deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 22:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into privacy-update-vb

Browse Source
This commit is contained in:
Sinead O'Sullivan 2021-11-04 15:02:12 +00:00
commit b14cbcb6cf
925 changed files with 3369 additions and 6023 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -10,6 +10,7 @@ Tools/NuGet/
*.ini
_themes*/
common/
.vscode/
.openpublishing.build.mdproj
.openpublishing.buildcore.ps1
packages.config

87
.openpublishing.redirection.json
View File

@ -1,5 +1,60 @@
{
"redirections": [
{
"source_path": "windows/configuration/wcd/wcd-embeddedlockdownprofiles.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/mobile-devices/configure-mobile.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/mobile-devices/lockdown-xml.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/mobile-devices/mobile-lockdown-designer.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/mobile-devices/provisioning-configure-mobile.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/mobile-devices/provisioning-nfc.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/mobile-devices/provisioning-package-splitter.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/mobile-devices/settings-that-can-be-locked-down.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/mobile-devices/start-layout-xml-mobile.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/whats-new/windows-11.md",
"redirect_url": "/windows/whats-new/windows-11-whats-new",
@ -6637,22 +6692,22 @@
},
{
"source_path": "windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md",
"redirect_url": "/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/manage/lockdown-xml.md",
"redirect_url": "/windows/configuration/mobile-devices/lockdown-xml",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/manage/settings-that-can-be-locked-down.md",
"redirect_url": "/windows/configuration/mobile-devices/settings-that-can-be-locked-down",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/manage/product-ids-in-windows-10-mobile.md",
"redirect_url": "/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@ -6682,7 +6737,7 @@
},
{
"source_path": "windows/manage/start-layout-xml-mobile.md",
"redirect_url": "/windows/configuration/mobile-devices/start-layout-xml-mobile",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@ -6847,7 +6902,7 @@
},
{
"source_path": "windows/deploy/provisioning-nfc.md",
"redirect_url": "/windows/configuration/provisioning-packages/provisioning-nfc",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@ -7602,7 +7657,7 @@
},
{
"source_path": "windows/configure/configure-mobile.md",
"redirect_url": "/windows/configuration/mobile-devices/configure-mobile",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@ -7767,7 +7822,7 @@
},
{
"source_path": "windows/configure/lockdown-xml.md",
"redirect_url": "/windows/configuration/mobile-devices/lockdown-xml",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@ -7787,12 +7842,12 @@
},
{
"source_path": "windows/configure/mobile-lockdown-designer.md",
"redirect_url": "/windows/configuration/mobile-devices/mobile-lockdown-designer",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configure/product-ids-in-windows-10-mobile.md",
"redirect_url": "/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@ -7822,7 +7877,7 @@
},
{
"source_path": "windows/configure/provisioning-configure-mobile.md",
"redirect_url": "/windows/configuration/mobile-devices/provisioning-configure-mobile",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@ -7847,12 +7902,12 @@
},
{
"source_path": "windows/configure/provisioning-nfc.md",
"redirect_url": "/windows/configuration/mobile-devices/provisioning-nfc",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/configure/provisioning-package-splitter.md",
"redirect_url": "/windows/configuration/mobile-devices/provisioning-package-splitter",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@ -7892,7 +7947,7 @@
},
{
"source_path": "windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md",
"redirect_url": "/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@ -7902,7 +7957,7 @@
},
{
"source_path": "windows/configure/settings-that-can-be-locked-down.md",
"redirect_url": "/windows/configuration/mobile-devices/settings-that-can-be-locked-down",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@ -7912,7 +7967,7 @@
},
{
"source_path": "windows/configure/start-layout-xml-mobile.md",
"redirect_url": "/windows/configuration/mobile-devices/start-layout-xml-mobile",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{

2
browsers/edge/group-policies/index.yml
View File

@ -6,7 +6,7 @@ summary: Microsoft Edge Legacy works with Group Policy and Microsoft Intune to h
metadata:
title: Microsoft Edge Legacy # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. # Required; article description that is displayed in search results. < 160 chars.
keywords: Microsoft Edge Legacy, Windows 10, Windows 10 Mobile
keywords: Microsoft Edge Legacy, Windows 10
ms.localizationpriority: medium
ms.prod: edge
author: shortpatti

4
browsers/edge/microsoft-edge-faq.yml
View File

@ -15,7 +15,7 @@ metadata:
title: Frequently Asked Questions (FAQ) for IT Pros
summary: |
Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile
Applies to: Microsoft Edge on Windows 10
> [!NOTE]
> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/).
@ -40,7 +40,7 @@ sections:
- question: How do I customize Microsoft Edge and related settings for my organization?
answer: |
You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](./group-policies/index.yml) for a list of policies currently available for Microsoft Edge and configuration information. Note that the preview release of Chromium-based Microsoft Edge might not include management policies or other enterprise functionality; our focus during the preview is modern browser fundamentals.
You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](./group-policies/index.yml) for a list of policies currently available for Microsoft Edge and configuration information. The preview release of Chromium-based Microsoft Edge might not include management policies or other enterprise functionality; our focus during the preview is modern browser fundamentals.
- question: Is Adobe Flash supported in Microsoft Edge?
answer: |

4
browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
View File

@ -1,7 +1,7 @@
---
ms.localizationpriority: medium
title: Change history for Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros)
description: This topic lists new and updated topics in the Internet Explorer 11 Deployment Guide documentation for Windows 10 and Windows 10 Mobile.
description: This topic lists new and updated topics in the Internet Explorer 11 Deployment Guide documentation for Windows 10.
ms.mktglfcycl: deploy
ms.prod: ie11
ms.sitesec: library
@ -18,7 +18,7 @@ ms.author: dansimp
[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
This topic lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile.
This topic lists new and updated topics in the Internet Explorer 11 documentation for Windows 10.
## April 2017
|New or changed topic | Description |

4
browsers/internet-explorer/ie11-deploy-guide/index.md
View File

@ -33,7 +33,7 @@ Because this content isn't intended to be a step-by-step guide, not all of the s
## In this guide
|Topic |Description |
|------|------------|
|[Change history for Internet Explorer 11](change-history-for-internet-explorer-11.md) |Lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile. |
|[Change history for Internet Explorer 11](change-history-for-internet-explorer-11.md) |Lists new and updated topics in the Internet Explorer 11 documentation for Windows 10. |
|[System requirements and language support for Internet Explorer 11 (IE11)](system-requirements-and-language-support-for-ie11.md) |IE11 is available for a number of systems and languages. This topic provides info about the minimum system requirements and language support. |
|[List of updated features and tools - Internet Explorer 11 (IE11)](updated-features-and-tools-with-ie11.md) |IE11 includes several new features and tools. This topic includes high-level info about the each of them. |
|[Install and Deploy Internet Explorer 11 (IE11)](install-and-deploy-ie11.md) |Use the topics in this section to learn how to customize your Internet Explorer installation package, how to choose the right method for installation, and how to deploy IE into your environment. You can also find more info about your virtualization options for legacy apps. |
@ -42,7 +42,7 @@ Because this content isn't intended to be a step-by-step guide, not all of the s
|[Group Policy and Internet Explorer 11 (IE11)](group-policy-and-ie11.md) |Use the topics in this section to learn about Group Policy and how to use it to manage IE. |
|[Manage Internet Explorer 11](manage-ie11-overview.md) |Use the topics in this section to learn about how to auto detect your settings, auto configure your configuration settings, and auto configure your proxy configuration settings for IE. |
|[Troubleshoot Internet Explorer 11 (IE11)](troubleshoot-ie11.md) |Use the topics in this section to learn how to troubleshoot several of the more common problems experienced with IE. |
|[Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md) |ActiveX controls are small apps that let websites provide content, like videos, games, and let you interact with content like toolbars. Unfortunately, because many ActiveX controls arent automatically updated, they can become outdated as new versions are released. Its very important that you keep your ActiveX controls up-to-date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, IE includes a new security feature, called <em>out-of-date ActiveX control blocking</em>. |
|[Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md) |ActiveX controls are small apps that let websites provide content, like videos, games, and let you interact with content like toolbars. Unfortunately, because many ActiveX controls arent automatically updated, they can become outdated as new versions are released. Its important that you keep your ActiveX controls up-to-date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, IE includes a new security feature, called <em>out-of-date ActiveX control blocking</em>. |
|[Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md) |Internet Explorer 8 introduced document modes as a way to move from the proprietary coding of web features to a more standardized type of coding that could run on multiple browsers and devices. Starting with Windows 10, were deprecating document modes.<p>This means that while IE11 will continue to support document modes, Microsoft Edge wont. And because of that, it also means that if you want to use Microsoft Edge, youre going to have to update your legacy webpages and apps to support modern features, browsers, and devices.<p><b>Note</b><br>For specific details about the technologies and APIs that are no longer supported in Microsoft Edge, see [A break from the past, part 2: Saying goodbye to ActiveX, VBScript, attachEvent](https://go.microsoft.com/fwlink/p/?LinkId=615953). |
|[What is the Internet Explorer 11 Blocker Toolkit?](what-is-the-internet-explorer-11-blocker-toolkit.md) |The IE11 Blocker Toolkit lets you turn off the automatic delivery of IE11 through the <b>Automatic Updates</b> feature of Windows Update. |
|[Missing Internet Explorer Maintenance (IEM) settings for Internet Explorer 11](missing-internet-explorer-maintenance-settings-for-ie11.md) |The Internet Explorer Maintenance (IEM) settings have been deprecated in favor of Group Policy preferences, Administrative Templates (.admx), and the Internet Explorer Administration Kit 11 (IEAK 11).<p>Because of this change, your IEM-configured settings will no longer work on computers running Internet Explorer 10 or newer. To fix this, you need to update the affected settings using Group Policy preferences, Administrative Templates (.admx), or the IEAK 11.<p>Because Group Policy Preferences and IEAK 11 run using asynchronous processes, you should choose to use only one of the tools within each group of settings. For example, using only IEAK 11 in the <b>Security</b> settings or Group Policy Preferences within the <b>Internet Zone</b> settings. Also, it's important to remember that policy is enforced and can't be changed by the user, while preferences are configured, but can be changed by the user. |

