deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 10:23:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

test migration of everything

Browse Source
This commit is contained in:
Brian Lich
2016-03-07 16:53:55 -08:00
parent db8fb9a516
commit afab4332a6
655 changed files with 51217 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

57
windows/manage/TOC.md
View File

@ -1 +1,56 @@
#[Manage and update](placeholder.md)
# [Manage and update Windows 10](manage-and-update-windows-10.md)
## [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)
## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)
## [Cortana integration in your business or enterprise](manage-cortana-in-your-enterprise.md)
## [Manage corporate devices](manage-corporate-devices.md)
### [New policies for Windows 10](new-policies-for-windows-10.md)
### [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)
### [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)
### [Introduction to configuration service providers (CSPs)](how-it-pros-can-use-configuration-service-providers--csps--.md)
## [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
### [Customize and export Start layout](customize-and-export-start-layout.md)
### [Customize Windows 10 Start with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
### [Customize Windows 10 Start with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
### [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management--mdm-.md)
## [Lock down Windows 10](lock-down-windows-10.md)
### [Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md)
#### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
#### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
### [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md)
### [Configure telemetry and other settings in your organization](manage-privacy-for-windows-10-in-your-company.md)
### [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md)
### [Manage Wi-Fi Sense in your company](manage-wi-fi-sense-in-your-company.md)
### [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)
#### [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md)
#### [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md)
### [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)
## [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md)
## [Configure devices without MDM](configure-devices-without-mdm.md)
## [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md)
## [Windows Store for Business](windows-store-for-business.md)
### [Sign up and get started](sign-up-and-get-started.md)
#### [Prerequisites for Windows Store for Business](prerequisites-for-windows-store-for-business.md)
#### [Sign up for Windows Store for Business](sign-up-for-windows-store-for-business.md)
#### [Roles and permissions in the Windows Store for Business](roles-and-permissions-in-the-windows-store-for-business.md)
#### [Settings reference: Windows Store for Business](settings-reference--windows-store-for-business.md)
### [Find and acquire apps](find-and-acquire-apps.md)
#### [Apps in the Windows Store for Business](apps-in-the-windows-store-for-business.md)
#### [Working with line-of-business apps](working-with-line-of-business-apps.md)
### [Distribute apps to your employees from the Windows Store for Business](distribute-apps-to-your-employees-from-the-windows-store-for-business.md)
#### [Distribute apps using your private store](distribute-apps-from-your-private-store.md)
#### [Assign apps to employees](assign-apps-to-employees.md)
#### [Distribute apps with a management tool](distribute-apps-with-a-management-tool.md)
#### [Distribute offline apps](distribute-offline-apps.md)
### [Manage apps](manage-apps.md)
#### [Manage access to private store](manage-access-to-private-store.md)
#### [App inventory managemement for Windows Store for Business](app-inventory-managemement-for-windows-store-for-business.md)
#### [Manage private store settings](manage-private-store-settings.md)
#### [Configure MDM provider](configure-mdm-provider.md)
### [Device Guard signing portal](device-guard-signing-portal.md)
#### [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md)
#### [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md)
### [Manage settings in the Windows Store for Business](manage-settings-in-the-windows-store-for-business.md)
#### [Update Windows Store for Business account settings](update-windows-store-for-business-account-settings-.md)
#### [Manage user accounts in Windows Store for Business](manage-users-and-groups-in-the-windows-store-for-business.md)
### [Troubleshoot Windows Store for Business](troubleshoot.md)

122
windows/manage/add-unsigned-app-to-code-integrity-policy.md Normal file
View File

@ -0,0 +1,122 @@
---
title: Add unsigned app to code integrity policy (Windows 10)
description: When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device.
ms.assetid: 580E18B1-2FFD-4EE4-8CC5-6F375BE224EA
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
---
# Add unsigned app to code integrity policy
**Applies to**
- Windows 10
- Windows 10 Mobile
When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device. Then, create the catalog files for your unsigned app, sign the catalog files, and then merge the default policy that includes your signing certificate with existing code integrity policies.
## In this section
- [Create a code integrity policy based on a reference device](#create_ci_policy)
- [Create catalog files for your unsigned app](#create_catalog_files)
- [Catalog signing with Device Guard signing portal](#catalog_signing_device_guard_portal)
## Create a code integrity policy based on a reference device
To add an unsigned app to a code integrity policy, your code integrity policy must be created from golden image machine. For more information, see [Create a Device Guard code integrity policy based on a reference device](https://technet.microsoft.com/library/mt243445.aspx).
## Create catalog files for your unsigned app
Creating catalog files starts the process for adding an unsigned app to a code integrity policy.
Before you get started, be sure to review these best practices and requirements:
**Requirements**
- You'll use Package Inspector during this process.
- Only perform this process with a code integrity policy running in audit mode. You should not perform this process on a system running an enforced Device Guard policy.
**Best practices**
- **Naming convention** -- Using a naming convention makes it easier to find deployed catalog files. We'll use \*-Contoso.cat as the naming convention in this topic. For more information, see the section Inventorying catalog files by using Configuration Manager in the [Device Guard deployment guide](https://technet.microsoft.com/library/mt463091.aspx).
- **Where to deploy code integrity policy** -- The [code integrity policy that you created](#create_ci_policy) should be deployed to the system on which you are running Package Inspector. This will ensure that the code integrity policy binaries are trusted.
Copy the commands for each step into an elevated Windows PowerShell session. You'll use Package Inspector to find and trust all binaries in the app.
**To create catalog files for your unsigned app**
1. Start Package Inspector to scan the C drive.
`PackageInspector.exe Start C:`
2. Copy the installation media to the C drive.
Copying the installation media to the C drive ensures that Package Inspector finds and catalogs the installer. If you skip this step, the code integrity policy may trust the application to run, but not trust it to be installed.
3. Install and start the app.
All binaries that are used while Package Inspector is running will be part of the catalog files. After the installation, start the app and make sure that any product updates are installed and any downloadable content was found during the scan. Then, close and restart the app to make sure that the scan found all binaries.
4. Stop the scan and create definition and catalog files.
After app install is complete, stop the Package Inspector scan and create catalog and definition files on your desktop.
`$ExamplePath=$env:userprofile+"\Desktop"`
`$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"`
`$CatDefName=$ExamplePath+"\LOBApp.cdf"`
`PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName`
The Package Inspector scan catalogs the hash values for each binary file that is finds. If the app that was scanned are updated, do this process again to trust the new binaries hash values.
After you're done, the files are saved to your desktop. You still need to sign the catalog file so that it will be trusted within the code integrity policy.
## Catalog signing with Device Guard signing portal
To sign catalog files with the Device Guard signing portal, you need to be signed up with the Windows Store for Business. For more information, see [Sign up for the Windows Store for Business](sign-up-for-windows-store-for-business.md).
Catalog signing is a vital step to adding your unsigned apps to your code integrity policy.
**To sign a catalog file with Device Guard signing portal**
1. Sign in to the Store for Business
2. Click **Settings**, and then choose **Device Guard signing**.
3. Click **Upload** to upload your unsigned catalog files. These are the catalog files you created earlier in [Create catalog files for your unsigned app](#create_catalog_files).
4. After the files are uploaded, click **Sign** to sign the catalog files.
5. Click Download to download each item:
- signed catalog file
- default policy
- root certificate for your organization
When you use the Device Guard signing portal to sign a catalog file, the signing certificate is added to the default policy. When you download the signed catalog file, you should also download the default policy and merge this code integrity policy with your existing code integrity policies to protect machines running the catalog file. You need to do this step to trust and run your catalog files. For more information, see the Merging code integrity policies in the [Device Guard deployment guide](https://technet.microsoft.com/library/mt463091.aspx).
6. Open the root certificate that you downloaded, and follow the steps in **Certificate Import wizard** to install the certificate in your machine's certificate store.
7. Deploy signed catalogs to your managed devices. For more information, see Deploy catalog files with Group Policy, or Deploy catalog files with System Center Configuration Manager in the [Device Guard deployment guide](https://technet.microsoft.com/library/mt463091.aspx).
 
 

52
windows/manage/administrative-tools-in-windows-10.md Normal file
View File

@ -0,0 +1,52 @@
---
title: Administrative Tools in Windows 10 (Windows 10)
description: Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users.
ms.assetid: FDC63933-C94C-43CB-8373-629795926DC8
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
---
# Administrative Tools in Windows 10
**Applies to**
- Windows 10
Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users. The tools in the folder might vary depending on which edition of Windows you are using.
These tools were included in previous versions of Windows and the associated documentation for each tool should help you use these tools in Windows 10. The following list links to documentation for each tool.
**Tip**  
If the content that is linked to a tool in the following list doesn't provide the information you need to use that tool, send us a comment by using the **Was this page helpful?** feature on this **Administrative Tools in Windows 10** page. Details about the information you want for a tool will help us plan future content.
 
- [Component Services]( http://go.microsoft.com/fwlink/p/?LinkId=708489)
- [Computer Management](http://go.microsoft.com/fwlink/p/?LinkId=708490)
- [Defragment and Optimize Drives](http://go.microsoft.com/fwlink/p/?LinkId=708488)
- [Disk Cleanup](http://go.microsoft.com/fwlink/p/?LinkID=698648)
- [Event Viewer](http://go.microsoft.com/fwlink/p/?LinkId=708491)
- [iSCSI Initiator](http://go.microsoft.com/fwlink/p/?LinkId=708492)
- [Local Security Policy](http://go.microsoft.com/fwlink/p/?LinkId=708493)
- [ODBC Data Sources]( http://go.microsoft.com/fwlink/p/?LinkId=708494)
- [Performance Monitor](http://go.microsoft.com/fwlink/p/?LinkId=708495)
- [Print Management](http://go.microsoft.com/fwlink/p/?LinkId=708496)
- [Resource Monitor](http://go.microsoft.com/fwlink/p/?LinkId=708497)
- [Services](http://go.microsoft.com/fwlink/p/?LinkId=708498)
- [System Configuration](http://go.microsoft.com/fwlink/p/?LinkId=708499)
- [System Information]( http://go.microsoft.com/fwlink/p/?LinkId=708500)
- [Task Scheduler](http://go.microsoft.com/fwlink/p/?LinkId=708501)
- [Windows Firewall with Advanced Security](http://go.microsoft.com/fwlink/p/?LinkId=708503)
- [Windows Memory Diagnostic]( http://go.microsoft.com/fwlink/p/?LinkId=708507)
 
 

206
windows/manage/app-inventory-managemement-for-windows-store-for-business.md Normal file
View File

