Security Update Status report
+description: an overview of the Security Update Status report
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: DaniHalfin
+ms.author: daniha
+ms.date: 10/17/2017
+---
+
+# Security Update Status
+
+
+
+The Security Update Status section provides information about [quality updates](waas-quick-start.md#definitions) across all devices. The section tile within the O[verview Blade](update-compliance-using.md#overview-blade) lists the percentage of devices on the latest security update to provide the most essential data without needing to navigate into the section. However, within the section the Overall Quality Update Status blade also considers whether devices are up-to-date on non-security updates.
+
+>[!NOTE]
+>It is possible for the percentage of devices on the latest security update to differ from devices that are up-to-date on all quality updates. This is because some devices may have non-security updates that are applicable to them.
+
+The **Overall Quality Update Status** blade provides a visualization of devices that are and are not up-to-date on the latest quality updates (not just security updates). Below the visualization are all devices further broken down by OS Version and a count of how many are up-to-date and not up-to-date. Within the “Not up-to-date” column, the count of update failures is also given.
+
+The **Latest Security Update Status** and **Previous Security Update Status** tiles are stacked to form one blade. The **Latest Security Update Status** provides a visualization of the different deployment states devices are in regarding the latest update for each build (or version) of Windows 10, along with the revision of that update. The **Previous Security Update Status** blade provides the same information without the accompanying visualization.
+
+What follows is a breakdown of the different deployment states reported by devices:
+* **Installed** devices are devices that have completed installation for the given update.
+* When a device is counted as **In Progress or Deferred**, it has either begun the installation process for the given update or has been intentionally deferred or paused using WU for Business Settings.
+* Devices that have **Update Failed**, failed updating at some point during the installation process of the given security update.
+* If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. Devices not using Windows Update are the most likely devices to fall into this category.
+
+The rows of each tile in this section are interactive; clicking on them will navigate you to the query that is representative of that row and section. These queries are also attached to [Perspectives](update-compliance-perspectives.md) with detailed deployment data for that update.
\ No newline at end of file
diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md
index a49a7adb06..07e1970441 100644
--- a/windows/deployment/update/update-compliance-using.md
+++ b/windows/deployment/update/update-compliance-using.md
@@ -5,12 +5,14 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
-author: greg-lindsay
+author: DaniHalfin
+ms.author: daniha
+ms.date: 10/17/2017
---
-# Use Update Compliance to monitor Windows Updates
+# Use Update Compliance
-This section describes how to use Update Compliance to monitor Windows Updates and troubleshoot update failures on your network.
+In this section you'll learn how to use Update Compliance to monitor your device's Windows updates and Windows Defender Antivirus status. To configure your environment for use with Update Compliance, refer to [Get started with Update Compliance](update-compliance-get-started.md).
Update Compliance:
@@ -18,469 +20,60 @@ Update Compliance:
- Enables you to maintain a high-level perspective on the progress and status of updates across all devices.
- Provides a workflow that can be used to quickly identify which devices require attention.
- Enables you to track deployment compliance targets for updates.
+- Summarizes Windows Defender Antivirus status for devices that use it.
>[!NOTE]
>Information is refreshed daily so that update progress can be monitored. Changes will be displayed about 24 hours after their occurrence, so you always have a recent snapshot of your devices.
-In OMS, the aspects of a solution's dashboard are usually divided into blades. Blades are a slice of information, typically with a summarization tile and an enumeration of the items that makes up that data. All data is presented through queries. Perspectives are also possible, wherein a given query has a unique view designed to display custom data. The terminology of blades, tiles, and perspectives will be used in the sections that follow.
+In Update Compliance, data is separated into vertically-sliced sections. Each section is referred to as a blade. Within a blade, there may or may not be multiple tiles, which serve to represent the data in different ways. Blades are summarized by their title in the upper-left corner above it. Every number displayed in OMS is the direct result of one or more queries. Clicking on data in blades will often navigate you to the query view, with the query used to produce that data. Some of these queries have perspectives attached to them; when a perspective is present, an additional tab will load in the query view. These additional tabs provide blades containing more information relevant to the results of the query.
-Update Compliance has the following primary blades:
+## The Update Compliance Tile
+After Update Compliance has successfully been added from the solution gallery, you’ll see this tile:
+
-1. [OS Update Overview](#os-update-overview)
-2. [Overall Quality Update Status](#overall-quality-update-status)
-3. [Latest and Previous Security Update Status](#latest-and-previous-security-update-status)
-4. [Overall Feature Update Status](#overall-feature-update-status)
-5. [CB, CBB, LTSB Deployment Status](#cb-cbb-ltsb-deployment-status)
-6. [Windows Defender Antivirus Assessment](#wdav-assessment)
-7. [List of Queries](#list-of-queries)
+When the solution is added, data is not immediately available. Data will begin to be collected after data is sent up that is associated with the Commercial ID associated with the device. If you haven’t read about assigning your Commercial ID to your devices, refer to [this topic](update-compliance-get-started.md#deploy-your-commercial-id-to-your-windows-10-devices). After Microsoft has collected and processed any device data associated with your Commercial ID, the tile will be replaced with the following summary:
+
-## OS Update Overview
+The summary details the total number of devices that Microsoft has received data from with your Commercial ID. It also provides the number of devices that need attention if any. Finally, it details the last point at which your Update Compliance workspace was updated.
-The first blade of OMS Update Compliance is the General **OS Update Overview** blade:
+## The Update Compliance Workspace
-
+
+Upon clicking the tile, you will be redirected to the Update Compliance workspace. The workspace is organized with the Overview Blade providing a hub from which to navigate to different reports of your device’s data.
+### Overview Blade
-This blade is divided into three sections:
-- Device Summary:
-- Needs Attention Summary
-- Update Status Summary
+
-The **Device Summary** displays the total number of devices in your organization. These devices have the commercial ID configured, telemetry enabled, and have sent telemetry to Microsoft within the last 28 days. The tile also shows the devices that Need Attention.
+Update Compliance’s overview blade provides a summarization of all the data Update Compliance focuses on. It functions as a hub from which different sections can be navigated to. The total number of devices detected by Update Compliance are counted within the title of this blade. What follows is a distribution for all devices as to whether they are up to date on:
+* Quality updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows 10.
+* Feature updates: A device is up to date on feature updates whenever it has the latest applicable feature update installed. Update Compliance considers [Servicing Channel](waas-overview.md#servicing-channels) when determining update applicability.
+* AV Signature: A device is up to date on Antivirus Signature when the latest Windows Defender Signatures have been downloaded. This distribution only considers devices that are running Windows Defender Antivirus.
+The blade also provides the time at which your Update Compliance workspace was refreshed.
