diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 16ad861b5d..bfb230b9d4 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -12,10 +12,9 @@ author: jdeckerMS # Technical reference for the Set up School PCs app (Preview) **Applies to:** -- Windows 10 Insider Preview +- Windows 10 -> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] The **Set up School PCs** app helps you set up new Windows 10 PCs that work great in your school by configuring shared PC mode, available in Windows 10, version 1607. **Set up School PCs** also configures school-specific settings and policies, described in this topic. diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md index 2ea186cf15..d061b438b7 100644 --- a/education/windows/take-a-test-app-technical.md +++ b/education/windows/take-a-test-app-technical.md @@ -12,10 +12,9 @@ author: jdeckerMS # Take a Test app technical reference (Preview) **Applies to:** -- Windows 10 Insider Preview +- Windows 10 -> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] Take a Test is an app that locks down the PC and displays an online assessment web page. diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index d0d6052781..061fe5ac54 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md @@ -12,11 +12,9 @@ author: jdeckerMS # Set up Take a Test on multiple PCs (Preview) **Applies to:** -- Windows 10 Insider Preview +- Windows 10 -> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] - Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: - A Microsoft Edge browser window opens, showing just the test and nothing else. diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index fece24bac1..3ea4417ccb 100644 --- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md @@ -12,11 +12,9 @@ author: jdeckerMS # Set up Take a Test on a single PC (Preview) **Applies to:** -- Windows 10 Insider Preview +- Windows 10 -> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] - The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: - A Microsoft Edge browser window opens, showing just the test and nothing else. diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md index c0de33cc5b..76315dd51c 100644 --- a/education/windows/take-tests-in-windows-10.md +++ b/education/windows/take-tests-in-windows-10.md @@ -12,11 +12,9 @@ author: jdeckerMS # Take tests in Windows 10 (Preview) **Applies to:** -- Windows 10 Insider Preview +- Windows 10 -> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] - Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: - **Take a Test** shows just the test and nothing else. diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index 97f0a04fcb..415ee41643 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -12,10 +12,9 @@ author: jdeckerMS # Use the Set up School PCs app (Preview) **Applies to:** -- Windows 10 Insider Preview +- Windows 10 -> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] Teachers and IT administrators can use the **Set up School PCs** app to quickly set up computers for students. A computer set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md index 89e31937f3..2b0828d9ab 100644 --- a/windows/deploy/TOC.md +++ b/windows/deploy/TOC.md @@ -38,8 +38,9 @@ ## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) ## [Windows 10 upgrade paths](windows-10-upgrade-paths.md) ## [Windows 10 edition upgrade](windows-10-edition-upgrades.md) -## [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md) -## [Provision PCs with apps and certificates for initial deployments](provision-pcs-with-apps-and-certificates.md) +## [Provisioning packages for Windows 10](provisioning-packages.md) +### [Provision PCs with common settings for initial deployment](provision-pcs-for-initial-deployment.md) +### [Provision PCs with apps and certificates for initial deployments](provision-pcs-with-apps-and-certificates.md) ## [Deploy Windows To Go in your organization](deploy-windows-to-go.md) ## [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md) ## [Sideload apps in Windows 10](sideload-apps-in-windows-10.md) diff --git a/windows/deploy/images/ICD.png b/windows/deploy/images/ICD.png new file mode 100644 index 0000000000..9cfcb845df Binary files /dev/null and b/windows/deploy/images/ICD.png differ diff --git a/windows/deploy/provisioning-packages.md b/windows/deploy/provisioning-packages.md new file mode 100644 index 0000000000..553f2ba08b --- /dev/null +++ b/windows/deploy/provisioning-packages.md @@ -0,0 +1,130 @@ +--- +title: Provisioning packages (Windows 10) +description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. +ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: mobile +author: jdeckerMS +--- + +# Provisioning packages for Windows 10 + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows Provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management (through a wizard-driven user interface) and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. + +With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. + +Provisioning packages are simple enough that with a short set of written instructions, a student or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization. + +## New in Windows 10, Version 1607 + +The Windows Assessment and Deployment Kit (ADK) for Windows 10 includes the Imaging and Configuration Designer (ICD), a tool for configuring images and runtime settings which are then built into provisioning packages. Windows ICD for Windows 10, Version 1607, simplifies common provisioning scenarios. + +![Configuration Designer options](images/icd.png) + +Windows ICD in Windows 10, Version 1607, supports the following scenarios for IT administrators: + +* **Simple provisioning** – Enables IT administrators to define a desired configuration in Windows ICD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner. + + > [Learn how to use simple provisioning to configure Windows 10 computers.](../deploy/provision-pcs-for-initial-deployment.md) + +* **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** – Allows an IT administrator to use Windows ICD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices. + + > [Learn how to use advanced provisioning to configure Windows 10 computers with apps and certificates.](../deploy/provision-pcs-with-apps-and-certificates.md) + +* **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows 10 Mobile devices and enroll them into mobile device management (MDM) before handing them to end-users in the organization. IT administrators can use Windows ICD to specify the management end-point and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. Supported management end-points include: + + * System Center Configuration Manager and Microsoft Intune hybrid (certificate-based enrollment) + * AirWatch (password-string based enrollment) + * Mobile Iron (password-string based enrollment) + * Other MDMs (cert-based enrollment) + +> **Note:** Windows ICD in Windows 10, Version 1607, also provides a wizard to create provisioning packages for school PCs. To learn more, see [Set up students' PCs to join domain](https://technet.microsoft.com/edu/windows/index). + +## Benefits of provisioning packages + + +Provisioning packages let you: + +- Quickly configure a new device without going through the process of installing a new image. + +- Save time by configuring multiple devices using one provisioning package. + +- Quickly configure employee-owned devices in an organization without a mobile device management (MDM) infrastructure. + +- Set up a device without the device having network connectivity. + +Provisioning packages can be: + +- Installed using removable media such as an SD card or USB flash drive. + +- Attached to an email. + +- Downloaded from a network share. + +## What you can configure + + +The following table provides some examples of what can be configured using provisioning packages. + +| Customization options | Examples | +|--------------------------|-----------------------------------------------------------------------------------------------| +| Bulk Active Directory join and device name | Join devices to Active Directory domain and assign device names using hardware-specific serial numbers or random characters | +| Applications | Windows apps, line-of-business applications | +| Bulk enrollment into MDM | Automatic enrollment into a third-party MDM service\* | +| Certificates | Root certification authority (CA), client certificates | +| Connectivity profiles | Wi-Fi, proxy settings, Email | +| Enterprise policies | Security restrictions (password, device lock, camera, and so on), encryption, update settings | +| Data assets | Documents, music, videos, pictures | +| Start menu customization | Start menu layout, application pinning | +| Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on | +\* Using a provisioning package for auto-enrollment to System Center Configuration Manager or Configuration Manager/Intune hybrid is not supported. Use the Configuration Manager console to enroll devices. +  + +For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( http://go.microsoft.com/fwlink/p/?LinkId=619012). + +## Creating a provisioning package + + +With Windows 10, you can use the Windows Imaging and Configuration Designer (ICD) tool to create provisioning packages. To install Windows ICD and create provisioning packages, you must install the Windows Assessment and Deployment Kit (ADK) for Windows 10 [from the Windows Insider Program site](http://go.microsoft.com/fwlink/p/?linkid=533700). + +While running ADKsetup.exe for Windows 10, version 1607, select the following feature from the **Select the features you want to install** dialog