@ -0,0 +1,206 @@
---
title: App inventory management for Windows Store for Business (Windows 10)
description: You can manage all apps that you've acquired on your Inventory page.
ms.assetid: 44211937-801B-4B85-8810-9CA055CDB1B2
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
---
# App inventory management for Windows Store for Business
**Applies to**
- Windows 10
- Windows 10 Mobile
You can manage all apps that you've acquired on your **Inventory** page.
The **Inventory** page in Windows Store for Business shows all apps in your inventory. This includes all apps that you've acquired from Store for Business, and the line-of-business (LOB) apps that you've accepted into your inventory. After LOB apps are submitted to your organization, you'll see a notification on your **Inventory** page. On the **New line-of-business apps** page, you can accept, or reject the LOB apps. For more information on LOB apps, see [Working with line-of-business apps](working-with-line-of-business-apps.md).
All of these apps are treated the same once they are in your inventory and you can perform app lifecycle tasks for them: distribute apps, add apps to private store, review license details, and reclaim app licenses.
![](images/wsfb-inventoryaddprivatestore.png)
Store for Business shows this info for each app in your inventory:
- Name
- Access to actions for the app
- Last modified date
- Supported devices
- Private store status
### Find apps in your inventory
There are a couple of ways to find specific apps, or groups of apps in your inventory.
**Search** - Use the Search box to search for an app.
**Refine** - Use **Refine** to scope your list of apps by one or more of these app attributes:
- **License** - Online or offline licenses. For more info, see [Apps in Windows Store for Business](apps-in-the-windows-store-for-business.md#licensing_model).
- **Platforms** - Lists the devices that apps in your inventory were originally written to support. This list is cumulative for all apps in your inventory.
- **Source** - **Store**, for apps acquired from Store for Business, or LOB, for line-of-business apps.
- **Private store** - **In private store**, or **Not in private store**, depending on whether or not you've added the app to your private store.
### Manage apps in your inventory
Each app in the Store for Business has an online, or an offline license. For more information on Store for Business licensing model, see [Apps in the Windows Store for Business](apps-in-the-windows-store-for-business.md#licensing_model). There are different actions you can take depending on the app license type. They're summarized in this table.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Action</th>
<th align="left">Online-licensed app</th>
<th align="left">Offline-licensed app</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Assign to employees</p></td>
<td align="left"><p>X</p></td>
<td align="left"></td>
</tr>
<tr class="even">
<td align="left"><p>Add to private store</p></td>
<td align="left"><p>X</p></td>
<td align="left"></td>
</tr>
<tr class="odd">
<td align="left"><p>Remove from private store</p></td>
<td align="left"><p>X</p></td>
<td align="left"></td>
</tr>
<tr class="even">
<td align="left"><p>View license details</p></td>
<td align="left"><p>X</p></td>
<td align="left"></td>
</tr>
<tr class="odd">
<td align="left"><p>View product details</p></td>
<td align="left"><p>X</p></td>
<td align="left"><p>X</p></td>
</tr>
<tr class="even">
<td align="left"><p>Download for offline use</p></td>
<td align="left"></td>
<td align="left"><p>X</p></td>
</tr>
</tbody>
</table>
 
**Note**  
Removing apps from inventory is not currently supported.
 
The actions in the table are how you distribute apps, and manage app licenses. We'll cover those in the next sections. Working with offline-licensed apps has different steps. For more information on distributing offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md).
### Distribute apps
For online-licensed apps, there are a couple of ways to distribute apps from your inventory:
- Assign apps to people in your organization.
- Add apps to your private store, and let people in your organization install the app.
If you use a management tool that supports Store for Business, you can distribute apps with your management tool. Once it is configured to work with Store for Business, your managment tool will have access to all apps in your inventory. For more information, see [Distribute apps with a management tool](distribute-apps-with-a-management-tool.md).
### Assign apps
You can assign apps directly to people in your organization. You can assign apps to individuals, a few people, or to a group. For more information, see [Assign apps to employees](assign-apps-to-employees.md).
### Private store
The private store is a feature in the Store for Business. Once an online-licensed app is in your inventory, you can make it available in your private store. When you add apps to the private store, all employees in your organization can view and download the app. Employees access the private store as a page in Windows Store app.
For more information, see [Distribute apps using your private store](distribute-apps-from-your-private-store.md).
### Manage app licenses
For each app in your inventory, you can view and manage license details. This give you another way to assign apps to people in your organization. It also allows you to reclaim app licenses after they've been assigned to people, or claimed by people in your organization.
**To view license details**
1. Sign in to [Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=691845)
2. Click **Manage**, and then choose **Inventory**.
3. Click the ellipses for and app, and then choose **View license details**.
![](images/wsfb-inventory-viewlicense.png)
You'll see the names of people in your organization who have installed the app and are using one of the licenses.
![](images/wsfb-licensedetails.png)
On **Assigned licenses**, you can do several things:
- Assign the app to other people in your organization.
- Reclaim app licenses.
- View app details.
- Add the app to your private store, if it is not in the private store.
You can assign the app to more people in your organization, or reclaim licenses.
**To assign an app to more people**
- Click Assign to people, type the email address for the employee that you're assigning the app to, and click **Assign**.
![](images/wsfb-licenseassign.png)
Store for Business updates the list of assigned licenses.
**To reclaim licenses**
- Choose the person you want to reclaim the license from, click **Reclaim licenses**, and then click **Reclaim licenses**.
![](images/wsfb-licensereclaim.png)
Store for Business updates the list of assigned licenses.
### Download offline-licensed app
Offline licensing is a new feature in Windows 10 and allows apps to be deployed to devices that are not connected to the Internet. This means organizations can deploy apps when users or devices do not have connectivity to the Store.
You can download offline-licensed apps from your inventory. You'll need to download these items:
- App metadata
- App package
- App license
- App framework
For more information about online and offline licenses, see [Apps in the Windows Store for Business](apps-in-the-windows-store-for-business.md#licensing_model).
For more information about downloading offline-licensed apps, see [Download offline apps](../p_ent_manage_Update/download-offline-licensed-app.md).
 
 

91
windows/manage/apps-in-the-windows-store-for-business.md Normal file
View File

@ -0,0 +1,91 @@
---
title: Apps in Windows Store for Business (Windows 10)
description: Windows Store for Business has thousands of apps from many different categories.
ms.assetid: CC5641DA-3CEA-4950-AD81-1AF1AE876926
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
---
# Apps in Windows Store for Business
**Applies to**
- Windows 10
- Windows 10 Mobile
Windows Store for Business has thousands of apps from many different categories.
##
These app types are supported in Store for Business:
- Universal Windows apps for Windows 10
- Universal Windows apps, by device: phone, Surface Hub, IoT, HoloLens
Apps in your inventory will have at least one of these supported platforms listed for the app:
- Windows 10 desktops
- Windows 10 phones
- Windows 10 xbox
- Windows 10 IOT devices
- Windows 10 servers
- Windows 10 \*all devices\*
- Windows 10 Surface Hub
- Windows 10 HoloLens
Apps that you acquire from the Store for Business only work on Windows 10-based devices. Even though an app might list Windows 8 as its supported platform, that tells you what platform the app was originally written for. Apps developed for Windows 8, or Windows phone 8 will work on Windows 10.
Line-of-business (LOB) apps are also supported using the Store for Business. Admins can invite IT devs and ISVs to be LOB publishers. Apps developed by your LOB publishers that are submitted to the Store are only available to your organization. Once an administrator accepts an app submitted by one of their LOB publishers, the app can be distributed just like any other app from Store for Business. For more information, see Working with Line-of-Business apps.
## In-app purchases
Some apps offer you the option to make in-app purchases. In-app purchases are not currently supported for apps that are acquired through Store for Business and distributed to employees.
If an employee makes an in-app purchase, they'll make it with their personal Microsoft account and pay for it with a personal payment method. The employee will own the item purchased, and it cannot be transferred to your organizations inventory.
## Licensing model: online and offline licenses
Store for Business supports two options to license apps: online and offline.
**Online** licensing is the default licensing model and is similar to the Windows Store. Online licensed apps require users and devices to connect to the Store for Business service to acquire an app and its license. Licensing management is enforced based on the users Azure AD identity and maintained by the store as well as the management tool. By default app updates are handled by Windows Update.
Distribution options for online-licensed apps include the ability to:
- Assign an app to employees.
- Add an app to your private store, allowing employees to download the app.
- Distribute through a management tool.
**Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store.
You have the following distribution options for offline-licensed apps:
- Include the app in a provisioning package, and then use it as part of imaging a device.
- Distribute the app through a management tool.
For more information, see [Distribute apps to your employees from the Store for Business](distribute-apps-to-your-employees-from-the-windows-store-for-business.md).
 
 

40
windows/manage/assign-apps-to-employees.md Normal file
View File

@ -0,0 +1,40 @@
---
title: Assign apps to employees (Windows 10)
description: Administrators can assign online-licensed apps to employees in their organization.
ms.assetid: A0DF4EC2-BE33-41E1-8832-DBB0EBECA31A
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
---
# Assign apps to employees
**Applies to**
- Windows 10
- Windows 10 Mobile
Administrators can assign online-licensed apps to employees in their organization.
**To assign an app to an employee**
1. Sign in to Windows Store for Business.
2. Click **Manage**, and then choose **Inventory**.
3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**.
4. Type the email address for the employee that you're assigning the app to, and click **Confirm**.
Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**.
 
 

157
windows/manage/change-history-for-manage-and-update-windows-10.md Normal file
View File

@ -0,0 +1,157 @@
---
title: Change history for Manage and update Windows 10 (Windows 10)
description: This topic lists new and updated topics in the Manage and update Windows 10 documentation for Windows 10 and Windows 10 Mobile.
ms.assetid: 29144AFA-1DA9-4532-B07D-1EBE34B7E1E0
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
---
# Change history for Manage and update Windows 10
This topic lists new and updated topics in the [Manage and update Windows 10](manage-and-update-windows-10.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
## March 2016
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">New or changed topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">[Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md)</td>
<td align="left"><p>New</p></td>
</tr>
</tbody>
</table>
 
## February 2016
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">New or changed topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">[Configure telemetry and other settings in your organization](manage-privacy-for-windows-10-in-your-company.md)</td>
<td align="left"><p>Added call history and email to the Settings &gt; Privacy section.</p>
<p>Added the Turn off Windows Mail application Group Policy to the Mail synchronization section.</p></td>
</tr>
<tr class="even">
<td align="left">[Customize and export Start layout](customize-and-export-start-layout.md)</td>
<td align="left">Added a note to clarify that partial Start layout is only supported in Windows 10, Version 1511 and later</td>
</tr>
<tr class="odd">
<td align="left">[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management--mdm-.md)</td>
<td align="left">Added instructions for replacing markup characters with escape characters in Start layout XML</td>
</tr>
<tr class="even">
<td align="left">[Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers--csps--.md)</td>
<td align="left">New</td>
</tr>
<tr class="odd">
<td align="left">[Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)</td>
<td align="left">New</td>
</tr>
<tr class="even">
<td align="left">[Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md)</td>
<td align="left">Added information on servicing options for Windows 10 Mobile, Windows 10 Mobile Enterprise, and Windows 10 IoT Core (IoT Core).</td>
</tr>
</tbody>
</table>
 
## December 2015
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">New or changed topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">[Cortana integration in your business or enterprise](manage-cortana-in-your-enterprise.md)</td>
<td align="left">New</td>
</tr>
<tr class="even">
<td align="left">[Manage Wi-Fi Sense in your company](manage-wi-fi-sense-in-your-company.md)</td>
<td align="left">New</td>
</tr>
<tr class="odd">
<td align="left">Customize Windows 10 Start with mobile device management (MDM)</td>
<td align="left"></td>
</tr>
</tbody>
</table>
 