8
browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
View File

@ -39,7 +39,7 @@ Using Enterprise Mode means that you can continue to use Microsoft Edge as your
> [!TIP]
> If you are running an earlier version of Internet Explorer, we recommend upgrading to IE11, so that any legacy apps continue to work correctly.
For Windows 10 and Windows 10 Mobile, Microsoft Edge is the default browser experience. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List.
For Windows 10, Microsoft Edge is the default browser experience. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List.
## What is Enterprise Mode?
@ -68,12 +68,12 @@ Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microso
[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
XML file
The Enterprise Mode Site List is an XML document that specifies a list of sites, their compat mode, and their intended browser. Using [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853), you can automatically start a webpage using a specific browser. In the case of IE11, the webpage can also be launched in a specific compat mode, so it always renders correctly. Your employees can easily view this site list by typing _about:compat_ in either Microsoft Edge or IE11.
The Enterprise Mode Site List is an XML document that specifies a list of sites, their compatibility mode, and their intended browser. Using [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853), you can automatically start a webpage using a specific browser. In IE11, the webpage can also be launched in a specific compatibility mode, so it always renders correctly. Your employees can easily view this site list by typing `about:compat` in either Microsoft Edge or IE11.
Starting with Windows 10, version 1511 (also known as the Anniversary Update), you can also [restrict IE11 to only the legacy web apps that need it](https://blogs.windows.com/msedgedev/2016/05/19/edge14-ie11-better-together/), automatically sending sites not included in the Enterprise Mode Site List to Microsoft Edge.
### Site list xml file
This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](turn-on-enterprise-mode-and-use-a-site-list.md). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location.
This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](turn-on-enterprise-mode-and-use-a-site-list.md). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compatibility mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location.
```xml
<site-list version="205">
@ -123,7 +123,7 @@ You can build and manage your Enterprise Mode Site List is by using any generic
### Enterprise Mode Site List Manager
This tool helps you create error-free XML documents with simple n+1 versioning and URL verification. We recommend using this tool if your site list is relatively small. For more info about this tool, see the Use the [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics.
There are 2 versions of this tool, both supported on Windows 7, Windows 8.1, and Windows 10:
There are two versions of this tool, both supported on Windows 7, Windows 8.1, and Windows 10:
- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501). This is an older version of the schema that you must use if you want to create and update your Enterprise Mode Site List for devices running the v.1 version of the schema.

16
education/windows/deploy-windows-10-in-a-school-district.md
View File

@ -20,11 +20,11 @@ manager: dansimp
- Windows 10
This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Endpoint Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment as well as the automated tools and built-in features of the operating system.
This guide shows you how to deploy the Windows 10 operating system in a school district. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Endpoint Configuration Manager, Microsoft Intune, and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment and the automated tools and built-in features of the operating system.
## Prepare for district deployment
Proper preparation is essential for a successful district deployment. To avoid common mistakes, your first step is to plan a typical district configuration. Just as with building a house, you need a blueprint for what your district and individual schools should look like when its finished. The second step in preparation is to learn how you will manage the users, apps, and devices in your district. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your district.
Proper preparation is essential for a successful district deployment. To avoid common mistakes, your first step is to plan a typical district configuration. As with building a house, you need a blueprint for what your district and individual schools should look like when its finished. The second step in preparation is to learn how you will manage the users, apps, and devices in your district. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your district.
> [!NOTE]
> This guide focuses on Windows 10 deployment and management in a district. For management of other devices and operating systems in education environments, see [Manage BYOD and corporate-owned devices with MDM solutions](https://www.microsoft.com/cloud-platform/mobile-device-management).
@ -126,7 +126,7 @@ Office 365 Education allows:
* Students and faculty to use Yammer to collaborate through private social networking.
* Students and faculty to access classroom resources from anywhere on any device (including Windows 10 Mobile, iOS, and Android devices).
* Students and faculty to access classroom resources from anywhere on any device (including iOS and Android devices).
For more information about Office 365 Education features and an FAQ, go to [Office 365 Education plans and pricing](https://products.office.com/en-us/academic).
@ -1577,7 +1577,7 @@ For more information about Intune, see [Microsoft Intune Documentation](/intune/
If you selected to deploy and manage apps by using Microsoft Endpoint Manager and Intune in a hybrid configuration, then skip this section and continue to the [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager) section.
You can use Intune to deploy Microsoft Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you to deploy apps to companion devices (such as Windows 10 Mobile, iOS, or Android devices). Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that are not enrolled in Intune or that another solution manages.
You can use Intune to deploy Microsoft Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you to deploy apps to companion devices (such as iOS or Android devices). Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that are not enrolled in Intune or that another solution manages.
For more information about how to configure Intune to manage your apps, see the following resources:
@ -1589,9 +1589,9 @@ For more information about how to configure Intune to manage your apps, see the
### Deploy and manage apps by using Microsoft Endpoint Configuration Manager
You can use Microsoft Endpoint Manager to deploy Microsoft Store and Windows desktop apps. Configuration Manager allows you to create a Configuration Manager application that you can use to deploy apps to different devices (such as Windows 10 desktop, Windows 10 Mobile, iOS, or Android devices) by using *deployment types*. You can think of a Configuration Manager application as a box. You can think of deployment types as one or more sets of installation files and installation instructions within that box.
You can use Microsoft Endpoint Manager to deploy Microsoft Store and Windows desktop apps. Configuration Manager allows you to create a Configuration Manager application that you can use to deploy apps to different devices (such as Windows 10 desktop, iOS, or Android devices) by using *deployment types*. You can think of a Configuration Manager application as a box. You can think of deployment types as one or more sets of installation files and installation instructions within that box.
For example, you could create a Skype application that contains a deployment type for Windows 10 desktop, Windows 10 Mobile, iOS, and Android. You can deploy the one application to multiple device types.
For example, you could create a Skype application that contains a deployment type for Windows 10 desktop, iOS, and Android. You can deploy the one application to multiple device types.
> [!NOTE]
> When you configure Configuration Manager and Intune in a hybrid model, you deploy apps by using Configuration Manager as described in this section.
@ -1607,7 +1607,7 @@ If you selected to manage updates by using Configuration Manager and Intune in a
To help ensure that your users have the most current features and security protection, keep Windows 10 and your apps current with updates. To configure Windows 10 and app updates, use the **Updates** workspace in Intune.
> [!NOTE]
> You can only manage updates (including antivirus and antimalware updates) for Windows 10 desktop operating systems (not Windows 10 Mobile, iOS, or Android).
> You can only manage updates (including antivirus and antimalware updates) for Windows 10 desktop operating systems (not iOS or Android).
For more information about how to configure Intune to manage updates and malware protection, see the following resources:
@ -1631,7 +1631,7 @@ In this section, you prepared your institution for device management. You identi
## Deploy Windows 10 to devices
Youre ready to deploy Windows 10 to faculty and student devices. You must complete the steps in this section for each student device in the classrooms as well as for any new student devices you add in the future. You can also perform these actions for any device thats eligible for a Windows 10 upgrade. This section discusses deploying Windows 10 to new devices, refreshing Windows 10 on existing devices, and upgrading existing devices that are running eligible versions of Windows 8.1 or Windows 7 to Windows 10.
Youre ready to deploy Windows 10 to faculty and student devices. You must complete the steps in this section for each student device in the classrooms and for any new student devices you add in the future. You can also perform these actions for any device thats eligible for a Windows 10 upgrade. This section discusses deploying Windows 10 to new devices, refreshing Windows 10 on existing devices, and upgrading existing devices that are running eligible versions of Windows 8.1 or Windows 7 to Windows 10.
### Prepare for deployment

876
education/windows/deploy-windows-10-in-a-school.md
View File

File diff suppressed because it is too large Load Diff

66
education/windows/index.md
View File

@ -18,29 +18,63 @@ ms.date: 10/13/2017
## ![Learn more about Windows.](images/education.png) Learn
<p><b><a href="windows-editions-for-education-customers.md" data-raw-source="[Windows 10 editions for education customers](windows-editions-for-education-customers.md)">Windows 10 editions for education customers</a></b><br />Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.</p>
<p><b><a href="https://www.microsoft.com/WindowsForBusiness/Compare" data-raw-source="[Compare each Windows edition](https://www.microsoft.com/WindowsForBusiness/Compare)">Compare each Windows edition</a></b><br />Find out more about the features and functionality we support in each edition of Windows.</p>
<p><b><a href="https://www.microsoft.com/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools" data-raw-source="[Get Windows 10 Education or Windows 10 Pro Education](https://www.microsoft.com/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools)">Get Windows 10 Education or Windows 10 Pro Education</a></b><br />When you&#39;ve made your decision, find out how to buy Windows for your school.</p>
**[Windows 10 editions for education customers](windows-editions-for-education-customers.md)**
Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.
**[Compare each Windows edition](https://www.microsoft.com/WindowsForBusiness/Compare)**
Find out more about the features and functionality we support in each edition of Windows.
**[Get Windows 10 Education or Windows 10 Pro Education](https://www.microsoft.com/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools)**
When you've made your decision, find out how to buy Windows for your school.
## ![Plan for Windows 10 in your school.](images/clipboard.png) Plan
<p><b><a href="configure-windows-for-education.md" data-raw-source="[Windows 10 configuration recommendations for education customers](configure-windows-for-education.md)">Windows 10 configuration recommendations for education customers</a></b><br />Provides guidance on ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school.</p>
<p><b><a href="edu-deployment-recommendations.md" data-raw-source="[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)">Deployment recommendations for school IT administrators</a></b><br />Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.</p>
<b><a href="get-minecraft-for-education.md" data-raw-source="[Get Minecraft Education Edition](get-minecraft-for-education.md)">Get Minecraft Education Edition</a></b><br />Minecraft Education Edition is built for learning. Learn how to get early access and add it to your Microsoft Store for Business for distribution.</p></div>
<div class="side-by-side-content-right"><p><b><a href="take-tests-in-windows-10.md" data-raw-source="[Take tests in Windows 10](take-tests-in-windows-10.md)">Take tests in Windows 10</a></b><br />Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up.</p>
<p><b><a href="chromebook-migration-guide.md" data-raw-source="[Chromebook migration guide](chromebook-migration-guide.md)">Chromebook migration guide</a></b><br />Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment.</p>
**[Windows 10 configuration recommendations for education customers](configure-windows-for-education.md)**
Provides guidance on ways to customize the OS diagnostic data, consumer experiences, Cortana, search, and some of the preinstalled apps, so that Windows is ready for your school.
**[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)**
Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.
**[Get Minecraft Education Edition](get-minecraft-for-education.md)**
Minecraft Education Edition is built for learning. Learn how to get early access and add it to your Microsoft Store for Business for distribution.
**[Take tests in Windows 10](take-tests-in-windows-10.md)**
Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up.
**[Chromebook migration guide](chromebook-migration-guide.md)**
Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment.
## ![Deploy Windows 10 for Education.](images/PCicon.png) Deploy
<p><b><a href="set-up-windows-10.md" data-raw-source="[Set up Windows devices for education](set-up-windows-10.md)">Set up Windows devices for education</a></b><br />Depending on your school&#39;s device management needs, you can use the Set up School PCs app or the Windows Configuration Designer tool to quickly set up student PCs.</p>
<p><b><a href="deploy-windows-10-in-a-school.md" data-raw-source="[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)">Deploy Windows 10 in a school</a></b><br />Get step-by-step guidance to help you deploy Windows 10 in a school environment.</p>
<p><b><a href="deploy-windows-10-in-a-school-district.md" data-raw-source="[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)">Deploy Windows 10 in a school district</a></b><br />Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.</p>
<p><b><a href="test-windows10s-for-edu.md" data-raw-source="[Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md)">Test Windows 10 S on existing Windows 10 education devices</a></b><br />Test Windows 10 S on a variety of Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us.</p>
**[Set up Windows devices for education](set-up-windows-10.md)**
Depending on your school's device management needs, you can use the Set up School PCs app or the Windows Configuration Designer tool to quickly set up student PCs.
**[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)**
Get step-by-step guidance to help you deploy Windows 10 in a school environment.
**[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)**
Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.
**[Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md)**
Test Windows 10 S on various Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us.
## ![Switch to Windows 10 for Education.](images/windows.png) Switch
<p><b><a href="change-to-pro-education.md" data-raw-source="[Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md)">Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S</a></b><br />If you have an education tenant and use Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education.</p>
**[Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md)**
If you have an education tenant and use Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education.
## Windows 8.1
@ -54,9 +88,11 @@ Follow these links to find step-by-step guidance on how to deploy Windows 8.1 in
<p><b><a href="/previous-versions/windows/it-pro/windows-8.1-and-8/dn645532(v=ws.11)" target="_blank">Microsoft Store apps</a></b><br />Explore Microsoft Store app deployment strategies and considerations for educational institutions running Windows 8.1.</p>
<p><b><a href="/previous-versions/windows/it-pro/windows-8.1-and-8/dn645486(v=ws.11)" target="_blank">Windows To Go</a></b><br />Learn about the benefits, limitations, and processes involved in deploying Windows To Go.</p>
## Related topics
## Related articles
- [Microsoft Education documentation and resources](/education)
- [Windows 10 and Windows 10 Mobile](/windows/windows-10/)
- [Windows for business](https://www.microsoft.com/windows/business)
- [Microsoft 365 for business](https://www.microsoft.com/microsoft-365/business)
<!--
<p><b><a href="/education/" target="_blank">Try it out: Windows 10 deployment (for education)</a></b><br />Learn how to upgrade devices running the Windows 7 operating system to Windows 10 Anniversary Update, and how to manage devices, apps, and users in Windows 10 Anniversary Update.<br /><br />For the best experience, use this guide in tandem with the <a href="https://vlabs.holsystems.com/vlabs/technet?eng=VLabs&auth=none&src=vlabs&altadd=true&labid=20949&lod=true" target="_blank">TechNet Virtual Lab: IT Pro Try-It-Out</a>.</p>

72
smb/cloud-mode-business-setup.md
View File

@ -27,7 +27,7 @@ ms.topic: conceptual
Are you ready to move your business to the cloud or wondering what it takes to make this happen with Microsoft cloud services and tools?
In this walkthrough, we'll show you how to deploy and manage a full cloud IT solution for your small to medium business using Microsoft 365 Business Standard, Microsoft Azure AD, Intune, Microsoft Store for Business, and Windows 10. We'll show you the basics on how to:
- Acquire an Microsoft 365 for business domain
- Acquire a Microsoft 365 for business domain
- Add Microsoft Intune and Azure Active Directory (AD) Premium licenses to your business tenant
- Set up Microsoft Store for Business and manage app deployment and sync with Intune
- Add users and groups in Azure AD and Intune
@ -37,27 +37,29 @@ In this walkthrough, we'll show you how to deploy and manage a full cloud IT sol
Go to the <a href="https://business.microsoft.com" target="_blank">Microsoft Business site</a> and select **Products** to learn more about pricing and purchasing options for your business.
## Prerequisites
Here's a few things to keep in mind before you get started:
- You'll need a registered domain to successfully go through the walkthrough.
- If you already own a domain, you can add this during the Office 365 setup.
- If you don't already own a domain, you'll have the option to purchase a domain from the Microsoft 365 admin center. We'll show how to do this as part of the walkthrough.
- If you don't already own a domain, you can purchase a domain from the Microsoft 365 admin center. This walkthrough includes the steps.
- You'll need an email address to create your Office 365 tenant.
- We recommend that you use Internet Explorer for the entire walkthrough. Right click on Internet Explorer and then choose **Start InPrivate Browsing**.
- We recommend that you use Internet Explorer for the entire walkthrough. Right select on Internet Explorer > **Start InPrivate Browsing**.
## 1. Set up your cloud infrastructure
To set up a cloud infrastructure for your organization, follow the steps in this section.
### 1.1 Set up Office 365 for business
See <a href="https://support.office.com/en-us/article/Set-up-Office-365-for-business-6a3a29a0-e616-4713-99d1-15eda62d04fa" target="_blank">Set up Office 365 for business</a> to learn more about the setup steps for businesses and nonprofits who have Office 365. You can watch video and learn how to:
See <a href="https://support.office.com/article/Set-up-Office-365-for-business-6a3a29a0-e616-4713-99d1-15eda62d04fa" target="_blank">Set up Office 365 for business</a> to learn more about the setup steps for businesses and nonprofits who have Office 365. You can watch video and learn how to:
- Plan your setup
- Create Office 365 accounts and how to add your domain.
- Install Office
To set up your Microsoft 365 for business tenant, see <a href="https://support.office.com/en-us/article/Get-started-with-Office-365-for-Business-d6466f0d-5d13-464a-adcb-00906ae87029" target="_blank">Get Started with Microsoft 365 for business</a>.
To set up your Microsoft 365 for business tenant, see <a href="https://support.office.com/article/Get-started-with-Office-365-for-Business-d6466f0d-5d13-464a-adcb-00906ae87029" target="_blank">Get Started with Microsoft 365 for business</a>.
If this is the first time you're setting this up, and you'd like to see how it's done, you can follow these steps to get started:
If you're new at setting up Office 365, and you'd like to see how it's done, you can follow these steps to get started:
1. Go to the <a href="https://products.office.com/en-us/business/office-365-affiliate-program-buy-business-premium" target="_blank">Office 365</a> page in the <a href="https://business.microsoft.com" target="_blank">Microsoft Business site</a>. Select **Try now** to use the Microsoft 365 Business Standard Trial or select **Buy now** to sign up for Microsoft 365 Business Standard. In this walkthrough, we'll select **Try now**.
1. Go to the <a href="https://products.office.com/business/office-365-affiliate-program-buy-business-premium" target="_blank">Office 365</a> page in the <a href="https://business.microsoft.com" target="_blank">Microsoft Business site</a>. Select **Try now** to use the Microsoft 365 Business Standard Trial or select **Buy now** to sign up for Microsoft 365 Business Standard. In this walkthrough, we'll select **Try now**.
**Figure 1** - Try or buy Office 365
@ -76,17 +78,17 @@ If this is the first time you're setting this up, and you'd like to see how it's
**Figure 2** - Microsoft 365 admin center
![Microsoft 365 admin center.](images/office365_portal.png)
![Opens the Microsoft 365 admin center.](images/office365_portal.png)
6. Select the **Admin** tile to go to the admin center.
7. In the admin center, click **Next** to see the highlights and welcome info for the admin center. When you're done, click **Go to setup** to complete the Office 365 setup.
This may take up to a half hour to complete.
This step can take up to a half hour to complete.
**Figure 3** - Admin center
![Microsoft 365 admin center.](images/office365_admin_portal.png)
![Complete the Office 365 setup in the Microsoft 365 admin center.](images/office365_admin_portal.png)
8. Go back to the <a href="https://portal.office.com/adminportal/home#/homepage" target="_blank">admin center</a> to add or buy a domain.
@ -97,7 +99,7 @@ If this is the first time you're setting this up, and you'd like to see how it's
![Add or buy a domain in admin center.](images/office365_buy_domain.png)
2. In the **Home > Domains** page, you will see the Microsoft-provided domain, such as *fabrikamdesign.onmicrosoft.com*.
2. In the **Home > Domains** page, you will see the Microsoft-provided domain, such as `fabrikamdesign.onmicrosoft.com`.
**Figure 5** - Microsoft-provided domain
@ -128,7 +130,7 @@ When adding users, you can also assign admin privileges to certain users in your
2. In the **Home > Active users** page, add users individually or in bulk.
- To add users one at a time, select **+ Add a user**.
If you select this option, you'll see the **New user** screen and you can add details about the new user including their name, user name, role, and so on. You also have the opportunity to assign **Product licenses**. For detailed step-by-step info on adding a user account, see *Add a user account in the admin center* in <a href="https://support.office.com/en-us/article/Add-users-individually-or-in-bulk-to-Office-365-Admin-Help-1970f7d6-03b5-442f-b385-5880b9c256ec" target="_blank">Add users individually or in bulk to Office 365 - Admin Help</a>.
If you select this option, you'll see the **New user** screen and you can add details about the new user including their name, user name, role, and so on. You also have the opportunity to assign **Product licenses**. For detailed step-by-step info on adding a user account, see *Add a user account in the admin center* in <a href="https://support.office.com/article/Add-users-individually-or-in-bulk-to-Office-365-Admin-Help-1970f7d6-03b5-442f-b385-5880b9c256ec" target="_blank">Add users individually or in bulk to Office 365 - Admin Help</a>.
**Figure 8** - Add an individual user
@ -136,7 +138,7 @@ When adding users, you can also assign admin privileges to certain users in your
- To add multiple users at once, select **More** and then choose **+ Import multiple users**. If you select this option, you'll need to create and upload a CSV file containing the list of users.
The **Import multiple users** screen includes a link where you can learn more about importing multiple users and also links for downloading a sample CSV file (one with headers only and another with headers and sample user information). For detailed step-by-step info on adding multiple users to Office 365, see <a href="https://support.office.com/en-us/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88" target="_blank">Add several users at the same time to Office 365 - Admin Help</a>. Once you've added all the users, don't forget to assign **Product licenses** to the new users.
The **Import multiple users** screen includes a link where you can learn more about importing multiple users and also links for downloading a sample CSV file (one with headers only and another with headers and sample user information). For detailed step-by-step info on adding multiple users to Office 365, see <a href="https://support.office.com/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88" target="_blank">Add several users at the same time to Office 365 - Admin Help</a>. Once you've added all the users, don't forget to assign **Product licenses** to the new users.
**Figure 9** - Import multiple users
@ -163,7 +165,7 @@ Microsoft Intune provides mobile device management, app management, and PC manag
![Assign Microsoft Intune licenses to users.](images/o365_assign_intune_license.png)
5. In the admin center, confirm that **Intune** shows up in the list under **Admin centers**. If it doesn't, sign out and then sign back in and then check again.
6. Select **Intune**. This will take you to the Intune management portal.
6. Select **Intune**. This step opens the Endpoint Manager admin center.
**Figure 12** - Microsoft Intune management portal
@ -187,8 +189,8 @@ Microsoft Azure is an open and flexible cloud platform that enables you to quick
![Access to Azure AD not available.](images/azure_ad_access_not_available.png)
3. From the error message, select the country/region for your business. This should match with the location you specified when you signed up for Office 365.
4. Click **Azure subscription**. This will take you to a free trial sign up screen.
3. From the error message, select the country/region for your business. The region should match with the location you specified when you signed up for Office 365.
4. Select **Azure subscription**. This step will take you to a free trial sign up screen.
**Figure 14** - Sign up for Microsoft Azure
@ -201,7 +203,7 @@ Microsoft Azure is an open and flexible cloud platform that enables you to quick
![Start managing your Azure subscription.](images/azure_ad_successful_signup.png)
This will take you to the <a href="https://portal.azure.com" target="_blank">Microsoft Azure portal</a>.
This step will take you to the <a href="https://portal.azure.com" target="_blank">Microsoft Azure portal</a>.
### 1.5 Add groups in Azure AD
This section is the walkthrough is optional. However, we recommend that you create groups in Azure AD to manage access to corporate resources, such as apps, policies and settings, and so on. For more information, see <a href="/azure/active-directory/active-directory-manage-groups" target="_blank">Managing access to resources with Azure Active Directory groups</a>.
@ -257,7 +259,7 @@ You can read <a href="https://blogs.technet.microsoft.com/enterprisemobility/201
**To enable automatic MDM enrollment**
1. In to the <a href="https://manage.windowsazure.com/" target="_blank">classic Azure portal</a>, click on your company's Azure Active Directory to go back to the main window. Select **Applications** from the list of directory menu options.
1. In the <a href="https://manage.windowsazure.com/" target="_blank">classic Azure portal</a>, click on your company's Azure Active Directory to go back to the main window. Select **Applications** from the list of directory menu options.
The list of applications for your company will appear. **Microsoft Intune** will be one of the applications on the list.
@ -294,7 +296,7 @@ You can read <a href="https://blogs.technet.microsoft.com/enterprisemobility/201
### 1.7 Configure Microsoft Store for Business for app distribution
Next, you'll need to configure Microsoft Store for Business to distribute apps with a management tool such as Intune.
In this part of the walkthrough, we'll be working on the <a href="https://manage.microsoft.com/" target="_blank">Microsoft Intune management portal</a> and <a href="https://businessstore.microsoft.com/en-us/Store/Apps" target="_blank">Microsoft Store for Business</a>.
In this part of the walkthrough, we'll be working on the <a href="https://manage.microsoft.com/" target="_blank">Microsoft Intune management portal</a> and <a href="https://businessstore.microsoft.com/Store/Apps" target="_blank">Microsoft Store for Business</a>.
**To associate your Store account with Intune and configure synchronization**
@ -305,7 +307,7 @@ In this part of the walkthrough, we'll be working on the <a href="https://manage
![Set up mobile device management in Intune.](images/intune_admin_mdm_configure.png)
3. Sign into <a href="https://businessstore.microsoft.com/en-us/Store/Apps" target="_blank">Microsoft Store for Business</a> using the same tenant account that you used to sign into Intune.
3. Sign into <a href="https://businessstore.microsoft.com/Store/Apps" target="_blank">Microsoft Store for Business</a> using the same tenant account that you used to sign into Intune.
4. Accept the EULA.
5. In the Store portal, select **Settings > Management tools** to go to the management tools page.
6. In the **Management tools** page, find **Microsoft Intune** on the list and click **Activate** to get Intune ready to use with Microsoft Store for Business.
@ -331,7 +333,7 @@ In this part of the walkthrough, we'll be working on the <a href="https://manage
**To buy apps from the Store**
In your <a href="https://businessstore.microsoft.com/en-us/Store/Apps" target="_blank">Microsoft Store for Business</a> portal, you can see the list of apps that you own by going to **Manage > Inventory**. You should see the following apps in your inventory:
In your <a href="https://businessstore.microsoft.com/Store/Apps" target="_blank">Microsoft Store for Business</a> portal, you can see the list of apps that you own by going to **Manage > Inventory**. You should see the following apps in your inventory:
- Sway
- OneNote
- PowerPoint Mobile
@ -344,7 +346,7 @@ In the following example, we'll show you how to buy apps through the Microsoft S
**Example 1 - Add other apps like Reader and InstaNote**
1. In the <a href="https://businessstore.microsoft.com/en-us/Store/Apps" target="_blank">Microsoft Store for Business</a> portal, click **Shop**, scroll down to the **Made by Microsoft** category, and click **Show all** to see all the Microsoft apps in the list.
1. In the <a href="https://businessstore.microsoft.com/Store/Apps" target="_blank">Microsoft Store for Business</a> portal, click **Shop**, scroll down to the **Made by Microsoft** category, and click **Show all** to see all the Microsoft apps in the list.
**Figure 28** - Shop for Store apps
@ -405,7 +407,7 @@ To set up new Windows devices, go through the Windows initial device setup or fi
![Choose how you'll connect the Windows device.](images/win10_choosehowtoconnect.png)
4. In the **Let's get you signed in** screen, sign in using one of the user accounts you added in section [1.2 Add users and assign product licenses](#12-add-users-and-assign-product-licenses). We suggest signing in as one of the global administrators. Later, sign in on another device using one of the non-admin accounts.
4. In the **Let's get you signed in** screen, sign in using a user account you added in section [1.2 Add users and assign product licenses](#12-add-users-and-assign-product-licenses). We suggest signing in as one of the global administrators. Later, sign in on another device using one of the non-admin accounts.
**Figure 33** - Sign in using one of the accounts you added
@ -419,14 +421,14 @@ To set up new Windows devices, go through the Windows initial device setup or fi
Verify that the device is set up correctly and boots without any issues.
**To verify that the device was set up correctly**
1. Click on the **Start** menu and select some of the options to make sure everything launches properly.
1. Click on the **Start** menu and select some of the options to make sure everything opens properly.
2. Confirm that the Store and built-in apps are working.
### 2.3 Verify the device is Azure AD joined
In the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, verify that the device is joined to Azure AD and shows up as being managed in Microsoft Intune.
**To verify if the device is joined to Azure AD**
1. Check the device name on your PC. To do this, on your Windows PC, select **Settings > System > About** and then check **PC name**.
1. Check the device name on your PC. On your Windows PC, select **Settings > System > About** and then check **PC name**.
**Figure 34** - Check the PC name on your device
@ -456,7 +458,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the
2. Select the app, right-click, then select **Manage Deployment...**.
3. Select the group(s) whose apps will be managed, and then click **Add** to add the group.
4. Click **Next** at the bottom of the app deployment settings window or select **Deployment Action** on the left column to check the deployment settings for the app.
5. For each group that you selected, set **Approval** to **Required Install**. This automatically sets **Deadline** to **As soon as possible**. If **Deadline** is not automatically set, set it to **As soon as possible**.
5. For each group that you selected, set **Approval** to **Required Install**. This step automatically sets **Deadline** to **As soon as possible**. If **Deadline** is not automatically set, set it to **As soon as possible**.
**Figure 36** - Reconfigure an app's deployment setting in Intune
@ -464,7 +466,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the
6. Click **Finish**.
7. Repeat steps 2-6 for other apps that you want to deploy to the device(s) as soon as possible.
8. Verify that the app shows up on the device. To do this:
8. Verify that the app shows up on the device using the following steps:
- Make sure you're logged in to the Windows device.
- Click the **Start** button and check the apps that appear in the **Recently added** section. If you don't see the apps that you deployed in Intune, give it a few minutes. Only apps that aren't already deployed on the device will appear in the **Recently added** section.
@ -563,23 +565,25 @@ For other devices, such as those personally-owned by employees who need to conne
### 4.2 Add a new user
You can add new users to your tenant simply by adding them to the Microsoft 365 groups. Adding new users to Microsoft 365 groups automatically adds them to the corresponding groups in Microsoft Intune.
See [Add users to Office 365](https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc?ui=en-US&rs=en-US&ad=US&fromAR=1) to learn more. Once you're done adding new users, go to the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a> and verify that the same users were added to the Intune groups as well.
See [Add users to Office 365](/microsoft-365/admin/add-users/add-users) to learn more. Once you're done adding new users, go to the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a> and verify that the same users were added to the Intune groups as well.
## Get more info
### For IT admins
To learn more about the services and tools mentioned in this walkthrough, and learn what other tasks you can do, follow these links:
- <a href="https://support.office.com/en-us/article/Set-up-Office-365-for-business-6a3a29a0-e616-4713-99d1-15eda62d04fa" target="_blank">Set up Office 365 for business</a>
- Common admin tasks in Office 365 including email and OneDrive in <a href="https://support.office.com/en-us/article/Common-management-tasks-for-Office-365-46c667f7-5073-47b9-a75f-05a60cf77d91" target="_blank">Manage Office 365</a>
- <a href="https://support.office.com/article/Set-up-Office-365-for-business-6a3a29a0-e616-4713-99d1-15eda62d04fa" target="_blank">Set up Office 365 for business</a>
- Common admin tasks in Office 365 including email and OneDrive in <a href="https://support.office.com/article/Common-management-tasks-for-Office-365-46c667f7-5073-47b9-a75f-05a60cf77d91" target="_blank">Manage Office 365</a>
- More info about managing devices, apps, data, troubleshooting, and more in <a href="/intune/" target="_blank">Intune documentation</a>
- Learn more about Windows 10 in <a href="/windows/windows-10/" target="_blank">Windows 10 guide for IT pros</a>
- Learn more about Windows client in the [Windows client documentation for IT Pros](/windows/resources/).
- Info about distributing apps to your employees, managing apps, managing settings, and more in <a href="/microsoft-store/" target="_blank">Microsoft Store for Business</a>
### For information workers
Whether it's in the classroom, getting the most out of your devices, or learning some of the cool things you can do, we've got teachers covered. Follow these links for more info:
- <a href="https://support.office.com/" target="_blank">Office help and training</a>
- <a href="https://support.microsoft.com/products/windows?os=windows-10" target="_blank">Windows 10 help</a>
- [Office Help & Training](https://support.microsoft.com/office)
- [Windows help & learning](https://support.microsoft.com/windows)
## Related topics
- [Windows 10 and Windows 10 Mobile](/windows/windows-10/)
- [Windows for business](https://www.microsoft.com/windows/business)
- [Microsoft 365 for business](https://www.microsoft.com/microsoft-365/business)

35
smb/index.md
View File

@ -1,7 +1,7 @@
---
title: Windows 10 for small to midsize businesses
title: Windows 10/11 for small to midsize businesses
description: Microsoft products and devices to transform and grow your businessLearn how to use Windows 10 for your small to midsize business.
keywords: Windows 10, SMB, small business, midsize business, business
keywords: Windows 10, Windows 11, SMB, small business, midsize business, business
ms.prod: w10
ms.technology:
ms.topic: article
@ -15,22 +15,39 @@ manager: dansimp
audience: itpro
---
# Windows 10 for SMB
# Windows 10/11 for Small and Medium Business (SMB)
![Windows 10 for SMB.](images/smb_portal_banner.png)
## ![Learn more about Windows and other resources for SMBs.](images/learn.png) Learn
<p><b><a href="https://business.microsoft.com/en-us/products/windows" target="_blank">Windows 10 for business</a></b><br />Learn how Windows 10 and Windows devices can help your business.</p>
<p><b><a href="https://blogs.business.microsoft.com/" target="_blank">SMB blog</a></b><br />Read about the latest stories, technology insights, and business strategies for SMBs.</p>
<p><b><a href="https://business.microsoft.com/en-us/products" target="_blank">How to buy</a></b><br />Go here when you&#39;re ready to buy or want to learn more about Microsoft products you can use to help transform your business.</p>
**[Windows for business](https://www.microsoft.com/windows/business)**
Learn how Windows can help your business be more productive, collaborate better, and be more secure.
**[Bing Pages](https://www.microsoft.com/bing/bing-pages-overview)**
Use Bing to grow your business and enhance your brand online.
**[Customer stories](https://customers.microsoft.com/)**
Read about the latest stories and technology insights.
**[SMB Blog](https://techcommunity.microsoft.com/t5/small-and-medium-business-blog/bg-p/Microsoft365BusinessBlog)**
Read about business strategies and collaborations with SMBs.
**[Business Solutions and Technology](https://www.microsoft.com/store/b/business)**
Learn more about Microsoft products, or when you're ready to buy products and services to help transform your business.
## ![Deploy a Microsoft solution for your business.](images/deploy.png) Deploy
<p><b><a href="cloud-mode-business-setup.md" data-raw-source="[Get started: Deploy and manage a full cloud IT solution for your business](cloud-mode-business-setup.md)">Get started: Deploy and manage a full cloud IT solution for your business</a></b><br />Find out how easy it is to deploy and manage a full cloud IT solution for your small to midsize business using Microsoft cloud services and tools.</p>
**[Get started: Deploy and manage a full cloud IT solution for your business](cloud-mode-business-setup.md)**
Using Microsoft cloud services and tools, it can be easy to deploy and manage a full cloud IT solution for your small to midsize business.
## Related topics
## Related articles
- [Windows 10 and Windows 10 Mobile](/windows/windows-10/)
- [Windows for business](https://www.microsoft.com/windows/business)
- [Microsoft 365 for business](https://www.microsoft.com/microsoft-365/business)

3
store-for-business/add-unsigned-app-to-code-integrity-policy.md
View File

@ -24,7 +24,7 @@ ms.date: 07/21/2021
> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021.
>
> Following are the major changes we are making to the service:
> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/.
> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download at [https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/](https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/).
> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it).
> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files.
>
@ -41,7 +41,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device. Then, create the catalog files for your unsigned app, sign the catalog files, and then merge the default policy that includes your signing certificate with existing code integrity policies.

13
store-for-business/app-inventory-management-microsoft-store-for-business.md
View File

@ -19,7 +19,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
@ -64,12 +63,12 @@ Each app in the Store for Business has an online, or an offline license. For mor
| Action | Online-licensed app | Offline-licensed app |
| ------ | ------------------- | -------------------- |
| Assign to employees | X | |
| Add to private store | X | |
| Remove from private store | X | |
| View license details | X | |
| View product details | X | X |
| Download for offline use | | X |
| Assign to employees | ✔️ | |
| Add to private store | ✔️ | |
| Remove from private store | ✔️ | |
| View license details | ✔️ | |
| View product details | ✔️ | ✔️ |
| Download for offline use | | ✔️ |
The actions in the table are how you distribute apps, and manage app licenses. We'll cover those in the next sections. Working with offline-licensed apps has different steps. For more information on distributing offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md).

1
store-for-business/apps-in-microsoft-store-for-business.md
View File

@ -21,7 +21,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).

1
store-for-business/assign-apps-to-employees.md
View File

@ -21,7 +21,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).

2
store-for-business/configure-mdm-provider-microsoft-store-for-business.md
View File

@ -18,8 +18,8 @@ ms.date: 07/21/2021
# Configure an MDM provider
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).

3
