Merge branch 'master' into maricia-uefi

windows/client-management/mdm/assignedaccess-csp.md

@@ -7,7 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 04/25/2018
+ms.date: 09/18/2018
 ---
 
 # AssignedAccess CSP
@@ -95,15 +95,36 @@ In Windows 10, version 1803, Assigned Access runtime status only supports monito
 
 Note that status codes available in the Status payload correspond to a specific KioskModeAppRuntimeStatus.
 
-
 |Status code  | KioskModeAppRuntimeStatus |
 |---------|---------|
 | 1     | KioskModeAppRunning         |
 | 2     | KioskModeAppNotFound          |
 | 3     | KioskModeAppActivationFailure         |
 
+Additionally, the status payload includes a profileId that can be used by the MDM server to correlate which kiosk app caused the error.
 
-Additionally, the status payload includes a profileId, which can be used by the MDM server to correlate which kiosk app caused the error.
+In Windows 10, version 1810, Assigned Access runtime status supports monitoring single-app kiosk and multi-app modes. Here are the possible status codes.
+
+|Status|Description|
+|---|---|
+|Running|The AssignedAccess account (kiosk or multi-app) is running normally.|
+|AppNotFound|The kiosk app isn't deployed to the machine.|
+|ActivationFailed|The AssignedAccess account (kiosk or multi-app) failed to sign in.|
+|AppNoResponse|The kiosk app launched successfully but is now unresponsive.|
+
+Note that status codes available in the Status payload correspond to a specific AssignedAccessRuntimeStatus.
+
+|Status code|AssignedAccessRuntimeStatus|
+|---|---|
+|1|Running|
+|2|AppNotFound|
+|3|ActivationFailed|
+|4|AppNoResponse|
+
+Additionally, the Status payload includes the following fields:
+
+- profileId: can be used by the MDM server to correlate which account caused the error.
+- OperationList: list of failed operations that occurred while applying the assigned access CSP, if any exist.
 
 Supported operation is Get.
 
@@ -1116,10 +1137,11 @@ ShellLauncherConfiguration Get
 
     <xs:simpleType name="status_t">
         <xs:restriction base="xs:int">
-            <xs:enumeration value="0"/>
-            <xs:enumeration value="1"/>
-            <xs:enumeration value="2"/>
-            <xs:enumeration value="3"/>
+            <xs:enumeration value="0"/> <!-- Unknown -->
+            <xs:enumeration value="1"/> <!-- Running -->
+            <xs:enumeration value="2"/> <!-- AppNotFound -->
+            <xs:enumeration value="3"/> <!-- ActivationFailed -->
+            <xs:enumeration value="4"/> <!-- AppNoResponse -->
         </xs:restriction>
     </xs:simpleType>
 
@@ -1129,19 +1151,35 @@ ShellLauncherConfiguration Get
         </xs:restriction>
     </xs:simpleType>
 
+    <xs:complexType name="operation_t">
+        <xs:sequence minOccurs="1" maxOccurs="1">
+            <xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1"/>
+            <xs:element name="errorCode" type="xs:int" minOccurs="1" maxOccurs="1"/>
+            <xs:element name="data" type="xs:string" minOccurs="0" maxOccurs="1"/>
+        </xs:sequence>
+    </xs:complexType>
+
+    <xs:complexType name="operationlist_t">
+        <xs:sequence minOccurs="1" maxOccurs="1">
+            <xs:element name="Operation" type="operation_t" minOccurs="1" maxOccurs="unbounded"/>
+        </xs:sequence>
+    </xs:complexType>
+
     <xs:complexType name="event_t">
         <xs:sequence minOccurs="1" maxOccurs="1">
             <xs:element name="status" type="status_t" minOccurs="1" maxOccurs="1"/>
             <xs:element name="profileId" type="guid_t" minOccurs="1" maxOccurs="1"/>
+            <xs:element name="errorCode" type="xs:int" minOccurs="0" maxOccurs="1"/>
+            <xs:element name="OperationList" type="operationlist_t" minOccurs="0" maxOccurs="1"/>
         </xs:sequence>
-        <xs:attribute name="Name" type="xs:string" fixed="KioskModeAppRuntimeStatus" use="required"/>
+        <xs:attribute name="Name" type="xs:string" use="required"/>
     </xs:complexType>
 
     <xs:element name="Events">
         <xs:complexType>
-            <xs:sequence minOccurs="1" maxOccurs="1">
+            <xs:choice minOccurs="1" maxOccurs="1">
                 <xs:element name="Event" type="event_t" minOccurs="1" maxOccurs="1"/>
-            </xs:sequence>
+            </xs:choice>
         </xs:complexType>
     </xs:element>
 </xs:schema>

windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md

@@ -10,7 +10,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 08/27/2018
+ms.date: 09/20/2018
 ---
 