## November 2015
| New or changed topic | Description |
|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
| [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md) | New |
| [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) | New |
| [Customize and export Start layout](customize-and-export-start-layout.md) | New |
| [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management--mdm-.md) | New |
| [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md) | New |
| [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) | New |
| [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md) | New |
| [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) | New |
| [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) | New |
| [Windows Hello biometrics in the enterprise](../keep-secure/windows-hello-biometrics-in-the-enterprise.md) | New |
| [Windows Store for Business](windows-store-for-business.md) (multiple topics) | New |
| [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) | Updated |
| [Configure telemetry and other settings in your organization](manage-privacy-for-windows-10-in-your-company.md) | Updated |
| [New policies for Windows 10](new-policies-for-windows-10.md) | Updated |
 
## Related topics
[Change history for What's new in Windows 10](../whats-new/change-history-for-what-s-new-in-windows-10.md)
[Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md)
[Change history for Deploy Windows 10](../deploy/change-history-for-deploy-windows-10.md)
[Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md)
 
 

180
windows/manage/changes-to-start-policies-in-windows-10.md Normal file
View File

@ -0,0 +1,180 @@
---
title: Changes to Group Policy settings for Windows 10 Start (Windows 10)
description: Windows 10 has a brand new Start experience.
ms.assetid: 612FB68A-3832-451F-AA97-E73791FEAA9F
keywords: ["group policy", "start menu", "start screen"]
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
---
# Changes to Group Policy settings for Windows 10 Start
**Applies to**
- Windows 10
**In this article**
- [Start policy settings supported for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education](#start_policy_settings_supported_for_windows_10_pro__windows_10_enterprise__and_windows_10_education)
- [Deprecated Group Policy settings for Start](#deprecated_group_policy_settings_for_start_)
- [Related topics](#related_topics)
Windows 10 has a brand new Start experience. As a result, there are changes to the Group Policy settings that you can use to manage Start. Some policy settings are new or changed, and some old Start policy settings still apply. Other Start policy settings no longer apply and are deprecated.
## Start policy settings supported for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
These policy settings are available in **Administrative Templates\\Start Menu and Taskbar** under **User Configuration**.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Policy</th>
<th align="left">Notes</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">Clear history of recently opened documents on exit</td>
<td align="left">Documents that the user opens are tracked during the session. When the user signs off, the history of opened documents is deleted.</td>
</tr>
<tr class="even">
<td align="left">Do not allow pinning items in Jump Lists</td>
<td align="left">Jump Lists are lists of recently opened items, such as files, folders, or websites, organized by the program that you use to open them. This policy prevents users from pinning items to any Jump List.</td>
</tr>
<tr class="odd">
<td align="left">Do not display or track items in Jump Lists from remote locations</td>
<td align="left">When this policy is applied, only items local on the computer are shown in Jump Lists.</td>
</tr>
<tr class="even">
<td align="left">Do not keep history of recently opened documents</td>
<td align="left">Documents that the user opens are not tracked during the session.</td>
</tr>
<tr class="odd">
<td align="left">Prevent changes to Taskbar and Start Menu Settings</td>
<td align="left">In Windows 10, this disables all of the settings in <strong>Settings</strong> &gt; <strong>Personalization</strong> &gt; <strong>Start</strong> as well as the options in dialog available via right-click Taskbar &gt; <strong>Properties</strong></td>
</tr>
<tr class="even">
<td align="left">Prevent users from customizing their Start Screen</td>
<td align="left"><p>Use this policy in conjunction with [CopyProfile](http://go.microsoft.com/fwlink/p/?LinkId=623229) or other methods for configuring the layout of Start to prevent users from changing it</p></td>
</tr>
<tr class="odd">
<td align="left">Prevent users from uninstalling applications from Start</td>
<td align="left">In Windows 10, this removes the uninstall button in the context menu. It does not prevent users from uninstalling the app through other entry points (e.g. PowerShell)</td>
</tr>
<tr class="even">
<td align="left">Remove All Programs list from the Start menu</td>
<td align="left">In Windows 10, this removes the <strong>All apps</strong> button.</td>
</tr>
<tr class="odd">
<td align="left">Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands</td>
<td align="left">This removes the Shut Down, Restart, Sleep, and Hibernate commands from the Start Menu, Start Menu power button, CTRL+ALT+DEL screen, and Alt+F4 Shut Down Windows menu.</td>
</tr>
<tr class="even">
<td align="left">Remove common program groups from Start Menu</td>
<td align="left">As in earlier versions of Windows, this removes apps specified in the All Users profile from Start</td>
</tr>
<tr class="odd">
<td align="left">Remove frequent programs list from the Start Menu</td>
<td align="left">In Windows 10, this removes the top left <strong>Most used</strong> group of apps.</td>
</tr>
<tr class="even">
<td align="left">Remove Logoff on the Start Menu</td>
<td align="left"><strong>Logoff</strong> has been changed to <strong>Sign Out</strong> in the user interface, however the functionality is the same.</td>
</tr>
<tr class="odd">
<td align="left">Remove pinned programs list from the Start Menu</td>
<td align="left">In Windows 10, this removes the bottom left group of apps (by default, only File Explorer and Settings are pinned).</td>
</tr>
<tr class="even">
<td align="left">Show &quot;Run as different user&quot; command on Start</td>
<td align="left">This enables the <strong>Run as different user</strong> option in the right-click menu for apps.</td>
</tr>
<tr class="odd">
<td align="left">Start Layout</td>
<td align="left"><p>This applies a specific Start layout, and it also prevents users from changing the layout. This policy can be configured in <strong>User Configuration</strong> or <strong>Computer Configuration</strong>.</p>
<div class="alert">
<strong>Note</strong>  
<p>Start Layout policy setting applies only to Windows 10 Enterprise and Windows 10 Education.</p>
</div>
<div>
 
</div></td>
</tr>
<tr class="even">
<td align="left">Force Start to be either full screen size or menu size</td>
<td align="left">This applies a specific size for Start.</td>
</tr>
</tbody>
</table>
 
## Deprecated Group Policy settings for Start
The Start policy settings listed below do not work on Windows 10. Most of them were deprecated in Windows 8 however a few more were deprecated in Windows 10. Deprecation in this case means that the policy setting will not work on Windows 10. The “Supported on” text for a policy setting will not list Windows 10. The policy settings are still in the Group Policy Management Console and can be used on the operating systems that they apply to.
| Policy | When deprecated |
|----------------------------------------------------------------------------------|-----------------|
| Go to the desktop instead of Start when signing in | Windows 10 |
| List desktop apps first in the Apps view | Windows 10 |
| Pin Apps to Start when installed (User or Computer) | Windows 10 |
| Remove Default Programs link from the Start menu. | Windows 10 |
| Remove Documents icon from Start Menu | Windows 10 |
| Remove programs on Settings menu | Windows 10 |
| Remove Run menu from Start Menu | Windows 10 |
| Remove the "Undock PC" button from the Start Menu | Windows 10 |
| Search just apps from the Apps view | Windows 10 |
| Show Start on the display the user is using when they press the Windows logo key | Windows 10 |
| Show the Apps view automatically when the user goes to Start | Windows 10 |
| Add the Run command to the Start Menu | Windows 8 |
| Change Start Menu power button | Windows 8 |
| Gray unavailable Windows Installer programs Start Menu shortcuts | Windows 8 |
| Remove Downloads link from Start Menu | Windows 8 |
| Remove Favorites menu from Start Menu | Windows 8 |
| Remove Games link from Start Menu | Windows 8 |
| Remove Help menu from Start Menu | Windows 8 |
| Remove Homegroup link from Start Menu | Windows 8 |
| Remove Music icon from Start Menu | Windows 8 |
| Remove Network icon from Start Menu | Windows 8 |
| Remove Pictures icon from Start Menu | Windows 8 |
| Remove Recent Items menu from Start Menu | Windows 8 |
| Remove Recorded TV link from Start Menu | Windows 8 |
| Remove user folder link from Start Menu | Windows 8 |
| Remove Videos link from Start Menu | Windows 8 |
 
## Related topics
[Manage corporate devices](manage-corporate-devices.md)
[New policies for Windows 10](new-policies-for-windows-10.md)
[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
[Customize and export Start layout](customize-and-export-start-layout.md)
[Customize Windows 10 Start screens with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
[Customize Windows 10 Start screens with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management--mdm-.md)
[Customize Windows 10 Start screens with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
 
 

195
windows/manage/configure-devices-without-mdm.md Normal file
View File

@ -0,0 +1,195 @@
---
title: Configure devices without MDM (Windows 10)
description: Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise.
ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E
keywords: ["runtime provisioning", "provisioning package"]
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
---
# Configure devices without MDM
**Applies to**
- Windows 10
- Windows 10 Mobile
**In this article**
- [Advantages](#advantages)
- [Typical use cases](#typical_use_cases)
- [Create package](#create_package)
- [Apply package](#apply_package)
- [Manage a package](#manage_a_package)
- [Learn more](#learn_more)
Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise.
Sometimes mobile device management (MDM) isn't available to you for setting up a device because the device isn't connected to your network, or because an employee is remote and needs a fast replacement for a work device. You might not use MDM in your organization at all, but would like an easy way to place a standard configuration on multiple devices.
Rather than wiping a device and applying a new system image, in Windows 10 you can apply a provisioning package at any time. A provisioning package can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more.
You can provide provisioning packages on a network shared folder that employees can access to configure their devices. Or you can put a provisioning package on a USB flash drive or SD card to hand out. You can even send the provisioning package to someone in email.
Provisioning packages are simple for employees to install. And when they remove a provisioning package, policies that the package applied to their device are removed.
## Advantages
- You can configure new devices without re-imaging.
- Works on both mobile and desktop devices.
- No network connectivity required.
- Simple for people to apply.
- Ensures compliance and security before a device is enrolled in MDM.
## Typical use cases
- **Set up a new off-the-shelf device for an employee**
Package might include edition upgrade, device name, company root certificate, Wi-Fi profile, domain join with service account, or company application.
- **Configure an off-the-shelf mobile device to be used as a point of sale or inventory terminal**
Package might include edition upgrade, device name, company root certificate, Wi-Fi profile, security policies, company application, or assigned access (also known as [kiosk mode](set-up-a-device-for-anyone-to-use.md)).
- **Help employees set up personally-owned devices to use for work**
Package might include company root certificate, Wi-Fi profiles, security policies, or company application.
**Note**  
Test to make sure that removing the provisioning package from a personal device removes everything that the package installed. Some settings are not reverted when a provisioning package is removed from the device.
 
- **Repurpose devices by returning the device to a specific state between users**
Package might include computer name, company root certificate, Wi-Fi profile, or company application.
**Note**  
To return the **Start** menu to a specific state, you must reset the device. When you reset the device, you can apply the provisioning package during the first-run experience.
 
For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( http://go.microsoft.com/fwlink/p/?LinkId=619012).
## Create package
Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)
1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
2. Choose **New provisioning package**.
3. Name your project, and click **Next**.
4. Choose **Common to all Windows editions**, **Common to all Windows desktop editions**, or **Common to all Windows mobile editions**, depending on the devices you intent to provision, and click **Next**.
5. On **New project**, click **Finish**. The workspace for your package opens.
6. Configure settings. [Learn more about specific settings in provisioning packages.]( http://go.microsoft.com/fwlink/p/?LinkId=615916)
7. On the **File** menu, select **Save.**
8. On the **Export** menu, select **Provisioning package**.
9. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
10. Set a value for **Package Version**.
**Tip**  
You can make changes to existing packages and change the version number to update previously applied packages.
 