box: + +- Windows Imaging and Configuration Designer (ICD) + +> **Note:** In previous versions of the Windows 10 ADK, you had to install additional features for Windows ICD to run. Starting in version 1607, you can install Windows ICD without other ADK features. + +After you install Windows ICD, you can use it to create a provisioning package. For detailed instructions on how to create a provisioning package, see [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651). + +## Applying a provisioning package to a device + + +Provisioning packages can be applied both during image deployment and during runtime. For information on how to apply a provisioning package to a Windows 10-based device, see [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkID=629651). + +## Learn more + + +[Windows 10: Deployment](http://go.microsoft.com/fwlink/p/?LinkId=533708) + +## Related topics + + + + +[Configure devices without MDM](../manage/configure-devices-without-mdm.md) + +  + +  + + + + + diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md index fdd8f60ef7..db0f315439 100644 --- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md +++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md @@ -301,8 +301,8 @@ You’ll need this software to set Windows Hello for Business policies in your e Windows Hello for Business mode Azure AD -Active Directory (AD) on-premises (available with production release of Windows Server 2016 Technical Preview) -Azure AD/AD hybrid (available with production release of Windows Server 2016 Technical Preview) +Active Directory (AD) on-premises (available with production release of Windows Server 2016) +Azure AD/AD hybrid (available with production release of Windows Server 2016) @@ -310,14 +310,14 @@ You’ll need this software to set Windows Hello for Business policies in your e Key-based authentication Azure AD subscription @@ -330,8 +330,8 @@ You’ll need this software to set Windows Hello for Business policies in your e
  • PKI infrastructure
    • @@ -339,7 +339,7 @@ You’ll need this software to set Windows Hello for Business policies in your e
  • Azure AD subscription
  • [Azure AD Connect](http://go.microsoft.com/fwlink/p/?LinkId=616792)
  • AD CS with NDES
    • -
  • Configuration Manager (current branch) or Configuration Manager 2016 Technical Preview for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Passport for Work
    • +
  • Configuration Manager 2016 for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Passport for Work
    • diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md index 5b62f16e2c..c17ac10cb8 100644 --- a/windows/manage/TOC.md +++ b/windows/manage/TOC.md @@ -9,6 +9,7 @@ ### [Diagnostics for Windows 10 devices](diagnostics-for-mdm-devices.md) ### [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) ### [Introduction to configuration service providers (CSPs)](how-it-pros-can-use-configuration-service-providers.md) +## [Windows Spotlight on the lock screen](windows-spotlight.md) ## [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) ### [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) ### [Customize and export Start layout](customize-and-export-start-layout.md) @@ -16,6 +17,7 @@ ### [Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) ### [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) ## [Lock down Windows 10](lock-down-windows-10.md) +### [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md) ### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) ### [Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md) #### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) diff --git a/windows/manage/images/funfacts.png b/windows/manage/images/funfacts.png new file mode 100644 index 0000000000..71355ec370 Binary files /dev/null and b/windows/manage/images/funfacts.png differ diff --git a/windows/manage/images/lockscreen.png b/windows/manage/images/lockscreen.png new file mode 100644 index 0000000000..68c64e15ec Binary files /dev/null and b/windows/manage/images/lockscreen.png differ diff --git a/windows/manage/images/lockscreenpolicy.png b/windows/manage/images/lockscreenpolicy.png new file mode 100644 index 0000000000..30b6a7ae9d Binary files /dev/null and b/windows/manage/images/lockscreenpolicy.png differ diff --git a/windows/manage/images/spotlight.png b/windows/manage/images/spotlight.png new file mode 100644 index 0000000000..515269740b Binary files /dev/null and b/windows/manage/images/spotlight.png differ diff --git a/windows/manage/lock-down-windows-10.md b/windows/manage/lock-down-windows-10.md index bfb23f39db..23461ca922 100644 --- a/windows/manage/lock-down-windows-10.md +++ b/windows/manage/lock-down-windows-10.md @@ -28,8 +28,8 @@ Enterprises often need to manage how people use corporate devices. Windows 10 p Description - -