store-for-business/device-guard-signing-portal.md
View File

@ -20,7 +20,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
@ -133,7 +132,7 @@ Device Guard is a feature set that consists of both hardware and software system
**JobDescription** - string, optional - A short (< 100 chars), human-readable description of this submission. If the script is being called as part of an automated build rocess the agent may wish to pass a version number or changeset number for this field. This information will be provided as part of the results of the Get-SigningHistory command.
**Submit-SigningV1MigrationPolicy** Submits a file to the service for signing and timestamping. The only valid file type for policy
signing is binary policy files with the extension (.bin) that have been created via the [ConvertFromCiPolicy](/powershell/module/configci/convertfrom-cipolicy?view=windowsserver2019-ps&viewFallbackFrom=win10-ps) cmdlet. Otherwise, binary policy file may not be deployed properly. Note: Only use for V1 migration.
signing is binary policy files with the extension (.bin) that have been created via the [ConvertFromCiPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet. Otherwise, binary policy file may not be deployed properly. Note: Only use for V1 migration.
- Usage:

1
store-for-business/distribute-apps-from-your-private-store.md
View File

@ -20,7 +20,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).

1
store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md
View File

@ -21,7 +21,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).

1
store-for-business/distribute-apps-with-management-tool.md
View File

@ -21,7 +21,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).

1
store-for-business/distribute-offline-apps.md
View File

@ -21,7 +21,6 @@ ms.date: 07/21/2021
**Applies to:**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).

1
store-for-business/find-and-acquire-apps-overview.md
View File

@ -21,7 +21,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).

1
store-for-business/index.md
View File

@ -19,7 +19,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).

4
store-for-business/manage-access-to-private-store.md
View File

@ -20,7 +20,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
@ -40,9 +39,9 @@ Organizations can use either an MDM policy, or Group Policy to show only their p
Organizations using an MDM to manage apps can use a policy to show only the private store. When your MDM supports Microsoft Store for Business, the MDM can use the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). More specifically, the [ApplicationManagement/RequirePrivateStoreOnly](/windows/client-management/mdm/policy-configuration-service-provider#ApplicationManagement_RequirePrivateStoreOnly) policy.
**ApplicationManagement/RequirePrivateStoreOnly** policy is supported on the following Windows 10 editions:
- Enterprise
- Education
- Mobile
For more information on configuring an MDM provider, see [Configure an MDM provider](./configure-mdm-provider-microsoft-store-for-business.md).
@ -51,6 +50,7 @@ For more information on configuring an MDM provider, see [Configure an MDM provi
If you're using Microsoft Store and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Microsoft Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store.
**Only display the private store within Microsoft Store app** group policy is supported on the following Windows 10 editions:
- Enterprise
- Education

1
store-for-business/manage-apps-microsoft-store-for-business-overview.md
View File

@ -20,7 +20,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).

1
store-for-business/manage-private-store-settings.md
View File

@ -20,7 +20,6 @@ ms.localizationpriority: medium
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).

1
store-for-business/manage-settings-microsoft-store-for-business.md
View File

@ -20,7 +20,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).

1
store-for-business/manage-users-and-groups-microsoft-store-for-business.md
View File

@ -21,7 +21,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).

11
store-for-business/microsoft-store-for-business-overview.md
View File

@ -4,7 +4,7 @@ description: With Microsoft Store for Business and Microsoft Store for Education
ms.assetid: 9DA71F6B-654D-4121-9A40-D473CC654A1C
ms.reviewer:
ms.prod: w10
ms.pagetype: store, mobile
ms.pagetype: store
ms.mktglfcycl: manage
ms.sitesec: library
ms.author: cmcatee
@ -20,7 +20,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
@ -92,10 +91,10 @@ After your admin signs up for the Store for Business and Education, they can ass
| Permission | Account settings | Acquire apps | Distribute apps | Device Guard signing |
| ---------- | ---------------- | ------------ | --------------- | -------------------- |
| Admin | X | X | X | |
| Purchaser | | X | X | |
| Device Guard signer | | | | X |
| Basic purchaser | | X | X | |
| Admin | ✔️ | ✔️ | ✔️ | |
| Purchaser | | ✔️ | ✔️ | |
| Device Guard signer | | | | ✔️ |
| Basic purchaser | | ✔️ | ✔️ | |
> [!NOTE]
> Currently, the Basic purchaser role is only available for schools using Microsoft Store for Education. For more information, see [Microsoft Store for Education permissions](/education/windows/education-scenarios-store-for-business?toc=%2fmicrosoft-store%2feducation%2ftoc.json#manage-domain-settings).

1
store-for-business/notifications-microsoft-store-business.md
View File

@ -22,7 +22,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).

1
store-for-business/prerequisites-microsoft-store-for-business.md
View File

@ -20,7 +20,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).

27
store-for-business/roles-and-permissions-microsoft-store-for-business.md
View File

@ -21,7 +21,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
@ -37,13 +36,13 @@ Microsoft Store for Business and Education has a set of roles that help admins a
This table lists the global user accounts and the permissions they have in Microsoft Store.
| | **Global Administrator** | **Billing Administrator** |
|| Global Administrator | Billing Administrator |
| ------------------------------ | --------------------- | --------------------- |
| **Sign up for Microsoft Store for Business and Education** | X | X |
| **Modify company profile settings** | X | X |
| **Purchase apps** | X | X |
| **Distribute apps** | X | X |
| **Purchase subscription-based software** | X | X |
| **Sign up for Microsoft Store for Business and Education** | ✔️ | ✔️ |
| **Modify company profile settings** | ✔️ | ✔️ |
| **Purchase apps** | ✔️ | ✔️ |
| **Distribute apps** | ✔️ | ✔️ |
| **Purchase subscription-based software** | ✔️ | ✔️ |
- **Global Administrator** and **Billing Administrator** - IT Pros with these accounts have full access to Microsoft Store. They can do everything allowed in the Microsoft Store Admin role, plus they can sign up for Microsoft Store.
@ -53,14 +52,14 @@ Microsoft Store for Business has a set of roles that help IT admins and employee
This table lists the roles and their permissions.
| | **Admin** | **Purchaser** | **Device Guard signer** |
|| Admin | Purchaser | Device Guard signer |
| ------------------------------ | ------ | -------- | ------------------- |
| **Assign roles** | X | | |
| **Manage Microsoft Store for Business and Education settings** | X | | |
| **Acquire apps** | X | X | |
| **Distribute apps** | X | X | |
| **Sign policies and catalogs** | X | | |
| **Sign Device Guard changes** | X | | X |
| **Assign roles** | ✔️ | | |
| **Manage Microsoft Store for Business and Education settings** | ✔️ | | |
| **Acquire apps** | ✔️ | ✔️ | |
| **Distribute apps** | ✔️ | ✔️ | |
| **Sign policies and catalogs** | ✔️ | | |
| **Sign Device Guard changes** | ✔️ | | ✔️ |
These permissions allow people to:

1
store-for-business/sign-code-integrity-policy-with-device-guard-signing.md
View File

@ -42,7 +42,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
Signing code integrity policies prevents policies from being tampered with after they're deployed. You can sign code integrity policies with the Device Guard signing portal.

1
store-for-business/sign-up-microsoft-store-for-business-overview.md
View File

@ -20,7 +20,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).

4
store-for-business/troubleshoot-microsoft-store-for-business.md
View File

@ -20,7 +20,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
@ -29,6 +28,7 @@ Troubleshooting topics for Microsoft Store for Business.
## Can't find apps in private store
The private store for your organization is a page in Microsoft Store app that contains apps that are private to your organization. After your organization acquires an app, your Store for Business admin can add it to your organization's private store. Your private store usually has a name that is close to the name of your organization or company. If you can't see your private store, there are a couple of things to check:
- **No apps in the private store** - The private store page is only available in Microsoft Store on Windows 10 if there are apps added to your private store. You won't see your private store page with no apps listed on it. If your Microsoft Store for Business admin has added an app to the private store, and the private store page is still not available, they can check the private store status for the app on **Product & services - Apps**. If the status under **Private store** is **Add in progress**, wait and check back.
- **Signed in with the wrong account** - If you have multiple accounts that you use in your organization, you might be signed in with the wrong account. Or, you might not be signed in. Use this procedure to sign in with your organization account.
@ -64,5 +64,5 @@ If you are still having trouble using Microsoft Store or installing an app, Admi
**To view Support page** 
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com)
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com).
2.Choose **Manage**> **Support**.

1
store-for-business/working-with-line-of-business-apps.md
View File

@ -20,7 +20,6 @@ ms.date: 07/21/2021
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).

9
windows/application-management/apps-in-windows-10.md
View File

@ -71,6 +71,15 @@ There are different types of apps that can run on your Windows client devices. T
Using an MDM provider, you can create shortcuts to your web apps and progressive web apps on devices.
## Android™ apps
Starting with Windows 11, users in the [Windows Insider program](https://insider.windows.com/) can use the Microsoft Store to search, download, and install Android™ apps. This feature uses the Windows Subsystem for Android, and allows users to interact with Android apps, just like others apps installed from the Microsoft Store.
For more information, see:
- [Windows Subsystem for Android](https://support.microsoft.com/windows/abed2335-81bf-490a-92e5-fe01b66e5c48)
- [Windows Subsystem for Android developer information](/windows/android/wsa)
## Add or deploy apps to devices
When your apps are ready, you can add or deploy these apps to your Windows devices. This section lists some common options.

4
windows/application-management/toc.yml
View File

@ -23,7 +23,7 @@ items:
href: manage-windows-mixed-reality.md
- name: Application Virtualization (App-V)
items:
- name: App-V for Windows 10 overview
- name: App-V for Windows overview
href: app-v/appv-for-windows.md
- name: Getting Started
items:
@ -266,5 +266,5 @@ items:
href: per-user-services-in-windows.md
- name: Disabling System Services in Windows Server
href: /windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server
- name: How to keep apps removed from Windows 10 from returning during an update
- name: How to keep apps removed from Windows from returning during an update
href: remove-provisioned-apps-during-update.md

14
windows/client-management/mdm/accountmanagement-csp.md
View File

@ -19,10 +19,18 @@ AccountManagement CSP is used to configure setting in the Account Manager servic
> [!NOTE]
> The AccountManagement CSP is only supported in Windows Holographic for Business edition.
The following shows the AccountManagement configuration service provider in tree format.
The following diagram shows the AccountManagement configuration service provider in tree format.
![accountmanagement csp.](images/provisioning-csp-accountmanagement.png)
```console
./Vendor/MSFT
AccountManagement
----UserProfileManagement
--------EnableProfileManager
--------DeletionPolicy
--------StorageCapacityStartDeletion
--------StorageCapacityStopDeletion
--------ProfileInactivityThreshold
```
<a href="" id="accountmanagement"></a>**./Vendor/MSFT/AccountManagement**
Root node for the AccountManagement configuration service provider.

31
windows/client-management/mdm/appv-deploy-and-config.md
View File

@ -23,7 +23,36 @@ manager: dansimp
[EnterpriseAppVManagement CSP reference](./enterpriseappvmanagement-csp.md)
![enterpriseappvmanagement csp.](images/provisioning-csp-enterpriseappvmanagement.png)
The following shows the EnterpriseAppVManagement configuration service provider in tree format.
```console
./Vendor/MSFT
EnterpriseAppVManagement
----AppVPackageManagement
--------EnterpriseID
------------PackageFamilyName
---------------PackageFullName
------------------Name
------------------Version
------------------Publisher
------------------InstallLocation
------------------InstallDate
------------------Users
------------------AppVPackageID
------------------AppVVersionId
------------------AppVPackageUri
----AppVPublishing
--------LastSync
------------LastError
------------LastErrorDescription
------------SyncStatusDescription
------------SyncProgress
--------Sync
------------PublishXML
----AppVDynamicPolicy
--------ConfigurationId
------------Policy
```
<p>(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following sub-nodes.</p>

8
windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
View File

@ -226,7 +226,7 @@ However, key management is different for on-premises MDM. You must obtain the cl
## Themes
The pages rendered by the MDM as part of the integrated enrollment process must use Windows 10 templates ([Download the Windows 10 templates and CSS files](https://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip)). This is important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Don't try to copy the templates because you'll never get the button placement right. Using the shared Windows 10 templates ensure a seamless experience for the customers.
The pages rendered by the MDM as part of the integrated enrollment process must use Windows templates ([Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip)). This is important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Don't try to copy the templates because you'll never get the button placement right. Using the shared templates ensure a seamless experience for the customers.
There are 3 distinct scenarios:
@ -236,7 +236,11 @@ There are 3 distinct scenarios:
Scenarios 1, 2, and 3 are available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. Scenarios 1 and 3 are available in Windows 10 Mobile. Support for scenario 1 was added in Windows 10 Mobile, version 1511.
The CSS files provided by Microsoft contains version information and we recommend that you use the latest version. There are separate CSS files for desktop and mobile devices, OOBE, and post-OOBE experiences. [Download the Windows 10 templates and CSS files](https://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip).
The CSS files provided by Microsoft contains version information and we recommend that you use the latest version. There are separate CSS files for desktop and mobile devices, OOBE, and post-OOBE experiences. [Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip).
- For Windows 10, use **oobe-desktop.css**
- For Windows 11, use **oobe-light.css**
### Using themes

20
windows/client-management/mdm/bootstrap-csp.md
View File

@ -16,18 +16,18 @@ ms.date: 06/26/2017
The BOOTSTRAP configuration service provider sets the Trusted Provisioning Server (TPS) for the device.
>[!Note]
>BOOTSTRAP CSP is only supported in Windows 10 Mobile.
>
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
> **Note**  BOOTSTRAP CSP is only supported in Windows 10 Mobile.
>
>
>
> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
The following shows the BOOTSTRAP configuration service provider in tree format as used by Open Mobile Alliance (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
The following image shows the BOOTSTRAP configuration service provider in tree format as used by Open Mobile Alliance (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
![bootstrap csp (cp).](images/provisioning-csp-bootstrap-cp.png)
```console
BOOTSTRAP
----CONTEXT-ALLOW
----PROVURL
```
<a href="" id="context-allow"></a>**CONTEXT-ALLOW**
Optional. Specifies a context for the TPS. Only one context is supported, so this parameter is ignored and "0" is assumed for its value.

16
windows/client-management/mdm/browserfavorite-csp.md
View File

@ -28,9 +28,13 @@ This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID
The following diagram shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
The following shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
![browserfavorite csp (cp).](images/provisioning-csp-browserfavorite-cp.png)
```console
BrowserFavorite
favorite name
----URL
```
<a href="" id="favorite-name-------------"></a>***favorite name***
Required. Specifies the user-friendly name of the favorite URL that is displayed in the Favorites list of Internet Explorer.
@ -78,19 +82,19 @@ The following table shows the Microsoft custom elements that this configuration
</thead>
<tbody>
<tr class="odd">
<td><p>parm-query</p></td>
<td><p>Parm-query</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>noparm</p></td>
<td><p>Noparm</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>nocharacteristic</p></td>
<td><p>Nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>characteristic-query</p></td>
<td><p>Characteristic-query</p></td>
<td><p>Yes</p>
<p>Recursive query: Yes</p>
<p>Top-level query: Yes</p></td>

8
windows/client-management/mdm/cellularsettings-csp.md
View File

@ -19,9 +19,13 @@ The CellularSettings configuration service provider is used to configure cellula
> [!Note]
> Starting in Windows 10, version 1703 the CellularSettings CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions.
The following image shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
The following shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
![provisioning for cellular settings.](images/provisioning-csp-cellularsettings.png)
```console
./Vendor/MSFT
CellularSettings
----DataRoam
```
<a href="" id="dataroam"></a>**DataRoam**
<p> Optional. Integer. Specifies the default roaming value. Valid values are:</p>

48
windows/client-management/mdm/cm-cellularentries-csp.md
View File

@ -18,9 +18,35 @@ The CM\_CellularEntries configuration service provider is used to configure the
This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capability to be accessed from a network configuration application.
The following diagram shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
The following shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
![cm\-cellularentries csp.](images/provisioning-csp-cm-cellularentries.png)
```console
CM_CellularEntries
----entryname
--------AlwaysOn
--------AuthType
--------ConnectionType
--------Desc.langid
--------Enabled
--------IpHeaderCompression
--------Password
--------SwCompression
--------UserName
--------UseRequiresMappingPolicy
--------Version
--------DevSpecificCellular
-----------GPRSInfoAccessPointName
--------Roaming
--------OEMConnectionID
--------ApnId
--------IPType
--------ExemptFromDisablePolicy
--------ExemptFromRoaming
--------TetheringNAI
--------IdleDisconnectTimeout
--------SimIccId
--------PurposeGroups
```
<a href="" id="entryname"></a>***entryname***
<p>Defines the name of the connection.</p>
@ -51,27 +77,27 @@ The following diagram shows the CM\_CellularEntries configuration service provid
</colgroup>
<tbody>
<tr class="odd">
<td><p>gprs</p></td>
<td><p>Gprs</p></td>
<td><p>Default. Used for GPRS type connections (GPRS + GSM + EDGE + UMTS + LTE).</p></td>
</tr>
<tr class="even">
<td><p>cdma</p></td>
<td><p>Cdma</p></td>
<td><p>Used for CDMA type connections (1XRTT + EVDO).</p></td>
</tr>
<tr class="odd">
<td><p>lte</p></td>
<td><p>Lte</p></td>
<td><p>Used for LTE type connections (eHRPD + LTE) when the device is registered HOME.</p></td>
</tr>
<tr class="even">
<td><p>legacy</p></td>
<td><p>Legacy</p></td>
<td><p>Used for GPRS + GSM + EDGE + UMTS connections.</p></td>
</tr>
<tr class="odd">
<td><p>lte_iwlan</p></td>
<td><p>Lte_iwlan</p></td>
<td><p>Used for GPRS type connections that may be offloaded over WiFi</p></td>
</tr>
<tr class="even">
<td><p>iwlan</p></td>
<td><p>Iwlan</p></td>
<td><p>Used for connections that are implemented over WiFi offload only</p></td>
</tr>
</tbody>
@ -285,15 +311,15 @@ The following table shows the Microsoft custom elements that this configuration
</thead>
<tbody>
<tr class="odd">
<td><p>nocharacteristic</p></td>
<td><p>Nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>characteristic-query</p></td>
<td><p>Characteristic-query</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>parm-query</p></td>
<td><p>Parm-query</p></td>
<td><p>Yes</p></td>
</tr>
</tbody>

133
windows/client-management/mdm/config-lock.md Normal file
View File

@ -0,0 +1,133 @@
---
title: Secured-Core Configuration Lock
description: A Secured-Core PC (SCPC) feature that prevents configuration drift from Secured-Core PC features (shown below) caused by unintentional misconfiguration.
manager: dansimp
keywords: mdm,management,administrator,config lock
ms.author: v-lsaldanha
ms.topic: article
ms.prod: w11
ms.technology: windows
author: lovina-saldanha
ms.date: 10/07/2021
---
# Secured-Core PC Configuration Lock
**Applies to**
- Windows 11
In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with Config Lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds.
Secured-Core Configuration Lock (Config Lock) is a new [Secured-Core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from Secured-Core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a Secured-Core PC remains a Secured-Core PC.
To summarize, Config Lock:
- Enables IT to “lock” Secured-Core PC features when managed through MDM
- Detects drift remediates within seconds
- DOES NOT prevent malicious attacks
## Configuration Flow
After a Secured-Core PC reaches the desktop, Config Lock will prevent configuration drift by detecting if the device is a Secured-Core PC or not. When the device isn't a Secured-Core PC, the lock won't apply. If the device is a Secured-Core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies).
## System Requirements
Config Lock will be available for all Windows Professional and Enterprise Editions running on [Secured-Core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).
## Enabling Config Lock using Microsoft Intune
Config Lock isn't enabled by default (or turned on by the OS during boot). Rather, an IT Admin must intentionally turn it on.
The steps to turn on Config Lock using Microsoft Endpoint Manager (Microsoft Intune) are as follows:
1. Ensure that the device to turn on Config Lock is enrolled in Microsoft Intune.
1. From the Microsoft Intune portal main page, select **Devices** > **Configuration Profiles** > **Create a profile**.
1. Select the following and press **Create**:
- **Platform**: Windows 10 and later
- **Profile type**: Templates
- **Template name**: Custom
:::image type="content" source="images/configlock-mem-createprofile.png" alt-text="create profile":::
1. Name your profile.
1. When you reach the Configuration Settings step, select “Add” and add the following information:
- **OMA-URI**: ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock
- **Data type**: Integer
- **Value**: 1 </br>
To turn off Config Lock. Change value to 0.
:::image type="content" source="images/configlock-mem-editrow.png" alt-text="edit row":::
1. Select the devices to turn on Config Lock. If you're using a test tenant, you can select “+ Add all devices”.
1. You'll not need to set any applicability rules for test purposes.
1. Review the Configuration and select “Create” if everything is correct.
1. After the device syncs with the Microsoft Intune server, you can confirm if the Config Lock was successfully enabled.
:::image type="content" source="images/configlock-mem-dev.png" alt-text="status":::
:::image type="content" source="images/configlock-mem-devstatus.png" alt-text="device status":::
## Disabling
Config Lock is designed to ensure that a Secured-Core PC isn't unintentionally misconfigured. IT Admins retain the ability to change (enabled/disable) SCPC features via Group Policies and/or mobile device management (MDM) tools, such as Microsoft Intune.
:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="firmware protect":::
## FAQ
**Can an IT admins disable Config Lock ?** </br>
Yes. IT admins can use MDM to turn off Config Lock.</br>
### List of locked policies
|**CSPs** |
|-----|
|[BitLocker ](bitlocker-csp.md) |
|[PassportForWork](passportforwork-csp.md) |
|[WindowsDefenderApplicationGuard](windowsdefenderapplicationguard-csp.md) |
|[ApplicationControl](applicationcontrol-csp.md)
|**MDM policies** |
|-----|
|[DataProtection/AllowDirectMemoryAccess](policy-csp-dataprotection.md) |
|[DataProtection/LegacySelectiveWipeID](policy-csp-dataprotection.md) |
|[DeviceGuard/ConfigureSystemGuardLaunch](policy-csp-deviceguard.md) |
|[DeviceGuard/EnableVirtualizationBasedSecurity](policy-csp-deviceguard.md) |
|[DeviceGuard/LsaCfgFlags](policy-csp-deviceguard.md) |
|[DeviceGuard/RequirePlatformSecurityFeatures](policy-csp-deviceguard.md) |
|[DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) |
|[DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) |
|[DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) |
|[DeviceInstallation/PreventDeviceMetadataFromNetwork](policy-csp-deviceinstallation.md) |
|[DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](policy-csp-deviceinstallation.md) |
|[DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) |
|[DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) |
|[DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) |
|[DmaGuard/DeviceEnumerationPolicy](policy-csp-dmaguard.md) |
|[WindowsDefenderSecurityCenter/CompanyName](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableAccountProtectionUI](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableAppBrowserUI](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableClearTpmButton](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableEnhancedNotifications](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableFamilyUI](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableHealthUI](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableNetworkUI](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableNotifications](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](policy-csp-windowsdefendersecuritycenter.md)|
|[WindowsDefenderSecurityCenter/DisableVirusUI](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/Email](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/EnableCustomizedToasts](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/EnableInAppCustomization](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/HideSecureBoot](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/HideTPMTroubleshooting](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/Phone](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/URL](policy-csp-windowsdefendersecuritycenter.md) |
|[SmartScreen/EnableAppInstallControl](policy-csp-smartscreen.md)|
|[SmartScreen/EnableSmartScreenInShell](policy-csp-smartscreen.md) |
|[SmartScreen/PreventOverrideForFilesInShell](policy-csp-smartscreen.md) |

1196
windows/client-management/mdm/configuration-service-provider-reference.md
View File

File diff suppressed because it is too large Load Diff

2
windows/client-management/mdm/devdetail-csp.md
View File

@ -179,7 +179,7 @@ Value type is string. Supported operations are Get and Replace.
> [!NOTE]
> We recommend using `%SERIAL%` or `%RAND:x%` with a high character limit to reduce the chance of name collision when generating a random name. This feature doesn't check if a particular name is already present in the environment.
On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the `computer's` serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit does not count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**.
On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the computer's serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit does not count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**.
<a href="" id="ext-microsoft-totalstorage"></a>**Ext/Microsoft/TotalStorage**
Added in Windows 10, version 1511. Integer that specifies the total available storage in MB from first internal drive on the device (may be less than total physical storage).

74
windows/client-management/mdm/device-update-management.md
View File

@ -138,9 +138,46 @@ Updates are configured using a combination of the [Update CSP](update-csp.md), a
The enterprise IT can configure auto-update polices via OMA DM using the [Policy CSP](policy-configuration-service-provider.md) (this functionality is not supported in Windows 10 Mobile and Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP.
The following diagram shows the Update policies in a tree format.
The following shows the Update policies in a tree format.
![update policies.](images/update-policies.png)
```console
./Vendor/MSFT
Policy
----Config
--------Update
-----------ActiveHoursEnd
-----------ActiveHoursMaxRange
-----------ActiveHoursStart
-----------AllowAutoUpdate
-----------AllowMUUpdateService
-----------AllowNonMicrosoftSignedUpdate
-----------AllowUpdateService
-----------AutoRestartNotificationSchedule
-----------AutoRestartRequiredNotificationDismissal
-----------BranchReadinessLevel
-----------DeferFeatureUpdatesPeriodInDays
-----------DeferQualityUpdatesPeriodInDays
-----------DeferUpdatePeriod
-----------DeferUpgradePeriod
-----------EngagedRestartDeadline
-----------EngagedRestartSnoozeSchedule
-----------EngagedRestartTransitionSchedule
-----------ExcludeWUDriversInQualityUpdate
-----------IgnoreMOAppDownloadLimit
-----------IgnoreMOUpdateDownloadLimit
-----------PauseDeferrals
-----------PauseFeatureUpdates
-----------PauseQualityUpdates
-----------RequireDeferUpgrade
-----------RequireUpdateApproval
-----------ScheduleImminentRestartWarning
-----------ScheduledInstallDay
-----------ScheduledInstallTime
-----------ScheduleRestartWarning
-----------SetAutoRestartNotificationDisable
-----------UpdateServiceUrl
-----------UpdateServiceUrlAlternate
```
<a href="" id="update-activehoursend"></a>**Update/ActiveHoursEnd**
> [!NOTE]
@ -674,9 +711,38 @@ Example
### Update management
The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following diagram shows the Update CSP in tree format..
The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following shows the Update CSP in tree format.
![provisioning csp update.](images/provisioning-csp-update.png)
```console
./Vendor/MSFT
Update
----ApprovedUpdates
--------Approved Update Guid
------------ApprovedTime
----FailedUpdates
--------Failed Update Guid
------------HResult
------------Status
------------RevisionNumber
----InstalledUpdates
--------Installed Update Guid
------------RevisionNumber
----InstallableUpdates
--------Installable Update Guid
------------Type
------------RevisionNumber
----PendingRebootUpdates
--------Pending Reboot Update Guid
------------InstalledTime
------------RevisionNumber
----LastSuccessfulScanTime
----DeferUpgrade
----Rollback
--------QualityUpdate
--------FeatureUpdate
--------QualityUpdateStatus
--------FeatureUpdateStatus
```
<a href="" id="update"></a>**Update**
The root node.

34
windows/client-management/mdm/deviceinstanceservice-csp.md
View File

@ -24,9 +24,27 @@ The DeviceInstance CSP is only supported in Windows 10 Mobile.
The following diagram shows the DeviceInstanceService configuration service provider in tree format.
The following shows the DeviceInstanceService configuration service provider in tree format.
![provisioning\-csp\-deviceinstanceservice.](images/provisioning-csp-deviceinstanceservice.png)
```console
./Vendor/MSFT
DeviceInstanceService
------------Roaming
------------PhoneNumber
------------IMEI
------------IMSI
------------Identity
---------------Identity1
------------------Roaming
------------------PhoneNumber
------------------IMEI
------------------IMSI
---------------Identity2
------------------PhoneNumber
------------------IMEI
------------------IMSI
------------------Roaming
```
<a href="" id="roaming"></a>**Roaming**
A boolean value that specifies the roaming status of the device. In dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/Roaming is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/Roaming.
@ -36,34 +54,34 @@ Supported operation is **Get**.
Returns **True** if the device is roaming; otherwise **False**.
<a href="" id="phonenumber"></a>**PhoneNumber**
A string that represents the phone number of the device. In case of dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/PhoneNumber is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/PhoneNumber.
A string that represents the phone number of the device. In dual SIM mode, when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/PhoneNumber is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/PhoneNumber.
Value type is chr.
Supported operation is **Get**.
<a href="" id="imei"></a>**IMEI**
A string the represents the International Mobile Station Equipment Identity (IMEI) of the device. In case of dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMEI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMEI.
A string the represents the International Mobile Station Equipment Identity (IMEI) of the device. In dual SIM mode, when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMEI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMEI.
Value type is chr.
Supported operation is **Get**.
<a href="" id="imsi"></a>**IMSI**
A string that represents the first six digits of device IMSI number (Mobile Country/region Code, Mobile Network Code) of the device. In case of dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMSI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMSI.
A string that represents the first six digits of device IMSI number (Mobile Country/region Code, Mobile Network Code) of the device. In dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMSI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMSI.
Value type is chr.
Supported operation is **Get**.
<a href="" id="identity"></a>**Identity**
The parent node to group per SIM specific information in case of dual SIM mode.
The parent node to group per SIM-specific information in dual SIM mode.
<a href="" id="identity1"></a>**Identity1**
The parent node to group SIM1 specific information in case of dual SIM mode.
The parent node to group SIM1 specific information in dual SIM mode.
<a href="" id="identity2"></a>**Identity2**
The parent node to group SIM2 specific information in case of dual SIM mode.
The parent node to group SIM2 specific information in dual SIM mode.
## Examples

28
windows/client-management/mdm/devicelock-csp.md
View File

@ -30,9 +30,33 @@ The DevicePasswordEnabled setting must be set to 0 (device password is enabled)
- MaxInactivityTimeDeviceLock
- MinDevicePasswordComplexCharacters
The following image shows the DeviceLock configuration service provider in tree format.
The following shows the DeviceLock configuration service provider in tree format.
![devicelock csp.](images/provisioning-csp-devicelock.png)
```console
./Vendor/MSFT
DeviceLock
--------Provider
----------ProviderID
-------------DevicePasswordEnabled
-------------AllowSimpleDevicePassword
-------------MinDevicePasswordLength
-------------AlphanumericDevicePasswordRequired
-------------MaxDevicePasswordFailedAttempts
-------------DevicePasswordExpiration
-------------DevicePasswordHistory
-------------MaxInactivityTimeDeviceLock
-------------MinDevicePasswordComplexCharacters
----------DeviceValue
-------------DevicePasswordEnabled
-------------AllowSimpleDevicePassword
-------------MinDevicePasswordLength
-------------AlphanumericDevicePasswordRequired
-------------MaxDevicePasswordFailedAttempts
-------------DevicePasswordExpiration
-------------DevicePasswordHistory
-------------MaxInactivityTimeDeviceLock
-------------MinDevicePasswordComplexCharacters
```
<a href="" id="provider"></a>**Provider**
Required. An interior node to group all policy providers. Scope is permanent. Supported operation is Get.

33
windows/client-management/mdm/dmclient-csp.md
View File

@ -22,7 +22,7 @@ The following shows the DMClient CSP in tree format.
./Vendor/MSFT
DMClient
----Provider
--------
--------ProviderID
------------EntDeviceName
------------ExchangeID
------------EntDMID
@ -45,6 +45,10 @@ DMClient
------------HWDevID
------------ManagementServerAddressList
------------CommercialID
------------ConfigLock
----------------Lock
----------------UnlockDuration
----------------SecureCore
------------Push
----------------PFN
----------------ChannelURI
@ -598,6 +602,33 @@ Optional. Boolean value that allows the IT admin to require the device to start
Supported operations are Add, Get, and Replace.
<a href="" id="provider-providerid-configlock"></a>**Provider/*ProviderID*/ConfigLock**
Optional. This node enables [Config Lock](config-lock.md) feature. If enabled, policies defined in the Config Lock document will be monitored and quickly remediated when a configuration drift is detected.
Default = Locked
> [!Note]
>If the device is not a Secured-core PC, then this feature will not work. To know more, see [Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure).
<a href="" id="provider-providerid-configlock-lock"></a>**Provider/*ProviderID*/ConfigLock/Lock**
The supported values for this node are 0-unlock, 1-lock.
Supported operations are Add, Delete, Get.
<a href="" id="provider-providerid-configlock-unlockduration"></a>**Provider/*ProviderID*/ConfigLock/UnlockDuration**
The supported values for this node are 1 to 480 (in min).
Supported operations are Add, Delete, Get.
<a href="" id="provider-providerid-configlock-securecore"></a>**Provider/*ProviderID*/ConfigLock/SecureCore**
The supported values for this node are false or true.
Supported operation is Get only.
<a href="" id="provider-providerid-push"></a>**Provider/*ProviderID*/Push**
Optional. Not configurable during WAP Provisioning XML. If removed, DM sessions triggered by Push will no longer be supported.

4
windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
View File

@ -289,6 +289,10 @@ To collect Event Viewer logs:
- [Filter Using Security Groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc752992(v=ws.11))
- [Enforce a Group Policy Object Link](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753909(v=ws.11))
- [Group Policy Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra)
- [Getting started with Cloud Native Windows Endpoints](https://docs.microsoft.com/mem/cloud-native-windows-endpoints)
- [A Framework for Windows endpoint management transformation](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/a-framework-for-windows-endpoint-management-transformation/ba-p/2460684)
- [Success with remote Windows Autopilot and Hybrid Azure Active Director join](https://techcommunity.microsoft.com/t5/intune-customer-success/success-with-remote-windows-autopilot-and-hybrid-azure-active/ba-p/2749353)
### Useful Links
- [Windows 10 Administrative Templates for Windows 10 May 2021 Update 21H1](https://www.microsoft.com/download/details.aspx?id=103124)

104
windows/client-management/mdm/enterprise-app-management.md
View File

@ -39,9 +39,109 @@ Windows 10 lets you inventory all apps deployed to a user and all apps for all
These classifications are represented as nodes in the EnterpriseModernAppManagement CSP.
The following diagram shows the EnterpriseModernAppManagement CSP in a tree format.
The following shows the EnterpriseModernAppManagement CSP in a tree format.
![enterprisemodernappmanagement csp diagram.](images/provisioning-csp-enterprisemodernappmanagement.png)
```console
./Device/Vendor/MSFT
or
./User/Vendor/MSFT
EnterpriseAppManagement
----AppManagement
--------UpdateScan
--------LastScanError
--------AppInventoryResults
--------AppInventoryQuery
--------RemovePackage
--------AppStore
----------PackageFamilyName
------------PackageFullName
--------------Name
--------------Version
--------------Publisher
--------------Architecture
--------------InstallLocation
--------------IsFramework
--------------IsBundle
--------------InstallDate
--------------ResourceID
--------------RequiresReinstall
--------------PackageStatus
--------------Users
--------------IsProvisioned
--------------IsStub
------------DoNotUpdate
------------AppSettingPolicy
--------------SettingValue
------------MaintainProcessorArchitectureOnUpdate
------------NonRemovable
----------ReleaseManagement
------------ReleaseManagementKey
--------------ChannelId
--------------ReleaseId
--------------EffectiveRelease
-----------------ChannelId
-----------------ReleaseId
--------nonStore
----------PackageFamilyName
------------PackageFullName
--------------Name
--------------Version
--------------Publisher
--------------Architecture
--------------InstallLocation
--------------IsFramework
--------------IsBundle
--------------InstallDate
--------------ResourceID
--------------RequiresReinstall
--------------PackageStatus
--------------Users
--------------IsProvisioned
--------------IsStub
------------DoNotUpdate
------------AppSettingPolicy
--------------SettingValue
------------MaintainProcessorArchitectureOnUpdate
------------NonRemoveable
--------System
----------PackageFamilyName
------------PackageFullName
--------------Name
--------------Version
--------------Publisher
--------------Architecture
--------------InstallLocation
--------------IsFramework
--------------IsBundle
--------------InstallDate
--------------ResourceID
--------------RequiresReinstall
--------------PackageStatus
--------------Users
--------------IsProvisioned
--------------IsStub
------------DoNotUpdate
------------AppSettingPolicy
--------------SettingValue
------------MaintainProcessorArchitectureOnUpdate
------------NonRemoveable
----AppInstallation
--------PackageFamilyName
----------StoreInstall
----------HostedInstall
----------LastError
----------LastErrorDesc
----------Status
----------ProgressStatus
----AppLicenses
--------StoreLicenses
----------LicenseID
------------LicenseCategory
------------LicenseUsage
------------RequesterID
------------AddLicense
------------GetLicenseFromStore
```
Each app displays one package family name and 1-n package full names for installed apps. The apps are categorized based on their origin (Store, nonStore, System).

30
windows/client-management/mdm/enterpriseappmanagement-csp.md
View File

@ -21,9 +21,35 @@ The EnterpriseAppManagement enterprise configuration service provider is used to
The following diagram shows the EnterpriseAppManagement configuration service provider in tree format.
The following shows the EnterpriseAppManagement configuration service provider in tree format.
![enterpriseappmanagement csp.](images/provisioning-csp-enterpriseappmanagement.png)
```console
./Vendor/MSFT
EnterpriseAppManagement
----EnterpriseID
--------EnrollmentToken
--------StoreProductID
--------StoreUri
--------CertificateSearchCriteria
--------Status
--------CRLCheck
--------EnterpriseApps
------------Inventory
----------------ProductID
--------------------Version
--------------------Title
--------------------Publisher
--------------------InstallDate
------------Download
----------------ProductID
--------------------Version
--------------------Name
--------------------URL
--------------------Status
--------------------LastError
--------------------LastErrorDesc
--------------------DownloadInstall
```
<a href="" id="enterpriseid"></a>***EnterpriseID***
Optional. A dynamic node that represents the EnterpriseID as a GUID. It is used to enroll or unenroll enterprise applications.

3
windows/client-management/mdm/enterpriseassignedaccess-csp.md
View File

@ -19,8 +19,7 @@ The EnterpriseAssignedAccess configuration service provider allows IT administra
> **Note**   The EnterpriseAssignedAccess CSP is only supported in Windows 10 Mobile.
To use an app to create a lockdown XML see [Use the Lockdown Designer app to create a Lockdown XML file](/windows/configuration/mobile-devices/mobile-lockdown-designer). For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](/uwp/api/Windows.Embedded.DeviceLockdown.DeviceLockdownProfile).
For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](/uwp/api/Windows.Embedded.DeviceLockdown.DeviceLockdownProfile).
The following shows the EnterpriseAssignedAccess configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
```