-The **Needs Attention Summary** summarizes devices that require action on your part. There are multiple reasons why a device might need attention, and these reasons are categorized and summarized in the tile. You can view details about devices that are categorized as Needs Attention using a table view. The following **Needs Attention** states are defined:
+Below the “Last Updated” time, a list of the different sections follows that can be clicked on to view more information, they are:
+* [Need Attention!](update-compliance-need-attention.md) - This section is the default section when arriving to your Update Compliance workspace. It counts the number of devices encountering issues and need attention; clicking into this provides blades that summarize the different issues that devices are encountering, and provides a List of Queries that Microsoft finds useful.
+* [Security Update Status](update-compliance-security-update-status.md) - This section lists the percentage of devices that are on the latest security update released for the version of Windows 10 it is running. Clicking into this section provides blades that summarize the overall status of Quality updates across all devices; including deployment.
+* [Feature Update Status](update-compliance-feature-update-status.md) - This section lists the percentage of devices that are on the latest feature update that is applicable to a given device. Clicking into this section provides blades that summarize the overall feature update status across all devices, with an emphasis on deployment progress.
+* [Windows Defender AV Status](update-compliance-wd-av-status.md) - This section lists the percentage of devices running Windows Defender Antivirus that are not sufficiently protected. Clicking into this section provides a summary of signature and threat status across all devices that are running Windows Defender Antivirus. This section is not applicable to devices not running Windows Defender Antivirus.
+Use [Perspectives](update-compliance-perspectives.md) for data views that provide deeper insight into your data.
-
-
Needs Attention
Definition
-
Out of Support
Total number of devices that are no longer receiving servicing updates
-
Update failed
When a device has reported a failure at some stage in its update deployment process, it will report that the Update Failed. You can click on this to see the full set of devices with more details about the stage at which a failure was reported, when the device reported a failure, and other data.
-
Missing 2+ Security Updates
Total number of devices that are missing two or more security updates
-
Update Progress Stalled
Total number of devices where an update installation has been “in progress” for more than 7 days
-
+## Utilizing Log Analytics
+Update Compliance is built upon the Log Analytics platform that is integrated into Operations Management Suite. All data within the workspace is the direct result of a query. Understanding the tools and features at your disposal, all integrated within OMS, can deeply enhance your experience and complement Update Compliance.
-The **Update Status Summary** summarizes your organization's devices per the Windows 10 "Windows as a Service" (WaaS) model. For more information about WaaS, see [Overview of Windows as a service](waas-overview.md). Devices are categorized as: **Current**, **Up-to-date**, and **Not up-to-date**. See the following graphical representation of this model:
+See below for a few topics related to Log Analytics:
+* Learn how to effectively execute custom Log Searches by referring to Microsoft Azure’s excellent documentation on [querying data in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-log-searches).
+* To develop your own custom data views in Operations Management Suite or [Power BI](https://powerbi.microsoft.com/); check out documentation on [analyzing data for use in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-dashboards).
+* [Gain an overview of Log Analytics’ alerts](https://docs.microsoft.com/azure/log-analytics/log-analytics-alerts) and learn how to utilize it to always stay informed about the most critical issues you care about.
-
-
-
-
-Update Status Summary definitions:
-
-
-
-
Update Status
Definition
-
Current and Up-to-date
A device that is current is on the latest and greatest Microsoft offers. It is on the very newest feature update (ex. The Windows Anniversary Update, RS1), on the very latest quality update for its servicing branch.
-
Up-to-date
A device that is up-to-date is on the latest quality update for its servicing option (CB, CBB, LTSB), and the device is running an OS that is supported by Microsoft.
-
Not up-to-date
A device does not have the latest quality update for its servicing option.
-
-
-
-## Overall Quality Update Status
-
-**Overall Quality Update Status** is the second blade in Update Compliance. It has a donut data tile and lists the breakdown of the Up-to-date status of devices pivoted on OS version. See the following example:
-
-
-
-
-
-The donut tile offers a summary of all devices in your organization, divided into **Up-to-date** and **Not up-to-date**. Recall that devices that are current are also up-to-date.
-
-
-The list view contains the breakdown of Up-to-date, Not up-to-date, and Update failed, all pivoted on OS version (e.g., 1507, 1511, 1607). Clicking on any of the rows of this list view will display the **OS Quality Update Summary Perspective** for that OS version.
-
-
-## Latest and Previous Security Update Status
-
-Security updates are extremely important to your organization, so in addition to an overall view of Quality Updates, the deployment status for the latest two security updates are displayed for each supported OS build offered by Microsoft.
-
-
-
-
-
-For the latest security update, a doughnut chart is displayed across all OS builds with a count of installed, in progress/deferred, update failed, and unknown status relative to that update. Two table views are provided below the doughnut displaying the same breakdown for each OS build supported by Microsoft.
-
-See the following definitions:
-
-
-
-
Term
Definition
-
OS Build
The OS build + Revision for the OS Version. The build + revision is a one-to-one mapping of the given security update in this context.
-
Version
The OS Version corresponding to the OS build.
-
Installed
The count of devices that have the given security update installed. In the case that the latest security update is not latest quality update (that is, an update has since been released but it did not contain any security fixes), then devices that are on a newer update will also be counted.
-
For the previous security update, a device will display as **Installed** until it has at least installed the latest security update.
-
In Progress or Deferred
The count of devices that are either currently in the process of installing the given security update, or are deferring the install as per their WUFB policy.
-
All devices in this category for Previous Security Update Status are missing 2 or more security updates, and therefore qualify as needing attention.
-
Update Failed
The count of devices that were **In Progress** for the given security update, but failed at some point in the process. They will no longer be shown as **In Progress or deferred** in this case, and only be counted as **Update failed**.
-
Status Unknown
If a device should be, in some way, progressing toward this security update, but it’s status cannot be inferred, it will count as **Status Unknown**. Devices that are not using Windows Update are the most likely devices to fall into this category.
-
-
-
-## Overall Feature Update Status
-
-Windows 10 has two main update types: Quality and Feature updates. The third blade in Update Compliance provides the most essential data about your organization’s devices for feature updates.
-
-Microsoft has developed terms to help specify the state of a given device for how it fits into the Windows as a Service (WaaS) model. There are three update states for a device:
-- Current
-- Up-to-date
-- Not up-to-date
-
-
-See the **Update Status Summary** description under [OS Update Overview](#os-update-overview) in this guide for definitions of these terms.
-
-
-The Overall Feature Update Status blade focuses around whether or not your devices are considered Current. See the following example:
-
-
-
-
-
-Devices are evaluated by OS Version (e.g., 1607) and the count of how many are Current, Not Current, and have Update Failures is displayed. Clicking on any of these counts will allow you to view all those devices, as well as select the **Update Deployment Status** perspective, described below.
-
-
-## Windows Defender Antivirus Assessment
-
-You'll notice some new tiles in the Overview blade which provide a summary of Windows Defender AV-related issues, highlighted in the following screenshot.
-
-
-
->[!IMPORTANT]
->If your devices are not showing up in the Windows Defender AV assessment section, check the [Troublshoot Windows Defender Antivirus reporting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-reporting) topic for help.