    [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)

    tbd

    +

    [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md)

    Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10.

    +

    [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)

    Windows 10, Version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail.

    [Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md)

    You can configure a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise as a kiosk device, so that users can only interact with a single application that you select.

    diff --git a/windows/manage/lockdown-features-windows-10.md b/windows/manage/lockdown-features-windows-10.md new file mode 100644 index 0000000000..0acfd3723a --- /dev/null +++ b/windows/manage/lockdown-features-windows-10.md @@ -0,0 +1,115 @@ +--- +title: Lockdown features from Windows Embedded 8.1 Industry (Windows 10) +description: Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. +ms.assetid: 3C006B00-535C-4BA4-9421-B8F952D47A14 +keywords: lockdown, embedded +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: jdeckerMS +--- + +# Lockdown features from Windows Embedded 8.1 Industry + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. This table maps Windows Embedded Industry 8.1 features to Windows 10 Enterprise features, along with links to documentation. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows Embedded 8.1 Industry lockdown featureWindows 10 featureChanges

    [Hibernate Once/Resume Many (HORM)](http://go.microsoft.com/fwlink/p/?LinkId=626758): Quick boot to device

    		N/A

    HORM is supported in Windows 10, version 1607.

    [Unified Write Filter](http://go.microsoft.com/fwlink/p/?LinkId=626757): protect a device's physical storage media

    		[Unified Writer Filter](http://go.microsoft.com/fwlink/p/?LinkId=626607)

    The Unified Write Filter is continued in Windows 10, with the exception of HORM which has been deprecated.

    [Keyboard Filter]( http://go.microsoft.com/fwlink/p/?LinkId=626761): block hotkeys and other key combinations

    		[Keyboard Filter](http://go.microsoft.com/fwlink/p/?LinkId=708391)

    Keyboard filter is added in Windows 10, version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via Turn Windows Features On/Off. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.

    [Shell Launcher](http://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Classic Windows application on sign-on

    		[Shell Launcher](http://go.microsoft.com/fwlink/p/?LinkId=618603)

    Shell Launcher continues in Windows 10. It is now configurable in Windows ICD under the SMISettings category.

    +

    Learn [how to use Shell Launcher to create a kiosk device](http://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Classic Windows application.

    [Application Launcher]( http://go.microsoft.com/fwlink/p/?LinkId=626675): launch a Universal Windows Platform (UWP) app on sign-on

    		[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608)

    The Windows 8 Application Launcher has been consolidated into Assigned Access. Application Launcher enabled launching a Windows 8 app and holding focus on that app. Assigned Access offers a more robust solution for ensuring that apps retain focus.

    [Dialog Filter](http://go.microsoft.com/fwlink/p/?LinkId=626762): suppress system dialogs and control which processes can run

    		[AppLocker](../keep-secure/applocker-overview.md)

    Dialog Filter has been deprecated for Windows 10. Dialog Filter provided two capabilities; the ability to control which processes were able to run, and the ability to prevent dialogs (in practice, system dialogs) from appearing.

    +
      +

    • Control over which processes are able to run will now be provided by AppLocker.

      • +

    • System dialogs in Windows 10 have been replaced with system toasts. To see more on blocking system toasts, see Toast Notification Filter below.

      • +

    [Toast Notification Filter]( http://go.microsoft.com/fwlink/p/?LinkId=626673): suppress toast notifications

    		Mobile device management (MDM) and Group Policy

    Toast Notification Filter has been replaced by MDM and Group Policy settings for blocking the individual components of non-critical system toasts that may appear. For example, to prevent a toast from appearing when a USB drive is connected, ensure that USB connections have been blocked using the USB-related policies, and turn off notifications from apps.

    +

    Group Policy: User Configuration > Administrative Templates > Start Menu and Taskbar > Notifications

    +

    MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow action center notifications and a [custom OMA-URI setting](http://go.microsoft.com/fwlink/p/?LinkID=616317) for AboveLock/AllowActionCenterNotifications.