11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
**Important**  
We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.
 
12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.
Optionally, you can click **Browse** to change the default output location.
13. Click **Next**.
14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods:
- Shared network folder
- SharePoint site
- Removable media (USB/SD)
- Email
- USB tether (mobile only)
Learn more: [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651)
## Apply package
On a desktop computer, the employee goes to **Settings** &gt; **Accounts** &gt; **Work access** &gt; **Add or remove a management package** &gt; **Add a package**, and selects the package to install. The user can also add a provisioning package simply by double-clicking the .ppkg file in email, in local storage, on removable media, or at a URL.
![add a package option](images/package.png)
On a mobile device, the employee goes to **Settings** &gt; **Accounts** &gt; **Provisioning.** &gt; **Add a package**, and selects the package on removable media to install. The user can also add a provisioning package simply by double-tapping the .ppkg file in email.
![add provisioning package on phone](images/phoneprovision.png)
## Manage a package
- Users can view details or delete package (if policy allows deletion); only user-installed packages are listed.
- Deleting a package removes settings, profiles, certificates, and apps it contains.
- Use policies to disable manual deletion of packages, installation of unsigned packages, or the installation of any additional packages.
- Update content by installing a new package with same name and new version number.
- Optionally, keep packages when you reset a mobile device. When you reset a desktop, runtime packages are removed.
![](images/resetdevice.png)
## Learn more
- [Provisioning Windows 10 Devices with New Tools](http://go.microsoft.com/fwlink/p/?LinkId=615921)
- [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](http://go.microsoft.com/fwlink/p/?LinkId=615922)
 
 

54
windows/manage/configure-mdm-provider.md Normal file
View File

@ -0,0 +1,54 @@
---
title: Configure an MDM provider (Windows 10)
description: For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Windows Store for Business inventory to manage apps with offline licenses.
ms.assetid: B3A45C8C-A96C-4254-9659-A9B364784673
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
---
# Configure an MDM provider
**Applies to**
- Windows 10
- Windows 10 Mobile
For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Windows Store for Business inventory to manage apps with offline licenses. Store for Business management tool services work with your third-party management tool to manage content.
Your management tool needs to be installed and configured with Azure AD, in the same directory that you are using for Store for Business. Once that's done, you can configure it to work with Store for Business
**To configure a management tool in Azure AD**
1. Sign in to the Azure Portal as an Administrator.
2. Click **Active Directory**, and then choose your directory. 
3. Click **Applications**, find the application, and add it to your directory.
After your management tool is added to your Azure AD directory, you can configure it to work with Store for Business.
**To configure a management tool in Store for Business**
1. Log in to Store for Business.
2. Click **Settings**, and then choose **Management tool**.
You'll see a list of available MDM tools.
![](images/wsfb-settings-mgmt.png)
3. Choose the MDM tool you want to synchronize with Store for Business, and then click **Activate.**
Your MDM tool is ready to use with Store for Business. Consult docs for your management tool to learn how to distribute apps from your synchronized inventory.
 
 

148
windows/manage/customize-and-export-start-layout.md Normal file
View File

@ -0,0 +1,148 @@
---
title: Customize and export Start layout (Windows 10)
description: The easiest method for creating a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test computer and then export the layout.
ms.assetid: CA8DF327-5DD4-452F-9FE5-F17C514B6236
keywords: ["start screen"]
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
---
# Customize and export Start layout
**Applies to**
- Windows 10
**Looking for consumer information?**
- [Customize the Start menu](http://go.microsoft.com/fwlink/p/?LinkId=623630)
**In this article**
- [Customize the Start screen on your test computer](#BKMKCustomizeStartScreen)
- [Export the Start layout](#BMK_ExportStartScreenLayout)
- [Configure a partial Start layout](#configure_a_partial_start_layout)
- [Related topics](#related_topics)
The easiest method for creating a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test computer and then export the layout.
After you export the layout, decide whether you want to apply a *full* Start layout or a *partial* Start layout.
When a full Start layout is applied, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start.
When [a partial Start layout](#configure_a_partial_start_layout) is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups.
**Note**  Partial Start layout is only supported on Windows 10, Version 1511 and later.
 
You can deploy the resulting .xml file to devices using one of the following methods:
- [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
- [Windows Imaging and Configuration Designer provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
- [Mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management--mdm-.md)
## Customize the Start screen on your test computer
To prepare a Start layout for export, you simply customize the Start layout on a test computer.
**To prepare a test computer**
1. Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users computers (Windows 10 Enterprise or Windows 10 Education). Install all apps and services that the Start layout should display.
**Important**  
**Start layout** can only be applied to a device using the same architecture (32-bit or 64-bit) as the device on which **Start layout** was created.
 
2. Create a new user account that you will use to customize the Start layout.
**To customize Start**
1. Sign in to your test computer with the user account that you created.
2. Customize the Start layout as you want users to see it by using the following techniques:
- **Pin apps to Start**. From Start, type the name of the app. When the app appears in the search results, right-click the app, and then click **Pin to Start**.
To view all apps, click **All apps** in the bottom-left corner of Start. Right-click any app, and pin or unpin it from Start.
- **Unpin apps** that you dont want to display. To unpin an app, right-click the app, and then click **Unpin from Start**.
- **Drag tiles** on Start to reorder or group apps.
- **Resize tiles**. To resize tiles, right-click the tile and then click **Resize.**
- **Create your own app groups**. Drag the apps to an empty area. To name a group, click above the group of tiles and then type the name in the **Name group** field that appears above the group.
## Export the Start layout
When you have the Start layout that you want your users to see, use the [Export-StartLayout](http://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet in Windows PowerShell to export the Start layout to an .xml file.
**To export the Start layout to an .xml file**
1. From Start, open **Windows PowerShell**.
2. At the Windows PowerShell command prompt, enter the following command:
`export-startlayout path <path><file name>.xml `
In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, \\\\FileServer01\\StartLayouts\\StartLayoutMarketing.xml).
Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](http://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet does not append the file name extension, and the policy settings require the extension.
## Configure a partial Start layout
A partial Start layout enables you to add one or more customized tile groups to users' Start screens or menus, while still allowing users to make changes to other parts of the Start layout. All groups that you add are *locked*, meaning users cannot change the contents of those tile groups, however users can change the location of those groups. Locked groups are identified with an icon, as shown in the following image.
![locked tile group](images/start-pinned-app.png)
When a partial Start layout is applied for the first time, the new groups are added to the users' existing Start layouts. If an app tile is in both an existing group and in a new locked group, the duplicate app tile is removed from the existing (unlocked) group.
When a partial Start layout is applied to a device that already has a StartLayout.xml applied, groups that were added previously are removed and the groups in the new layout are added.
If the Start layout is applied by Group Policy or MDM, and the policy is removed, the groups remain on the devices but become unlocked.
**To configure a partial Start screen layout**
1. [Customize the Start layout](#BMK_customize_start).
2. [Export the Start layout](#BMK_ExportStartScreenLayout).
3. Open the layout .xml file. There is a `<DefaultLayoutOverride>` element. Add `LayoutCustomizationRestrictionType="OnlySpecifiedGroups"` to the **DefaultLayoutOverride** element as follows:
``` syntax
<DefaultLayoutOverride LayoutCustomizationRestrictionType="OnlySpecifiedGroups">
```
4. Save the file and apply using any of the deployment methods.
## Related topics
[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
[Customize Windows 10 Start with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
[Customize Windows 10 Start with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management--mdm-.md)
[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)
 
 

148
windows/manage/customize-windows-10-start-screens-by-using-group-policy.md Normal file
View File

@ -0,0 +1,148 @@
---
title: Customize Windows 10 Start with Group Policy (Windows 10)
description: In Windows 10 Enterprise and Windows 10 Education, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain.
ms.assetid: F4A47B36-F1EF-41CD-9CBA-04C83E960545
keywords: ["Start layout", "start menu", "layout", "group policy"]
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
---
# Customize Windows 10 Start with Group Policy
**Applies to**
- Windows 10
**Looking for consumer information?**
- [Customize the Start menu](http://go.microsoft.com/fwlink/p/?LinkId=623630)
**In this article**
- [Operating system requirements](#operating_system_requirements)
- [How Start layout control works](#BKMK_HowStartScreenControlWorks)
- [Use Group Policy to apply a customized Start layout in a domain](#BKMK_DomainGPODeployment)
- [Use Group Policy to apply a customized Start layout on the local computer](#BKMK_LocalGPImport)
- [Update a customized Start layout](#BKMK_UpdateStartScreenLayout)
- [Related topics](#related_topics)
In Windows 10 Enterprise and Windows 10 Education, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
This topic describes how to update Group Policy settings to display a customized Start layout when the users sign in. By creating a domain-based GPO with these settings, you can deploy a customized Start layout to users in a domain.
**Warning**  
When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups.
 
**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md)
## Operating system requirements
Start layout control using Group Policy is supported in Windows 10 Enterprise and Windows 10 Education. Start layout control is not supported in Windows 10 Pro.
The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. In Group Policy, ADMX files are used to define Registry-based policy settings in the Administrative Templates category. To find out how to create a central store for Administrative Templates files, see [article 929841](http://go.microsoft.com/fwlink/p/?LinkId=691687) in the Microsoft Knowledge Base.
## How Start layout control works
Two features enable Start layout control:
- The [Export-StartLayout](http://go.microsoft.com/fwlink/p/?LinkID=620879) cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. **Start layout** can only be applied to a device using the same architecture (32-bit or 64-bit) as the device on which **Start layout** was created.
**Note**  
To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](http://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet.
 
- In Group Policy, you use the **Start Layout** settings for the **Start Menu and Taskbar** administrative template to set a Start layout from an .xml file when the policy is applied.
**Note**  
To learn how customize Start to include your line-of-business apps when you deploy Windows 10, see [Customize the Windows 10 Start layout]( http://go.microsoft.com/fwlink/p/?LinkId=620863).
 
## Use Group Policy to apply a customized Start layout in a domain
To apply the Start layout to users in a domain, use the Group Policy Management Console (GPMC) to configure a domain-based Group Policy Object (GPO) that sets **Start Layout** policy settings in the **Start Menu and Taskbar** administrative template for users in a domain.
The GPO applies the Start layout at the next user sign-in. Each time the user signs in, the timestamp of the .xml file with the Start layout is checked and if a newer version of the file is available, the settings in the latest version of the file are applied.
The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed.
The .xml file with the Start layout must be located on shared network storage that is available to the users computers when they sign in and the users must have Read-only access to the file. If the file is not available at sign-in, Start is not customized during the session, and the user can make changes to Start.
For information about deploying GPOs in a domain, see [Working with Group Policy Objects](http://go.microsoft.com/fwlink/p/?LinkId=620889).
## Use Group Policy to apply a customized Start layout on the local computer
You can use the Local Group Policy Editor to provide a customized Start layout for any user who signs in on the local computer. To display the customized Start layout for any user who signs in, configure **Start Layout** policy settings for the **Start Menu and Taskbar** administrative template. You can use the **Start Menu and Taskbar** administrative template in **User Configuration** or **Computer Configuration**.
**Note**  
This procedure applies the policy settings on the local computer only. For information about deploying the Start layout to users in a domain, see [Use Group Policy to deploy a customized Start layout in a domain](#BKMK_DomainGPODeployment), later in this topic.
This procedure creates a Local Group Policy that applies to all users on the computer. To configure Local Group Policy that applies to a specific user or group on the computer, see [Step-by-Step Guide to Managing Multiple Local Group Policy Objects](http://go.microsoft.com/fwlink/p/?LinkId=620881). The guide was written for Windows Vista and the procedures still apply to Windows 10.
 