-
-The **AV Signature** chart shows the number of devices that either have up-to-date [protection updates (also known as signatures or definitions)](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus), while the **Windows Defender AV Status** tile indicates the percentage of all assessed devices that are not updated and do not have real-time protection enabled. The Windows Defender Antivirus Assessment section provides more information that lets you investigate potential issues.
-
-If you're using [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) to protect devices in your organization and have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus), you can use this section to review the overall status of key protection features, including the number of devices that have [always-on real-time protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) and up-to-date definitions.
-
-There are two blades in the Windows Defender AV Assessment section:
-
-- Protection status
-- Threats status
-
-
-
-The **Protection Status** blade shows three key measurements:
-
-1. How many devices have old or current signatures (also known as protection updates or definitions)
-2. How many devices have the core Windows Defender AV always-on scanning feature enabled, called real-time protection
-
-
-
-
-See the [Manage Windows Defender AV updates and apply baselines](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) topic for an overview on how updates work, and further information on applying updates.
-
-The **Threats Status** blade shows the following measurements:
-
-1. How many devices that have threats that have been remediated (removed or quarantined on the device)
-2. How many devices that have threats where remediation was not successful (this may indicate a manual reboot or clean is required)
-
-
-
-
-Devices can be in multiple states at once, as one device may have multiple threats, some of which may or may not be remediated.
-
-> [!IMPORTANT]
-> The data reported in Update Compliance can be delayed by up to 24 hours.
-
-See the [Customize, initiate, and review the results of Windows Defender AV scans and remediation](/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus) topic for more information on how to perform scans and other manual remediation tasks.
-
-As with other blades in Update Compliance, clicking on a specific measurement or item will open the associated query that you can use to investigate individual devices and issues, as described below.
-
-
-### Investigate individual devices and threats
-
-
-Click on any of the status measurements to be taken to a pre-built log query that shows the impacted devices for that status.
-
-
-
-You can also find a pre-built query on the main Update Compliance screen, under the **Queries** blade, that lists devices that have not been assessed for Windows Defender AV.
-
-
-
-
-
-
-
-
-
-
-You can further filter queries by clicking any of the measurement labels for each incident, changing the values in the query filter pane, and then clicking **Apply**.
-
-
-
-
-
-Click **+Add** at the bottom of the filter pane to open a list of filters you can apply.
-
-
-
-
-You can also click the **. . .** button next to each label to instantly filter by that label or value.
-
-
-
-You can create your own queries by using a query string in the following format:
-
-```
-Type:
**Reference**
-This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.
+This policy setting is applied when you turn on BitLocker.
+The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.
+
+Originally, BitLocker allowed from 4 to 20 characters for a PIN.
+Windows Hello has its own PIN for logon, which can be 4 to 127 characters.
+Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
+
+The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
+
+The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability.
+For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time.
+A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours.
+This totals a maximum of about 4415 guesses per year.
+If the PIN is 4 digits, all 9999 possible PIN combinations could be attempted in a little over two years.
+
+Increasing the PIN length requires a greater number of guesses for an attacker.
+In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection.
+
+Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello.
+To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters.
+If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended.
### Disable new DMA devices when this computer is locked
diff --git a/windows/device-security/change-history-for-device-security.md b/windows/device-security/change-history-for-device-security.md
index cb46edf710..148538f76e 100644
--- a/windows/device-security/change-history-for-device-security.md
+++ b/windows/device-security/change-history-for-device-security.md
@@ -11,6 +11,12 @@ author: brianlic-msft
# Change history for device security
This topic lists new and updated topics in the [Device security](index.md) documentation.
+## September 2017
+|New or changed topic |Description |
+|---------------------|------------|
+| [TPM fundamentals](tpm/tpm-fundamentals.md) [BitLocker Group Policy settings](bitlocker/bitlocker-group-policy-settings.md) | Explained the change to allow reducing the maximum PIN length from 6 characters to 4. |
+
+
## August 2017
|New or changed topic |Description |
|---------------------|------------|
diff --git a/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
index ec2f600b51..a2e6dd92f6 100644
--- a/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
+++ b/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
@@ -116,7 +116,7 @@ Catalog files can be very useful for unsigned LOB applications that cannot easil
To obtain signed applications or embed signatures in your in-house applications, you can choose from a variety of methods:
-- Using the Windows Store publishing process. All apps that come out of the Microsoft Store are automatically signed with special signatures that can roll-up to our certificate authority (CA) or to your own.
+- Using the Microsoft Store publishing process. All apps that come out of the Microsoft Store are automatically signed with special signatures that can roll-up to our certificate authority (CA) or to your own.
- Using your own digital certificate or public key infrastructure (PKI). ISV's and enterprises can sign their own Classic Windows applications themselves, adding themselves to the trusted list of signers.
@@ -124,7 +124,7 @@ To obtain signed applications or embed signatures in your in-house applications,
To use catalog signing, you can choose from the following options:
-- Use the Windows Defender Device Guard signing portal available in the Windows Store for Business. The portal is a Microsoft web service that you can use to sign your Classic Windows applications. For more information, see [Windows Defender Device Guard signing](https://technet.microsoft.com/itpro/windows/manage/device-guard-signing-portal).
+- Use the Windows Defender Device Guard signing portal available in the Microsoft Store for Business. The portal is a Microsoft web service that you can use to sign your Classic Windows applications. For more information, see [Windows Defender Device Guard signing](https://technet.microsoft.com/itpro/windows/manage/device-guard-signing-portal).
- Create your own catalog files, which are described in the next section. For information about how creating catalog files fits into Windows Defender Device Guard deployment, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
diff --git a/windows/device-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/device-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
index 337320eccf..006a0c4470 100644
--- a/windows/device-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+++ b/windows/device-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
@@ -292,8 +292,8 @@ Device Guard policy into the UpdateSigner section.
On computers with Device Guard, Microsoft proposes to move from a world where unsigned apps can be run without restriction to a world where only signed and trusted code is allowed to run on Windows 10.
-With Windows 10, organizations will make line-of-business (LOB) apps available to members of the organization through the Windows Store infrastructure. More specifically, LOB apps will be available in a private store within the public Windows Store. Windows Store signs and distributes Universal
-Windows apps and Classic Windows apps. All apps downloaded from the Windows Store are signed.
+With Windows 10, organizations will make line-of-business (LOB) apps available to members of the organization through the Microsoft Store infrastructure. More specifically, LOB apps will be available in a private store within the public Microsoft Store. Microsoft Store signs and distributes Universal
+Windows apps and Classic Windows apps. All apps downloaded from the Microsoft Store are signed.