11
windows/client-management/mdm/filesystem-csp.md
View File

@ -22,9 +22,16 @@ The FileSystem configuration service provider is used to query, add, modify, and
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application.
The following diagram shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider.
The following shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider.
![filesystem csp (dm).](images/provisioning-csp-filesystem-dm.png)
```console
./Vendor/MSFT
FileSystem
----file name
----file directory
--------file name
--------file directory
```
<a href="" id="filesystem"></a>**FileSystem**
Required. Defines the root of the file system management object. It functions as the root directory for file system queries.

21
windows/client-management/mdm/hotspot-csp.md
View File

@ -25,9 +25,26 @@ The HotSpot configuration service provider is used to configure and enable Inter
The following diagram shows the HotSpot configuration service provider management object in tree format as used by OMA Client Provisioning. The OMA DM protocol is not supported by this configuration service provider.
The following shows the HotSpot configuration service provider management object in tree format as used by OMA Client Provisioning. The OMA DM protocol is not supported by this configuration service provider.
![hotspot csp (cp).](images/provisioning-csp-hotspot-cp.png)
```console
./Vendor/MSFT
HotSpot
-------Enabled
-------DedicatedConnections
-------TetheringNAIConnection
-------MaxUsers
-------MaxBluetoothUsers
-------MOHelpNumber
-------MOInfoLink
-------MOAppLink
-------MOHelpMessage
-------EntitlementRequired
-------EntitlementDll
-------EntitlementInterval
-------PeerlessTimeout
-------PublicConnectionTimeout
```
<a href="" id="enabled"></a>**Enabled**
Required. Specifies whether to enable Internet sharing on the device. The default is false.

BIN
windows/client-management/mdm/images/configlock-mem-createprofile.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 91 KiB

BIN
windows/client-management/mdm/images/configlock-mem-dev.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 53 KiB

BIN
windows/client-management/mdm/images/configlock-mem-devstatus.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 47 KiB

BIN
windows/client-management/mdm/images/configlock-mem-editrow.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 42 KiB

BIN
windows/client-management/mdm/images/configlock-mem-firmwareprotect.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

BIN
windows/client-management/mdm/images/faq-max-devices.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 6.0 KiB

After

Width:  |  Height:  |  Size: 5.4 KiB

BIN
windows/client-management/mdm/images/flow-configlock.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 27 KiB

13
windows/client-management/mdm/messaging-csp.md
View File

@ -15,9 +15,18 @@ manager: dansimp
The Messaging configuration service provider is used to configure the ability to get text messages audited on a mobile device. This CSP was added in Windows 10, version 1703.
The following diagram shows the Messaging configuration service provider in tree format.
The following shows the Messaging configuration service provider in tree format.
![messaging csp.](images/provisioning-csp-messaging.png)
```console
./User/Vendor/MSFT
Messaging
----AuditingLevel
----Auditing
--------Messages
----------Count
----------RevisionId
----------Data
```
<a href="" id="--user-msft-applocker"></a>**./User/Vendor/MSFT/Messaging**

53
windows/client-management/mdm/mobile-device-enrollment.md
View File

@ -66,13 +66,13 @@ Devices that are joined to an on-premises Active Directory can enroll into MDM v
## Disable MDM enrollments
Starting in Windows 10, version 1607, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **MDM** &gt; **Disable MDM Enrollment**.
In Windows 10 and Windows 11, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **MDM** &gt; **Disable MDM Enrollment**.
![Disable MDM enrollment policy in GP Editor.](images/mdm-enrollment-disable-policy.png)
Here is the corresponding registry key:
Key: \\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\MDM
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM
Value: DisableRegistration
@ -80,19 +80,8 @@ Value: DisableRegistration
The following scenarios do not allow MDM enrollments:
- Built-in administrator accounts on Windows desktop cannot enroll into MDM.
- Standard users cannot enroll in MDM. Only admin users can enroll.
- Windows 8.1 devices enrolled into MDM via enroll-on-behalf-of (EOBO) can upgrade to Windows 10, but the enrollment is not supported. We recommend performing a server initiated unenroll to remove these enrollments and then enrolling after the upgrade to Windows 10 is completed.
## Enrollment migration
**Desktop:** After the MDM client upgrade from Windows 8.1 to Windows 10, enrollment migration starts at the first client-initiated sync with the MDM service. The enrollment migration start time depends on the MDM server configuration. For example, for Intune it runs every 6 hours.
Until the enrollment migration is completed, the user interface will show no enrollment and server push will not work.
To manually trigger enrollment migration, you can run MDMMaintenenceTask.
**Mobile devices:** After the MDM client upgrade from Windows Phone 8.1 to Windows 10 Mobile, enrollment migration is performed during the first boot after the upgrade.
- Built-in administrator accounts on Windows desktop cannot enroll into MDM.
- Standard users cannot enroll in MDM. Only admin users can enroll.
## Enrollment error messages
@ -143,49 +132,49 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma
<td><p>s:</p></td>
<td><p>MessageFormat</p></td>
<td><p>MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR</p></td>
<td><p>Message format is bad</p></td>
<td><p>Invalid message from the Mobile Device Management (MDM) server.</p></td>
<td><p>80180001</p></td>
</tr>
<tr class="even">
<td><p>s:</p></td>
<td><p>Authentication</p></td>
<td><p>MENROLL_E_DEVICE_AUTHENTICATION_ERROR</p></td>
<td><p>User not recognized</p></td>
<td><p>The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator.</p></td>
<td><p>80180002</p></td>
</tr>
<tr class="odd">
<td><p>s:</p></td>
<td><p>Authorization</p></td>
<td><p>MENROLL_E_DEVICE_AUTHORIZATION_ERROR</p></td>
<td><p>User not allowed to enroll</p></td>
<td><p>The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator.</p></td>
<td><p>80180003</p></td>
</tr>
<tr class="even">
<td><p>s:</p></td>
<td><p>CertificateRequest</p></td>
<td><p>MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR</p></td>
<td><p>Failed to get certificate</p></td>
<td><p>MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR</p></td>
<td><p>The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator.</p></td>
<td><p>80180004</p></td>
</tr>
<tr class="odd">
<td><p>s:</p></td>
<td><p>EnrollmentServer</p></td>
<td><p>MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR</p></td>
<td></td>
<td>The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator.</td>
<td><p>80180005</p></td>
</tr>
<tr class="even">
<td><p>a:</p></td>
<td><p>InternalServiceFault</p></td>
<td><p>MENROLL_E_DEVICE_INTERNALSERVICE_ERROR</p></td>
<td><p>The server hit an unexpected issue</p></td>
<td><p> There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator.</p></td>
<td><p>80180006</p></td>
</tr>
<tr class="odd">
<td><p>a:</p></td>
<td><p>InvalidSecurity</p></td>
<td><p>MENROLL_E_DEVICE_INVALIDSECURITY_ERROR</p></td>
<td><p>Cannot parse the security header</p></td>
<td><p>The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator.</p></td>
<td><p>80180007</p></td>
</tr>
</tbody>
@ -242,43 +231,43 @@ In Windows 10, version 1507, we added the deviceenrollmentserviceerror element.
<tr class="odd">
<td><p>DeviceCapReached</p></td>
<td><p>MENROLL_E_DEVICECAPREACHED</p></td>
<td><p>User already enrolled in too many devices. Delete or unenroll old ones to fix this error. The user can fix it without admin help.</p></td>
<td><p>The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error.</p></td>
<td><p>80180013</p></td>
</tr>
<tr class="even">
<td><p>DeviceNotSupported</p></td>
<td><p>MENROLL_E_DEVICENOTSUPPORTED</p></td>
<td><p>Specific platform (e.g. Windows) or version is not supported. There is no point retrying or calling admin. User could upgrade device.</p></td>
<td><p>The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device.</p></td>
<td><p>80180014</p></td>
</tr>
<tr class="odd">
<td><p>NotSupported</p></td>
<td><p>MENROLL_E_NOTSUPPORTED</p></td>
<td><p>Mobile device management generally not supported (would save an admin call)</p></td>
<td><p>MENROLL_E_NOT_SUPPORTED</p></td>
<td><p>Mobile Device Management (MDM) is generally not supported for this device.</p></td>
<td><p>80180015</p></td>
</tr>
<tr class="even">
<td><p>NotEligibleToRenew</p></td>
<td><p>MENROLL_E_NOTELIGIBLETORENEW</p></td>
<td><p>Device is trying to renew but server rejects the request. Client might show notification for this if Robo fails. Check time on device. The user can fix it by re-enrolling.</p></td>
<td><p>The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device.</p></td>
<td><p>80180016</p></td>
</tr>
<tr class="odd">
<td><p>InMaintenance</p></td>
<td><p>MENROLL_E_INMAINTENANCE</p></td>
<td><p>Account is in maintenance, retry later. The user can retry later, but they may need to contact the admin because they would not know when problem is solved.</p></td>
<td><p>The Mobile Device Management (MDM) server states your account is in maintenance, try again later.</p></td>
<td><p>80180017</p></td>
</tr>
<tr class="even">
<td><p>UserLicense</p></td>
<td><p>MENROLL_E_USERLICENSE</p></td>
<td><p>License of user is in bad state and blocking the enrollment. The user needs to call the admin.</p></td>
<td><p>MENROLL_E_USER_LICENSE</p></td>
<td><p>There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator.</p></td>
<td><p>80180018</p></td>
</tr>
<tr class="odd">
<td><p>InvalidEnrollmentData</p></td>
<td><p>MENROLL_E_ENROLLMENTDATAINVALID</p></td>
<td><p>The server rejected the enrollment data. The server may not be configured correctly.</p></td>
<td><p>The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly.</p></td>
<td><p>80180019</p></td>
</tr>
</tbody>

46
windows/client-management/mdm/napdef-csp.md
View File

@ -25,13 +25,41 @@ The NAPDEF configuration service provider is used to add, modify, or delete WAP
The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
![napdef csp (cp) (initial bootstrapping).](images/provisioning-csp-napdef-cp.png)
```console
NAPDEF
----NAPAUTHINFO
------AUTHNAME
------AUTHSECRET
------AUTHTYPE
----BEARER
----INTERNET
----LOCAL-ADDR
----LOCAL-ADDRTYPE
----NAME
----NAP-ADDRESS
----NAP-ADDRTYPE
----NAPID
```
The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **updating the bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **updating the bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
![napdef csp (cp) (update bootstrapping).](images/provisioning-csp-napdef-cp-2.png)
```console
NAPDEF
--NAPID
----NAPAUTHINFO
------AUTHNAME
------AUTHSECRET
------AUTHTYPE
----BEARER
----INTERNET
----LOCAL-ADDR
----LOCAL-ADDRTYPE
----NAME
----NAP-ADDRESS
----NAP-ADDRTYPE
```
<a href="" id="napauthinfo"></a>**NAPAUTHINFO**
Defines a group of authentication settings.
@ -106,26 +134,26 @@ The following table shows the Microsoft custom elements that this configuration
</colgroup>
<thead>
<tr class="header">
<th>ELements</th>
<th>Elements</th>
<th>Available</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>parm-query</p></td>
<td><p>Parm-query</p></td>
<td><p>Yes</p>
<p>Note that some GPRS parameters will not necessarily contain the exact same value as was set.</p></td>
</tr>
<tr class="even">
<td><p>noparm</p></td>
<td><p>Noparm</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>nocharacteristic</p></td>
<td><p>Nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>characteristic-query</p></td>
<td><p>Characteristic-query</p></td>
<td><p>Yes</p></td>
</tr>
</tbody>

366
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

File diff suppressed because one or more lines are too long

61
windows/client-management/mdm/passportforwork-csp.md
View File

@ -21,15 +21,68 @@ The PassportForWork configuration service provider is used to provision Windows
 
### User configuration diagram
The following diagram shows the PassportForWork configuration service provider in tree format.
The following shows the PassportForWork configuration service provider in tree format.
![passportforwork csp.](images/provisioning-csp-passportforwork.png)
```console
./User/Vendor/MSFT
PassportForWork
-------TenantId
----------Policies
-------------UsePassportForWork
-------------RequireSecurityDevice
-------------EnablePinRecovery
-------------PINComplexity
----------------MinimumPINLength
----------------MaximumPINLength
----------------UppercaseLetters
----------------LowercaseLetters
----------------SpecialCharecters
----------------Digits
----------------History
----------------Expiration
```
### Device configuration diagram
The following diagram shows the PassportForWork configuration service provider in tree format.
The following shows the PassportForWork configuration service provider in tree format.
![passportforwork diagram.](images/provisioning-csp-passportforwork2.png)
```console
./Device/Vendor/MSFT
PassportForWork
-------TenantId
----------Policies
-------------UsePassportForWork
-------------RequireSecurityDevice
-------------ExcludeSecurityDevices
----------------TPM12
-------------EnablePinRecovery
-------------UserCertificateForOnPremAuth
-------------PINComplexity
----------------MinimumPINLength
----------------MaximumPINLength
----------------UppercaseLetters
----------------LowercaseLetters
----------------SpecialCharacters
----------------Digits
----------------History
----------------Expiration
-------------Remote
----------------UseRemotePassport
-------------UseHelloCertificatesAsSmartCardCertificates
-------UseBiometrics
-------Biometrics
----------UseBiometrics
----------FacialFeatureUse
-------DeviceUnlock
----------GroupA
----------GroupB
----------Plugins
-------DynamicLock
----------DynamicLock
----------Plugins
-------SecurityKey
----------UseSecurityKeyForSignin
```
<a href="" id="passportforwork"></a>**PassportForWork**
Root node for PassportForWork configuration service provider.

20
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -42,9 +42,25 @@ The Policy configuration service provider has the following sub-categories:
> - **./Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy.
> - **./Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result.
The following diagram shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
The following shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
![policy csp diagram.](images/provisioning-csp-policy.png)
```console
./Vendor/MSFT
Policy
-------Config
----------AreaName
-------------PolicyName
-------Result
----------AreaName
-------------PolicyName
-------ConfigOperations
----------ADMXInstall
-------------AppName
----------------Policy
------------------UniqueID
----------------Preference
------------------UniqueID
```
<a href="" id="--vendor-msft-policy"></a>**./Vendor/MSFT/Policy**

3
windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
View File

@ -1551,7 +1551,8 @@ ADMX Info:
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>

4
windows/client-management/mdm/policy-csp-authentication.md
View File

@ -517,7 +517,7 @@ Specifies the list of domains that are allowed to be navigated to in AAD PIN res
<!--/Scope-->
<!--Description-->
> [!Warning]
> This policy is in preview mode only and therefore not meant or recommended for production purposes.
> The Web Sign-in feature is in preview mode only and therefore not meant or recommended for production purposes.
This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts.
@ -596,7 +596,7 @@ Value type is integer. Supported values:
<!--/Scope-->
<!--Description-->
> [!Warning]
> This policy is in preview mode only and therefore not meant or recommended for production purposes.
> The Web Sign-in feature is in preview mode only and therefore not meant or recommended for production purposes.
"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for new Azure AD credentials, like Temporary Access Pass.

8
windows/client-management/mdm/policy-csp-settings.md
View File

@ -927,18 +927,18 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:".  Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:bluetooth", the page identifier used in the policy will be just "bluetooth". Multiple page identifiers are separated by semicolons.
Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:".  Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:bluetooth", the page identifier used in the policy will be just "bluetooth". Multiple page identifiers are separated by semicolons. For additional information on the URI reference scheme used for the various pages of the System Settings app, see [ms-settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference).
The following example illustrates a policy that would allow access only to the about and bluetooth pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively:
showonly:about;bluetooth
If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (i.e. treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. Note that if a page is already hidden for another reason, then it will remain hidden even if it is in a "showonly:" list.
If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (that is, treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. Note that if a page is already hidden for another reason, then it will remain hidden even if it is in a "showonly:" list.
The format of the PageVisibilityList value is as follows:
- The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity.
- There are two variants: one that shows only the given pages and one which hides the given pages.
- There are two variants: one that shows only the given pages and one that hides the given pages.
- The first variant starts with the string "showonly:" and the second with the string "hide:".
- Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace.
- Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:network-wifi" would be just "network-wifi".
@ -964,7 +964,7 @@ ADMX Info:
<!--/ADMXMapped-->
<!--Validation-->
To validate on Desktop, do the following:
To validate on Desktop, use the following steps:
1. Open System Settings and verify that the About page is visible and accessible.
2. Configure the policy with the following string: "hide:about".

53
windows/client-management/mdm/pxlogical-csp.md
View File

@ -19,15 +19,56 @@ The PXLOGICAL configuration service provider is used to add, remove, or modify W
> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
 
The following diagram shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for initial bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider.
The following shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for initial bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider.
![pxlogical csp (cp) (initial bootstrapping).](images/provisioning-csp-pxlogical-cp.png)
```console
PXLOGICAL
----DOMAIN
----NAME
----PORT
-------PORTNBR
-------SERVICE
----PUSHENABLED
----PROXY-ID
----TRUST
----PXPHYSICAL
-------DOMAIN
-------PHYSICAL-PROXY-ID
-------PORT
---------PORTNBR
---------SERVICE
-------PUSHENABLED
-------PXADDR
-------PXADDRTYPE
-------TO-NAPID
```
The following diagram shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for updating the bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider.
![pxlogical csp (cp) (update bootstrapping).](images/provisioning-csp-pxlogical-cp-2.png)
The following shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for updating the bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider.
```console
PXLOGICAL
--PROXY-ID
----DOMAIN
----NAME
----PORT
-------PORTNBR
-------SERVICE
----PUSHENABLED
----TRUST
----PXPHYSICAL
-------PHYSICAL-PROXY-ID
----------DOMAIN
----------PORT
-------------PORTNBR
-------------SERVICE
----------PUSHENABLED
----------PXADDR
----------PXADDRTYPE
----------TO-NAPID
```
<a href="" id="pxphysical"></a>**PXPHYSICAL**
Defines a group of logical proxy settings.
@ -37,7 +78,7 @@ The element's mwid attribute is a Microsoft provisioning XML attribute, and is o
<a href="" id="domain"></a>**DOMAIN**
Specifies the domain associated with the proxy (for example, "\*.com").
A Windows device supports only one proxy that does not have a DOMAIN parameter, or has an empty DOMAIN value. That is, the device only supports one default proxy. All other proxy configurations must have a DOMAIN parameter with a non-empty value. A query of this parameter returns a semicolon delimited string of all domains associated with the proxy.
A Windows device supports only one proxy that does not have a DOMAIN parameter, or has an empty DOMAIN value. That is, the device only supports one default proxy. All other proxy configurations must have a DOMAIN parameter with a non-empty value. A query of this parameter returns a semicolon-delimited string of all domains associated with the proxy.
<a href="" id="name"></a>**NAME**
Specifies the name of the logical proxy.