This procedure adds the customized Start layout to the user configuration, which overrides any Start layout settings in the local computer configuration when a user signs in on the computer.
**To configure Start Layout policy settings in Local Group Policy Editor**
1. On the test computer, press the Windows key, type **gpedit**, and then select **Edit group policy (Control panel)**.
2. Go to **User Configuration** or **Computer Configuration** &gt; **Administrative Templates** &gt;**Start Menu and Taskbar**.
![start screen layout policy settings](images/starttemplate.jpg)
3. Right-click **Start Layout** in the right pane, and click **Edit**.
This opens the **Start Layout** policy settings.
![policy settings for start screen layout](images/startlayoutpolicy.jpg)
4. Enter the following settings, and then click **OK**:
1. Select **Enabled**.
2. Under **Options**, specify the path to the .xml file that contains the Start layout. For example, type **C:\\Users\\Test01\\StartScreenMarketing.xml**.
3. Optionally, enter a comment to identify the Start layout.
**Important**  
If you disable Start Layout policy settings that have been in effect and then re-enable the policy, users will not be able to make changes to Start, however the layout in the .xml file will not be reapplied unless the file has been updated. In Windows PowerShell, you can update the timestamp on a file by running the following command:
`(ls <path>).LastWriteTime = Get-Date`
 
## Update a customized Start layout
After you use Group Policy to apply a customized Start layout on a computer or in a domain, you can update the layout simply by replacing the .xml file that is specified in the Start Layout policy settings with a file with a newer timestamp.
## Related topics
[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
[Customize and export Start layout](customize-and-export-start-layout.md)
[Customize Windows 10 Start with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management--mdm-.md)
 
 

159
windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management--mdm-.md Normal file
View File

@ -0,0 +1,159 @@
---
title: Customize Windows 10 Start with mobile device management (MDM) (Windows 10)
description: In Windows 10 Enterprise and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start layout to users.
ms.assetid: F487850D-8950-41FB-9B06-64240127C1E4
keywords: ["start screen", "start menu"]
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
---
# Customize Windows 10 Start with mobile device management (MDM)
**Applies to**
- Windows 10
**Looking for consumer information?**
- [Customize the Start menu](http://go.microsoft.com/fwlink/p/?LinkId=623630)
In Windows 10 Enterprise and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start layout to users. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md)
**Warning**  
When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups.
 
## How Start layout control works
Two features enable Start layout control:
- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. **Start layout** can only be applied to a device using the same architecture (32-bit or 64-bit) as the device on which **Start layout** was created.
**Note**  
To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](http://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet.
 
- In MDM, you set the path to the .xml file that defines the Start layout using an OMA-URI setting, which is based on the [Policy configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkID=623244).
## Create a policy for your customized Start layout
This example uses Microsoft Intune to configure an MDM policy that applies a customized Start layout. See the documentation for your MDM solution for help in applying the policy.
1. In the Start layout file created when you ran **Export-StartLayout**, replace markup characters with escape characters, and save the file. (You can replace the characters manually or use an online tool.)
Example of a layout file produced by Export-StartLayout:
<span codelanguage="XML"></span>
<table>
<colgroup>
<col width="100%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">XML</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><pre><code>&lt;LayoutModificationTemplate Version=&quot;1&quot; xmlns=&quot;http://schemas.microsoft.com/Start/2014/LayoutModification&quot;&gt;
&lt;DefaultLayoutOverride&gt;
&lt;StartLayoutCollection&gt;
&lt;defaultlayout:StartLayout GroupCellWidth=&quot;6&quot; xmlns:defaultlayout=&quot;http://schemas.microsoft.com/Start/2014/FullDefaultLayout&quot;&gt;
&lt;start:Group Name=&quot;Life at a glance&quot; xmlns:start=&quot;http://schemas.microsoft.com/Start/2014/StartLayout&quot;&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;0&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;2&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.BingWeather_8wekyb3d8bbwe!App&quot; /&gt;
&lt;/start:Group&gt;
&lt;/defaultlayout:StartLayout&gt;
&lt;/StartLayoutCollection&gt;
&lt;/DefaultLayoutOverride&gt;
&lt;/LayoutModificationTemplate&gt;</code></pre></td>
</tr>
</tbody>
</table>
Example of the same layout file with escape characters replacing the markup characters:
<span codelanguage="XML"></span>
<table>
<colgroup>
<col width="100%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">XML</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><pre><code>&amp;lt;wdcml:p xmlns:wdcml=&amp;quot;http://microsoft.com/wdcml&amp;quot;&amp;gt;Example of a layout file produced by Export-StartLayout:&amp;lt;/wdcml:p&amp;gt;&amp;lt;wdcml:snippet xmlns:wdcml=&amp;quot;http://microsoft.com/wdcml&amp;quot;&amp;gt;&amp;lt;![CDATA[&amp;lt;LayoutModificationTemplate Version=&amp;quot;1&amp;quot; xmlns=&amp;quot;http://schemas.microsoft.com/Start/2014/LayoutModification&amp;quot;&amp;gt;
&amp;lt;DefaultLayoutOverride&amp;gt;
&amp;lt;StartLayoutCollection&amp;gt;
&amp;lt;defaultlayout:StartLayout GroupCellWidth=&amp;quot;6&amp;quot; xmlns:defaultlayout=&amp;quot;http://schemas.microsoft.com/Start/2014/FullDefaultLayout&amp;quot;&amp;gt;
&amp;lt;start:Group Name=&amp;quot;Life at a glance&amp;quot; xmlns:start=&amp;quot;http://schemas.microsoft.com/Start/2014/StartLayout&amp;quot;&amp;gt;
&amp;lt;start:Tile Size=&amp;quot;2x2&amp;quot; Column=&amp;quot;0&amp;quot; Row=&amp;quot;0&amp;quot; AppUserModelID=&amp;quot;Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge&amp;quot; /&amp;gt;
&amp;lt;start:Tile Size=&amp;quot;2x2&amp;quot; Column=&amp;quot;4&amp;quot; Row=&amp;quot;0&amp;quot; AppUserModelID=&amp;quot;Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI&amp;quot; /&amp;gt;
&amp;lt;start:Tile Size=&amp;quot;2x2&amp;quot; Column=&amp;quot;2&amp;quot; Row=&amp;quot;0&amp;quot; AppUserModelID=&amp;quot;Microsoft.BingWeather_8wekyb3d8bbwe!App&amp;quot; /&amp;gt;
&amp;lt;/start:Group&amp;gt;
&amp;lt;/defaultlayout:StartLayout&amp;gt;
&amp;lt;/StartLayoutCollection&amp;gt;
&amp;lt;/DefaultLayoutOverride&amp;gt;
&amp;lt;/LayoutModificationTemplate&amp;gt;]]&amp;gt;&amp;lt;/wdcml:snippet&amp;gt;</code></pre></td>
</tr>
</tbody>
</table>
2. In the Microsoft Intune administration console, click **Policy** &gt; **Add Policy**.
3. Under **Windows**, choose a **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy.
4. Enter a name (mandatory) and description (optional) for the policy.
5. In the **OMA-URI Settings** section, click **Add.**
6. In **Add or Edit OMA-URI Setting**, enter the following information.
| Item | Information |
|------------------------------|-------------------------------------------------------------------------------------------------------------------|
| **Setting name** | Enter a unique name for the OMA-URI setting to help you identify it in the list of settings. |
| **Setting description** | Provide a description that gives an overview of the setting and other relevant information to help you locate it. |
| **Data type** | **String** |
| **OMA-URI (case sensitive)** | **./User/Vendor/MSFT/Policy/Config/Start/StartLayout** |
| **Value** | Path to the Start layout .xml file that you created. |
 
7. Click **OK** to save the setting and return to the **Create Policy** page.
8. Click **Save Policy**.
## Related topics
[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
[Customize and export Start layout](customize-and-export-start-layout.md)
[Customize Windows 10 Start with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
[Customize Windows 10 Start with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
[Use Windows 10 custom policies to manage device settings with Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkID=616316)
 
 

122
windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md Normal file
View File

@ -0,0 +1,122 @@
---
title: Customize Windows 10 Start with ICD and provisioning packages (Windows 10)
description: In Windows 10 Enterprise and Windows 10 Education, you can use a provisioning package that you create with Windows Imaging and Configuration Designer (ICD) tool to deploy a customized Start layout to users.
ms.assetid: AC952899-86A0-42FC-9E3C-C25F45B1ACAC
keywords: ["Start layout", "start menu"]
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
---
# Customize Windows 10 Start with ICD and provisioning packages
**Applies to**
- Windows 10
**Looking for consumer information?**
- [Customize the Start menu](http://go.microsoft.com/fwlink/p/?LinkId=623630)
**In this article**
- [How Start layout control works](#BKMK_HowStartScreenControlWorks)
- [Create a provisioning package that contains a customized Start layout](#BKMK_DomainGPODeployment)
- [Related topics](#related_topics)
In Windows 10 Enterprise and Windows 10 Education, you can use a provisioning package that you create with Windows Imaging and Configuration Designer (ICD) tool to deploy a customized Start layout to users. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md)
## How Start layout control works
Two features enable Start layout control:
- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. **Start layout** can only be applied to a device using the same architecture (32-bit or 64-bit) as the device on which **Start layout** was created.
**Note**  
To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](http://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet.
 
- In ICD, you use the **Start/StartLayout** setting to set the path to the .xml file that defines the Start layout.
## Create a provisioning package that contains a customized Start layout
Use the [Imaging and Configuration Designer (ICD) tool](http://go.microsoft.com/fwlink/p/?LinkID=525483) included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that applies a customized Start layout. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)
1. Open ICD (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
2. Choose **New provisioning package**.
3. Name your project, and click **Next**.
4. Choose **Common to all Windows desktop editions** and click **Next**.
5. On **New project**, click **Finish**. The workspace for your package opens.
6. Expand **Runtime settings** &gt; **Start**, and click **StartLayout**.
7. Specify the path and file name of the Start layout .xml that you created with the [Export-StartLayout](http://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet.
8. On the **File** menu, select **Save.**
9. On the **Export** menu, select **Provisioning package**.
10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location.
Optionally, you can click **Browse** to change the default output location.
13. Click **Next**.
14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
16. Copy the provisioning package to the target device.
17. Double-click the ppkg file and allow it to install.
**Warning**  
When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups.
 