In organizations today, the vast majority of LOB applications are unsigned. Code signing is frequently viewed as a tough problem to solve for a variety of reasons, like the lack of code signing expertise. Even if code signing is a best practice, a lot of internal applications are not signed.
diff --git a/windows/device-security/tpm/tpm-fundamentals.md b/windows/device-security/tpm/tpm-fundamentals.md
index 525a5a312d..ee007150c7 100644
--- a/windows/device-security/tpm/tpm-fundamentals.md
+++ b/windows/device-security/tpm/tpm-fundamentals.md
@@ -97,10 +97,7 @@ Because many entities can use the TPM, a single authorization success cannot res
TPM 2.0 has well defined anti-hammering behavior. This is in contrast to TPM 1.2 for which the anti-hammering protection was implemented by the manufacturer, and the logic varied widely throughout the industry.
-> [!WARNING]
-> For the purposes of this topic, Windows 8 Certified Hardware also pertains to Windows 8.1 systems. The following references to “Windows” include these supported Windows versions.
-
-For Windows 8 Certified Hardware systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every two hours. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts.
+For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every two hours. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts.
Attempts to use a key with an authorization value for the next two hours would not return success or failure; instead the response indicates that the TPM is locked. After two hours, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31, so the TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next two hours. If a period of 64 hours elapses with no authorization failures, the TPM does not remember any authorization failures, and 32 failed attempts could occur again.
@@ -112,10 +109,28 @@ In some enterprise situations, the TPM owner authorization value is configured t
TPM 2.0 allows some keys to be created without an authorization value associated with them. These keys can be used when the TPM is locked. For example, BitLocker with a default TPM-only configuration is able to use a key in the TPM to start Windows, even when the TPM is locked.
-### Rationale behind the Windows 8.1 and Windows 8 defaults
+### Rationale behind the defaults
-Windows relies on the TPM 2.0 anti-hammering protection for multiple features. The defaults that are selected for Windows 8 balance trade-offs for different scenarios.
-For example, when BitLocker is used with a TPM plus PIN configuration, it needs the number of PIN guesses to be limited over time. If the computer is lost, someone could make only 32 PIN guesses immediately, and then only one more guess every two hours. This totals about 4415 guesses per year. This makes a good standard for system administrators to determine how many PIN characters to use for BitLocker deployments.
+Originally, BitLocker allowed from 4 to 20 characters for a PIN.
+Windows Hello has its own PIN for logon, which can be 4 to 127 characters.
+Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
+
+The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](trusted-platform-module-services-group-policy-settings.md)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
+
+The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability.
+For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time.
+A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours.
+This totals a maximum of about 4415 guesses per year.
+If the PIN is 4 digits, all 9999 possible PIN combinations could be attempted in a little over two years.
+
+Increasing the PIN length requires a greater number of guesses for an attacker.
+In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection.
+
+Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello.
+To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters.
+If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended.
+
+### TPM-based smart cards
The Windows TPM-based smart card, which is a virtual smart card, can be configured to allow sign in to the system. In contrast with physical smart cards, the sign-in process uses a TPM-based key with an authorization value. The following list shows the advantages of virtual smart cards:
diff --git a/windows/device-security/windows-10-mobile-security-guide.md b/windows/device-security/windows-10-mobile-security-guide.md
index 207c463b85..48ce7f6de9 100644
--- a/windows/device-security/windows-10-mobile-security-guide.md
+++ b/windows/device-security/windows-10-mobile-security-guide.md
@@ -2,7 +2,7 @@
title: Windows 10 Mobile security guide (Windows 10)
description: This guide provides a detailed description of the most important security features in the Windows 10 Mobile operating system—identity access and control, data protection, malware resistance, and app platform security.
ms.assetid: D51EF508-699E-4A68-A7CD-91D821A97205
-keywords: data protection, encryption, malware resistance, smartphone, device, Windows Store
+keywords: data protection, encryption, malware resistance, smartphone, device, Microsoft Store
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -183,7 +183,7 @@ The table below outlines how Windows 10 Mobile mitigates specific malware threat
An unauthorized app or malware attempts to start on the device.
-
All Windows 10 Mobile apps must come from Windows Store or Windows Store for Business. Device Guard enforces administrative policies to select exactly which apps are allowed to run.
+
All Windows 10 Mobile apps must come from Microsoft Store or Microsoft Store for Business. Device Guard enforces administrative policies to select exactly which apps are allowed to run.
User-level malware exploits a vulnerability in the system or an application and owns the device.
@@ -286,7 +286,7 @@ Because this solution can detect and prevent low-level malware that may be extre
Device Guard is a feature set that consists of both hardware and software system integrity–hardening features. These features revolutionize Windows operating system security by moving the entire operating system to a trust-nothing model.
-All apps on Windows 10 Mobile must be digitally signed and come from Windows Store or a trusted enterprise store. Device Guard implements policies that further restrict this. By default, Device Guard supports all apps from Windows Store. You can create policies that define the apps that can and cannot run on the Windows 10 Mobile device. If the app does not have a digital signature, is prevented by policy, or does not come from a trusted store, it will not run on Windows 10 Mobile.
+All apps on Windows 10 Mobile must be digitally signed and come from Microsoft Store or a trusted enterprise store. Device Guard implements policies that further restrict this. By default, Device Guard supports all apps from Microsoft Store. You can create policies that define the apps that can and cannot run on the Windows 10 Mobile device. If the app does not have a digital signature, is prevented by policy, or does not come from a trusted store, it will not run on Windows 10 Mobile.
Advanced hardware features, described above, drive these security offerings. By integrating these hardware features further into the core operating system, Windows 10 Mobile can use them in new ways. To deliver this additional security, Device Guard requires UEFI with Secure Boot.
@@ -339,10 +339,10 @@ A set of default permissions are granted to all AppContainers, including access
The AppContainer concept is advantageous because it provides:
- **Attack surface reduction.** Apps can access only those capabilities that are declared in the application code and needed to perform their functions.
-- **User consent and control.** Capabilities that apps use are automatically published to the app details page in the Windows Store. App access to capabilities that may expose sensitive information automatically prompt the user to acknowledge and provide consent.
+- **User consent and control.** Capabilities that apps use are automatically published to the app details page in the Microsoft Store. App access to capabilities that may expose sensitive information automatically prompt the user to acknowledge and provide consent.
- **App isolation.** Communication between Windows apps is tightly controlled. Apps are isolated from one another and can communicate only by using predefined communication channels and data types.
-Apps receive the minimal privileges they need to perform their legitimate tasks. This means that even if a malicious attacker exploits an app, the potential damage is limited because the app cannot elevate its privileges and is contained within its AppContainer. Windows Store displays the permissions that the app requires along with the app’s age rating and publisher.
+Apps receive the minimal privileges they need to perform their legitimate tasks. This means that even if a malicious attacker exploits an app, the potential damage is limited because the app cannot elevate its privileges and is contained within its AppContainer. Microsoft Store displays the permissions that the app requires along with the app’s age rating and publisher.