    [Embedded Lockdown Manager](http://go.microsoft.com/fwlink/p/?LinkId=626763): configure lockdown features

    		[Windows Imaging and Configuration Designer (ICD)](http://go.microsoft.com/fwlink/p/?LinkID=525483)

    The Embedded Lockdown Manager has been deprecated for Windows 10 and replaced by the Windows ICD. Windows ICD is the consolidated tool for Windows imaging and provisioning scenarios and enables configuration of all Windows settings, including the lockdown features previously configurable through Embedded Lockdown Manager.

    [USB Filter](http://go.microsoft.com/fwlink/p/?LinkId=626674): restrict USB devices and peripherals on system

    		MDM and Group Policy

    The USB Filter driver has been replaced by MDM and Group Policy settings for blocking the connection of USB devices.

    +

    Group Policy: Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions

    +

    MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow removable storage or Allow USB connection (Windows 10 Mobile only).

    [Assigned Access](http://go.microsoft.com/fwlink/p/?LinkID=613653): launch a UWP app on sign-in and lock access to system

    		[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608)

    Assigned Access has undergone significant improvement for Windows 10. In Windows 8.1, Assigned Access blocked system hotkeys and edge gestures, and non-critical system notifications, but it also applied some of these limitations to other accounts on the device.

    +

    In Windows 10, Assigned Access no longer affects accounts other than the one being locked down. Assigned Access now restricts access to other apps or system components by locking the device when the selected user account logs in and launching the designated app above the lock screen, ensuring that no unintended functionality can be accessed.

    +

    Learn [how to use Assigned Access to create a kiosk device](http://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Universal Windows app.

    [Gesture Filter](http://go.microsoft.com/fwlink/p/?LinkId=626672): block swipes from top, left, and right edges of screen

    		[Assigned Access](http://go.microsoft.com/fwlink/p/?LinkId=626608)

    The capabilities of Gesture Filter have been consolidated into Assigned Access for Windows 10. In Windows 8.1, gestures provided the ability to close an app, to switch apps, and to reach the Charms. For Windows 10, Charms have been removed, and blocking the closing or switching of apps is part of Assigned Access.

    [Custom Logon]( http://go.microsoft.com/fwlink/p/?LinkId=626759): suppress Windows UI elements during Windows sign-on, sign-off, and shutdown

    		[Embedded Logon](http://go.microsoft.com/fwlink/p/?LinkId=626760)

    No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.

    [Unbranded Boot](http://go.microsoft.com/fwlink/p/?LinkId=626872): custom brand a device by removing or replacing Windows boot UI elements

    		[Unbranded Boot](http://go.microsoft.com/fwlink/p/?LinkId=626873)

    No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.