## Related topics
[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
[Customize and export Start layout](customize-and-export-start-layout.md)
[Customize Windows 10 Start with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management--mdm-.md)
 
 

95
windows/manage/device-guard-signing-portal.md Normal file
View File

@ -0,0 +1,95 @@
---
title: Device Guard signing (Windows 10)
description: Device Guard signing is a Device Guard feature that is available in the Windows Store for Business.
ms.assetid: 8D9CD2B9-5FC6-4C3D-AA96-F135AFEEBB78
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
---
# Device Guard signing
**Applies to**
- Windows 10
- Windows 10 Mobile
Device Guard signing is a Device Guard feature that is available in the Windows Store for Business. It gives admins a single place to sign catalog files and code integrity policies. After admins have created catalog files for unsigned apps and signed the catalog files, they can add the signers to a code integrity policy. You can merge the code integrity policy with your existing policy to include your custom signing certificate. This allows you to trust the catalog files.
Device Guard is a feature set that consists of both hardware and software system integrity hardening features. These features use new virtualization-based security options and the trust-nothing mobile device operating system model. A key feature in this model is called configurable code integrity, which allows your organization to choose exactly which software or trusted software publishers are allowed to run code on your client machines. Also, Device Guard offers organizations a way to sign existing line-of-business (LOB) applications so that they can trust their own code, without the requirement that the application be repackaged. Also, this same method of signing allows organizations to trust individual third-party applications. For more information, see [Device Guard deployment guide](https://technet.microsoft.com/library/mt463091.aspx).
## In this section
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md)</p></td>
<td align="left"><p>When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device. Then, create the catalog files for your unsigned app, sign the catalog files, and then merge the default policy that includes your signing certificate with existing code integrity policies.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md)</p></td>
<td align="left"><p>Signing code integrity policies prevents policies from being tampered with after they're deployed. You can sign code integrity policies with the Device Guard signing portal.</p></td>
</tr>
</tbody>
</table>
 
## File and size limits
When you're uploading files for Device Guard signing, there are a few limits for files and file size:
| | |
|-------------------------------------------------------|----------|
| Description | Limit |
| Maximum size for a policy or catalog file | 3.5 MB |
| Maximum size for multiple files (uploaded in a group) | 4 MB |
| Maximum number of files per upload | 15 files |
 
## File types
Catalog and policy files have required files types.
| | |
|---------------|--------------------|
| File | Required file type |
| catalog files | .cat |
| policy files | .bin |
 
## Store for Business roles and permissions
Signing code integrity policies and access to Device Guard portal requires the Device Guard signer role.
## Device Guard signing certificates
All certificates generated by the Device Guard signing service are unique per customer and are independent of the Microsoft production code signing certificate authorities. All Certification Authority (CA) keys are stored within the cryptographic boundary of Federal Information Processing Standards (FIPS) publication 140-2 compliant hardware security modules. After initial generation, root certificate keys and top level CA keys are removed from the online signing service, encrypted, and stored offline.
 
 

75
windows/manage/distribute-apps-from-your-private-store.md Normal file
View File

@ -0,0 +1,75 @@
---
title: Distribute apps using your private store (Windows 10)
description: The private store is a feature in Windows Store for Business that organizations receive during the sign up process.
ms.assetid: C4644035-845C-4C84-87F0-D87EA8F5BA19
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
---
# Distribute apps using your private store
**Applies to**
- Windows 10
- Windows 10 Mobile
The private store is a feature in Windows Store for Business that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in the Windows Store, and is usually named for your company or organization. Only apps with online licenses can be added to the private store.
You can make an app available in your private store when you acquire the app, or you can do it later from your inventory. Once the app is in your private store, employees can claim and install the app.
**To acquire an app and make it available in your private store**
1. Sign in to the Store for Business.
2. Click an app and then click **Get the app** to acquire the app for your organization.
3. You'll have a few options for distributing the app -- choose **Add to your private store where all people in your organization can find and install it.**
![](images/wsfb-distribute.png)
It will take approximately twelve hours before the app is available in the private store.
**To make an app in inventory available in your private store**
1. Sign in to the Store for Business.
2. Click **Manage**, and then choose **Inventory**.
![](images/wsfb-manageinventory.png)
3. Click **Refine**, and then choose **Online**. Store for Business will update the list of apps on the **Inventory** page.
4. From an app in **Inventory**, click the ellipses under **Action**, and then choose **Add to private store**.
![](images/wsfb-inventoryaddprivatestore.png)
The value under **Private store** for the app will change to pending. It will take approximately twelve hours before the app is available in the private store.
Employees can claim apps that admins added to the private store by doing the following.
**To claim an app from the private store**
1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start the Windows Store app.
2. Click the **private store** tab.
3. Click the app you want to install, and then click **Install**.
## Related topics
[Manage access to private store](manage-access-to-private-store.md)
[Configure access to Windows Store](stop-employees-from-using-the-windows-store.md)
 
 

64
windows/manage/distribute-apps-to-your-employees-from-the-windows-store-for-business.md Normal file
View File

@ -0,0 +1,64 @@
---
title: Distribute apps to your employees from the Windows Store for Business (Windows 10)
description: Distribute apps to your employees from Windows Store for Business. You can assign apps to employees, or let employees install them from your private store.
ms.assetid: E591497C-6DFA-49C1-8329-4670F2164E9E
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
---
# Distribute apps to your employees from the Windows Store for Business
**Applies to**
- Windows 10
- Windows 10 Mobile
Distribute apps to your employees from Windows Store for Business. You can assign apps to employees, or let employees install them from your private store.
## In this section
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Distribute apps using your private store](distribute-apps-from-your-private-store.md)</p></td>
<td align="left"><p>The private store is a feature in Store for Business that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in the Windows Store, and is usually named for your company or organization. Only apps with online licenses can be added to the private store.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Assign apps to employees](assign-apps-to-employees.md)</p></td>
<td align="left"><p>Administrators can assign online-licensed apps to employees in their organization.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Distribute apps with a management tool](distribute-apps-with-a-management-tool.md)</p></td>
<td align="left"><p>You can configure a mobile device management (MDM) tool to synchronize your Store for Business inventory. Store for Business management tool services work with MDM tools to manage content.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Distribute offline apps](distribute-offline-apps.md)</p></td>
<td align="left"><p>Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can download apps and their licenses to deploy within their network, or on devices that are not connected to the Internet. ISVs or devs can opt-in their apps for offline licensing when they submit them to the Windows Dev Center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in the Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store.</p></td>
</tr>
</tbody>
</table>
 
 
 

66
windows/manage/distribute-apps-with-a-management-tool.md Normal file
View File

@ -0,0 +1,66 @@
---
title: Distribute apps with a management tool (Windows 10)
description: You can configure a mobile device management (MDM) tool to synchronize your Store for Business inventory. Store for Business management tool services work with MDM tools to manage content.
ms.assetid: 006F5FB1-E688-4769-BD9A-CFA6F5829016
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
---
# Distribute apps with a management tool
**Applies to**
- Windows 10
- Windows 10 Mobile
You can configure a mobile device management (MDM) tool to synchronize your Store for Business inventory. Store for Business management tool services work with MDM tools to manage content.
Your MDM tool needs to be installed and configured in Azure AD, in the same Azure AD directory used with Windows Store for Business.
In Azure AD management portal, find the MDM application, and then add it to your directory. Once the MDM has been configured in Azure AD, you can authorize the tool to work with the Store for Business. This allows the MDM tool to call Store for Business management tool services. For more information, see [Configure MDM provider](configure-mdm-provider.md).
Store for Business services provide:
- Services for third-party MDM tools.
- Synchronize app purchases and updates.
- Synchronize metadata. For offline-licensed apps, also synchronize offline app package and offline licenses.
- The ability to download offline-licensed apps from Store for Business.
MDM tool requirements:
- Must be an Azure Active Directory (AD) application to authenticate against the Store for Business services.
- Must be configured in Azure AD, and Store for Business.
- Azure AD identity is required to authorize Store for Business services.
## Distribute offline-licensed apps
If your vendor doesnt support the ability to synchronize applications from the management tool services or cannot connect to the management tool services, your vendor may support the ability to deploy offline licensed applications by downloading the application and license from the store and then deploying the app through your MDM. For more information on online and offline licensing with Store for Business, see [Apps in the Windows Store for Business.](apps-in-the-windows-store-for-business.md#licensing_model)
This diagram shows how you can use a management tool to distribute offline-licensed app to employees in your organization. Once synchronized from Store for Business, management tools can use the Windows Management framework to distribute applications to devices.
![](images/wsfb-offline-distribute-mdm.png)
## Distribute online-licensed apps
This diagram shows how you can use a management tool to distribute an online-licensed app to employees in your organization. Once synchronized from Store for Business, management tools use the Windows Management framework to distribute applications to devices. For Online licensed applications, the management tool calls back in to Store for Business management services to assign an application prior to issuing the policy to install the application.
![](images/wsfb-online-distribute-mdm.png)
 
 

88
windows/manage/distribute-offline-apps.md Normal file
View File

@ -0,0 +1,88 @@
---
title: Distribute offline apps (Windows 10)
description: Offline licensing is a new licensing option for Windows 10.
ms.assetid: 6B9F6876-AA66-4EE4-A448-1371511AC95E
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
---
# Distribute offline apps
**Applies to**
- Windows 10
- Windows 10 Mobile
Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can download apps and their licenses to deploy within their network, or on devices that are not connected to the Internet. ISVs or devs can opt-in their apps for offline licensing when they submit them to the Windows Dev Center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in the Windows Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store.
## Why offline-licensed apps?
Offline-licensed apps offer an alternative to online apps, and provide additional deployment options. Some reasons to use offline-licensed apps include:
- **You don't have access to Windows Store services** - If your employees don't have access to the internet and Windows Store services, downloading offline-licensed apps and deploying them with imaging is an alternative to online-licensed apps.
- **You use imaging to manage devices in your organization** - Offline-licensed apps can be added to images and deployed with Deployment Image Servicing and Management (DISM), or Windows Imaging and Configuration Designer (ICD).
- **Your employees do not have Azure Active Directory (AD) accounts** - Azure AD accounts are required for employees that install apps assigned to them from Store for Business or that claim apps from a private store.
## Distribution options for offline-licensed apps
You can't distribute offline-licensed apps directly from the Store for Business. Once you download the items for the offline-licensed app, you have three options for distributing the apps:
- **Deployment Image Servicing and Management**. DISM is a command-line tool that is used to mount and service Microsoft WindowsWindows images before deployment. You can also use DISM to install, uninstall, configure, and update Windows features, packages, drivers, and international settings in a .wim file or VHD using the DISM servicing commands. DISM commands are used on offline images. For more information, see [Deployment Image Servicing and Management](https://msdn.microsoft.com/library/windows/hardware/dn898558.aspx).
- **Windows ICD**. ICD is GUI tool that you can use to create Windows provisioning answer files, and add third-party drivers, apps, or other assets to an answer file. For more information, see [Windows Imaging and Configuration Designer](https://msdn.microsoft.com/library/windows/hardware/dn916113.aspx).
- **Management server.**
## Download an offline-licensed app
There are several items to download or create for offline-licensed apps. You'll need all of these items to distribute offline apps to your employees. This section includes more info on each item, and tells you how to download an offline-licensed app.
- **App metadata** -- App metadata is required for distributing offline apps. The metadata includes app details, links to icons, product id, localized product ids, and other items.
- **App package** -- App packages are required for distributing offline apps. There are app packages for different combinations of app platform and device architecture. You'll need to know what device architectures you have in your organization to know if there are app packages to support your devices.
- **App license** -- App licenses are required for distributing offline apps. Use encoded licenses when you distribute offline-licensed apps using a management tool or ICD. Use unencoded licenses when you distribute offline-licensed apps using DISM.
- **App frameworks** -- App frameworks are required for distributing offline apps, but you might not need to download one. If you already have the required framework, you don't need to download another copy. The Store for Business will select the app framework needed for the app platform and architecture that you selected.
**To download an offline-licensed app**
1. Sign in to the Store for Business
2. Click **Manage**, and then choose **Inventory**.
3. Click **Refine**, and then choose **Offline**.
4. Find the app you want to download, click the ellipses under **Actions**, and then choose **Download for offline use**.
5. To download app metadata: choose the language for the app metadata, and then click **Download**. Save the downloaded app metadata.
6. To download app package for offline use: click to expand the package details information, choose the Platform and Architecture combination that you need for your organization, and then click **Download**. Save the downloaded app package.
7. To download an app license: choose either **Encoded**, or **Unencoded**, and then click **Generate license**. Save the downloaded license.
8. To download an app framework: find the framework you need to support your app package, and click **Download**.
**Note**  
You need the framework to support your app package, but if you already have a copy, you don't need to download it again.
Frameworks are backward compatible.
 