The combination of Device Guard and AppContainer help to prevent unauthorized apps from running. In the event malware slips into the app ecosystem, the AppContainer helps to constrain the app and limit potential damage. The Windows 10 Mobile trust-nothing model doesn’t assume that any component is perfect. However, potential vulnerabilities in apps, AppContainers, and Windows 10 Mobile itself could give an attacker a chance to compromise a system. For this reason, redundant vulnerability mitigations are needed. The next several topics describe some of the redundant mitigations in Windows 10 Mobile.
diff --git a/windows/hub/TOC.md b/windows/hub/TOC.md
index 56c4ddc65a..e24c5d48f2 100644
--- a/windows/hub/TOC.md
+++ b/windows/hub/TOC.md
@@ -1,4 +1,5 @@
# [Windows 10 and Windows 10 Mobile](index.md)
+## [Get started](/windows/whats-new/get-started-with-1709)
## [What's new](/windows/whats-new)
## [Deployment](/windows/deployment)
## [Configuration](/windows/configuration)
diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md
index dc2e70068a..262d4779b0 100644
--- a/windows/threat-protection/TOC.md
+++ b/windows/threat-protection/TOC.md
@@ -243,7 +243,7 @@
#### [Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md)
##### [Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune.md)
##### [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md)
-#### [Create a Windows Information Protection (WIP) with MDM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md)
+#### [Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md)
##### [Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune-azure.md)
##### [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)
#### [Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-mam-intune-azure.md)
diff --git a/windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md
index ad126f35fa..a8f1dd39c7 100644
--- a/windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/threat-protection/overview-of-threat-mitigations-in-windows-10.md
@@ -205,11 +205,11 @@ With Protected Processes, Windows 10 prevents untrusted processes from interacti
### Universal Windows apps protections
-When users download Universal Windows apps from the Windows Store, it’s unlikely that they will encounter malware because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements.
+When users download Universal Windows apps from the Microsoft Store, it’s unlikely that they will encounter malware because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements.
Regardless of how users acquire Universal Windows apps, they can use them with increased confidence. Universal Windows apps run in an AppContainer sandbox with limited privileges and capabilities. For example, Universal Windows apps have no system-level access, have tightly controlled interactions with other apps, and have no access to data unless the user explicitly grants the application permission.
-In addition, all Universal Windows apps follow the security principle of least privilege. Apps receive only the minimum privileges they need to perform their legitimate tasks, so even if an attacker exploits an app, the damage the exploit can do is severely limited and should be contained within the sandbox. The Windows Store displays the exact capabilities the app requires (for example, access to the camera), along with the app’s age rating and publisher.
+In addition, all Universal Windows apps follow the security principle of least privilege. Apps receive only the minimum privileges they need to perform their legitimate tasks, so even if an attacker exploits an app, the damage the exploit can do is severely limited and should be contained within the sandbox. The Microsoft Store displays the exact capabilities the app requires (for example, access to the camera), along with the app’s age rating and publisher.
### Windows heap protections
diff --git a/windows/threat-protection/secure-the-windows-10-boot-process.md b/windows/threat-protection/secure-the-windows-10-boot-process.md
index 83a8c454ed..e602778817 100644
--- a/windows/threat-protection/secure-the-windows-10-boot-process.md
+++ b/windows/threat-protection/secure-the-windows-10-boot-process.md
@@ -17,7 +17,7 @@ ms.date: 06/23/2017
- Windows 10
- Windows 8.1
-The Windows operating system has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Windows Store apps must meet a series of requirements to be certified and included in the Windows Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Windows Store. Even if a malicious app does get through, the Windows 10 operating system includes a series of security features that can mitigate the impact. For instance, Windows Store apps are sandboxed and lack the privileges necessary to access user data or change system settings.
+The Windows operating system has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, the Windows 10 operating system includes a series of security features that can mitigate the impact. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings.
Windows 10 has multiple levels of protection for desktop apps and data, too. Windows Defender uses signatures to detect and quarantine apps that are known to be malicious. The SmartScreen Filter warns users before allowing them to run an untrustworthy app, even if it’s recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control.
diff --git a/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md
index 26057dc724..8baf528def 100644
--- a/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md
@@ -225,13 +225,13 @@ For an endpoint to be considered "well configured", it must comply to a minimum
The following settings must be configured with the following settings:
- Check apps and files: **Warn** or **Block**
- SmartScreen for Microsoft Edge: **Warn** or **Block**
-- SmartScreen for Windows Store apps: **Warn** or **Off**
+- SmartScreen for Microsoft store apps: **Warn** or **Off**
You can take the following actions to increase the overall security score of your organization:
- Set **Check app and files** to **Warn** or **Block**
- Set **SmartScreen for Microsoft Edge** to **Warn** or **Block**
-- Set **SmartScreen for Windows Store apps** to **Warn** or **Off**
+- Set **SmartScreen for Microsoft store apps** to **Warn** or **Off**
For more information, see [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md).
diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
index 1f4767560d..d4b64f44ef 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
@@ -74,7 +74,7 @@ Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed execu
Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
-Code integrity guard | Restricts loading of images signed by Microsoft, WQL, and higher. Can optionally allow Windows Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
+Code integrity guard | Restricts loading of images signed by Microsoft, WQL, and higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](images/svg/check-no.md)]
Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
diff --git a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
index 957fc1f33b..951336cea2 100644
--- a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
+++ b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
@@ -9,7 +9,6 @@ ms.pagetype: security
author: eross-msft
ms.localizationpriority: high
---
-
# Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings
**Applies to:**
@@ -34,7 +33,7 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control
Windows 10, version 1703
-
This setting helps protect PCs by allowing users to install apps only from the Windows Store. SmartScreen must be enabled for this feature to work properly.
If you enable this setting, your employees can only install apps from the Windows Store.
If you disable this setting, your employees can install apps from anywhere, including as a download from the Internet.
If you don't configure this setting, your employees can choose whether they can install from anywhere or only from Windows Store.
+
This setting helps protect PCs by allowing users to install apps only from the Microsoft Store. SmartScreen must be enabled for this feature to work properly.
If you enable this setting, your employees can only install apps from the Microsoft Store.
If you disable this setting, your employees can install apps from anywhere, including as a download from the Internet.
If you don't configure this setting, your employees can choose whether they can install from anywhere or only from Microsoft Store.
Windows 10, version 1703: Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen
Windows 10, Version 1607 and earlier: Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen
@@ -97,7 +96,7 @@ If you manage your policies using Microsoft Intune, you'll want to use these MDM
Data type. Integer
Allowed values:
0 . Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
-
1. Turns on Application Installation Control, allowing users to install apps from the Windows Store only.
+
1. Turns on Application Installation Control, allowing users to install apps from the Microsoft Store only.
diff --git a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
index 45117e0ad1..6d68a0784a 100644
--- a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
+++ b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
@@ -47,9 +47,9 @@ Starting with Windows 10, version 1703 your employees can use Windows Defender S
- **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files.