14
windows/client-management/mdm/securitypolicy-csp.md
View File

@ -23,9 +23,13 @@ The SecurityPolicy configuration service provider is used to configure security
For the SecurityPolicy CSP, you cannot use the Replace command unless the node already exists.
The following diagram shows the SecurityPolicy configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning.
The following shows the SecurityPolicy configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning.
![securitypolicy csp (dm,cp).](images/provisioning-csp-securitypolicy-dmandcp.png)
```console
./Vendor/MSFT
SecurityPolicy
----PolicyID
```
<a href="" id="policyid"></a>***PolicyID***
Defines the security policy identifier as a decimal value.
@ -48,7 +52,7 @@ The following security policies are supported.
<tbody>
<tr class="odd">
<td><p>4104</p>
<p>Hex:1008</p></td>
<p>Hex: 1008</p></td>
<td><p>TPS Policy</p></td>
<td><p>This setting indicates whether mobile operators can be assigned the Trusted Provisioning Server (TPS) SECROLE_OPERATOR_TPS role.</p>
<p>Default value: 1</p>
@ -58,7 +62,7 @@ The following security policies are supported.
</tr>
<tr class="even">
<td><p>4105</p>
<p>Hex:1009</p></td>
<p>Hex: 1009</p></td>
<td><p>Message Authentication Retry Policy</p></td>
<td><p>This setting specifies the maximum number of times the user is allowed to try authenticating a Wireless Application Protocol (WAP) PIN-signed message.</p>
<p>Default value: 3</p>
@ -66,7 +70,7 @@ The following security policies are supported.
</tr>
<tr class="odd">
<td><p>4108</p>
<p>Hex:100c</p></td>
<p>Hex: 100c</p></td>
<td><p>Service Loading Policy</p></td>
<td><p>This setting indicates whether SL messages are accepted, by specifying the security roles that can accept SL messages. An SL message downloads new services or provisioning XML to the device.</p>
<p>Default value: 256 (SECROLE_KNOWN_PPG)</p>

2
windows/client-management/mdm/toc.yml
View File

@ -48,6 +48,8 @@ items:
href: device-update-management.md
- name: Bulk enrollment
href: bulk-enrollment-using-windows-provisioning-tool.md
- name: Secured-Core PC Configuration Lock
href: config-lock.md
- name: Management tool for the Microsoft Store for Business
href: management-tool-for-windows-store-for-business.md
items:

82
windows/client-management/mdm/vpn-csp.md
View File

@ -23,7 +23,7 @@ The VPN configuration service provider allows the MDM server to configure the VP
Important considerations:
- For a VPN that requires a client certificate, the server must first enroll the needed client certificate before deploying a VPN profile to ensure that there is a functional VPN profile at the device. This is particularly critical for forced tunnel VPN.
- For a VPN that requires a client certificate, the server must first enroll the needed client certificate before deploying a VPN profile to ensure that there is a functional VPN profile at the device. This is critical for forced tunnel VPN.
- VPN configuration commands must be wrapped with an Atomic command as shown in the example below.
@ -31,9 +31,61 @@ Important considerations:
- For the VPN CSP, you cannot use the Replace command unless the node already exists.
The following diagram shows the VPN configuration service provider in tree format.
The following shows the VPN configuration service provider in tree format.
![provisioning\-csp\-vpnimg.](images/provisioning-csp-vpn.png)
```console
./Vendor/MSFT
VPN
-----ProfileName
---------Server
---------TunnelType
---------ThirdParty
-------------Name
-------------AppID
-------------CustomStoreURL
-------------CustomConfiguration
---------RoleGroup
---------Authentication
-------------Method
-------------Certificate
---------------Issuer
---------------EKU
---------------CacheLifeTimeProtectedCert
-------------MultiAuth
---------------StartURL
---------------EndURL
-------------EAP
---------Proxy
-------------Automatic
-------------Manual
---------------Server
---------------Port
-------------BypassProxyforLocal
---------SecuredResources
-------------AppPublisherNameList
---------------AppPublisherName
-------------AppAllowedList
---------------AppAllowedList
-------------NetworkAllowedList
---------------NetworkAllowedList
-------------NameSapceAllowedList
---------------NameSapceAllowedList
-------------ExcudedAppList
---------------ExcudedAppList
-------------ExcludedNetworkList
---------------ExcludedNetworkList
-------------ExcludedNameSpaceList
---------------ExcludedNameSpaceList
-------------DNSSuffixSearchList
---------------DNSSuffixSearchList
---------Policies
-------------RememberCredentials
-------------SplitTunnel
-------------BypassforLocal
-------------TrustedNetworkDetection
-------------ConnectionType
---------DNSSuffix
```
<a href="" id="profilename"></a>***ProfileName***
Unique alpha numeric Identifier for the profile. The profile name must not include a forward slash (/).
@ -48,12 +100,12 @@ Supported operations are Get, Add, and Replace.
Value type is chr. Some examples are 208.23.45.130 or vpn.contoso.com.
<a href="" id="tunneltype"></a>**TunnelType**
Optional, but required when deploying a 3rd party IKEv2 VPN profile. Only a value of IKEv2 is supported for this release.
Optional, but required when deploying a third-party IKEv2 VPN profile. Only a value of IKEv2 is supported for this release.
Value type is chr. Supported operations are Get and Add.
<a href="" id="thirdparty"></a>**ThirdParty**
Optional, but required if deploying 3rd party SSL-VPN plugin profile. Defines a group of setting applied to SSL-VPN profile provisioning.
Optional, but required if deploying third-party SSL-VPN plugin profile. Defines a group of setting applied to SSL-VPN profile provisioning.
Supported operations are Get and Add.
@ -73,17 +125,17 @@ Valid values:
- Checkpoint Mobile VPN
<a href="" id="thirdparty-appid"></a>**ThirdParty/AppID**
Optional, but required when deploying a 3rd party SSL-VPN plugin app from a private enterprise storefront. This is the ProductID associated with the store application. The client will use this ProductID to ensure that only the enterprise approved plugin is initialized.
Optional, but required when deploying a third-party SSL-VPN plugin app from a private enterprise storefront. This is the ProductID associated with the store application. The client will use this ProductID to ensure that only the enterprise approved plugin is initialized.
Value type is chr. Supported operations are Get, Add, Replace, and Delete.
<a href="" id="thirdparty-customstoreurl"></a>**ThirdParty/CustomStoreURL**
Optional, but required if an enterprise is deploying a 3rd party SSL-VPN plugin app from the private enterprise storefront. This node specifies the URL of the 3rd party SSL-VPN plugin app.
Optional, but required if an enterprise is deploying a third-party SSL-VPN plugin app from the private enterprise storefront. This node specifies the URL of the third-party SSL-VPN plugin app.
Value type is chr. Supported operations are Get, Add, Replace, and Delete.
<a href="" id="thirdparty-customconfiguration"></a>**ThirdParty/CustomConfiguration**
Optional. This is an HTML encoded XML blob for SSL-VPN plugin specific configuration that is deployed to the device to make it available for SSL-VPN plugins.
Optional. This is an HTML encoded XML blob for SSL-VPN plugin-specific configuration that is deployed to the device to make it available for SSL-VPN plugins.
Value type is char. Supported operations are Get, Add, Replace, and Delete.
@ -98,7 +150,7 @@ Optional node for ThirdParty VPN profiles, but required for IKEv2. This is a col
Supported operations are Get and Add.
<a href="" id="authentication-method"></a>**Authentication/Method**
Required for IKEv2 profiles and optional for third party profiles. This specifies the authentication provider to use for VPN client authentication. Only the EAP method is supported for IKEv2 profiles.
Required for IKEv2 profiles and optional for third-party profiles. This specifies the authentication provider to use for VPN client authentication. Only the EAP method is supported for IKEv2 profiles.
Supported operations are Get and Add.
@ -114,7 +166,7 @@ Optional node. A collection of nodes that enables simpler authentication experie
Supported operations are Get and Add.
<a href="" id="authentication-certificate-issuer"></a>**Authentication/Certificate/Issuer**
Optional. Filters out the installed certificates with private keys stored in registry or TPM. This can be used in conjunction with EKU for more granular filtering.
Optional. Filters out the installed certificates with private keys stored in registry or TPM. This can be used with EKU for more granular filtering.
Value type is chr. Supported operations are Get, Add, Delete, and Replace.
@ -123,7 +175,7 @@ Value type is chr. Supported operations are Get, Add, Delete, and Replace.
 
<a href="" id="authentication-certificate-eku"></a>**Authentication/Certificate/EKU**
Optional. This Extended Key Usage (EKU) element is used to filter out the installed certificates with private keys stored in the registry or TPM. You can use this in conjunction with ISSUER for a more granular filtering.
Optional. This Extended Key Usage (EKU) element is used to filter out the installed certificates with private keys stored in the registry or TPM. You can use this with ISSUER for a more granular filtering.
Value type is chr. Supported operations are Get, Add, Delete, and Replace.
@ -175,16 +227,16 @@ Default is False.
Optional node. A collection of configuration objects that define the inclusion resource lists for what can be secured over VPN. Allowed lists are applied only when Policies/SplitTunnel element is set to True. VPN exclusions are not supported..
<a href="" id="securedresources-appallowedlist-appallowedlist"></a>**SecuredResources/AppAllowedList/AppAllowedList**
Optional. Specifies one or more ProductIDs for the enterprise line of business applications built for Windows. When this element is defined, then all traffic sourced from specified apps will be secured over VPN (assuming protected networks defined allows access). They will not be able to connect directly bypassing the VPN connection. When the profile is auto-triggered, VPN is triggered automatically by these apps.
Optional. Specifies one or more ProductIDs for the enterprise line-of-business applications built for Windows. When this element is defined, then all traffic sourced from specified apps will be secured over VPN (assuming protected networks defined allows access). They will not be able to connect directly bypassing the VPN connection. When the profile is autotriggered, VPN is triggered automatically by these apps.
Supported operations are Get, Add, Replace and Delete.
Supported operations are Get, Add, Replace, and Delete.
Value type is chr.
Examples are {F05DC613-E223-40AD-ABA9-CCCE04277CD9} and ContosoApp.ContosoCorp\_jlsnulm3s397u.
<a href="" id="securedresources-networkallowedlist-networkallowedlist"></a>**SecuredResources/NetworkAllowedList/NetworkAllowedList**
Optional, but required when Policies/SplitTunnel is set to true for IKEv2 profile. Specifies one or more IP ranges that you want secured over VPN. Applications connecting to protected resources that match this list will be secured over VPN. Otherwise, theyll continue to connect directly. The IP ranges are defined in the format 10.0.0.0/8. When the profile is auto-triggered, the VPN is triggered automatically by these protected networks.
Optional, but required when Policies/SplitTunnel is set to true for IKEv2 profile. Specifies one or more IP ranges that you want secured over VPN. Applications connecting to protected resources that match this list will be secured over VPN. Otherwise, theyll continue to connect directly. The IP ranges are defined in the format 10.0.0.0/8. When the profile is autotriggered, the VPN is triggered automatically by these protected networks.
Supported operations are Get, Add, Replace, and Delete.
@ -202,7 +254,7 @@ Value type is chr.
An example is \*.corp.contoso.com.
<a href="" id="securedresources-excluddedapplist-excludedapplist"></a>**SecuredResources/ExcluddedAppList/ExcludedAppList**
Optional. Specifies one or more ProductIDs for enterprise line of business applications built for Windows. When the element is defined, these apps will never use VPN. They will connect directly and bypass the VPN connection.
Optional. Specifies one or more ProductIDs for enterprise line-of-business applications built for Windows. When the element is defined, these apps will never use VPN. They will connect directly and bypass the VPN connection.
Supported operations are Get, Add, Replace, and Delete.

14
windows/client-management/mdm/w4-application-csp.md
View File

@ -21,11 +21,17 @@ The default security roles are defined in the root characteristic, and map to ea
> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_W4\_APPLICATION capabilities to be accessed from a network configuration application.
 
The following shows the configuration service provider in tree format as used by OMA Client Provisioning.
The following diagram shows the configuration service provider in tree format as used by OMA Client Provisioning.
![w4 application csp (cp).](images/provisioning-csp-w4-application-cp.png)
```console
APPLICATION
----APPID
----NAME
----TO-PROXY
----TO-NAPID
----ADDR
----MS
```
<a href="" id="appid"></a>**APPID**
Required. This parameter takes a string value. The only supported value for configuring MMS is "w4".

32
windows/client-management/mdm/w7-application-csp.md
View File

@ -19,11 +19,37 @@ The APPLICATION configuration service provider that has an APPID of w7 is used f
> **Note**  This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
 
The following image shows the configuration service provider in tree format as used by OMA Client Provisioning.
The following shows the configuration service provider in tree format as used by OMA Client Provisioning.
![w7 application csp (dm).](images/provisioning-csp-w7-application-dm.png)
```console
APPLICATION
---APPADDR
------ADDR
------ADDRTYPE
------PORT
---------PORTNBR
---APPAUTH
------AAUTHDATA
------AAUTHLEVEL
------AAUTHNAME
------AAUTHSECRET
------AAUTHTYPE
---AppID
---BACKCOMPATRETRYDISABLED
---CONNRETRYFREQ
---DEFAULTENCODING
---INIT
---INITIALBACKOFTIME
---MAXBACKOFTIME
---NAME
---PROTOVER
---PROVIDER-ID
---ROLE
---TO-NAPID
---USEHWDEVID
---SSLCLIENTCERTSEARCHCRITERIA
```
> **Note**   All parm names and characteristic types are case sensitive and must use all uppercase.
Both APPSRV and CLIENT credentials must be provided in provisioning XML.

17
windows/client-management/mdm/wifi-csp.md
View File

@ -29,9 +29,22 @@ Programming considerations:
- For the WiFi CSP, you cannot use the Replace command unless the node already exists.
- Using Proxyis only supported in Windows 10 Mobile. Using this configuration in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) will result in failure.
The following image shows the WiFi configuration service provider in tree format.
The following shows the WiFi configuration service provider in tree format.
```console
./Device/Vendor/MSFT
or
./User/Vendor/MSFT
WiFi
---Profile
------SSID
---------WlanXML
---------Proxy
---------ProxyPacUrl
---------ProxyWPAD
---------WiFiCost
```
![wi-fi csp diagram.](images/provisioning-csp-wifi.png)
The following list shows the characteristics and parameters.

20
windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
View File

@ -17,9 +17,25 @@ ms.date: 11/01/2017
The Windows Defender Advanced Threat Protection (WDATP) configuration service provider (CSP) allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP.
The following diagram shows the WDATP configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM).
The following shows the WDATP configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM).
![windowsadvancedthreatprotection csp diagram.](images/provisioning-csp-watp.png)
```console
./Device/Vendor/MSFT
WindowsAdvancedThreatProtection
----Onboarding
----HealthState
--------LastConnected
--------SenseIsRunning
--------OnboardingState
--------OrgId
----Configuration
--------SampleSharing
--------TelemetryReportingFrequency
----Offboarding
----DeviceTagging
--------Group
--------Criticality
```
The following list describes the characteristics and parameters.

94
windows/client-management/mdm/wmi-providers-supported-in-windows.md
View File

@ -86,19 +86,19 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-browsersecurityzones" data-raw-source="[&lt;strong&gt;MDM_BrowserSecurityZones&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-browsersecurityzones)"><strong>MDM_BrowserSecurityZones</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-browsersettings" data-raw-source="[&lt;strong&gt;MDM_BrowserSettings&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-browsersettings)"><strong>MDM_BrowserSettings</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-certificate" data-raw-source="[&lt;strong&gt;MDM_Certificate&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-certificate)"><strong>MDM_Certificate</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-certificateenrollment" data-raw-source="[&lt;strong&gt;MDM_CertificateEnrollment&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-certificateenrollment)"><strong>MDM_CertificateEnrollment</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-client" data-raw-source="[&lt;strong&gt;MDM_Client&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-client)"><strong>MDM_Client</strong></a></td>
@ -106,7 +106,7 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-configsetting" data-raw-source="[&lt;strong&gt;MDM_ConfigSetting&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-configsetting)"><strong>MDM_ConfigSetting</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-deviceregistrationinfo" data-raw-source="[&lt;strong&gt;MDM_DeviceRegistrationInfo&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-deviceregistrationinfo)"><strong>MDM_DeviceRegistrationInfo</strong></a></td>
@ -114,11 +114,11 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-easpolicy" data-raw-source="[&lt;strong&gt;MDM_EASPolicy&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-easpolicy)"><strong>MDM_EASPolicy</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-mgmtauthority" data-raw-source="[&lt;strong&gt;MDM_MgMtAuthority&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-mgmtauthority)"><strong>MDM_MgMtAuthority</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="even">
<td><strong>MDM_MsiApplication</strong></td>
@ -138,7 +138,7 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-restrictions" data-raw-source="[&lt;strong&gt;MDM_Restrictions&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-restrictions)"><strong>MDM_Restrictions</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-restrictionsuser" data-raw-source="[&lt;strong&gt;MDM_RestrictionsUser&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-restrictionsuser)"><strong>MDM_RestrictionsUser</strong></a></td>
@ -146,7 +146,7 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-securitystatus" data-raw-source="[&lt;strong&gt;MDM_SecurityStatus&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-securitystatus)"><strong>MDM_SecurityStatus</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-sideloader" data-raw-source="[&lt;strong&gt;MDM_SideLoader&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-sideloader)"><strong>MDM_SideLoader</strong></a></td>
@ -158,11 +158,11 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-updates" data-raw-source="[&lt;strong&gt;MDM_Updates&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-updates)"><strong>MDM_Updates</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-vpnapplicationtrigger" data-raw-source="[&lt;strong&gt;MDM_VpnApplicationTrigger&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-vpnapplicationtrigger)"><strong>MDM_VpnApplicationTrigger</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="odd">
<td><strong>MDM_VpnConnection</strong></td>
@ -174,27 +174,27 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofile" data-raw-source="[&lt;strong&gt;MDM_WirelessProfile&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofile)"><strong>MDM_WirelessProfile</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofilexml" data-raw-source="[&lt;strong&gt;MDM_WirelesssProfileXML&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofilexml)"><strong>MDM_WirelesssProfileXML</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnschannel" data-raw-source="[&lt;strong&gt;MDM_WNSChannel&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnschannel)"><strong>MDM_WNSChannel</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnsconfiguration" data-raw-source="[&lt;strong&gt;MDM_WNSConfiguration&lt;/strong&gt;](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnsconfiguration)"><strong>MDM_WNSConfiguration</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="odd">
<td><a href="/previous-versions/windows/desktop/wfascimprov/msft-netfirewallprofile" data-raw-source="[&lt;strong&gt;MSFT_NetFirewallProfile&lt;/strong&gt;](/previous-versions/windows/desktop/wfascimprov/msft-netfirewallprofile)"><strong>MSFT_NetFirewallProfile</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/vpnclientpsprov/msft-vpnconnection" data-raw-source="[&lt;strong&gt;MSFT_VpnConnection&lt;/strong&gt;](/previous-versions/windows/desktop/vpnclientpsprov/msft-vpnconnection)"><strong>MSFT_VpnConnection</strong></a></td>
<td><img src="images/checkmark.png" alt="cross mark" /></td>
<td>Yes</td>
</tr>
<tr class="even">
<td><a href="/previous-versions/windows/desktop/sppwmi/softwarelicensingproduct" data-raw-source="[&lt;strong&gt;SoftwareLicensingProduct&lt;/strong&gt;](/previous-versions/windows/desktop/sppwmi/softwarelicensingproduct)"><strong>SoftwareLicensingProduct</strong></a></td>
@ -213,16 +213,16 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
| Class | Test completed in Windows 10 for desktop |
|--------------------------------------------------------------------------|------------------------------------------|
| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) |
| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) |
| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) |
| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) |
| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
| [**wpcRatingsDescriptor**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | |
| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) |
| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) |
| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) |
| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) |
| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | ![cross mark.](images/checkmark.png) |
| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
@ -232,17 +232,17 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
|--------------------------------------------------------------------------|------------------------------------------|
[**Win32\_1394Controller**](/windows/win32/cimwin32prov/win32-1394controller) |
[**Win32\_BaseBoard**](/windows/win32/cimwin32prov/win32-baseboard) |
[**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | ![cross mark.](images/checkmark.png)
[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | ![cross mark.](images/checkmark.png)
[**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | Yes
[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | Yes
[**Win32\_CDROMDrive**](/windows/win32/cimwin32prov/win32-cdromdrive) |
[**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | ![cross mark.](images/checkmark.png)
[**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | ![cross mark.](images/checkmark.png)
[**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | ![cross mark.](images/checkmark.png)
[**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | Yes
[**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | Yes
[**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | Yes
[**Win32\_Desktop**](/windows/win32/cimwin32prov/win32-desktop) |
[**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) |![cross mark.](images/checkmark.png)
[**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | ![cross mark.](images/checkmark.png)
[**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) |Yes
[**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | Yes
[**Win32\_DiskPartition**](/windows/win32/cimwin32prov/win32-diskpartition) |
[**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | ![cross mark.](images/checkmark.png)
[**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | Yes
[**Win32\_DMAChannel**](/windows/win32/cimwin32prov/win32-dmachannel) |
[**Win32\_DriverVXD**](/previous-versions//aa394141(v=vs.85)) |
[**Win32\_EncryptableVolume**](/windows/win32/secprov/win32-encryptablevolume) |
@ -252,23 +252,23 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
[**Win32\_IRQResource**](/windows/win32/cimwin32prov/win32-irqresource) |
[**Win32\_Keyboard**](/windows/win32/cimwin32prov/win32-keyboard) |
[**Win32\_LoadOrderGroup**](/windows/win32/cimwin32prov/win32-loadordergroup) |
[**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | ![cross mark.](images/checkmark.png)
[**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | Yes
[**Win32\_LoggedOnUser**](/windows/win32/cimwin32prov/win32-loggedonuser) |
[**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | ![cross mark.](images/checkmark.png)
[**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | Yes
[**Win32\_MotherboardDevice**](/windows/win32/cimwin32prov/win32-motherboarddevice) |
[**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | ![cross mark.](images/checkmark.png)
[**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | Yes
[**Win32\_NetworkAdapterConfiguration**](/windows/win32/cimwin32prov/win32-networkadapterconfiguration) |
[**Win32\_NetworkClient**](/windows/win32/cimwin32prov/win32-networkclient) |
[**Win32\_NetworkLoginProfile**](/windows/win32/cimwin32prov/win32-networkloginprofile) |
[**Win32\_NetworkProtocol**](/windows/win32/cimwin32prov/win32-networkprotocol) |
[**Win32\_NTEventlogFile**](/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)) |
[**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | ![cross mark.](images/checkmark.png)
[**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | Yes
[**Win32\_OSRecoveryConfiguration**](/windows/win32/cimwin32prov/win32-osrecoveryconfiguration) |
[**Win32\_PageFileSetting**](/windows/win32/cimwin32prov/win32-pagefilesetting) |
[**Win32\_ParallelPort**](/windows/win32/cimwin32prov/win32-parallelport) |
[**Win32\_PCMCIAController**](/windows/win32/cimwin32prov/win32-pcmciacontroller) |
[**Win32\_PhysicalMedia**](/previous-versions/windows/desktop/cimwin32a/win32-physicalmedia) |
[**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | ![cross mark.](images/checkmark.png)
[**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | Yes
[**Win32\_PnPDevice**](/windows/win32/cimwin32prov/win32-pnpdevice) |
[**Win32\_PnPEntity**](/windows/win32/cimwin32prov/win32-pnpentity) |
[**Win32\_PointingDevice**](/windows/win32/cimwin32prov/win32-pointingdevice) |
@ -277,25 +277,25 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
[**Win32\_POTSModem**](/windows/win32/cimwin32prov/win32-potsmodem) |
[**Win32\_Printer**](/windows/win32/cimwin32prov/win32-printer) |
[**Win32\_PrinterConfiguration**](/windows/win32/cimwin32prov/win32-printerconfiguration) |
[**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) | ![cross mark.](images/checkmark.png)
[**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | ![cross mark.](images/checkmark.png)
[**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) | Yes
[**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | Yes
[**Win32\_Registry**](/windows/win32/cimwin32prov/win32-registry) |
[**Win32\_SCSIController**](/windows/win32/cimwin32prov/win32-scsicontroller) |
[**Win32\_SerialPort**](/windows/win32/cimwin32prov/win32-serialport) |
[**Win32\_SerialPortConfiguration**](/windows/win32/cimwin32prov/win32-serialportconfiguration) |
[**Win32\_ServerFeature**](/windows/win32/wmisdk/win32-serverfeature) |
[**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | ![cross mark.](images/checkmark.png)
[**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | ![cross mark.](images/checkmark.png)
[**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | Yes
[**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | Yes
[**Win32\_SoundDevice**](/windows/win32/cimwin32prov/win32-sounddevice) |
[**Win32\_SystemAccount**](/windows/win32/cimwin32prov/win32-systemaccount) |
[**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | ![cross mark.](images/checkmark.png)
[**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | Yes
[**Win32\_SystemDriver**](/windows/win32/cimwin32prov/win32-systemdriver) |
[**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | ![cross mark.](images/checkmark.png)
[**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | Yes
[**Win32\_TapeDrive**](/windows/win32/cimwin32prov/win32-tapedrive) |
[**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | ![cross mark.](images/checkmark.png)
[**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | Yes
[**Win32\_UninterruptiblePowerSupply**](/previous-versions//aa394503(v=vs.85)) |
[**Win32\_USBController**](/windows/win32/cimwin32prov/win32-usbcontroller) |
[**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | ![cross mark.](images/checkmark.png)
[**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | Yes
[**Win32\_VideoController**](/windows/win32/cimwin32prov/win32-videocontroller) |
**Win32\_WindowsUpdateAgentVersion** |