 
 

56
windows/manage/find-and-acquire-apps.md Normal file
View File

@ -0,0 +1,56 @@
---
title: Find and acquire apps (Windows 10)
description: Use the Windows Store for Business to find apps for your organization. You can also work with developers to create line-of-business apps that are only available to your organization.
ms.assetid: 274A5003-5F15-4635-BB8B-953953FD209A
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
---
# Find and acquire apps
**Applies to**
- Windows 10
- Windows 10 Mobile
Use the Windows Store for Business to find apps for your organization. You can also work with developers to create line-of-business apps that are only available to your organization.
## In this section
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Apps in the Windows Store for Business](apps-in-the-windows-store-for-business.md)</p></td>
<td align="left"><p>Store for Business has thousands of apps from many different categories.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Working with line-of-business apps](working-with-line-of-business-apps.md)</p></td>
<td align="left"><p>Your company can make line-of-business (LOB) applications available through Store for Business. These apps are custom to your company they might be internal business apps, or apps specific to your business or industry.</p></td>
</tr>
</tbody>
</table>
 
 
 

228
windows/manage/how-it-pros-can-use-configuration-service-providers--csps--.md Normal file
View File

@ -0,0 +1,228 @@
---
title: Introduction to configuration service providers (CSPs) for IT pros (Windows 10)
description: Configuration service providers (CSPs) expose device configuration settings in Windows 10. This topic is written for people who have no experience with CSPs.
ms.assetid: 25C1FDCA-0E10-42A1-A368-984FFDB2B7B6
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
---
# Introduction to configuration service providers (CSPs) for IT pros
**Applies to**
- Windows 10
- Windows 10 Mobile
**In this article**
- [What is a CSP?](#what_is_a_csp_)
- [Why should you learn about CSPs?](#why_should_you_learn_about_csps_)
- [How do you use the CSP documentation?](#BKMK_CSP_Doc)
- [CSP examples](#csp_examples)
- [Related topics](#related_topics)
Configuration service providers (CSPs) expose device configuration settings in Windows 10. This topic is written for people who have no experience with CSPs.
The CSPs are documented on the [Hardware Dev Center](http://go.microsoft.com/fwlink/p/?LinkId=717390) because CSPs are used by mobile device management (MDM) service providers. This topic explains how IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 and Windows 10 Mobile in their organizations.
**Note**  
The explanation of CSPs and CSP documentation also apply to Windows Mobile 5, Windows Mobile 6, Windows Phone 7, and Windows Phone 8, but links to current CSPs are for Windows 10 and Windows 10 Mobile.
 
## What is a CSP?
A CSP is an interface in the operating system between configuration settings specified in a provisioning document and configuration settings on the device. Some of these settings are configurable and some are read-only.
Starting in Windows Mobile 5.0, CSPs were used to manage Windows mobile devices. In the Windows 10 platform, the management approach for both desktop and mobile devices converges, taking advantage of the same CSPs to configure and manage all devices running Windows 10.
Each CSP provides access to specific settings. For example, the [Wi-Fi CSP](http://go.microsoft.com/fwlink/p/?LinkId=717438) contains the settings to create a Wi-Fi profile.
CSPs are behind many of the management tasks and policies for Windows 10 in Microsoft Intune and non-Microsoft MDM service providers. For example, in Intune, the policy to allow search suggestions in the Microsoft Edge address bar uses **Browser/AllowSearchSuggestionsinAddressBar** in the [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkID=623244).
![how intune maps to csp](images/policytocsp.png)
## Why should you learn about CSPs?
Generally, enterprises rely on Group Policy or MDM to configure and manage devices. For devices running Windows, MDM services use CSPs to configure your devices.
In addition, you may have unmanaged devices, or a large number of devices that you want to configure before enrolling them in management, or you want to apply custom settings that aren't available through your MDM service. The [CSP documentation](#BKMK_CSP_doc) can help you understand the settings that can be configured or queried.
In addition, some of the topics in the [Windows 10 and Windows 10 Mobile](../index.md) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](manage-cortana-in-your-enterprise.md) which links to the [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkID=623244). In the CSP topics, you can learn about all of the available configuration settings.
### CSPs in Windows Imaging and Configuration Designer (ICD)
You can use Windows Imaging and Configuration Designer (ICD) to create [provisioning packages](http://go.microsoft.com/fwlink/p/?LinkId=717466) to apply settings to devices during the out-of-box-experience (OOBE) and after devices are set up. You can use provisioning packages to configure a device's connectivity and enroll the device in MDM. Many of the runtime settings in Windows ICD are based on CSPs.
Many settings in Windows ICD will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image.
![how help content appears in icd](images/cspinicd.png)
[Configure devices without MDM](configure-devices-without-mdm.md) explains how to use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package.
### CSPs in MDM
Most, if not all, CSPs are surfaced through your MDM service. If you see a CSP that provides a capability that you want to make use of and cannot find that capability in your MDM service, contact your MDM provider for assistance. It might simply be named differently than you expected. You can see the CSPs supported by MDM in the [Configuration service provider reference](http://go.microsoft.com/fwlink/p/?LinkId=717390).
When a CSP is available but is not explicitly included in your MDM solution, you may be able to make use of the CSP by using OMA-URI settings. In Intune, for example, you can use [custom policy settings](http://go.microsoft.com/fwlink/p/?LinkID=616316) to deploy settings. Intune documents [a partial list of settings](http://go.microsoft.com/fwlink/p/?LinkID=616317) that you can enter in the **OMA-URI Settings** section of a custom policy, if your MDM service provides that extension. You'll notice that the list doesn't explain the meanings of the allowed and default values, so use the [CSP reference documentation](http://go.microsoft.com/fwlink/p/?LinkId=717390) to locate that information.
### CSPs in Lockdown XML
Lockdown XML can be used to configure devices running Windows 10 Mobile. You can manually author a [Lockdown XML file](lockdown-xml.md) to make use of the configuration settings available through the [EnterpriseAssignedAccess configuration service provider (CSP)](http://go.microsoft.com/fwlink/p/?LinkID=618601).
## How do you use the CSP documentation?
All CSPs in Windows 10 are documented in the [Configuration service provider reference](http://go.microsoft.com/fwlink/p/?LinkId=717390).
The [main CSP topic](http://go.microsoft.com/fwlink/p/?LinkId=717390) tells you which CSPs are supported on each edition of Windows 10, and links to the documentation for each individual CSP.
![csp per windows edition](images/csptable.png)
The documentation for each CSP follows the same structure. After an introduction that explains the purpose of the CSP, a diagram shows the parts of the CSP in tree format. The following example shows the diagram for the [AssignedAccess CSP](http://go.microsoft.com/fwlink/p/?LinkID=626608). The diagram maps to the XML for that CSP. Notice the different shapes in the diagram: rounded elements are nodes and rectangular elements are settings or policies for which a value must be supplied.
![assigned access csp tree](images/provisioning-csp-assignedaccess.png)
The element in the tree diagram after the root node tells you the name of the CSP. Knowing this structure, you would recognize in XML the parts of the URI path for that CSP and, if you saw it in XML, you would know which CSP reference to look up. For example, in the following path, you can see it uses the [AssignedAccess CSP](http://go.microsoft.com/fwlink/p/?LinkID=626608).
```XML
./Vendor/MSFT/AssignedAccess/KioskModeApp
```
When an element in the diagram uses italic font, it indicates a placeholder for specific information, such as the tenant ID in the following example.
![placeholder in csp tree](images/csp-placeholder.png)
After the diagram, the documentation describes each element. For each policy or setting, the valid values are listed.
For example, in the [AssignedAccess CSP](http://go.microsoft.com/fwlink/p/?LinkID=626608), the setting is **KioskModeApp**. The documentation tells you that the value for **KioskModeApp** is a JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app.
The documentation for most CSPs will also include an XML example.
## CSP examples
CSPs provide access to a number of settings useful to enterprises. This section introduces two CSPs that an enterprise might find particularly useful.
- [EnterpriseAssignedAccess CSP](http://go.microsoft.com/fwlink/p/?LinkID=618601)
The EnterpriseAssignedAccess configuration service provider allows IT administrators to configure settings on a Windows 10 Mobile device. An enterprise can make use of this CSP to create single-use or limited-use mobile devices, such as a handheld device that only runs a price-checking app.
In addition to lockscreen wallpaper, theme, time zone, and language, the EnterpriseAssignedAccess CSP includes AssignedAccessXml which can be used to lock down the device through the following settings:
- Enabling or disabling the Action Center.
- Configuring the number of tile columns in the Start layout.
- Restricting the apps that will be available on the device.
- Restricting the settings that the user can access.
- Restricting the hardware buttons that will be operable.
- Restricting access to the context menu.
- Enabling or disabling tile manipulation.
- Creating role-specific configurations.
- [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkID=623244)
The Policy configuration service provider enables the enterprise to configure policies on Windows 10 and Windows 10 Mobile. Some of these policy settings can also be applied using Group Policy, and the CSP documentation lists the equivalent Group Policy settings.
Some of the settings available in the Policy CSP include the following:
- **Accounts**, such as whether a non-Microsoft account can be added to the device
- **Application management**, such as whether only Windows Store apps are allowed
- **Bluetooth**, such as the services allowed to use it
- **Browser**, such as restricting InPrivate browsing
- **Connectivity**, such as whether the device can be connected to a computer by USB
- **Defender** (for desktop only), such as day and time to scan
- **Device lock**, such as the type of PIN or password required to unlock the device
- **Experience**, such as allowing Cortana
- **Security**, such as whether provisioning packages are allowed
- **Settings**, such as allowing the user to change VPN settings
- **Start**, such as applying a standard Start layout
- **System**, such as allowing the user to reset the device
- **Text input**, such as allowing the device to send anonymized user text input data samples to Microsoft
- **Update**, such as specifying whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store
- **WiFi**, such as whether to enable Internet sharing
Here is a list of CSPs supported on Windows 10 Enterprise, Windows 10 Mobile Enterprise, or both:
- [ActiveSync CSP](http://go.microsoft.com/fwlink/p/?LinkId=723219)
- [Application CSP](http://go.microsoft.com/fwlink/p/?LinkId=723220)
- [AppLocker CSP](http://go.microsoft.com/fwlink/p/?LinkID=626609)
- [AssignedAccess CSP](http://go.microsoft.com/fwlink/p/?LinkID=626608)
- [Bootstrap CSP](http://go.microsoft.com/fwlink/p/?LinkId=723224)
- [BrowserFavorite CSP](http://go.microsoft.com/fwlink/p/?LinkId=723428)
- [CellularSettings CSP](http://go.microsoft.com/fwlink/p/?LinkId=723427)
- [CertificateStore CSP](http://go.microsoft.com/fwlink/p/?LinkId=723225)
- [ClientCertificateInstall CSP](http://go.microsoft.com/fwlink/p/?LinkId=723226)
- [CM\_CellularEntries CSP](http://go.microsoft.com/fwlink/p/?LinkId=723426)
- [CM\_ProxyEntries CSP](http://go.microsoft.com/fwlink/p/?LinkId=723425)
- [CMPolicy CSP](http://go.microsoft.com/fwlink/p/?LinkId=723424)
- [Defender CSP](http://go.microsoft.com/fwlink/p/?LinkId=723227)
- [DevDetail CSP](http://go.microsoft.com/fwlink/p/?LinkId=723228)
- [DeviceInstanceService CSP](http://go.microsoft.com/fwlink/p/?LinkId=723275)
- [DeviceLock CSP](http://go.microsoft.com/fwlink/p/?LinkId=723370)
- [DeviceStatus CSP](http://go.microsoft.com/fwlink/p/?LinkId=723229)
- [DevInfo CSP](http://go.microsoft.com/fwlink/p/?LinkId=723230)
- [DiagnosticLog CSP](http://go.microsoft.com/fwlink/p/?LinkId=723231)
- [DMAcc CSP](http://go.microsoft.com/fwlink/p/?LinkId=723232)
- [DMClient CSP](http://go.microsoft.com/fwlink/p/?LinkId=723233)
- [Email2 CSP](http://go.microsoft.com/fwlink/p/?LinkId=723234)
- [EnterpriseAPN CSP](http://go.microsoft.com/fwlink/p/?LinkId=723235)
- [EnterpriseAppManagement CSP](http://go.microsoft.com/fwlink/p/?LinkId=723237)
- [EnterpriseAssignedAccess CSP](http://go.microsoft.com/fwlink/p/?LinkID=618601)
- [EnterpriseDesktopAppManagement CSP](http://go.microsoft.com/fwlink/p/?LinkId=723236)
- [EnterpriseExt CSP](http://go.microsoft.com/fwlink/p/?LinkId=723423)
- [EnterpriseExtFileSystem CSP](http://go.microsoft.com/fwlink/p/?LinkID=703716)
- [EnterpriseModernAppManagement CSP](http://go.microsoft.com/fwlink/p/?LinkId=723257)
- [FileSystem CSP](http://go.microsoft.com/fwlink/p/?LinkId=723422)
- [HealthAttestation CSP](http://go.microsoft.com/fwlink/p/?LinkId=723258)
- [HotSpot CSP](http://go.microsoft.com/fwlink/p/?LinkId=723421)
- [Maps CSP](http://go.microsoft.com/fwlink/p/?LinkId=723420)
- [NAP CSP](http://go.microsoft.com/fwlink/p/?LinkId=723419)
- [NAPDEF CSP](http://go.microsoft.com/fwlink/p/?LinkId=723371)
- [NodeCache CSP]( http://go.microsoft.com/fwlink/p/?LinkId=723265)
- [PassportForWork CSP](http://go.microsoft.com/fwlink/p/?LinkID=692070)
- [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkID=623244)
- [PolicyManager CSP]( http://go.microsoft.com/fwlink/p/?LinkId=723418)
- [Provisioning CSP](http://go.microsoft.com/fwlink/p/?LinkId=723266)
- [Proxy CSP]( http://go.microsoft.com/fwlink/p/?LinkId=723372)
- [PXLOGICAL CSP](http://go.microsoft.com/fwlink/p/?LinkId=723374)
- [Registry CSP](http://go.microsoft.com/fwlink/p/?LinkId=723417)
- [RemoteFind CSP](http://go.microsoft.com/fwlink/p/?LinkId=723267)
- [RemoteWipe CSP](http://go.microsoft.com/fwlink/p/?LinkID=703714)
- [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkId=723375)
- [RootCATrustedCertificates CSP](http://go.microsoft.com/fwlink/p/?LinkId=723270)
- [SecurityPolicy CSP](http://go.microsoft.com/fwlink/p/?LinkId=723376)
- [Storage CSP](http://go.microsoft.com/fwlink/p/?LinkId=723377)
- [SUPL CSP](http://go.microsoft.com/fwlink/p/?LinkId=723378)
- [UnifiedWriteFilter CSP](http://go.microsoft.com/fwlink/p/?LinkId=723272)
- [Update CSP](http://go.microsoft.com/fwlink/p/?LinkId=723271)
- [VPN CSP](http://go.microsoft.com/fwlink/p/?LinkId=723416)
- [VPNv2 CSP](http://go.microsoft.com/fwlink/p/?LinkID=617588)
- [Wi-Fi CSP](http://go.microsoft.com/fwlink/p/?LinkID=71743)
- [WindowsLicensing CSP](http://go.microsoft.com/fwlink/p/?LinkId=723274)
- [WindowsSecurityAuditing CSP](http://go.microsoft.com/fwlink/p/?LinkId=723415)
## Related topics
[Lock down Windows 10](lock-down-windows-10.md)
[Manage corporate devices](manage-corporate-devices.md)
[New policies for Windows 10](new-policies-for-windows-10.md)
[Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)
[Changes to Group Policy settings for Start in Windows 10](changes-to-start-policies-in-windows-10.md)
 