- - In the **SmartScreen from Windows Store apps** area:
+ - In the **SmartScreen from Microsoft Store apps** area:
- - **Block** or **Warn.** Warns employees that the sites and downloads used by Windows Store apps are potentially dangerous, but allows the action to continue.
+ - **Block** or **Warn.** Warns employees that the sites and downloads used by Microsoft Store apps are potentially dangerous, but allows the action to continue.
- **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files.
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index 8cf5020f32..4255d5c2e8 100644
--- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -106,7 +106,7 @@ For this example, we’re going to add Microsoft Power BI, a store app, to the *
If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
**To find the publisher and product name values for Store apps without installing them**
-1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft Power BI*.
+1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft Power BI*.
2. Copy the ID value from the app URL. For example, Microsoft Power BI ID URL is https://www.microsoft.com/en-us/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`.
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
index b21ecd9232..54e8e27d8e 100644
--- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
@@ -66,7 +66,7 @@ For this example, we’re going to add Microsoft OneNote, a store app, to the **
If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
**To find the Publisher and Product Name values for Store apps without installing them**
-1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*.
+1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*.
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
index 3de0553a21..195f3f3fe2 100644
--- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
@@ -89,7 +89,7 @@ If you don't know the publisher or product name, you can find them for both desk
**To find the Publisher and Product Name values for Store apps without installing them**
-1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.
+1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.
>[!NOTE]
diff --git a/windows/whats-new/TOC.md b/windows/whats-new/TOC.md
index 4944339989..11ef584f2a 100644
--- a/windows/whats-new/TOC.md
+++ b/windows/whats-new/TOC.md
@@ -1,4 +1,5 @@
# [What's new in Windows 10](index.md)
+## [What's new in Windows 10, version 1709](whats-new-windows-10-version-1709.md)
## [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md)
## [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md)
## [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md)
diff --git a/windows/whats-new/contribute-to-a-topic.md b/windows/whats-new/contribute-to-a-topic.md
index 460964a3ed..3ad83a94ec 100644
--- a/windows/whats-new/contribute-to-a-topic.md
+++ b/windows/whats-new/contribute-to-a-topic.md
@@ -1,73 +1,79 @@
---
title: Edit an existing topic using the Edit link
-description: Instructions about how to edit an existing topic by using the Edit link on TechNet.
+description: Instructions about how to edit an existing topic by using the Edit link on docs.microsoft.com.
keywords: contribute, edit a topic
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
+ms.date: 10/09/2017
---
# Editing existing Windows IT professional documentation
-You can now make suggestions and update existing, public content with a GitHub account and a simple click of a link.
+You can make suggestions and update existing, public content with just a GitHub account and a simple click of a link. You can use GitHub pull requests to edit the technical articles in the Windows IT libraries and then ask us to "pull" your changes into the published articles.
>[!NOTE]
->At this time, only the English (en-us) content is available for editing.
+>At this time, you can only edit the English (en-us) content.
+
+Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner of an article, you can suggest changes to it. You can specifically edit articles in the following libraries:
+
+- [Windows 10](https://docs.microsoft.com/windows/windows-10)
+- [Windows Server](/windows-server/)
+- [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy)
+- [Surface](https://docs.microsoft.com/surface)
+- [Surface Hub](https://docs.microsoft.com/surface-hub)
+- [HoloLens](https://docs.microsoft.com/hololens)
+- [Microsoft Store](https://docs.microsoft.com/microsoft-store)
+- [Windows 10 for Education](https://docs.microsoft.com/education/windows)
+- [Windows 10 for SMB](https://docs.microsoft.com/windows/smb)
+- [Internet Explorer 11](https://docs.microsoft.com/internet-explorer)
+- [Microsoft Desktop Optimization Pack](https://docs.microsoft.com/microsoft-desktop-optimization-pack)
+
**To edit a topic**
-1. All contributors who are ***not*** a Microsoft employee must [sign a Microsoft Contribution Licensing Agreement (CLA)](https://cla.microsoft.com/) before updating or adding to any Microsoft repositories.
-If you've previously contributed to topics in the Microsoft repositories, congratulations! You've already completed this step.
-
-2. Go to the page on TechNet that you want to update, and then click **Edit**.
+1. Go to the article that you want to update, and then click **Edit**.
-3. Log into (or sign up for) a GitHub account.
+2. Sign into (or sign up for) a GitHub account.
You must have a GitHub account to get to the page that lets you edit a topic.
-4. Click the **Pencil** icon (in the red box) to edit the content.
+3. Click the **Pencil** icon (in the red box) to edit the content.
-5. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see:
+4. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see:
- **If you're linked to the Microsoft organization in GitHub:** [Windows authoring guide](https://aka.ms/WindowsAuthoring)
- **If you're external to Microsoft:** [Mastering Markdown](https://guides.github.com/features/mastering-markdown/)
-6. Make your suggested change, and then click **Preview Changes** to make sure it looks correct.
+5. Make your suggested change, and then click **Preview Changes** to make sure it looks correct.
-7. When you’re done editing the topic, scroll to the bottom of the page, and then click **Propose file change** to create a fork in your personal GitHub account.
+6. When you’re done editing the topic, scroll to the bottom of the page, and then click **Propose file change**.
- The **Comparing changes** screen appears to see what the changes are between your fork and the original content.
+ The **Comparing changes** screen shows the changes between your version of the article and the original content.
-8. On the **Comparing changes** screen, you’ll see if there are any problems with the file you’re checking in.
+7. On the **Comparing changes** screen, you’ll see if there are any problems with the file you’re checking in. (Occasionally there are merge conflicts, where you've edited the file one way, while someone else edited the same lines in the same file in a different way. Before you can propose your changes, you need to fix those conflicts.)
If there are no problems, you’ll see the message, **Able to merge**.
-9. Click **Create pull request**.
+8. Click **Create pull request**.
-10. Enter a title and description to give the approver the appropriate context about what’s in the request.
+9. Enter a title and description to let us know what’s in the request.
-11. Scroll to the bottom of the page, making sure that only your changed files are in this pull request. Otherwise, you could overwrite changes from other people.
+10. Scroll to the bottom of the page, and make sure that only your changed files are in this pull request. Otherwise, you could overwrite changes from other people.
-12. Click **Create pull request** again to actually submit the pull request.
+11. Click **Create pull request** again to actually submit your edits.
- The pull request is sent to the writer of the topic and your edits are reviewed. If your request is accepted, updates are published to one of the following places:
+12. If you aren't a Microsoft employee, you need to [sign a Microsoft Contribution Licensing Agreement (CLA)](https://cla.microsoft.com/) before updating or adding to any Microsoft repositories. A bot running in GitHub checks whether you've signed the CLA - if not, you'll be prompted, in the pull request, to sign it.