26
windows/configuration/TOC.yml
View File

@ -176,8 +176,6 @@
- name: Reference
items:
- name: Configure Windows 10 Mobile devices
href: mobile-devices/configure-mobile.md
- name: Windows Configuration Designer reference
items:
- name: Windows Configuration Designer provisioning settings (reference)
@ -229,9 +227,7 @@
- name: DMClient
href: wcd/wcd-dmclient.md
- name: EditionUpgrade
href: wcd/wcd-editionupgrade.md
- name: EmbeddedLockdownProfiles
href: wcd/wcd-embeddedlockdownprofiles.md
href: wcd/wcd-editionupgrade.md
- name: FirewallConfiguration
href: wcd/wcd-firewallconfiguration.md
- name: FirstExperience
@ -389,23 +385,3 @@
href: ue-v/uev-application-template-schema-reference.md
- name: Security Considerations for UE-V
href: ue-v/uev-security-considerations.md
- name: Use Windows Configuration Designer for Windows 10 Mobile devices
items:
- name: Use Windows Configuration Designer to configure Windows 10 Mobile devices
href: mobile-devices/provisioning-configure-mobile.md
- name: NFC-based device provisioning
href: mobile-devices/provisioning-nfc.md
- name: Barcode provisioning and the package splitter tool
href: mobile-devices/provisioning-package-splitter.md
- name: Use the Lockdown Designer app to create a Lockdown XML file
href: mobile-devices/mobile-lockdown-designer.md
- name: Configure Windows 10 Mobile using Lockdown XML
href: mobile-devices/lockdown-xml.md
- name: Settings and quick actions that can be locked down in Windows 10 Mobile
href: mobile-devices/settings-that-can-be-locked-down.md
- name: Product IDs in Windows 10 Mobile
href: mobile-devices/product-ids-in-windows-10-mobile.md
- name: Start layout XML for mobile editions of Windows 10 (reference)
href: mobile-devices/start-layout-xml-mobile.md

8
windows/configuration/cortana-at-work/cortana-at-work-overview.md
View File

@ -17,7 +17,7 @@ ms.author: greglin
Cortana is a personal productivity assistant in Microsoft 365, helping your users achieve more with less effort and focus on what matters. The Cortana app in Windows 10 and Windows 11 helps users quickly get information across Microsoft 365, using typed or spoken queries to connect with people, check calendars, set reminders, add tasks, and more.
:::image type="content" source="../screenshot1.png" alt-text="Screenshot: Cortana home page example":::
:::image type="content" source="./images/screenshot1.png" alt-text="Screenshot: Cortana home page example":::
## Where is Cortana available for use in my organization?
@ -34,7 +34,7 @@ Cortana requires a PC running Windows 10, version 1703 or later, as well as the
| Software | Minimum version |
|---------|---------|
|Client operating system | Desktop: <br> - Windows 10, version 2004 (recommended) <br> <br> - Windows 10, version 1703 (legacy version of Cortana) <br> <br> Mobile: Windows 10 mobile, version 1703 (legacy version of Cortana) <br> <br> For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](#how-is-my-data-processed-by-cortana) below. |
|Client operating system | - Windows 10, version 2004 (recommended) <br> <br> - Windows 10, version 1703 (legacy version of Cortana) <br> <br> For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](#how-is-my-data-processed-by-cortana) below. |
|Azure Active Directory (Azure AD) | While all employees signing into Cortana need an Azure AD account, an Azure AD premium tenant isn't required. |
|Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn Cortana off. For example, if you turn **Speech** off, your employees won't be able to use the wake word ("Cortana") for hands-free activation or voice commands to easily ask for help. |
@ -51,7 +51,7 @@ Cortana's approach to integration with Microsoft 365 has changed with Windows 10
### Cortana in Windows 10, version 2004 and later, or Windows 11
Cortana enterprise services that can be accessed using Azure AD through Cortana in Windows 10, version 2004 and later, or Windows 11, meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365&preserve-view=true).
Cortana enterprise services that can be accessed using Azure AD through Cortana meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365&preserve-view=true).
#### How does Microsoft store, retain, process, and use Customer Data in Cortana?
@ -77,7 +77,7 @@ First, the user must enable the wake word from within Cortana settings. Once it
The first decision is made by the Windows Multiple Voice Assistant platform leveraging hardware optionally included in the user&#39;s PC for power savings. If the wake word is detected, Windows will show a microphone icon in the system tray indicating an assistant app is listening.
:::image type="content" source="../screenshot2.png" alt-text="Screenshot: Microphone icon in the system tray indicating an assistant app is listening":::
:::image type="content" source="./images/screenshot2.png" alt-text="Screenshot: Microphone icon in the system tray indicating an assistant app is listening":::
At that point, the Cortana app will receive the audio, run a second, more accurate wake word detector, and optionally send it to a Microsoft cloud service where a third wake word detector will confirm. If the service does not confirm that the activation was valid, the audio will be discarded and deleted from any further processing or server logs. On the user&#39;s PC, the Cortana app will be silently dismissed, and no query will be shown in conversation history because the query was discarded.

102
windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
View File

@ -7,46 +7,78 @@ ms.sitesec: library
author: greg-lindsay
ms.localizationpriority: medium
ms.author: greglin
ms.date: 10/05/2017
ms.reviewer:
manager: dansimp
---
# Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization
>[!NOTE]
>For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) topic, located in the configuration service provider reference topics.
For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
- **Allow Cortana**
- **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana`
- **MDM policy CSP**: [Experience/AllowCortana](/windows/client-management/mdm/policy-csp-experience#experience-allowcortana)
- **Description**: Specifies if users can use Cortana.
|**Group policy** |**MDM policy** |**Description** |
|---------|---------|---------|
|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |Experience/AllowCortana |Specifies whether employees can use Cortana. <br>
> [!IMPORTANT]
> Cortana wont work if this setting is turned off (disabled). However, on Windows 10, version 1809 and below, employees can still perform local searches even with Cortana turned off. |
|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock |AboveLock/AllowCortanaAboveLock |Specifies whether an employee can interact with Cortana using voice commands when the system is locked. <br>
> [!NOTE]
> Cortana in Windows 10, versions 2004 and later, or Windows 11 do not currently support Above Lock. |
|Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsActivateWithVoice |[Privacy/LetAppsActivateWithVoice](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsactivatewithvoice) |Specifies whether apps (such as Cortana or other voice assistants) can activate using a wake word (e.g. “Hey Cortana”). <br>
> [!NOTE]
> This setting only applies to Windows 10 versions 2004 and later, or Windows 11. To disable wake word activation on Windows 10 versions 1909 and earlier, you will need to disable voice commands using Privacy/AllowInputPersonalization. |
|Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsAccessMicrophone |[Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone-forcedenytheseapps) | Use this to disable Cortanas access to the microphone. To do so, specify Cortanas Package Family Name: Microsoft.549981C3F5F10_8wekyb3d8bbwe <br>
Users will still be able to type queries to Cortana. |
|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow users to enable online speech recognition services |Privacy/AllowInputPersonalization |Specifies whether an employee can use voice commands with Cortana in your organization. <br>
**In Windows 10, version 1511** <br> Cortana wont work if this setting is turned off (disabled). <br> **In Windows 10, version 1607 and later** <br> Non-speech aspects of Cortana will still work if this setting is turned off (disabled). <br> **In Windows 10, version 2004 and later** <br> Cortana will work, but voice input will be disabled. |
|None |System/AllowLocation |Specifies whether to allow app access to the Location service. <br>
**In Windows 10, version 1511** <br> Cortana wont work if this setting is turned off (disabled). <br>
**In Windows 10, version 1607 and later** <br>
Cortana still works if this setting is turned off (disabled). <br>
**In Windows 10, version 2004 and later** <br>
Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11 do not currently use the Location service. |
|None |Accounts/AllowMicrosoftAccountConnection |Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps. <br>
Disable this setting if you only want to allow users to sign in with their Azure AD account. |
|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location |Search/AllowSearchToUseLocation |Specifies whether Cortana can use your current location during searches and for location reminders. <br>
**In Windows 10, version 2004 and later** <br> Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11, do not currently use the Location service. |
|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results |Search/DoNotUseWebResults |Specifies whether search can perform queries on the web and if the web results are displayed in search. <br>
**In Windows 10 Pro edition** <br> This setting cant be managed.<br>
**In Windows 10 Enterprise edition** <br> Cortana won't work if this setting is turned off (disabled).<br>
**In Windows 10, version 2004 and later** <br> This setting no longer affects Cortana. <br> |
|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search |Search/SafeSearchPermissions |Specifies what level of safe search (filtering adult content) is required. <br>
> [!NOTE]
> This setting only applies to Windows 10 Mobile. Other versions of Windows should use Don't search the web or display web results. |
Cortana wont work if this setting is turned off (disabled). On Windows 10, version 1809 and below, users can still do local searches, even with Cortana turned off.
- **AllowCortanaAboveLock**
- **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock`
- **MDM policy CSP**: [AboveLock/AllowCortanaAboveLock](/windows/client-management/mdm/policy-csp-abovelock#abovelock-allowcortanaabovelock)
- **Description**: Specifies whether users can interact with Cortana using voice commands when the system is locked.
This setting:
- Doesn't apply to Windows 10, versions 2004 and later
- Doesn't apply to Windows 11
- **LetAppsActivateWithVoice**
- **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsActivateWithVoice`
- **MDM policy CSP**: [Privacy/LetAppsActivateWithVoice](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsactivatewithvoice)
- **Description**: Specifies if apps, like Cortana or other voice assistants, can activate using a wake word, like “Hey Cortana”.
This setting applies to:
- Windows 10 versions 2004 and later
- Windows 11
To disable wake word activation on Windows 10 versions 1909 and earlier, disable voice commands using the [Privacy/AllowInputPersonalization CSP](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization).
- **LetAppsAccessMicrophone**
- **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsAccessMicrophone`
- **MDM policy CSP**: [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone-forcedenytheseapps)
- **Description**: Disables Cortanas access to the microphone. To use this setting, enter Cortanas Package Family Name: `Microsoft.549981C3F5F10_8wekyb3d8bbwe`. Users can still type queries to Cortana.
- **Allow users to enable online speech recognition services**
- **Group policy**: `Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow users to enable online speech recognition services`
- **MDM policy CSP**: [Privacy/AllowInputPersonalization](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization)
- **Description**: Specifies whether users can use voice commands with Cortana in your organization.
- **Windows 10, version 1511**: Cortana wont work if this setting is turned off (disabled).
- **Windows 10, version 1607 and later**: Non-speech aspects of Cortana will still work if this setting is turned off (disabled).
- **Windows 10, version 2004 and later**: Cortana will work, but voice input will be disabled.
- **AllowLocation**
- **Group policy**: None
- **MDM policy CSP**: [System/AllowLocation](/windows/client-management/mdm/policy-csp-system#system-allowlocation)
- **Description**: Specifies whether to allow app access to the Location service.
- **Windows 10, version 1511**: Cortana wont work if this setting is turned off (disabled).
- **Windows 10, version 1607 and later**: Cortana still works if this setting is turned off (disabled).
- **Windows 10, version 2004 and later**: Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11 don't use the Location service.
- **AllowMicrosoftAccountConnection**
- **Group policy**: None
- **MDM policy CSP**: [Accounts/AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection)
- **Description**: Specifies whether to allow users to sign in using a Microsoft account (MSA) from Windows apps. If you only want to allow users to sign in with their Azure AD account, then disable this setting.
- **Allow search and Cortana to use location**
- **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location`
- **MDM policy CSP**: [Search/AllowSearchToUseLocation](/windows/client-management/mdm/policy-csp-search#search-allowsearchtouselocation)
- **Description**: Specifies whether Cortana can use your current location during searches and for location reminders. In **Windows 10, version 2004 and later**, Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11, don't use the Location service.
- **Don't search the web or display web results**
- **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results`
- **MDM policy CSP**: [Search/DoNotUseWebResults](/windows/client-management/mdm/policy-csp-search#search-donotusewebresults)
- **Description**: Specifies if search can do queries on the web, and if the web results are shown in search.
- **Windows 10 Pro edition**: This setting cant be managed.
- **Windows 10 Enterprise edition**: Cortana won't work if this setting is turned off (disabled).
- **Windows 10, version 2004 and later**: This setting no longer impacts Cortana.

BIN
windows/configuration/cortana-at-work/images/screenshot1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.8 MiB

BIN
windows/configuration/cortana-at-work/images/screenshot2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 24 KiB

5
windows/configuration/lockdown-features-windows-10.md
View File

@ -13,14 +13,13 @@ author: greg-lindsay
ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.date: 07/27/2017
---
# Lockdown features from Windows Embedded 8.1 Industry
**Applies to**
- Windows 10
- Windows 10
Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation.
@ -90,7 +89,7 @@ Many of the lockdown features available in Windows Embedded 8.1 Industry have be
<td align="left">MDM and Group Policy</td>
<td align="left"><p>The USB Filter driver has been replaced by MDM and Group Policy settings for blocking the connection of USB devices.</p>
<p>Group Policy: <strong>Computer Configuration</strong> &gt; <strong>Administrative Templates</strong> &gt; <strong>System</strong> &gt; <strong>Device Installation</strong> &gt; <strong>Device Installation Restrictions</strong></p>
<p>MDM policy name may vary depending on your MDM service. In Microsoft Intune, use <strong>Allow removable storage</strong> or <strong>Allow USB connection (Windows 10 Mobile only)</strong>.</p></td>
<p>MDM policy name may vary depending on your MDM service. In Microsoft Intune, use <strong>Removable storage</strong>.</p></td>
</tr>
<tr class="even">
<td align="left"><p><a href="/previous-versions/windows/embedded/dn449303(v=winembedded.82)" data-raw-source="[Assigned Access](/previous-versions/windows/embedded/dn449303(v=winembedded.82))">Assigned Access</a>: launch a UWP app on sign-in and lock access to system</p></td>

7
windows/configuration/manage-wifi-sense-in-enterprise.md
View File

@ -12,15 +12,14 @@ ms.sitesec: library
ms.pagetype: mobile
author: greg-lindsay
ms.localizationpriority: medium
ms.date: 05/02/2018
ms.topic: article
---
# Manage Wi-Fi Sense in your company
**Applies to:**
- Windows 10
- Windows 10 Mobile
**Applies to**
- Windows 10 version 1709 and older
>[!IMPORTANT]
>Beginning with Windows 10, version 1803, Wifi-Sense is no longer available. The following information only applies to Windows 10, version 1709 and prior. Please see [Connecting to open Wi-Fi hotspots in Windows 10](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) for more details.

33
windows/configuration/mobile-devices/configure-mobile.md
View File

@ -1,33 +0,0 @@
---
title: Configure Windows 10 Mobile devices
description:
keywords: Windows 10, MDM, WSUS, Windows update
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: greg-lindsay
ms.author: greglin
ms.topic: article
ms.date: 07/27/2017
ms.reviewer:
manager: dansimp
---
# Configure Windows 10 Mobile devices
Windows 10 Mobile enables administrators to define what users can see and do on a device, which you might think of as "configuring" or "customizing" or "device lockdown". Your device configuration can provide a standard Start screen with pre-installed apps, or restrict various settings and features, or even limit the device to run only a single app (kiosk).
## In this section
| Topic | Description |
| --- | --- |
| [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) | You can configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise as a kiosk device, so that users can only interact with a single application that you select. |
| [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md) | Use Windows Configuration Designer to create provisioning packages. Using provisioning packages, you can easily specify desired configuration and settings required to enroll the devices into management and then apply that configuration to target devices in a matter of minutes. |
| [Use the Lockdown Designer app to configure Windows 10 Mobile devices](mobile-lockdown-designer.md) | The Lockdown Designer app provides a guided wizard-like process to generate a Lockdown XML file that you can apply to devices running Windows 10 Mobile. |
| [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) | Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. |
| [Start layout XML for mobile editions of Windows 10 (reference)](start-layout-xml-mobile.md) | On Windows 10 Mobile, you can use the XML-based layout to modify the Start screen and provide the most robust and complete Start customization experience. This reference topic describes the supported elements and attributes for the LayoutModification.xml file. |
| [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) | This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile. |
| [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) | You can use the product ID and Application User Model (AUMID) in Lockdown.xml to specify apps that will be available to the user. |

BIN
windows/configuration/mobile-devices/images/doneicon.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 410 B