 # What's new in MDM enrollment and management
@@ -1405,7 +1405,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 <li>Defender/EnableLowCPUPriority</li>
 <li>Defender/SignatureUpdateFallbackOrder</li>
 <li>Defender/SignatureUpdateFileSharesSources</li>
-<li>DeviceGuard/EnableSystemGuard</li>
+<li>DeviceGuard/ConfigureSystemGuardLaunch</li>
 <li>DeviceInstallation/AllowInstallationOfMatchingDeviceIDs</li>
 <li>DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses</li>
 <li>DeviceInstallation/PreventDeviceMetadataFromNetwork</li>
@@ -1762,9 +1762,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 
 ### September 2018
 
-New or updated topic | Description
---- | ---
-[Mobile device management](index.md#mmat) | Added information about the MDM Migration Analysis Tool (MMAT).
+|New or updated topic | Description|
+|--- | ---|
+|[Mobile device management](index.md#mmat) | Added information about the MDM Migration Analysis Tool (MMAT).|
+|[Policy CSP - DeviceGuard](policy-csp-deviceguard.md) | Updated ConfigureSystemGuardLaunch policy and replaced EnableSystemGuard with it.|
 
 ### August 2018
 
@@ -1912,7 +1913,7 @@ New or updated topic | Description
 <li>Defender/EnableLowCPUPriority</li>
 <li>Defender/SignatureUpdateFallbackOrder</li>
 <li>Defender/SignatureUpdateFileSharesSources</li>
-<li>DeviceGuard/EnableSystemGuard</li>
+<li>DeviceGuard/ConfigureSystemGuardLaunch</li>
 <li>DeviceInstallation/AllowInstallationOfMatchingDeviceIDs</li>
 <li>DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses</li>
 <li>DeviceInstallation/PreventDeviceMetadataFromNetwork</li>

windows/client-management/mdm/policy-configuration-service-provider.md

@@ -987,7 +987,7 @@ The following diagram shows the Policy configuration service provider in tree fo
 
 <dl>
   <dd>
-    <a href="./policy-csp-deviceguard.md#deviceguard-enablesystemguard" id="deviceguard-enablesystemguard">DeviceGuard/EnableSystemGuard</a>
+    <a href="./policy-csp-deviceguard.md#deviceguard-configuresystemguardlaunch" id="deviceguard-configuresystemguardlaunch">DeviceGuard/ConfigureSystemGuardLaunch</a>
   </dd>
   <dd>
     <a href="./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity" id="deviceguard-enablevirtualizationbasedsecurity">DeviceGuard/EnableVirtualizationBasedSecurity</a>
@@ -4324,7 +4324,7 @@ The following diagram shows the Policy configuration service provider in tree fo
 -   [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
 -   [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
 -   [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
--   [DeviceGuard/EnableSystemGuard](./policy-csp-deviceguard.md#deviceguard-enablesystemguard)
+-   [DeviceGuard/ConfigureSystemGuardLaunch](./policy-csp-deviceguard.md#deviceguard-configuresystemguardlaunch)
 -   [DeviceGuard/EnableVirtualizationBasedSecurity](./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity)
 -   [DeviceGuard/LsaCfgFlags](./policy-csp-deviceguard.md#deviceguard-lsacfgflags)
 -   [DeviceGuard/RequirePlatformSecurityFeatures](./policy-csp-deviceguard.md#deviceguard-requireplatformsecurityfeatures)

windows/client-management/mdm/policy-csp-deviceguard.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 07/30/2018
+ms.date: 09/20/2018
 ---
 
 # Policy CSP - DeviceGuard
@@ -22,7 +22,7 @@ ms.date: 07/30/2018
 
 <dl>
   <dd>
-    <a href="#deviceguard-enablesystemguard">DeviceGuard/EnableSystemGuard</a>
+    <a href="#deviceguard-configuresystemguardlaunch">DeviceGuard/ConfigureSystemGuardLaunch</a>
   </dd>
   <dd>
     <a href="#deviceguard-enablevirtualizationbasedsecurity">DeviceGuard/EnableVirtualizationBasedSecurity</a>
@@ -39,7 +39,7 @@ ms.date: 07/30/2018
 <hr/>
 
 <!--Policy-->
-<a href="" id="deviceguard-enablesystemguard"></a>**DeviceGuard/EnableSystemGuard**  
+<a href="" id="deviceguard-configuresystemguardlaunch"></a>**DeviceGuard/ConfigureSystemGuardLaunch**  
 
 <!--SupportedSKUs-->
 <table>

windows/client-management/mdm/policy-csp-settings.md

@@ -788,6 +788,7 @@ The following list shows the supported values:
 