- - [Windows 10](https://docs.microsoft.com/windows/windows-10)
- - [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy)
- - [Surface](https://docs.microsoft.com/surface)
- - [Surface Hub](https://docs.microsoft.com/surface-hub)
- - [HoloLens](https://docs.microsoft.com/hololens)
- - [Microsoft Store](https://docs.microsoft.com/microsoft-store)
- - [Windows 10 for Education](https://docs.microsoft.com/education/windows)
- - [Windows 10 for SMB](https://docs.microsoft.com/windows/smb)
- - [Internet Explorer 11](https://docs.microsoft.com/internet-explorer)
- - [Microsoft Desktop Optimization Pack](https://docs.microsoft.com/microsoft-desktop-optimization-pack)
\ No newline at end of file
+ If you've previously contributed to topics in the Microsoft repositories, congratulations! You've already completed this step.
+
+Next, the pull request is sent to one of our writers to review your edits for technical and editorial accuracy. If we have any suggestions or questions, we'll add them to the pull request where we can discuss them with you. If we accept your edits, you'll see your changes the next time the article is published.
\ No newline at end of file
diff --git a/windows/whats-new/get-started-with-1709.md b/windows/whats-new/get-started-with-1709.md
new file mode 100644
index 0000000000..43468d37f4
--- /dev/null
+++ b/windows/whats-new/get-started-with-1709.md
@@ -0,0 +1,48 @@
+---
+title: Get started with Windows 10, version 1709
+description: All the information to get you started with Windows 10, version 1709.
+keywords: ["get started", "windows 10", "fall creators update", "1709"]
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: DaniHalfin
+ms.author: daniha
+ms.date: 10/17/2017
+ms.localizationpriority: high
+---
+
+# Get started with Windows 10, version 1709
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+Welcome to Windows 10, version 1709, also known as the Fall Creators Update. Use the following information to learn about new features, review system requirements, and plan your deployment of the latest version of Windows 10.
+
+## Specification and systems requirements
+
+Before you install any version of Windows 10, make sure you visit the [Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications) page. This page contains the minimum systems requirements and important notes to install Windows 10, as well as feature deprecation information and additional requirements to use certain features.
+
+## What's new in Windows 10, version 1709 IT Pro content
+
+Take a look at the [What's new in Windows 10, version 1709 IT Pro content](whats-new-windows-10-version-1709.md), for the latest updates in content. Use this topic to easily navigate the documentation for the new features in Windows 10, version 1709.
+
+## Windows 10 release information and update history
+
+To view availability dates and servicing options for each version and update of Windows, including version 1709, visit the [Windows 10 release information](https://technet.microsoft.com/windows/mt679505.aspx) page. For further details on each update, go to the [Windows 10 update history](https://support.microsoft.com/help/4018124/windows-10-update-history) page.
+
+## Windows 10 Roadmap
+
+If you'd like to gain some insight into preview, or in-development features, visit the [Windows 10 Roadmap](https://www.microsoft.com/en-us/WindowsForBusiness/windows-roadmap) page. You'll be able to filter by feature state and product category, to make this information easier to navigate.
+
+## Top support solutions for Windows 10
+
+Having problems with your latest deployment of Windows 10, version 1709? Check out the [Top support solutions for Windows 10](/windows/client-management/windows-10-support-solutions) topic, where we've collected the top Microsoft Support solutions for the most common issues experienced when using Windows 10 in an enterprise or IT pro environment.
+
+> Want even more information? Visit the [Windows 10 lifecycle page](https://www.microsoft.com/itpro/windows-10) on the [Windows IT Pro Center](https://itpro.windows.com).
+
+Ready to get started with Windows 10, version 1709?
+> [!div class="nextstepaction"]
+> [Deploy and Update Windows 10](/windows/deployment)
\ No newline at end of file
diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
index bfb93ebeb4..1553191d6c 100644
--- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
+++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
@@ -251,7 +251,7 @@ Windows 10 provides mobile device management (MDM) capabilities for PCs, laptop
### MDM support
-MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Windows Store, VPN configuration, and more.
+MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more.
MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification.
@@ -302,12 +302,12 @@ A standard, customized Start layout can be useful on devices that are common to
Administrators can also use mobile device management (MDM) or Group Policy to disable the use of [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight).
-### Windows Store for Business
+### Microsoft Store for Business
**New in Windows 10, version 1511**
-With the Windows Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps.
+With the Microsoft Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps.
-For more information, see [Windows Store for Business overview](/microsoft-store/windows-store-for-business-overview).
+For more information, see [Microsoft Store for Business overview](/microsoft-store/windows-store-for-business-overview).
## Updates
@@ -338,7 +338,7 @@ Microsoft Edge takes you beyond just browsing to actively engaging with the web
- **Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls.
### Enterprise guidance
-Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Windows Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956).
+Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Microsoft Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956).
We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10.
diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md
index 20c9142eb6..c23c087238 100644
--- a/windows/whats-new/whats-new-windows-10-version-1607.md
+++ b/windows/whats-new/whats-new-windows-10-version-1607.md
@@ -134,7 +134,7 @@ Windows 10, Version 1607, introduces shared PC mode, which optimizes Windows 10
### Application Virtualization (App-V) for Windows 10
-Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Windows Store, and interact with them as if they were installed locally.
+Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Microsoft Store, and interact with them as if they were installed locally.
With the release of Windows 10, version 1607, App-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users.
@@ -142,7 +142,7 @@ With the release of Windows 10, version 1607, App-V is included with the Windows
### User Experience Virtualization (UE-V) for Windows 10
-Many users customize their settings for Windows and for specific applications. Customizable Windows settings include Windows Store appearance, language, background picture, font size, and accent colors. Customizable application settings include language, appearance, behavior, and user interface options.
+Many users customize their settings for Windows and for specific applications. Customizable Windows settings include Microsoft Store appearance, language, background picture, font size, and accent colors. Customizable application settings include language, appearance, behavior, and user interface options.
With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index ce0429a0bf..190f806352 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -12,7 +12,7 @@ ms.assetid: dca7c655-c4f6-45f8-aa02-64187b202617
# What's new in Windows 10, version 1703 IT pro content
-Below is a list of some of the new and updated content that discusses Information Technology (IT) pro features in Windows 10, version 1703 (also known as the Creators Update).
+Below is a list of some of what's new in Information Technology (IT) pro features in Windows 10, version 1703 (also known as the Creators Update).
For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](index.md). Also see this blog post: [What’s new for IT pros in the Windows 10 Creators Update](https://blogs.technet.microsoft.com/windowsitpro/2017/04/05/whats-new-for-it-pros-in-the-windows-10-creators-update/).
@@ -25,7 +25,7 @@ Not finding content you need? Windows 10 users, tell us what you want on [Feedba
### Windows Configuration Designer
-Previously known as *Windows Imaging and Configuration Designer (ICD)*, the tool for creating provisioning packages is renamed **Windows Configuration Designer**. The new Windows Configuration Designer is available in [Windows Store as an app](https://www.microsoft.com/store/apps/9nblggh4tx22). To run Windows Configuration Designer on earlier versions of Windows, you can still install Windows Configuration Designer from the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit).