    +  +  +  diff --git a/windows/manage/windows-spotlight.md b/windows/manage/windows-spotlight.md new file mode 100644 index 0000000000..af6bd8ed19 --- /dev/null +++ b/windows/manage/windows-spotlight.md @@ -0,0 +1,77 @@ +--- +title: Windows Spotlight on the lock screen (Windows 10) +description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen. +ms.assetid: 1AEA51FA-A647-4665-AD78-2F3FB27AD46A +keywords: ["lockscreen"] +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +author: jdeckerMS +--- + +# Windows Spotlight on the lock screen + + +**Applies to** + +- Windows 10 + +Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows Spotlight is available in all desktop editions of Windows 10. + +For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background. For managed devices running Windows 10 Pro, version 1607, administrators can disable suggestions for third party apps. + +## What does Windows Spotlight include? + + +- **Background image** + + The Windows Spotlight displays a new image on the lock screen each day. The initial background image is included during installation. Additional images are downloaded on ongoing basis. + + ![lock screen image](images/lockscreen.png) + +- **Feature suggestions, fun facts, tips** + + The lock screen background will occasionally suggest Windows 10 features that the user hasn't tried yet, such as **Snap assist**. + +## How do you turn off Windows spotlight locally? + + +To turn off Windows Spotlight locally, go to **Settings** > **Personalization** > **Lock screen** > **Background** > **Windows spotlight** > select a different lock screen background + +![personalization background](images/spotlight.png) + +## How do you disable Windows Spotlight for managed devices? + + +Windows 10, version 1607, provides three new Group Policy settings to help you manage Spotlight on employees' computers. + +**Windows 10 Pro, Enterprise, and Education** + +- **User Configuration\Administrative Templates\Windows Components\Cloud Content\Do not suggest third-party content in Windows spotlight** enables enterprises to restrict suggestions to Microsoft apps and services. + +**Windows 10 Enterprise and Education** + +* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows Spotlight features** enables enterprises to completely disable all Spotlight features in a single setting. +* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Configure Spotlight on lock screen** specifically controls the use of the dynamic Spotlight image on the lock screen, and can be enabled or disabled. (The Group Policy setting **Enterprise Spotlight** does not work in Windows 10, version 1607.) + +Windows Spotlight is enabled by default. Administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. + +![lockscreen policy details](images/lockscreenpolicy.png) + +Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox is not selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages, such as the example in the following image. + +![fun facts](images/funfacts.png) + +## Related topics + + +[Manage Windows 10 Start layout options](../manage/windows-10-start-layout-options-and-policies.md) + +  + +  + + + + + diff --git a/windows/whats-new/TOC.md b/windows/whats-new/TOC.md index 6773c4361a..c9d8a0d1fe 100644 --- a/windows/whats-new/TOC.md +++ b/windows/whats-new/TOC.md @@ -2,3 +2,4 @@ ## [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md) ## [What's new in Windows 10, version 1511](whats-new-windows-10-version-1511.md) + diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md index 148a0e6b44..503f5e9190 100644 --- a/windows/whats-new/index.md +++ b/windows/whats-new/index.md @@ -16,6 +16,7 @@ Learn about new features in Windows 10 for IT professionals, such as Enterprise - [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md) - [What's new in Windows 10, version 1511](whats-new-windows-10-version-1511.md) +- [Documentation for Windows 10 Insider Preview](windows-10-insider-preview.md)   diff --git a/windows/whats-new/whats-new-windows-10-version-1511.md b/windows/whats-new/whats-new-windows-10-version-1511.md index ddfd02300b..a017ca7d29 100644 --- a/windows/whats-new/whats-new-windows-10-version-1511.md +++ b/windows/whats-new/whats-new-windows-10-version-1511.md @@ -12,7 +12,82 @@ author: TrudyHa Below is a list of some of the new and updated features in Windows 10, version 1511. +## Security +### Easier certificate management + + +For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the [Certificates app](http://go.microsoft.com/fwlink/p/?LinkId=615824) to review the details of certificates on your device. [Learn how to install digital certificates on Windows 10 Mobile.](~/keep-secure/installing-digital-certificates-on-windows-10-mobile.md) + +### Microsoft Passport + +In Windows 10, [Microsoft Passport](~/keep-secure/manage-identity-verification-using-microsoft-passport.md) replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN. + +Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services. + + +## Management + +Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices. + +### MDM support + + +MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Windows Store, VPN configuration, and more. + +MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](http://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification. + +Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. [Reference for Mobile device management for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=533172) + +### Unenrollment + + +When a person leaves your organization and