 > [!div class = "checklist"]
 > * Device
+> * User
 
 <hr/>
 

windows/client-management/mdm/policy-ddf-file.md

@@ -25635,7 +25635,7 @@ Related policy:
           </DFType>
         </DFProperties>
         <Node>
-          <NodeName>EnableSystemGuard</NodeName>
+          <NodeName>ConfigureSystemGuardLaunch</NodeName>
           <DFProperties>
             <AccessType>
               <Add />
@@ -27217,7 +27217,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
               <Get />
               <Replace />
             </AccessType>
-            <Description>You can configure Microsoft Edge, when enabled, to prevent the &quot;browser&quot; group from using the Sync your Settings option to sync information, such as history and favorites, between user&apos;s devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user.
+            <Description>You can configure Microsoft Edge, when enabled, to prevent the &quot;browser&quot; group from using the Sync your Settings option to sync information, such as history and favorites, between user&apos;s devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user. 
                         Related policy: PreventUsersFromTurningOnBrowserSyncing
                         0 (default) = allow syncing, 2 = disable syncing</Description>
             <DFFormat>
@@ -33474,7 +33474,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
               <Replace />
             </AccessType>
             <Description>Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal.
-
+                
                 This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal.</Description>
             <DFFormat>
               <chr/>
@@ -33862,7 +33862,7 @@ If you disable or do not configure this policy (recommended), users will be able
 Notes
 
 If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password.
-Disabling the Administrator account can become a maintenance issue under certain circumstances.
+Disabling the Administrator account can become a maintenance issue under certain circumstances. 
 
 Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts.  If the computer is domain joined the disabled administrator will not be enabled.
 
@@ -34352,7 +34352,7 @@ The options are:
  No Action
  Lock Workstation
  Force Logoff
- Disconnect if a Remote Desktop Services session
+ Disconnect if a Remote Desktop Services session 
 
 If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.
 
@@ -35374,7 +35374,7 @@ This policy setting controls the behavior of all User Account Control (UAC) poli
 
 The options are:
 
-• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
+• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. 
 
 • Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.</Description>
             <DFFormat>
@@ -44745,7 +44745,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
               <Get />
               <Replace />
             </AccessType>
-            <Description>Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user&apos;s permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist.
+            <Description>Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user&apos;s permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. 
 1) The access token that is being impersonated is for this user.
 2) The user, in this logon session, created the access token by logging on to the network with explicit credentials.
 3) The requested level is less than Impersonate, such as Anonymous or Identify.
@@ -47064,11 +47064,11 @@ Because of these factors, users do not usually need this user right. Warning: If
 
   <xs:element name="ForceRestart">
     <xs:complexType>
-      <xs:attribute name="StartDateTime" type="xs:dateTime" use="required"/>
-      <xs:attribute name="Recurrence" type="recurrence" use="required"/>
-      <xs:attribute name="RunIfTaskIsMissed" type="xs:boolean" use="required"/>
-      <xs:attribute name="DaysOfWeek" type="daysOfWeek"/>
-      <xs:attribute name="DaysOfMonth" type="daysOfMonth"/>
+      <xs:attribute name="StartDateTime" type="xs:dateTime" use="required"/> 
+      <xs:attribute name="Recurrence" type="recurrence" use="required"/> 
+      <xs:attribute name="RunIfTaskIsMissed" type="xs:boolean" use="required"/> 
+      <xs:attribute name="DaysOfWeek" type="daysOfWeek"/> 
+      <xs:attribute name="DaysOfMonth" type="daysOfMonth"/> 
     </xs:complexType>
   </xs:element>
 </xs:schema>]]></MSFT:XMLSchema>
@@ -55084,7 +55084,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
               <Get />
             </AccessType>
             <DefaultValue>0</DefaultValue>
-            <Description>You can configure Microsoft Edge, when enabled, to prevent the &quot;browser&quot; group from using the Sync your Settings option to sync information, such as history and favorites, between user&apos;s devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user.
+            <Description>You can configure Microsoft Edge, when enabled, to prevent the &quot;browser&quot; group from using the Sync your Settings option to sync information, such as history and favorites, between user&apos;s devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user. 
                         Related policy: PreventUsersFromTurningOnBrowserSyncing
                         0 (default) = allow syncing, 2 = disable syncing</Description>
             <DFFormat>
@@ -62093,7 +62093,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
             </AccessType>
             <DefaultValue></DefaultValue>
             <Description>Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal.
-
+                
                 This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal.</Description>
             <DFFormat>
               <chr/>
@@ -62491,7 +62491,7 @@ If you disable or do not configure this policy (recommended), users will be able
 Notes
 
 If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password.
-Disabling the Administrator account can become a maintenance issue under certain circumstances.
+Disabling the Administrator account can become a maintenance issue under certain circumstances. 
 
 Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts.  If the computer is domain joined the disabled administrator will not be enabled.
 
@@ -63024,7 +63024,7 @@ The options are:
  No Action
  Lock Workstation
  Force Logoff
- Disconnect if a Remote Desktop Services session
+ Disconnect if a Remote Desktop Services session 
 
 If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.
 
@@ -64127,7 +64127,7 @@ This policy setting controls the behavior of all User Account Control (UAC) poli
 
 The options are:
 
-• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
+• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. 
 
 • Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.</Description>
             <DFFormat>
@@ -74444,7 +74444,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
               <Get />
             </AccessType>
             <DefaultValue></DefaultValue>
-            <Description>Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user&apos;s permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist.
+            <Description>Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user&apos;s permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. 
 1) The access token that is being impersonated is for this user.
 2) The user, in this logon session, created the access token by logging on to the network with explicit credentials.
 3) The requested level is less than Impersonate, such as Anonymous or Identify.