+Previously known as *Windows Imaging and Configuration Designer (ICD)*, the tool for creating provisioning packages is renamed **Windows Configuration Designer**. The new Windows Configuration Designer is available in [Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22) as an app. To run Windows Configuration Designer on earlier versions of Windows, you can still install Windows Configuration Designer from the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit).
Windows Configuration Designer in Windows 10, version 1703, includes several new wizards to make it easier to create provisioning packages.
diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md
new file mode 100644
index 0000000000..ee1094e60a
--- /dev/null
+++ b/windows/whats-new/whats-new-windows-10-version-1709.md
@@ -0,0 +1,133 @@
+---
+title: What's new in Windows 10, version 1703
+description: New and updated IT Pro content about new features in Windows 10, version 1709 (also known as the Fall Creators Update).
+keywords: ["What's new in Windows 10", "Windows 10", "fall creators update"]
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: greg-lindsay
+ms.localizationpriority: high
+---
+
+# What's new in Windows 10, version 1709 IT Pro content
+
+Below is a list of some of the new and updated content that discusses IT Pro features in Windows 10, version 1709, also known as the Fall Creators Update. Windows 10, version 1709 also contains all features and fixes included in previous cumulative updates to Windows 10, version 1703.
+
+A brief description of new or updated features in this version of Windows 10 is provided, with links to content with more detailed information.
+
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
+
+
+## Deployment
+
+### Windows AutoPilot
+
+Windows AutoPilot is a zero touch experience for deploying Windows 10 devices. Configuration profiles can now be applied at the hardware vendor with devices being shipped directly to employees. For more information, see [Overview of Windows AutoPilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot).
+
+You can also apply an AutoPilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the AutoPilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows AutoPilot Deployment](https://docs.microsoft.com/en-us/microsoft-store/add-profile-to-devices).
+
+### Windows 10 Subscription Activation
+
+Windows 10 Subscription Activation lets you deploy Windows 10 Enterprise in your organization with no keys and no reboots using a list of subscribed users. When a subscribed user signs in on their Windows 10 Pro device, features that are Enterprise-only are automatically enabled. For more information, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation).
+
+### Windows Automatic Redeployment
+
+IT Pros can use Windows Automatic Redeployment to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Windows Automatic Redeployment](https://docs.microsoft.com/education/windows/windows-automatic-redeployment).
+
+
+## Update
+
+### Windows Update for Business (WUfB)
+
+WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb).
+
+### Windows Insider Program for Business
+
+You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business#getting-started-with-windows-insider-program-for-business).
+
+
+## Administration
+
+### Mobile Device Management (MDM)
+
+MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group Policy can be used with Active Directory joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](https://docs.microsoft.com/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy).
+
+Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1709).
+
+
+## Application Management
+
+### Mixed Reality Apps
+
+This version of Windows 10 introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/). Organizations that use WSUS must take action to enable Windows Mixed Reality. You can also prohibit use of Windows Mixed Reality by blocking installation of the Mixed Reality Portal. For more information, see [Enable or block Windows Mixed Reality apps in the enterprise](https://docs.microsoft.com/windows/application-management/manage-windows-mixed-reality).
+
+
+## Configuration
+
+### Kiosk Configuration
+
+The AssignedAccess CSP has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For more information, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/windows/application-management/manage-windows-mixed-reality).
+
+
+## Security
+
+>[!NOTE]
+>Windows security features have been rebranded as Windows Defender security features, including Windows Defender Device Guard, Windows Defender Credential Guard, and Windows Defender Firewall.
+
+### Windows Defender ATP
+
+Windows Defender ATP has been expanded with powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. For more information, see [View the Windows Defender Advanced Threat Protection Security analytics dashboard](https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection).
+
+### Windows Defender Application Guard
+
+Windows Defender Application Guard hardens a favorite attacker entry-point by isolating malware and other threats away from your data, apps, and infrastructure. For more information, see [Windows Defender Application Guard overview](https://docs.microsoft.com/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview).
+
+### Window Defender Exploit Guard
+
+Window Defender Exploit Guard provides intrusion prevention capabilities to reduce the attack and exploit surface of applications. Exploit Guard has many of the threat mitigations that were available in Enhanced Mitigation Experience Toolkit (EMET) toolkit, a deprecated security download. These mitigations are now built into Windows and configurable with Exploit Guard. For more information, see [Windows Defender Exploit Guard](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard).
+
+### Windows Defender Device Guard
+
+Configurable code integrity is being rebranded as Windows Defender Application Control. This is to help distinguish it as a standalone feature to control execution of applications. For more information about Device Guard, see Windows [Defender Device Guard deployment guide](https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide).
+
+### Windows Information Protection
+
+Windows Information Protection is now designed to work with Microsoft Office and Azure Information Protection. For more information, see [Deploying and managing Windows Information Protection (WIP) with Azure Information Protection](https://myignite.microsoft.com/sessions/53660?source=sessions).
+
+### Windows Hello
+
+Windows Hello enables better trust decisions when signing in, through the use of new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present. Details about this feature will be available soon. For general information, see [Windows Unlock with Windows Hello companion (IoT) devices](https://docs.microsoft.com/windows/uwp/security/companion-device-unlock).
+
+### BitLocker
+
+The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol3).
+
+
+## Windows Analytics
+
+### Upgrade Readiness
+
+Upgrade Readiness provides insights into application and driver compatibility issues. New capabilities include better app coverage, post-upgrade health reports, and enhanced report filtering capabilities. For more information, see [Manage Windows upgrades with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
+
+### Update Compliance
+
+New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Windows Defender Antivirus with Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor).
+
+### Device Health
+
+Maintaining devices is made easier with Device Health, a new, premium analytic tool that identifies devices and drivers that crash frequently and might need to be rebuilt or replaced. For more information, see [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor).
+
+
+## Networking
+
+### Network stack
+
+Several network stack enhancements are available in this release. Some of these features were also available in Windows 10, version 1703. For more information, see [Core Network Stack Features in the Creators Update for Windows 10](https://blogs.technet.microsoft.com/networking/2017/07/13/core-network-stack-features-in-the-creators-update-for-windows-10/).
+
+
+## See Also
+
+[Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
+[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
+[What's new in Windows 10, version 1709](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
+[Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Windows Defender ATP in Windows 10, version 1709.
-As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like Group Policy, Active Directory, and System Center Configuration Manager. It also delivers a “mobile-first, cloud-first” approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Windows Store for Business.
+As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like Group Policy, Active Directory, and System Center Configuration Manager. It also delivers a “mobile-first, cloud-first” approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Microsoft Store for Business.
## Deployment and Provisioning
diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md
index 2737a54616..5ab0e0ff0b 100644
--- a/windows/client-management/mdm/applocker-csp.md
+++ b/windows/client-management/mdm/applocker-csp.md
@@ -33,7 +33,7 @@ Defines the root node for the AppLocker configuration service provider.