868
windows/configuration/mobile-devices/lockdown-xml.md
View File

@ -1,868 +0,0 @@
---
title: Configure Windows 10 Mobile using Lockdown XML (Windows 10)
description: Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device.
ms.assetid: 22C8F654-2EC3-4E6D-8666-1EA9FCF90F5F
ms.reviewer:
manager: dansimp
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security, mobile
author: greg-lindsay
ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.date: 07/27/2017
---
# Configure Windows 10 Mobile using Lockdown XML
**Applies to**
- Windows 10 Mobile
Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available.
This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile. When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file.
In this topic, you'll learn how to create an XML file that contains all lockdown entries available in the AssignedAccessXml area of the [EnterpriseAssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/enterpriseassignedaccess-csp). This topic provides example XML that you can use in your own lockdown XML file that can be included in a provisioning package or when using a mobile device management (MDM) solution to push lockdown settings to enrolled devices. You can also use the [Lockdown Designer app](mobile-lockdown-designer.md) to configure and export your lockdown XML file.
> [!NOTE]
> On Windows 10 desktop editions, *assigned access* is a feature that lets you configure the device to run a single app above the lockscreen ([kiosk mode](../kiosk-methods.md)). On a Windows 10 Mobile device, assigned access refers to the lockdown settings in AssignedAccessXml in the [EnterpriseAssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/enterpriseassignedaccess-csp).
If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](../provisioning-packages/how-it-pros-can-use-configuration-service-providers.md) first.
## Overview of the lockdown XML file
Let's start by looking at the basic structure of the lockdown XML file. You can start your file by pasting the following XML (or any other examples in this topic) into a text or XML editor, and saving the file as *filename*.xml.
```xml
<?xml version="1.0" encoding="utf-8"?>
<HandheldLockdown version="1.0" >
<Default>
<ActionCenter/>
<Apps/>
<Buttons/>
<CSPRunner/>
<MenuItems/>
<Settings/>
<Tiles/>
<StartScreenSize/>
</Default>
</HandheldLockdown>
```
**Default** and the entries beneath it establish the default device settings that are applied for every user. The device will always boot to this Default role. You can create additional roles on the device, each with its own settings, in the same XML file. [Learn how to add roles.](#configure-additional-roles)
The settings for the Default role and other roles must be listed in your XML file in the order presented in this topic. All of the entries are optional. If you don't include a setting, that aspect of the device will operate as it would for an nonconfigured device.
>[!TIP]
>Keep your XML file easy to work with and to understand by using proper indentation and adding comments for each setting you configure.
## Action Center
![XML for Action Center.](../images/ActionCenterXML.jpg)
The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both.
In the following example, the Action Center is enabled and both policies are disabled.
```xml
<ActionCenter enabled="true" aboveLockToastEnabled="0" actionCenterNotificationEnabled="0"/>
```
In the following example, Action Center and the toast policy are enabled, and the notifications policy is disabled.
```xml
<ActionCenter enabled="true" aboveLockToastEnabled="1" actionCenterNotificationEnabled="0"/>
```
The following example is a complete lockdown XML file that disables Action Center, notifications, and toasts.
```xml
<?xml version="1.0" encoding="utf-8"?>
<HandheldLockdown version="1.0" >
<Default>
<!-- disable Action Center -->
<ActionCenter enabled="false" />
</Default>
</HandheldLockdown>
```
## Apps
![XML for Apps.](../images/AppsXML.png)
The Apps setting serves as an allow list and specifies the applications that will be available in the All apps list. Apps that are not included in this setting are hidden from the user and blocked from running.
You provide the App User Model ID (AUMID) and product ID for each app in your file. The product ID identifies an app package, and an app package can contain multiple apps, so you also provide the ADUMID to differentiate the app. Optionally, you can set an app to run automatically. [Get product ID and AUMID for apps in Windows 10 Mobile.](product-ids-in-windows-10-mobile.md)
The following example makes Outlook Calendar available on the device.
```xml
<Apps>
<!-- Outlook Calendar -->
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar">
</Application>
</Apps>
```
When you list an app, you can also set the app to be pinned to the Start screen by specifying the tile size and location. Tip: draw a grid and mark your app tiles on it to make sure you get the result you want. The width (X axis) in the following example is the limit for Windows 10 Mobile, but the length (Y axis) is unlimited. The number of columns available to you depends on the value for [StartScreenSize](#start-screen-size).
![Grid to lay out tiles for Start.](../images/StartGrid.jpg)
Tile sizes are:
* Small: 1x1
* Medium: 2x2
* Large: 2x4
Based on 6 columns, you can pin six small tiles or three medium tiles on a single row. A large tile can be combined with two small tiles or one medium tile on the same row. Obviously, you cannot set a medium tile for LocationX=5, or a large tile for LocationX=3, 4, or 5.
If the tile configuration in your file exceeds the available width, such as setting a large tile to start at position 3 on the X axis, that tile is appended to the bottom of the Start screen. Also, if the tile configuration in your file would result in tiles overlapping each other, the overlapping tiles are instead appended to the bottom of the Start screen.
In the following example, Outlook Calendar and Outlook Mail are pinned to the Start screen, and the Store app is allowed but is not pinned to Start.
```xml
<Apps>
<!-- Outlook Calendar -->
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar">
<PinToStart>
<Size>Large</Size>
<Location>
<LocationX>0</LocationX>
<LocationY>0</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Outlook Mail-->
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail">
<PinToStart>
<Size>Medium</Size>
<Location>
<LocationX>4</LocationX>
<LocationY>0</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Store -->
<Application productId="7D47D89A-7900-47C5-93F2-46EB6D94C159" aumid="Microsoft.WindowsStore_8wekyb3d8bbwe!App" />
</Apps>
```
That layout would appear on a device like this:
![Example of the layout on a Start screen.](../images/StartGridPinnedApps.jpg)
You can create and pin folders to Start by using the Apps setting. Each folder requires a **folderId**, which must be a consecutive positive integer starting with `1`. You can also specify a **folderName** (optional) which will be displayed on Start.
```xml
<Apps>
<!-- Management folder -->
<Application folderId="1" folderName="Management">
<PinToStart>
<Size>Medium</Size>
<Location>
<LocationX>4</LocationX>
<LocationY>0</LocationY>
</Location>
</PinToStart>
</Application>
</Apps>
```
To add apps to the folder, include **ParentFolderId** in the application XML, as shown in the following example:
```xml
<Apps>
<!-- Outlook Calendar -->
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar">
<PinToStart>
<Size>Large</Size>
<Location>
<LocationX>0</LocationX>
<LocationY>0</LocationY>
</Location>
<ParentFolderId>1</ParentFolderId>
</PinToStart>
</Application>
<!-- Outlook Mail-->
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail">
<PinToStart>
<Size>Medium</Size>
<Location>
<LocationX>4</LocationX>
<LocationY>0</LocationY>
</Location>
<ParentFolderId>1</ParentFolderId>
</PinToStart>
</Application>
</Apps>
```
When an app is contained in a folder, its **PinToStart** configuration (tile size and location) applies to its appearance when the folder is opened.
## Buttons
![XML for buttons.](../images/ButtonsXML.jpg)
In the Buttons setting, you use ButtonLockdownList to disable hardware buttons and ButtonRemapList to change button events to open an app that you specify.
### ButtonLockdownList
When a user taps a button that is in the lockdown list, nothing will happen. The following table lists which events can be disabled for each button.
Button | Press | PressAndHold | All
---|:---:|:---:|:--:|-
Start | ![no.](../images/crossmark.png) | ![yes](../images/checkmark.png) | ![no](../images/crossmark.png)
Back | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png)
Search | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png)
Camera | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png)
Custom 1, 2, and 3 | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png)
> [!NOTE]
> Custom buttons are hardware buttons that can be added to devices by OEMs.
In the following example, press-and-hold is disabled for the Back button.
```xml
<Buttons>
<ButtonLockdownList>
<Button name="Back">
<ButtonEvent name="PressAndHold" />
</Button>
</ButtonLockdownList>
</Buttons>
```
If you don't specify a button event, all actions for the button are disabled. In the next example, all actions are disabled for the camera button.
```xml
<Buttons>
<ButtonLockdownList>
<Button name="Camera">
</Button>
</ButtonLockdownList>
</Buttons>
```
### ButtonRemapList
ButtonRemapList lets you change the app that a button will run. You can remap the Search button and any custom buttons included by the OEM. You can't remap the Back, Start, or Camera buttons.
> [!WARNING]
> Button remapping can enable a user to open an application that is not in the allow list for that user role. Use button lock down to prevent application access for a user role.
To remap a button, you specify the button, the event, and the product ID for the app that you want the event to open.
In the following example, when a user presses the Search button, the phone dialer will open instead of the Search app.
```xml
<Buttons>
<ButtonRemapList>
<Button name="Search">
<ButtonEvent name="Press">
<!-- Phone dialer -->
<Application productID="{F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7 }" parameters="" />
</ButtonEvent>
</Button>
</ButtonRemapList>
</Buttons>
```
## CSPRunner
![XML for CSP Runner.](../images/CSPRunnerXML.jpg)
You can use CSPRunner to include settings that are not defined in AssignedAccessXML. For example, you can include settings from other sections of EnterpriseAssignedAccess CSP, such as lockscreen, theme, and time zone. You can also include settings from other CSPs, such as [Wi-Fi CSP](/windows/client-management/mdm/wifi-csp) or [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
CSPRunner is helpful when you are configuring a device to support multiple roles. It lets you apply different policies according to the role that is signed on. For example, Wi-Fi could be enabled for a supervisor role and disabled for a stocking clerk role.
In CSPRunner, you specify the CSP and settings using SyncML, a standardized markup language for device management. A SyncML section can include multiple settings, or you can use multiple SyncML sections -- it's up to you how you want to organize settings in this section.
> [!NOTE]
> This description of SyncML is just the information that you need to use SyncML in a lockdown XML file. To learn more about SyncML, see [Structure of OMA DM provisioning files](/windows/client-management/mdm/structure-of-oma-dm-provisioning-files).
Let's start with the structure of SyncML in the following example:
```xml
SyncML>
<SyncBody>
<Add>|<Replace>
<CmdID>#</CmdID>
<Item>
<Target>
<LocURI>CSP Path</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">Data Type</Format>
</Meta>
<Data>Value</Data>
</Item>
</Add>|</Replace>
<Final/>
</SyncBody>
</SyncML>
```
This table explains the parts of the SyncML structure.
SyncML entry | Description
---|---
**Add** or **Replace** | Use **Add** to apply a setting or policy that is not already configured. Use **Replace** to change an existing setting or policy.
**CmdID** | SyncBody can contain multiple commands. Each command in a lockdown XML file must have a different **CmdID** value.
**Item** | **Item** is a wrapper for a single setting. You can include multiple items for the command if they all use the same **Add** or **Replace** operation.
**Target > LocURI** | **LocURI** is the path to the CSP.
**Meta > Format** | The data format required by the CSP.
**Data** | The value for the setting.
## Menu items
![XML for menu items.](../images/MenuItemsXML.png)
Use DisableMenuItems to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Apps list. You can include this entry in the default profile and in any additional user role profiles that you create.
```xml
<MenuItems>
<DisableMenuItems/>
</MenuItems>
```
## Settings
![XML for settings.](../images/SettingsXML.png)
The **Settings** section contains an `allow` list of pages in the Settings app and quick actions. The following example allows all settings.
```xml
<Settings>
<!-- Allow all settings -->
</Settings>
```
In earlier versions of Windows 10, you used the page name to define allowed settings. Starting in Windows 10, version 1703, you use the settings URI.
In the following example for Windows 10, version 1703, all system setting pages that have a settings URI are enabled.
```xml
<Settings>
<System name="ms-settings:screenrotation" />
<System name="ms-settings:notifications" />
<System name="ms-settings:phone" />
<System name="ms-settings:messaging" />
<System name="ms-settings:batterysaver" />
<System name="ms-settings:batterysaver-usagedetails" />
<System name="ms-settings:about" />
<System name="ms-settings:deviceencryption" />
<System name="ms-settings:maps" />
</Settings>
```
If you list a setting or quick action in **Settings**, all settings and quick actions that are not listed are blocked. To remove access to all of the settings in the system, do not include the settings application in [Apps](#apps).
For a list of the settings and quick actions that you can allow or block, see [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md).
## Tiles
![XML for tiles.](../images/TilesXML.png)
By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the users profile. If tile manipulation is enabled in the users profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile.
> [!IMPORTANT]
> If a device is turned off then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in users profile.
```xml
<Tiles>
<EnableTileManipulation/>
</Tiles>
```
## Start screen size
Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions. Valid values:
- Small sets the width to 4 columns on devices with short axis (less than 400epx) or 6 columns on devices with short axis (greater than or equal to 400epx).
- Large sets the width to 6 columns on devices with short axis (less than 400epx) or 8 columns on devices with short axis (greater than or equal to 400epx).
If you have existing lockdown xml, you must update start screen size if your device has >=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4.
[Learn about effective pixel width (epx) for different device size classes.](/windows/uwp/design/layout/screen-sizes-and-breakpoints-for-responsive-design)
## Configure additional roles
You can add custom configurations by role. In addition to the role configuration, you must also install a login application on the device. The app displays a list of available roles on the device; the user taps a role, such as "Manager"; the configuration defined for the "Manager" role is applied.
[Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin) For reference, see the [Windows.Embedded.DeviceLockdown API](/uwp/api/Windows.Embedded.DeviceLockdown).
In the XML file, you define each role with a GUID and name, as shown in the following example:
```xml
<Role guid="{7bb62e8c-81ba-463c-b691-74af68230b42}" name="Manager">
```
You can create a GUID using a GUID generator -- free tools are available online. The GUID needs to be unique within this XML file.
You can configure the same settings for each role as you did for the default role, except Start screen size which can only be configured for the default role. If you use CSPRunner with roles, be aware that the last CSP setting applied will be retained across roles unless explicitly changed in each role configuration. CSP settings applied by CSPRunner may conflict with settings applied by MDM.
```xml
<?xml version "1.0" encoding "utf-8"?>
<HandheldLockdown version "1.0" >
<Default>
<ActionCenter/>
<Apps/>
<Buttons/>
<CSPRunner/>
<MenuItems/>
<Settings/>
<Tiles/>
<StartScreenSize/>
</Default>
<RoleList>
<Role>
<ActionCenter/>
<Apps/>
<Buttons/>
<CSPRunner/>
<MenuItems/>
<Settings/>
<Tiles/>
</Role>
</RoleList>
</HandheldLockdown>
```
## Validate your XML
You can validate your lockdown XML file against the [EnterpriseAssignedAccess XSD](/windows/client-management/mdm/enterpriseassignedaccess-xsd).
## Add lockdown XML to a provisioning package
Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](https://go.microsoft.com/fwlink/p/?LinkId=526740)
1. Follow the instructions at [Build and apply a provisioning package](../provisioning-packages/provisioning-create-package.md) to create a project, selecting **Common to all Windows mobile editions** for your project.
2. In **Available customizations**, go to **Runtime settings** &gt; **EmbeddedLockdownProfiles** &gt; **AssignedAccessXml**.
3. In the center pane, click **Browse** to locate and select the lockdown XML file that you created.
![browse button.](../images/icdbrowse.png)
4. On the **File** menu, select **Save.**
5. On the **Export** menu, select **Provisioning package**.
6. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
7. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package.
8. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location.
Optionally, you can click **Browse** to change the default output location.
9. Click **Next**.
10. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
11. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
After you build the provisioning package, follow the instructions for [applying a provisioning package at runtime to Windows 10 Mobile](../provisioning-packages/provisioning-create-package.md).
## Push lockdown XML using MDM
After you deploy your devices, you can still configure lockdown settings through your MDM solution if it supports the [EnterpriseAssignedAccess CSP](/windows/client-management/mdm/enterpriseassignedaccess-csp).
To push lockdown settings to enrolled devices, use the AssignedAccessXML setting and use the lockdown XML as the value. The lockdown XML will be in a HandheldLockdown section that becomes XML embedded in XML, so the XML that you enter must use escaped characters (such as `&lt;` in place of &lt;). After the MDM provider pushes your lockdown settings to the device, the CSP processes the file and updates the device.
## Full Lockdown.xml example
```xml
<?xml version="1.0" encoding="utf-8"?>
<HandheldLockdown version="1.0" >
<Default>
<ActionCenter enabled="true" />
<Apps>
<!-- Settings -->
<Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
<PinToStart>
<Size>Large</Size>
<Location>
<LocationX>0</LocationX>
<LocationY>0</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Outlook Calendar -->
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar">
<PinToStart>
<Size>Small</Size>
<Location>
<LocationX>0</LocationX>
<LocationY>2</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Photos -->
<Application productId="{FCA55E1B-B9A4-4289-882F-084EF4145005}">
<PinToStart>
<Size>Medium</Size>
<Location>
<LocationX>2</LocationX>
<LocationY>2</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Edge -->
<Application productId="{395589FB-5884-4709-B9DF-F7D558663FFD}" />
<!-- Login App -->
<Application productId="{C85DC60D-30D4-4C67-A4B4-58282F1D152C}" />
</Apps>
<Buttons>
<ButtonLockdownList>
<!-- Lockdown all buttons -->
<Button name="Search">
</Button>
<Button name="Camera">
</Button>
<Button name="Custom1">
</Button>
<Button name="Custom2">
</Button>
<Button name="Custom3">
</Button>
</ButtonLockdownList>
<ButtonRemapList>
<Button name="Search">
<ButtonEvent name="Press">
<!-- Edge-->
<Application productId="{395589FB-5884-4709-B9DF-F7D558663FFD}" parameters="" />
</ButtonEvent>
</Button>
</ButtonRemapList>
</Buttons>
<CSPRunner>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<!-- zero based index of available theme colors -->
<Data>7</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeBackground</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<!-- 0 for "light", 1 for "dark" -->
<Data>1</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>c:\windows\system32\lockscreen\480x800\Wallpaper_05.jpg</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
</CSPRunner>
<MenuItems>
<DisableMenuItems/>
</MenuItems>
<Settings>
<!-- Quick actions: Brightness, Rotation -->
<System name="SystemSettings_System_Display_QuickAction_Brightness"/>
<System name="SystemSettings_System_Display_Internal_Rotation"/>
<!-- Rotation, About -->
<System name="ms-settings:screenrotation"/>
<System name="ms-settings:about"/>
<!-- Ringtones, sounds -->
<System name="ms-settings:personalizationn"/>
<System name="ms-settings:sounds"/>
</Settings>
<Tiles>
<EnableTileManipulation/>
</Tiles>
<StartScreenSize>Small</StartScreenSize>
</Default>
<RoleList>
<Role guid="{88501844-3b51-4c9f-9da7-7ca745e7da6b}" name="Associate">
<ActionCenter enabled="0"/>
<Apps>
<!-- Settings -->
<Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
<PinToStart>
<Size>Small</Size>
<Location>
<LocationX>0</LocationX>
<LocationY>0</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Outlook Calendar -->
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar">
<PinToStart>
<Size>Large</Size>
<Location>
<LocationX>0</LocationX>
<LocationY>2</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Login App -->
<Application productId="{C85DC60D-30D4-4C67-A4B4-58282F1D152C}" />
</Apps>
<Buttons />
<CSPRunner>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<!-- zero based index of available theme colors -->
<Data>10</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeBackground</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<!-- 0 for "light", 1 for "dark" -->
<Data>0</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>c:\windows\system32\lockscreen\480x800\Wallpaper_08.jpg</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
</CSPRunner>
<MenuItems>
<DisableMenuItems/>
</MenuItems>
<Settings>
<!-- Rotation, Notifications, About -->
<System name="ms-settings:screenrotation"/>
<System name="ms-settings:notifications"/>
<System name="ms-settings:about"/>
<!-- Ringtones, sounds -->
<System name="ms-settings:personalization"/>
<System name="ms-settings:sounds"/>
<!-- Workplace -->
<System name="ms-settings:workplace"/>
<System name="ms-settings:emailandaccounts"/>
</Settings>
</Role>
<Role guid="{7bb62e8c-81ba-463c-b691-74af68230b42}" name="Manager">
<ActionCenter enabled="true" />
<Apps>
<!-- Alarms and Clock -->
<Application productId="{44F7D2B4-553D-4BEC-A8B7-634CE897ED5F}">
<PinToStart>
<Size>Small</Size>
<Location>
<LocationX>0</LocationX>
<LocationY>0</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Settings -->
<Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
<PinToStart>
<Size>Small</Size>
<Location>
<LocationX>1</LocationX>
<LocationY>0</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Outlook Calendar -->
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar">
<PinToStart>
<Size>Medium</Size>
<Location>
<LocationX>2</LocationX>
<LocationY>0</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Calculator -->
<Application productId="{B58171C6-C70C-4266-A2E8-8F9C994F4456}" />
<!-- Photos -->
<Application productId="{FCA55E1B-B9A4-4289-882F-084EF4145005}">
<PinToStart>
<Size>Small</Size>
<Location>
<LocationX>0</LocationX>
<LocationY>2</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Store -->
<Application productId="{7D47D89A-7900-47C5-93F2-46EB6D94C159}">
<PinToStart>
<Size>Medium</Size>
<Location>
<LocationX>2</LocationX>
<LocationY>2</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Login App -->
<Application productId="{C85DC60D-30D4-4C67-A4B4-58282F1D152C}" />
</Apps>
<Buttons />
<CSPRunner>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<!-- zero based index of available theme colors -->
<Data>2</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeBackground</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<!-- 0 for "light", 1 for "dark" -->
<Data>1</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>c:\windows\system32\lockscreen\480x800\Wallpaper_015.jpg</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
</CSPRunner>
<MenuItems>
<DisableMenuItems/>
</MenuItems>
<Settings>
<!-- Allow all settings -->
</Settings>
<Tiles>
<EnableTileManipulation/>
</Tiles>
</Role>
</RoleList>
</HandheldLockdown>
```
## Learn more
[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)
## Related topics
[Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md)
[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md)

172
windows/configuration/mobile-devices/mobile-lockdown-designer.md
View File

@ -1,172 +0,0 @@
---
title: Use the Lockdown Designer app to create a Lockdown XML file (Windows 10)
description:
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: greg-lindsay
ms.author: greglin
ms.topic: article
ms.date: 07/27/2017
ms.reviewer:
manager: dansimp
---
# Use the Lockdown Designer app to create a Lockdown XML file
![Lockdown Designer in the Store.](../images/ldstore.png)
Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile.
When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. You can deploy the lockdown XML file by [adding it to a provisioning package](lockdown-xml.md#add-lockdown-xml-to-a-provisioning-package) or [by using mobile device management (MDM)](lockdown-xml.md#push-lockdown-xml-using-mdm).
The Lockdown Designer app helps you configure and create a lockdown XML file that you can apply to devices running Windows 10 Mobile, version 1703, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Lockdown Designer also validates the XML. Using Lockdown Designer is easier than [manually creating a lockdown XML file](lockdown-xml.md).
## Overview
Lockdown Designer can be installed on a PC running Windows 10, version 1607 or later. After you install the app, you connect a mobile device running Windows 10 Mobile, version 1703, to the PC.
>[!NOTE]
>Lockdown Designer will not make any changes to the connected device, but we recommend that you use a test device.
Lockdown Designer will populate the available settings and apps to configure from the connected device. Using the different pages in the app, you select the settings, apps, and layout to be included in the lockdown XML.
When you're done, you export the configuration to a lockdown XML file. This configuration can be applied to any device running Windows 10 Mobile, version 1703.
>[!NOTE]
>You can also import an existing WEHLockdown.xml file to Lockdown Designer and modify it in the app.
## Prepare the test mobile device
Perform these steps on the device running Windows 10 Mobile that you will use to supply the settings, apps, and layout to Lockdown Designer.
1. Install all apps on the device that you want to include in the configuration, including line-of-business apps.
2. On the mobile device, go to **Settings** > **Update & security** > **For developers**, enable **Developer mode**.
3. Read the disclaimer, then click **Yes** to accept the change.
4. Enable **Device discovery**, and then turn on **Device Portal**.
>[!IMPORTANT]
>Check **Settings > Personalization > Start > Show more tiles** on the test mobile device. If **Show more tiles** is **On**, you must select **Large** on the [**Start screen** page](#start) in Lockdown Designer. If you want to apply a **Small** layout, set **Show more tiles** on the test mobile device to **Off**.
>
>![turn off show more tiles for small start screen size.](../images/show-more-tiles.png)
## Prepare the PC
[Install Lockdown Designer](https://www.microsoft.com/store/r/9nblggh40753) on the PC.
If the PC and the test mobile device are on the same Wi-Fi network, you can connect the devices using Wi-Fi.
If you want to connect the PC and the test mobile device using a USB cable, perform the following steps on the PC:
1. [Install the Windows 10 Software Development Kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-10-sdk). This enables the **Windows Phone IP over USB Transport (IpOverUsbSvc)** service.
2. Open a command prompt as an administrator and run `checknetisolation LoopbackExempt -a -n=microsoft.lockdowndesigner_8wekyb3d8bbwe`
>[!NOTE]
>Loopback is permitted only for development purposes. To remove the loopback exemption when you're done using Lockdown Designer, run `checknetisolation LoopbackExempt -d -n=microsoft.lockdowndesigner_8wekyb3d8bbwe`
<span id="pair" />
## Connect the mobile device to Lockdown Designer
**Using Wi-Fi**
1. Open Lockdown Designer.
2. Click **Create new project**.
3. On the test mobile device, go to **Settings** > **Update & security** > **For developers** > **Connect using:** and get the IP address listed for **Wi-Fi**.
2. On the **Project setting** > **General settings** page, in **Remote device IP address**, enter the IP address for the test mobile device, using `https://`.
3. Click **Pair**.
![Pair.](../images/ld-pair.png)
**Connect to remote device** appears.
4. On the mobile device, under **Device discovery**, tap **Pair**. A case-sensitive code is displayed.
5. On the PC, in **Connect to remote device**, enter the code from the mobile device.
6. Next, click **Sync** to pull information from the device in to Lockdown Designer.
![Sync.](../images/ld-sync.png)
7. Click the **Save** icon and enter a name for your project.
**Using a USB cable**
1. Open Lockdown Designer.
2. Click **Create new project**.
2. Connect a Windows 10 Mobile device to the PC by USB and unlock the device.
3. On the **Project setting** > **General settings** page, click **Pair**.
![Pair.](../images/ld-pair.png)
**Connect to remote device** appears.
4. On the mobile device, under **Device discovery**, tap **Pair**. A case-sensitive code is displayed.
5. On the PC, in **Connect to remote device**, enter the code from the mobile device.
6. Next, click **Sync** to pull information from the device in to Lockdown Designer.
![Sync.](../images/ld-sync.png)
7. Click the **Save** icon and enter a name for your project.
## Configure your lockdown XML settings
The apps and settings available in the pages of Lockdown Designer should now be populated from the test mobile device. The following table describes what you can configure on each page.
| Page | Description |
| --- | --- |
| ![Applications.](../images/ld-apps.png) | Each app from the test mobile device is listed. Select the apps that you want visible to users.</br></br>You can select an app to run automatically when a user signs in to the device. The **Select Auto-Run** menu is populated by the apps that you select to allow on the device. |
| ![CSP Runner.](../images/ld-csp.png) | CSPRunner enables you to include settings and policies that are not defined in other sections of the app. To make use of CSPRunner, you must create the SyncML block that contains the settings, and then import the SyncML in Lockdown Designer. [Learn how to use CSPRunner and author SyncML.](lockdown-xml.md#csprunner) |
| ![Settings.](../images/ld-settings.png) | On this page, you select the settings that you want visible to users. See the [ms settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to see which Settings page maps to a URI. |
| ![Quick actions.](../images/ld-quick.png) | On this page, you select the settings that you want visible to users. |
| ![Buttons.](../images/ld-buttons.png) | Each hardware button on a mobile device has different actions that can be disabled. In addition, the behavior for **Search** button can be changed to open an app other than **Search**.</br></br>Some devices may have additional hardware buttons provided by the OEM. These are listed as Custom1, Custom2, and Custom3. If your device has custom hardware buttons, contact your equipment provider to identify how their custom buttons are defined. |
| ![Other settings.](../images/ld-other.png) | This page contains several settings that you can configure:</br></br>- The context menu is displayed when a user presses and holds an application in the All Apps list. You can enable or disable the context menu.</br></br>- Tile manipulation allows users to pin, unpin, move, and resize tiles on the Start screen. You can enable or disable tile manipulation.</br></br>- The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both. |
| <span id="start" />![Start screen.](../images/ld-start.png) | On this page, you can start a remote simulation session with the test mobile device. Click **Start remote simulation**. You will see a **Start screen remote simulation in progress** message on the PC. (If the **Start remote simulation** button is not active, [pair the mobile device with the PC again](#pair).)</br></br>On the test mobile device, tiles for the apps that you allowed on the **Applications** page are displayed on the screen. You can move, resize, or unpin these tiles to achieve the desired layout.</br></br>When you are done changing the layout on the test mobile device, click **Accept** on the PC. |
## Validate and export
On the **Validate and export** page, click **Validate** to make sure your lockdown XML is valid.
>[!WARNING]
>Lockdown Designer cannot validate SyncML that you imported to CSPRunner.
Click **Export** to generate the XML file for your project. You can select the location to save the file.
## Create and configure multiple roles
You can create additional roles for the device and have unique configurations for each role. For example, you could have one configuration for a **Manager** role and a different configuration for a **Salesperson** role.
>[!NOTE]
>Using multiple roles on a device requires a login application that displays the list of roles and allows users to sign in to Azure Active Directory. [Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin)
**For each role:**
1. On the **Project setting** page, click **Role management**.
2. Click **Add a role**.
3. Enter a name for the role, and then click **Save**.
4. Configure the settings for the role as above, but make sure on each page that you select the correct role.
![Current role selection box.](../images/ld-role.png)