you unenroll the user account or device from management, the enterprise-controlled configurations and apps are removed from the device. You can unenroll the device remotely or the person can unenroll by manually removing the account from the device. + +When a personal device is unenrolled, the user's data and apps are untouched, while enterprise information such as certificates, VPN profiles, and enterprise apps are removed. + +### Infrastructure + + +Enterprises have the following identity and management choices. + +| Area | Choices | +|---|---| +| Identity | Active Directory; Azure AD | +| Grouping | Domain join; Workgroup; Azure AD join | +| Device management | Group Policy; System Center Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) | + +  + +**Note**   +With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](http://go.microsoft.com/fwlink/p/?LinkID=613512). + +  +### Device lockdown + + +Do you need a computer that can only do one thing? For example: + +- A device in the lobby that customers can use to view your product catalog. + +- A portable device that drivers can use to check a route on a map. + +- A device that a temporary worker uses to enter data. + +You can configure a persistent locked down state to [create a kiosk-type device](https://technet.microsoft.com/en-us/itpro/windows/manage/set-up-a-device-for-anyone-to-use). When the locked-down account is logged on, the device displays only the app that you select. + +You can also [configure a lockdown state](https://technet.microsoft.com/en-us/itpro/windows/manage/lock-down-windows-10-to-specific-apps) that takes effect when a given user account logs on. The lockdown restricts the user to only the apps that you specify. + +Lockdown settings can also be configured for device look and feel, such as a theme or a [custom layout on the Start screen](https://technet.microsoft.com/en-us/itpro/windows/manage/windows-10-start-layout-options-and-policies). + +## Updates + + +With Windows 10, your enterprise will have more choice and flexibility in applying operating system updates. You can manage and control updates to devices running Windows 10 Pro and Windows 10 Enterprise using MDM policies. + +While Windows Update provides updates to unmanaged devices, most enterprises prefer to manage and control the flow of updates using their device management solution. You can choose to apply the latest updates as soon as they are available, or you can set a source and schedule for updates that works for your specific requirements. + +For more information about updating Windows 10, see [Windows 10 servicing options for updates and upgrades](../manage/introduction-to-windows-10-servicing.md).   diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md index 8674d347f9..4ff3d2b9a8 100644 --- a/windows/whats-new/whats-new-windows-10-version-1607.md +++ b/windows/whats-new/whats-new-windows-10-version-1607.md @@ -13,10 +13,32 @@ author: TrudyHa Below is a list of some of the new and updated features in Windows 10, version 1607.   +## Deployment +### Windows Imaging and Configuration Designer (ICD) + +In previous versions of the Windows 10 ADK, you had to install additional features for Windows ICD to run. Starting in version 1607, you can install Windows ICD without other ADK features. [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) + +Windows ICD now includes simplified workflows for creating provisioning packages: + +- [Simple provisioning to set up common settings for Active Directory-joined devices](~/deploy/provision-pcs-for-initial-deployment.md) +- [Advanced provisioning to deploy certificates and apps](~/deploy/provision-pcs-with-apps-and-certificates.md) +- [School provisioning to set up classroom devices for Active Directory](https://technet.microsoft.com/en-us/edu/windows/set-up-students-pcs-to-join-domain) + +## Security + +### Windows Hello for Business + +When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the [Windows Hello](~/keep-secure/manage-identity-verification-using-microsoft-passport.md) name in Windows 10, version 1607. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.   - - - +## Management + +### Taskbar configuration + +Enterprise administrators can add and remove pinned apps from the taskbar. Users can pin apps, unpin apps, and change the order of pinned apps on the taskbar after the enterprise configuration is applied. + +### Mobile device management and configuration service providers (CSPs) + +Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilities for managing devices. To learn more about the specific changes in MDM policies for Windows 10, version 1607, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/en-us/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607). diff --git a/windows/whats-new/windows-10-insider-preview.md b/windows/whats-new/windows-10-insider-preview.md new file mode 100644 index 0000000000..c2f98f8924 --- /dev/null +++ b/windows/whats-new/windows-10-insider-preview.md @@ -0,0 +1,27 @@ +--- +title: Documentation for Windows 10 Insider Preview (Windows 10) +description: Preliminary documentation for some Windows 10 features in Insider Preview. +ms.assetid: 75F285B0-09BE-4821-9B42-37B9BE54CEC6 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: TrudyHa +--- + +# Documentation for Windows 10 Insider Preview + +> [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ] + +This section contains preliminary documentation for some enterprise features in Windows 10 Insider Preview. Information in this section may change frequently. + + + + +  + +  + + + + +