 

BIN
windows/manage/images/aadj1.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 46 KiB

BIN
windows/manage/images/aadj2.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 47 KiB

BIN
windows/manage/images/aadj3.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 43 KiB

BIN
windows/manage/images/aadj4.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 23 KiB

BIN
windows/manage/images/aadjcal.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 71 KiB

BIN
windows/manage/images/aadjcalmail.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 23 KiB

BIN
windows/manage/images/aadjmail1.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 55 KiB

BIN
windows/manage/images/aadjmail2.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 38 KiB

BIN
windows/manage/images/aadjmail3.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 50 KiB

BIN
windows/manage/images/aadjonenote.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 54 KiB

BIN
windows/manage/images/aadjonenote2.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 43 KiB

BIN
windows/manage/images/aadjonenote3.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 34 KiB

BIN
windows/manage/images/aadjpin.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 44 KiB

BIN
windows/manage/images/aadjverify.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 69 KiB

BIN
windows/manage/images/aadjwsfb.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 43 KiB

BIN
windows/manage/images/apprule.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 114 KiB

BIN
windows/manage/images/appwarning.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.6 KiB

BIN
windows/manage/images/backicon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 304 B

BIN
windows/manage/images/checkmark.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.2 KiB

BIN
windows/manage/images/configconflict.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 140 KiB

BIN
windows/manage/images/crossmark.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.5 KiB

BIN
windows/manage/images/csp-placeholder.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.2 KiB

BIN
windows/manage/images/cspinicd.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 67 KiB

BIN
windows/manage/images/csptable.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 23 KiB

BIN
windows/manage/images/doneicon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 410 B

BIN
windows/manage/images/genrule.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 8.4 KiB

BIN
windows/manage/images/icdbrowse.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.8 KiB

BIN
windows/manage/images/identitychoices.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 64 KiB

BIN
windows/manage/images/launchicon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 462 B

BIN
windows/manage/images/lockdownapps.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 4.1 KiB

BIN
windows/manage/images/mdm.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 59 KiB

BIN
windows/manage/images/package.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 4.4 KiB

BIN
windows/manage/images/phoneprovision.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 10 KiB

BIN
windows/manage/images/policytocsp.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 22 KiB

BIN
windows/manage/images/powericon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 411 B

BIN
windows/manage/images/priv-settings-table-1511.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

BIN
windows/manage/images/priv-telemetry-levels.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 77 KiB

BIN
windows/manage/images/provisioning-csp-assignedaccess.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.4 KiB

BIN
windows/manage/images/resetdevice.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 27 KiB

BIN
windows/manage/images/settingsicon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 353 B

BIN
windows/manage/images/start-pinned-app.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 19 KiB

BIN
windows/manage/images/startannotated.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 47 KiB

BIN
windows/manage/images/starticon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 272 B

BIN
windows/manage/images/startlayoutpolicy.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 127 KiB

BIN
windows/manage/images/starttemplate.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 178 KiB

BIN
windows/manage/images/w10servicing-f1-branches.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 101 KiB

BIN
windows/manage/images/wifisense-grouppolicy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 55 KiB

BIN
windows/manage/images/wifisense-registry.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 99 KiB

BIN
windows/manage/images/wifisense-settingscreens.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 17 KiB

BIN
windows/manage/images/win10-mobile-mdm-fig1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 126 KiB

BIN
windows/manage/images/win10servicing-fig2-featureupgrade.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 145 KiB

BIN
windows/manage/images/win10servicing-fig3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 126 KiB

BIN
windows/manage/images/win10servicing-fig4-upgradereleases.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 123 KiB

BIN
windows/manage/images/win10servicing-fig5.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 67 KiB

BIN
windows/manage/images/win10servicing-fig6.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 71 KiB

BIN
windows/manage/images/win10servicing-fig7.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 57 KiB

BIN
windows/manage/images/wsfb-distribute.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 46 KiB

BIN
windows/manage/images/wsfb-firstrun.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 100 KiB

BIN
windows/manage/images/wsfb-inventory-viewlicense.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 26 KiB

BIN
windows/manage/images/wsfb-inventoryaddprivatestore.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 24 KiB

BIN
windows/manage/images/wsfb-landing.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 302 KiB

BIN
windows/manage/images/wsfb-licenseassign.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

BIN
windows/manage/images/wsfb-licensedetails.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 15 KiB

BIN
windows/manage/images/wsfb-licensereclaim.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

BIN
windows/manage/images/wsfb-manageinventory.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 144 KiB

BIN
windows/manage/images/wsfb-offline-distribute-mdm.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 40 KiB

BIN
windows/manage/images/wsfb-onboard-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 150 KiB

BIN
windows/manage/images/wsfb-onboard-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 194 KiB

BIN
windows/manage/images/wsfb-onboard-3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 86 KiB

BIN
windows/manage/images/wsfb-onboard-4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 98 KiB

BIN
windows/manage/images/wsfb-onboard-5.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 77 KiB

BIN
windows/manage/images/wsfb-onboard-7.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 188 KiB

BIN
windows/manage/images/wsfb-online-distribute-mdm.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 37 KiB

BIN
windows/manage/images/wsfb-permissions-assignrole.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 21 KiB

BIN
windows/manage/images/wsfb-privatestore.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

BIN
windows/manage/images/wsfb-privatestoreapps.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

BIN
windows/manage/images/wsfb-renameprivatestore.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 6.3 KiB

BIN
windows/manage/images/wsfb-settings-mgmt.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 13 KiB

BIN
windows/manage/images/wsfb-settings-permissions.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

Some files were not shown because too many files have changed in this diff Show More