254
windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md
View File

@ -1,254 +0,0 @@
---
title: Product IDs in Windows 10 Mobile (Windows 10)
description: You can use the product ID and Application User Model (AUMID) in Lockdown.xml to specify apps that will be available to the user.
ms.assetid: 31116BED-C16A-495A-BD44-93218A087A1C
ms.reviewer:
manager: dansimp
keywords: ["lockdown"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: greg-lindsay
ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.date: 07/27/2017
---
# Product IDs in Windows 10 Mobile
**Applies to**
- Windows 10 Mobile
You can use the product ID and Application User Model (AUMID) in Lockdown.xml to specify apps that will be available to the user.
## Apps included in Windows 10 Mobile
The following table lists the product ID and AUMID for each app that is included in Windows 10 Mobile.
<table>
<thead>
<tr class="header">
<th align="left">App</th>
<th align="left">Product ID</th>
<th align="left">AUMID</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">Alarms and clock</td>
<td align="left">44F7D2B4-553D-4BEC-A8B7-634CE897ED5F</td>
<td align="left">Microsoft.WindowsAlarms_8wekyb3d8bbwe!App</td>
</tr>
<tr class="even">
<td align="left">Calculator</td>
<td align="left">B58171C6-C70C-4266-A2E8-8F9C994F4456</td>
<td align="left">Microsoft.WindowsCalculator_8wekyb3d8bbwe!App</td>
</tr>
<tr class="odd">
<td align="left">Camera</td>
<td align="left">F0D8FEFD-31CD-43A1-A45A-D0276DB069F1</td>
<td align="left">Microsoft.WindowsCamera_8wekyb3d8bbwe!App</td>
</tr>
<tr class="even">
<td align="left">Contact Support</td>
<td align="left">0DB5FCFF-4544-458A-B320-E352DFD9CA2B</td>
<td align="left">Windows.ContactSupport_cw5n1h2txyewy!App</td>
</tr>
<tr class="odd">
<td align="left">Cortana</td>
<td align="left">FD68DCF4-166F-4C55-A4CA-348020F71B94</td>
<td align="left">Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI</td>
</tr>
<tr class="even">
<td align="left">Excel</td>
<td align="left">EAD3E7C0-FAE6-4603-8699-6A448138F4DC</td>
<td align="left">Microsoft.Office.Excel_8wekyb3d8bbwe!microsoft.excel</td>
</tr>
<tr class="odd">
<td align="left">Facebook</td>
<td align="left">82A23635-5BD9-DF11-A844-00237DE2DB9E</td>
<td align="left">Microsoft.MSFacebook_8wekyb3d8bbwe!x82a236355bd9df11a84400237de2db9e</td>
</tr>
<tr class="even">
<td align="left">File Explorer</td>
<td align="left">C5E2524A-EA46-4F67-841F-6A9465D9D515</td>
<td align="left">c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy!App</td>
</tr>
<tr class="odd">
<td align="left">FM Radio</td>
<td align="left">F725010E-455D-4C09-AC48-BCDEF0D4B626</td>
<td align="left">N/A</td>
</tr>
<tr class="even">
<td align="left">Get Started</td>
<td align="left">B3726308-3D74-4A14-A84C-867C8C735C3C</td>
<td align="left">Microsoft.Getstarted_8wekyb3d8bbwe!App</td>
</tr>
<tr class="odd">
<td align="left">Groove Music</td>
<td align="left">D2B6A184-DA39-4C9A-9E0A-8B589B03DEC0</td>
<td align="left">Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic</td>
</tr>
<tr class="even">
<td align="left">Maps</td>
<td align="left">ED27A07E-AF57-416B-BC0C-2596B622EF7D</td>
<td align="left">Microsoft.WindowsMaps_8wekyb3d8bbwe!App</td>
</tr>
<tr class="odd">
<td align="left">Messaging</td>
<td align="left">27E26F40-E031-48A6-B130-D1F20388991A</td>
<td align="left">Microsoft.Messaging_8wekyb3d8bbwe!x27e26f40ye031y48a6yb130yd1f20388991ax</td>
</tr>
<tr class="even">
<td align="left">Microsoft Edge</td>
<td align="left">395589FB-5884-4709-B9DF-F7D558663FFD</td>
<td align="left">Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge</td>
</tr>
<tr class="odd">
<td align="left">Money</td>
<td align="left">1E0440F1-7ABF-4B9A-863D-177970EEFB5E</td>
<td align="left">Microsoft.BingFinance_8wekyb3d8bbwe!AppexFinance</td>
</tr>
<tr class="even">
<td align="left">Movies and TV</td>
<td align="left">6AFFE59E-0467-4701-851F-7AC026E21665</td>
<td align="left">Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo</td>
</tr>
<tr class="odd">
<td align="left">News</td>
<td align="left">9C3E8CAD-6702-4842-8F61-B8B33CC9CAF1</td>
<td align="left">Microsoft.BingNews_8wekyb3d8bbwe!AppexNews</td>
</tr>
<tr class="even">
<td align="left">OneDrive</td>
<td align="left">AD543082-80EC-45BB-AA02-FFE7F4182BA8</td>
<td align="left">Microsoft.MicrosoftSkydrive_8wekyb3d8bbwe!App</td>
</tr>
<tr class="odd">
<td align="left">OneNote</td>
<td align="left">CA05B3AB-F157-450C-8C49-A1F127F5E71D</td>
<td align="left">Microsoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim</td>
</tr>
<tr class="even">
<td align="left">Outlook Calendar</td>
<td align="left"><p>A558FEBA-85D7-4665-B5D8-A2FF9C19799B</p></td>
<td align="left"><p>Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Calendar</p></td>
</tr>
<tr class="odd">
<td align="left">Outlook Mail</td>
<td align="left"><p>A558FEBA-85D7-4665-B5D8-A2FF9C19799B</p></td>
<td align="left"><p>Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Mail</p></td>
</tr>
<tr class="even">
<td align="left">People</td>
<td align="left">60BE1FB8-3291-4B21-BD39-2221AB166481</td>
<td align="left">Microsoft.People_8wekyb3d8bbwe!xb94d6231y84ddy49a8yace3ybc955e769e85x</td>
</tr>
<tr class="odd">
<td align="left">Phone (dialer)</td>
<td align="left">F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7</td>
<td align="left">Microsoft.CommsPhone_8wekyb3d8bbwe!App</td>
</tr>
<tr class="even">
<td align="left">Photos</td>
<td align="left">FCA55E1B-B9A4-4289-882F-084EF4145005</td>
<td align="left">Microsoft.Windows.Photos_8wekyb3d8bbwe!App</td>
</tr>
<tr class="odd">
<td align="left">Podcasts</td>
<td align="left">C3215724-B279-4206-8C3E-61D1A9D63ED3</td>
<td align="left">Microsoft.MSPodcast_8wekyb3d8bbwe!xc3215724yb279y4206y8c3ey61d1a9d63ed3x</td>
</tr>
<tr class="even">
<td align="left">Powerpoint</td>
<td align="left">B50483C4-8046-4E1B-81BA-590B24935798</td>
<td align="left">Microsoft.Office.PowerPoint_8wekyb3d8bbwe!microsoft.pptim</td>
</tr>
<tr class="odd">
<td align="left">Settings</td>
<td align="left">2A4E62D8-8809-4787-89F8-69D0F01654FB</td>
<td align="left">2a4e62d8-8809-4787-89f8-69d0f01654fb_8wekyb3d8bbwe!App</td>
</tr>
<tr class="even">
<td align="left">Skype</td>
<td align="left">C3F8E570-68B3-4D6A-BDBB-C0A3F4360A51</td>
<td align="left">Microsoft.SkypeApp_kzf8qxf38zg5c!Skype.AppId</td>
</tr>
<tr class="odd">
<td align="left">Skype Video</td>
<td align="left">27E26F40-E031-48A6-B130-D1F20388991A</td>
<td align="left">Microsoft.Messaging_8wekyb3d8bbwe!App</td>
</tr>
<tr class="even">
<td align="left">Sports</td>
<td align="left">0F4C8C7E-7114-4E1E-A84C-50664DB13B17</td>
<td align="left">Microsoft.BingSports_8wekyb3d8bbwe!AppexSports</td>
</tr>
<tr class="odd">
<td align="left">Storage</td>
<td align="left">5B04B775-356B-4AA0-AAF8-6491FFEA564D</td>
<td align="left">N/A</td>
</tr>
<tr class="even">
<td align="left">Store</td>
<td align="left">7D47D89A-7900-47C5-93F2-46EB6D94C159</td>
<td align="left">Microsoft.WindowsStore_8wekyb3d8bbwe!App</td>
</tr>
<tr class="odd">
<td align="left">Voice recorder</td>
<td align="left">7311B9C5-A4E9-4C74-BC3C-55B06BA95AD0</td>
<td align="left">Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe!App</td>
</tr>
<tr class="even">
<td align="left">Wallet</td>
<td align="left">587A4577-7868-4745-A29E-F996203F1462</td>
<td align="left">Microsoft.MicrosoftWallet_8wekyb3d8bbwe!App</td>
</tr>
<tr class="odd">
<td align="left">Weather</td>
<td align="left">63C2A117-8604-44E7-8CEF-DF10BE3A57C8</td>
<td align="left">Microsoft.BingWeather_8wekyb3d8bbwe!App</td>
</tr>
<tr class="even">
<td align="left">Windows Feedback</td>
<td align="left">7604089D-D13F-4A2D-9998-33FC02B63CE3</td>
<td align="left">Microsoft.WindowsFeedback_8wekyb3d8bbwe!App</td>
</tr>
<tr class="odd">
<td align="left">Word</td>
<td align="left">258F115C-48F4-4ADB-9A68-1387E634459B</td>
<td align="left">Microsoft.Office.Word_8wekyb3d8bbwe!microsoft.word</td>
</tr>
<tr class="even">
<td align="left">Xbox</td>
<td align="left">B806836F-EEBE-41C9-8669-19E243B81B83</td>
<td align="left">Microsoft.XboxApp_8wekyb3d8bbwe!Microsoft.XboxApp</td>
</tr>
</tbody>
</table>
 
## Related topics
[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)
[Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md)
 
 

91
windows/configuration/mobile-devices/provisioning-configure-mobile.md
View File

@ -1,91 +0,0 @@
---
title: Configure Windows 10 Mobile devices with Configuration Designer
description: Use Windows Configuration Designer to configure Windows 10 Mobile devices
keywords: phone, handheld, lockdown, customize
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: greg-lindsay
ms.author: greglin
ms.topic: article
ms.date: 07/27/2017
ms.reviewer:
manager: dansimp
---
# Use Windows Configuration Designer to configure Windows 10 Mobile devices
Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using provisioning packages, you can easily specify desired configuration, settings, and information required to enroll the devices into management, and then apply that configuration to target devices in a matter of minutes.
A provisioning package (.ppkg) is a container for a collection of configuration settings. Using Windows Configuration Designer, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
Windows Configuration Designer can be installed from the [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). Windows Configuration Designer is also available as an app in the Microsoft Store. [Learn more about installing Windows Configuration Designer.](../provisioning-packages/provisioning-install-icd.md)
## Create a provisioning package using the wizard
The **Provision Windows mobile devices** wizard lets you configure common settings for devices running Windows 10 Mobile in a simple, graphical workflow.
### Start a new project
1. Open Windows Configuration Designer:
- From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click the Windows Configuration Designer shortcut,
or
- If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**.
2. On the **Start** page, choose **Provision Windows mobile devices**.
3. Enter a name for your project, and then click **Next**.
### Configure settings in the wizard
<table>
<tr><td valign="top"><img src="../images/one.png" alt="step one"/><img src="../images/set-up-device-mobile.png" alt="set up device"/></br></br>Enter a device name.</br></br> Optionally, you can enter a product key to upgrade the device from Windows 10 Mobile to Windows 10 Mobile Enterprise. </td><td><img src="../images/set-up-device-details-mobile.png" alt="device name, upgrade license"/></td></tr>
<tr><td valign="top"><img src="../images/two.png" alt="step two"/> <img src="../images/set-up-network-mobile.png" alt="set up network"/></br></br>Toggle <strong>On</strong> or <strong>Off</strong> for wireless network connectivity. </br></br>If you select <strong>On</strong>, enter the SSID, network type (<strong>Open</strong> or <strong>WPA2-Personal</strong>), and (if <strong>WPA2-Personal</strong>) the password for the wireless network.</td><td><img src="../images/set-up-network-details-mobile.png" alt="Enter network SSID and type"/></td></tr>
<tr><td valign="top"><img src="../images/three.png" alt="step three"/> <img src="../images/bulk-enroll-mobile.png" alt="bulk enrollment in Azure Active Directory"/></br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, <a href="/azure/active-directory/active-directory-azureadjoin-setup" data-raw-source="[set up Azure AD join in your organization](/azure/active-directory/active-directory-azureadjoin-setup)">set up Azure AD join in your organization</a>. The <strong>maximum number of devices per user</strong> setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. </br></br> Set an expiration date for the token (maximum is 180 days from the date you get the token). Click <strong>Get bulk token</strong>. In the <strong>Let&#39;s get you signed in</strong> window, enter an account that has permissions to join a device to Azure AD, and then the password. Click <strong>Accept</strong> to give Windows Configuration Designer the necessary permissions.</br></br><strong>Warning:</strong> You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards. </td><td><img src="../images/bulk-enroll-mobile-details.png" alt="Enter expiration and get bulk token"/></td></tr>
<tr><td valign="top"><img src="../images/four.png" alt="step four"/> <img src="../images/finish-mobile.png" alt="finish"/></br></br>You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.</td><td><img src="../images/finish-details-mobile.png" alt="Protect your package"/></td></tr>
</table>
After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page.
### Apply provisioning package
You can apply a provisioning package to a device running Windows 10 Mobile by using:
- removable media
- copying the provisioning package to the device
- [NFC tags](provisioning-nfc.md)
- [barcodes](provisioning-package-splitter.md)
### Using removable media
1. Insert an SD card containing the provisioning package into the device.
2. Navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install.
![add a package option.](../images/packages-mobile.png)
3. Click **Add**.
4. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
![Is this package from a source you trust.](../images/package-trust.png)
### Copying the provisioning package to the device
1. Connect the device to your PC through USB.
2. On the PC, select the provisioning package that you want to use to provision the device and then drag and drop the file to your device.
3. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
![Is this package from a source you trust.](../images/package-trust.png)
## Related topics
- [NFC-based device provisioning](provisioning-nfc.md)
- [Use the package splitter tool](provisioning-package-splitter.md)

144
windows/configuration/mobile-devices/provisioning-nfc.md
View File

@ -1,144 +0,0 @@
---
title: NFC-based device provisioning (Windows 10)
description:
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: greg-lindsay
ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.date: 07/27/2017
ms.reviewer:
manager: dansimp
---
# NFC-based device provisioning
**Applies to**
- Windows 10 Mobile
Near field communication (NFC) enables Windows 10 Mobile Enterprise and Windows 10 Mobile devices to communicate with an NFC tag or another NFC-enabled transmitting device. Enterprises that do bulk provisioning can use NFC-based device provisioning to provide a provisioning package to the device that's being provisioned. NFC provisioning is simple and convenient and it can easily store an entire provisioning package.
The NFC provisioning option enables the administrator to provide a provisioning package during initial device setup (the out-of-box experience or OOBE phase). Administrators can use the NFC provisioning option to transfer provisioning information to persistent storage by tapping an unprovisioned mobile device to an NFC tag or NFC-enabled device. To use NFC for pre-provisioning a device, you must either prepare your own NFC tags by storing your provisioning package to a tag as described in this section, or build the infrastructure needed to transmit a provisioning package between an NFC-enabled device and a mobile device during OOBE.
## Provisioning OOBE UI
All Windows 10 Mobile Enterprise and Windows 10 Mobile images have the NFC provisioning capability incorporated into the operating system. On devices that support NFC and are running Windows 10 Mobile Enterprise or Windows 10 Mobile, NFC-based device provisioning provides an additional mechanism to provision the device during OOBE.
On all Windows devices, device provisioning during OOBE can be triggered by 5 fast taps on the Windows hardware key, which shows the **Provision this device** screen. In the **Provision this device** screen, select **NFC** for NFC-based provisioning.
![Example of Provision this device screen.](../images/nfc.png)
If there is an error during NFC provisioning, the device will show a message if any of the following errors occur:
- **NFC initialization error** - This can be caused by any error that occurs before data transfer has started. For example, if the NFC driver isn't enabled or there's an error communicating with the proximity API.
- **Interrupted download or incomplete package transfer** - This error can happen if the peer device is out of range or the transfer is aborted. This error can be caused whenever the device being provisioned fails to receive the provisioning package in time.
- **Incorrect package format** - This error can be caused by any protocol error that the operating system encounters during the data transfer between the devices.
- **NFC is disabled by policy** - Enterprises can use policies to disallow any NFC usage on the managed device. In this case, NFC functionality is not enabled.
## NFC tag
You can use an NFC tag for minimal provisioning and use an NFC-enabled device tag for larger provisioning packages.
The protocol used for NFC-based device provisioning is similar to the one used for NFC provisioning on Windows Embedded 8.1 Handheld, which supported both single-chunk and multi-chunk transfer when the total transfer didn't fit in one NDEP message size. In Windows 10, the provisioning stack contains the following changes:
- **Protocol namespace** - The protocol namespace has changed from Windows.WEH.PreStageProv.Chunk to Windows.ProvPlugins.Chunk.
- **Tag data type** - The tag data type has changed from UTF-8 into binary raw data.
>[!NOTE]
>The NFC tag doesn't go in the secondary device. You can transfer the NFC tag by using a provisioning package from device-to-device using the NFC radio or by re-reading the provisioning package from an NFC tag.
### NFC tag components
NFC tags are suitable for very light applications where minimal provisioning is required. The size of NFC tags that contain provisioning packages is typically 4 KB to 10 KB.
To write to an NFC tag, you will need to use an NFC Writer tool, or you can use the [ProximityDevice class API](/uwp/api/Windows.Networking.Proximity.ProximityDevice) to write your own custom tool to transfer your provisioning package file to your NFC tag. The tool must publish a binary message (write) a Chunk data type to your NFC tag.
The following table describes the information that is required when writing to an NFC tag.
| Required field | Description |
| --- | --- |
| **Type** | Windows.ProvPlugins.Chunk<br></br>The receiving device uses this information to understand information in the Data field. |
| **Data** | Tag data with small header in raw binary format that contains a chunk of the provisioning package to be transferred. |
### NFC provisioning helper
The NFC provisioning helper device must split the provisioning package raw content into multiple parts and publish these in order. Each part should follow the following format:
<table><tr><td><strong>Version</strong></br>(1 byte)</td><td><strong>Leading</strong><br>(1 byte)</td><td><strong>Order</strong></br>(1 byte)</td><td><strong>Total</strong></br>(1 byte)</td><td><strong>Chunk payload</strong></br>(N bytes)</td></tr></table>
For each part:
- <strong>Version</strong> should always be 0x00.
- <strong>Leading byte</strong> should always be 0xFF.
- <strong>Order</strong> represents which message chunk (out of the whole message) the part belongs to. The Order begins with zero (0).
- <strong>Total</strong> represents the total number of chunks to be transferred for the whole message.
- <strong>Chunk payload</strong> represents each of the split parts.
The NFC provisioning helper device must publish the record in a type of Windows.ProvPlugins.Chunk.
**Code example**
The following example shows how to write to an NFC tag. This example assumes that the tag is already in range of the writing device.
```
private async void WriteProvPkgToTag(IStorageFile provPkgFile)
{
var buffer = await FileIO.ReadBufferAsync(provPkgFile);
if (null == buffer)
{
return;
}
var proximityDevice = Windows.Networking.Proximity.ProximityDevice.GetDefault();
if (null == proximityDevice)
{
return;
}
var dataWriter = new DataWriter();
var header = new NfcProvHeader();
header.version = NFC_PROV_MESSAGE_CURRENT_VERSION; // Currently the supported version is 0x00.
header.leading = NFC_PROV_MESSAGE_LEADING_BYTE; // The leading byte should be always 0xFF.
header.index = 0; // Assume we only have 1 chunk.
header.total = 1; // Assume we only have 1 chunk.
// Write the header first and then the raw data of the provisioning package.
dataWriter.WriteBytes(GetBytes(header));
dataWriter.WriteBuffer(buffer);
var chunkPubId = proximityDevice.PublishBinaryMessage(
"Windows:WriteTag.ProvPlugins.Chunk",
dataWriter.DetachBuffer());
}
```
### NFC-enabled device tag components
Provisioning from an NFC-enabled source device allows for larger provisioning packages than can be transferred using an NFC tag. When provisioning from an NFC-enabled device, we recommend that the total file size not exceed 120 KB. Be aware that the larger the NFC file is, the longer it will take to transfer the provisioning file. Depending on your NFC hardware, the transfer time for a 120 KB file will vary between 2.5 seconds and 10 seconds.
To provision from an NFC-enabled source device, use [ProximityDevice class API](/uwp/api/Windows.Networking.Proximity.ProximityDevice) to write your own custom tool that transfers your provisioning package in chunks to your target mobile device. The tool must publish binary messages (transmit) a Header message, followed by one or more Chunk messages. The Header specifies the total amount of data that will be transferred to the target device; the Chunks must contain binary raw data formatted provisioning data, as shown in the NFC tag components section.
For detailed information and code samples on how to implement an NFC-enabled device tag, see **ConvertToNfcMessageAsync** in [this GitHub NfcProvisioner Universal Windows app example](https://github.com/Microsoft/Windows-universal-samples/blob/master/Samples/NfcProvisioner/cs/Scenario1.xaml.cs). The sample app shows you how to host the provisioning package on a master device so that you can transfer it to the receiving device.
## Related topics
- [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md)
- [Barcode provisioning and the package splitter tool](provisioning-package-splitter.md)

93
windows/configuration/mobile-devices/provisioning-package-splitter.md
View File

@ -1,93 +0,0 @@
---
title: Barcode provisioning and the package splitter tool (Windows 10)
description:
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: greg-lindsay
ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.date: 07/27/2017
ms.reviewer:
manager: dansimp
---
# Barcode provisioning and the package splitter tool
**Applies to**
- Windows 10 Mobile
Enterprises that do bulk provisioning can use barcode-based device provisioning to provide a provisioning package to the device that's being provisioned.
The barcode provisioning option enables the administrator to provide a provisioning package during initial device setup (the out-of-box experience or OOBE phase). To use barcodes to provision a device, your devices must have an integrated barcode scanner. You can get the barcode format that the scanner supports from your OEM or device provider, and use your existing tools and processes to convert a provisioning package into barcodes.
Enterprise IT professionals who want to use a barcode to provision mobile devices during OOBE can use the package splitter tool, **ppkgtobase64.exe**, which is a command-line tool to split the provisioning package into smaller files.
The smallest provisioning package is typically 5-6 KB, which cannot fit into one single barcode. The package splitter tool allows partners to split the original provisioning package into multiple smaller sized chunks that are encoded with Base64 so that enterprises can leverage their existing tools to convert these files into barcodes.
When you [install Windows Configuration Designer](../provisioning-packages/provisioning-install-icd.md) from the Windows Assessment and Deployment Kit (ADK), **ppkgtobase64.exe** is installed to the same folder.
## Prerequisites
Before you can use the tool, you must have a built provisioning package. The package file is the input to the package splitter tool.
- To build a provisioning package using the Windows Configuration Designer UI, see [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md).
- To build a provisioning package using the Windows Configuration Designer CLI, see [Windows Configuration Designer command-line interface](../provisioning-packages/provisioning-command-line.md).
## To use the package splitter tool (ppkgtobase64.exe)
1. Open a command-line window with administrator privileges.
2. From the command-line, navigate to the Windows Configuration Designer install directory.
On an x64 computer, type:
```
cd C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86
```
- or -
On an x86 computer, type:
```
cd C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86
```
3. Run `ppkgtobase64.exe`. The [syntax](#syntax) and [switches and arguments](#switches-and-arguments) sections provide details for the command.
### Syntax
```
ppkgtobase64.exe -i <InputFile> -o <OutputDirectory> -s <BlockSize> [-c] [/?]
```
### Switches and arguments
| Switch | Required? | Arguments |
| --- | --- | --- |
| -i | Yes | Use to specify the path and file name of the provisioning package that you want to divide into smaller files.</br></br>The tool allows you to specify the absolute path of the provisioning package file. However, if you don't specify the path, the tool will search the current folder for a package that matches the file name you specified. |
| -o | Yes | Use to specify the directory where the output files will be saved. |
| -s | Yes | Use to specify the size of the block that will be encoded in Base64. |
| -c | No | Use to delete any files in the output directory if the directory already exists. This parameter is optional. |
| /? | No | Lists the switches and their descriptions for the command-line tool or for certain commands. |
## Related topics

202
windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
View File

@ -1,202 +0,0 @@
---
title: Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise (Windows 10)
description: A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings.
ms.assetid: 35EC82D8-D9E8-45C3-84E9-B0C8C167BFF7
ms.reviewer:
manager: dansimp
keywords: kiosk, lockdown, assigned access
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile
author: greg-lindsay
ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.date: 07/27/2017
---
# Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise
**Applies to**
- Windows 10 Mobile
A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You use the [Enterprise Assigned Access](#enterprise-assigned-access) configuration service provider (CSP) to configure a kiosk experience. You can also configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise, version 1607 or earlier, for kiosk mode by using the [Apps Corner](#apps-corner) feature. (Apps Corner is removed in version 1703.)
## Enterprise Assigned Access
Enterprise Assigned Access allows you to put your Windows 10 Mobile or Windows 10 Mobile Enterprise device in kiosk mode by creating a user role that has only a single app, set to run automatically, in the Allow list.
>[!NOTE]
>The app can be a Universal Windows app, Universal Windows Phone 8 app, or a legacy Silverlight app.
### Set up Enterprise Assigned Access in MDM
In AssignedAccessXml, for Application, you enter the product ID for the app to run in kiosk mode. Find product IDs at [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md).
[See the technical reference for the Enterprise Assigned Access configuration service provider (CSP).](/windows/client-management/mdm/enterpriseassignedaccess-csp)
### Set up assigned access using Windows Configuration Designer
>[!IMPORTANT]
>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
#### Create the *AssignedAccess*.xml file
1. Create an *AssignedAccess*.xml file that specifies the app the device will run. (You can name use any file name.) For instructions on AssignedAccessXml, see [EnterpriseAssignedAccess CSP](/windows/client-management/mdm/enterpriseassignedaccess-csp).
>[!NOTE]
>Do not escape the xml in *AssignedAccess*.xml file as Windows Configuration Designer will do that when building the package. Providing escaped xml in Windows ICD will cause building the package fail.
#### Create the provisioning package
1. [Install Windows Configuration Designer.](../provisioning-packages/provisioning-install-icd.md)
2. Open Windows Configuration Designer (if you installed it from the Windows ADK, `%windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe`).
3. Choose **Advanced provisioning**.
4. Name your project, and click **Next**.
5. Choose **All Windows mobile editions** and click **Next**.
6. On **New project**, click **Finish**. The workspace for your package opens.
7. Expand **Runtime settings** &gt; **EmbeddedLockdownProfiles**, and click **AssignedAccessXml**.
8. Click **Browse** to select the *AssignedAccess*.xml file.
9. On the **File** menu, select **Save.**
10. On the **Export** menu, select **Provisioning package**.
11. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
12. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
- **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package.
13. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location.
Optionally, you can click **Browse** to change the default output location.
14. Click **Next**.
15. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
16. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
17. Select the **output location** link to go to the location of the package.
#### Distribute the provisioning package
You can distribute that .ppkg to mobile devices using any of the following methods:
- Removable media (USB/SD)
**To apply a provisioning package from removable media**
1. Copy the provisioning package file to the root directory on a micro SD card.
2. On the device, insert the micro SD card containing the provisioning package.
3. Go to **Settings** &gt; **Accounts** &gt; **Provisioning.**
4. Tap **Add a package**.
5. On the **Choose a method** screen, in the **Add from** dropdown menu, select **Removable Media**.
6. Select a package will list all available provisioning packages on the micro SD card. Tap the desired package, and then tap **Add**.
7. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**.
8. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device.
- Email
**To apply a provisioning package sent in email**
1. Send the provisioning package in email to an account on the device.
2. Open the email on the device, and then double-tap the attached file.
3. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**.
4. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device.
- USB tether
**To apply a provisioning package using USB tether**
1. Connect the device to your PC by USB.
2. Select the provisioning package that you want to use to provision the device, and then drag and drop the file to your device.
3. The provisioning package installation dialog will appear on the phone.
4. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**.
5. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device.
## Apps Corner
>[!NOTE]
>For Windows 10, versions 1507, 1511, and 1607 only.
Apps Corner lets you set up a custom Start screen on your Windows 10 Mobile or Windows 10 Mobile Enterprise device, where you can share only the apps you choose with the people you let use your device. You configure a device for kiosk mode by selecting a single app to use in Apps Corner.
**To set up Apps Corner**
1. On Start ![start.](../images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](../images/settingsicon.png) &gt; **Accounts** &gt; **Apps Corner**.
2. Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done ![done icon.](images/doneicon.png).
3. If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. Press **Back** ![back.](../images/backicon.png) to the Apps Corner settings.
4. Turn **Action center** on or off, depending on whether you want people to be able to use these features when using the device in kiosk mode.
5. Tap **advanced**, and then turn features on or off, depending on whether you want people to be able to use them.
6. Press **Back** ![back.](../images/backicon.png) when you're done.
**To use Apps Corner**
1. On Start ![start.](../images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](../images/settingsicon.png) &gt; **Accounts** &gt; **Apps Corner** &gt; launch ![launch](../images/launchicon.png).
>[!TIP]
>Want to get to Apps Corner with one tap? In **Settings**, tap **Apps Corner** &gt; **pin** to pin the Apps Corner tile to your Start screen.
2. Give the device to someone else, so they can use the device and only the one app you chose.
3. When they're done and you get the device back, press and hold Power ![power.](../images/powericon.png), and then swipe right to exit Apps Corner.
## Related topics
[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](../kiosk-single-app.md)
[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)
[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md)

Some files were not shown because too many files have changed in this diff Show More